 |  |  |  |  |  |  |  |
pmkjh.dll won't go away!
 |
Not sure how much you trust anyone on this website, but crunchie is a moderator on this site. That means he knows his stuff! I have also used ComboFix, and it worked for me. I have actually used it on six computers. They all work fine now! In my opinion it is a great tool. Good luck.
I have tried VundoFix numerous times in all versions but pmkjh.dll still regenerates itself.
I will use ComboFix when I get home tonight.
I will use ComboFix when I get home tonight.
Ok, well good luck, I am sure this has been frustrating for you. If I can help in any way I will try. So let us know how it goes!!
ComboFix 08-04-26.3 - Owner 2008-04-30 17:01:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.120 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\check_LSA7.txt
C:\Documents and Settings\Owner\Application Data\PPPATC~1
C:\lswmv.ini
c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\uninstall information
C:\Program Files\fnts~1
C:\Program Files\SoftwareOnline
C:\Program Files\SoftwareOnline\soproc.exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\winupdate
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\scurit~1
C:\WINDOWS\scurit~1\s?curity\
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\bxtyhjns.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\ggfvmakq.ini
C:\WINDOWS\system32\gokekyww.ini
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.ini2
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pmkjh.exe
C:\WINDOWS\system32\snjhytxb.ini
C:\WINDOWS\system32\sstem~1
C:\WINDOWS\system32\sstem~1\s?stem\
C:\xcrashdump.dat
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DOMAINSERVICE
((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.
2008-04-28 19:49 . 2008-04-28 19:49 294 ---hs---- C:\WINDOWS\system32\chuibbgy.ini
2008-04-27 12:50 . 2005-08-27 02:38 1,435,272 --a------ C:\WINDOWS\system32\Flash.ocx
2008-04-27 12:50 . 2003-11-19 13:59 512,688 --a------ C:\WINDOWS\system32\XceedCry.dll
2008-04-27 12:50 . 2004-05-11 09:56 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2008-04-27 12:50 . 2004-03-08 23:00 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2008-04-27 12:50 . 2000-07-15 05:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-04-27 12:50 . 2001-03-28 22:02 89,088 --a------ C:\WINDOWS\system32\ProgressBar4.ocx
2008-04-27 12:50 . 1999-01-26 19:36 11,012 --a------ C:\WINDOWS\system32\threadapi.tlb
2008-04-26 14:29 . 2008-04-30 14:23 109,793 --a------ C:\WINDOWS\BM63f23048.xml
2008-04-26 12:15 . 2008-04-26 12:15 25,088 --a------ C:\WINDOWS\system32\Partizan.exe
2008-04-26 08:37 . 2008-04-26 08:37 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\Webroot
2008-04-24 06:05 . 2008-04-24 06:05 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\Malwarebytes
2008-04-23 09:52 . 2008-04-23 09:52 <DIR> d-------- C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\Malwarebytes
2008-04-23 08:58 . 2006-08-21 01:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-23 08:58 . 2006-08-21 01:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-23 08:58 . 2006-08-21 04:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-23 08:10 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-23 08:05 . 2006-06-14 00:47 172,416 -----c--- C:\WINDOWS\system32\dllcache\kmixer.sys
2008-04-23 08:05 . 2006-06-14 01:00 82,944 -----c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-04-23 08:05 . 2006-06-14 00:47 6,400 -----c--- C:\WINDOWS\system32\dllcache\splitter.sys
2008-04-22 20:25 . 2008-04-22 20:25 0 --a------ C:\Documents and Settings\Administrator.YOUR-C8BH3JAGLT\regsvr32
2008-04-22 19:43 . 2008-04-22 19:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-22 17:58 . 2008-04-26 12:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-22 17:58 . 2008-04-22 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-22 17:58 . 2008-04-22 17:58 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-C8BH3JAGLT\Application Data\Malwarebytes
2008-04-22 06:44 . 2008-04-22 06:44 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\Sonic
2008-04-21 16:20 . 2008-04-21 16:20 30,946 --a------ C:\WINDOWS\system32\drivers\Partizan.sys
2008-04-21 12:35 . 2008-04-21 12:35 <DIR> d-------- C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\Sonic
2008-04-20 18:10 . 2008-04-22 19:41 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-C8BH3JAGLT\Application Data\Desktopicon
2008-04-18 09:25 . 2008-04-21 09:11 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\AdobeUM
2008-04-14 09:35 . 2008-04-14 09:35 <DIR> d-------- C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\DivX
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 01:27 --------- d-----w C:\Program Files\Unlocker
2008-04-21 20:35 --------- d-----w C:\Program Files\RecordNow!
2008-04-21 20:35 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-04-21 00:41 --------- d-----w C:\Program Files\AIM
2008-04-20 21:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-04-19 21:45 --------- d-----w C:\Program Files\Starcraft
2008-04-14 16:52 --------- d-----w C:\Program Files\Easy Internet signup
2008-04-13 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-05 21:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\ImgBurn
2008-04-05 18:53 --------- d-----w C:\Program Files\ImgBurn
2008-04-01 01:31 --------- d-----w C:\Documents and Settings\Christine.YOUR-C8BH3JAGLT\Application Data\AdobeUM
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-11 17:35 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-11 17:35 --------- d-----w C:\Program Files\Blaze Media Pro
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-21 18:31 13,195 ----a-w C:\Documents and Settings\Owner\zguicfgw.dat
2006-03-10 02:54 272 ----a-w C:\Documents and Settings\Owner\sfa2dat.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0f69bbef-119f-41ca-a2e3-860f206c8df0}]
C:\WINDOWS\system32\vjpmdedr.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [ ]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant .exe" [ ]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [ ]
"BM63f23048"="C:\WINDOWS\system32\iyxjcluf.dll" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0086076]
C:\WINDOWS\system32\__c0086076.dat
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00B7BEF]
C:\WINDOWS\system32\__c00B7BEF.dat
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00BC67B]
C:\WINDOWS\system32\__c00BC67B.dat
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Compaq Organize.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Compaq Organize.lnk
backup=C:\WINDOWS\pss\Compaq Organize.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=C:\WINDOWS\pss\IMStart.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\60c103d4]
C:\WINDOWS\system32\nhtnvkly.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-01-16 19:34 88363 C:\WINDOWS\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2008-01-08 14:40 441856 C:\Program Files\AIM\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brxv]
C:\Documents and Settings\Owner\My Documents\W?nSxS\m?iexec.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2003-08-15 00:59 70816 c:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 16:04 52736 c:\windows\system\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 21:32 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-01-16 19:16 229376 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 19:02 61440 C:\HP\KBD\KBD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X6100 Series]
--a------ 2008-01-08 14:40 417280 C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-02-12 13:12 59392 C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
--a------ 2003-08-15 18:24 124096 c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notn]
C:\WINDOWS\system32\SSTEM~1\services.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-02-11 20:08 455168 C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-02-11 20:08 455168 C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2003-09-12 19:13 98304 C:\WINDOWS\system32\ps2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule11]
C:\Program Files\QdrModule\QdrModule11.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack11]
C:\Program Files\QdrPack\QdrPack11.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-13 20:43 233472 C:\WINDOWS\SMINST\RECGUARD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-12-17 23:31 118784 C:\Windows\Creator\Remind_XP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-04-02 00:49 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-04-02 01:43 151597 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tndzcg]
C:\Program Files\Common Files\?racle\?canregw.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2004-10-22 11:53 53248 C:\WINDOWS\system32\VTTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2008-04-21 16:20]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
"2008-04-30 02:45:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-14 16:52:24 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2008-04-26 04:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2004-04-03 08:05:51 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 17:45:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 32
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-30 18:16:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-01 02:15:17
Pre-Run: 78,093,807,616 bytes free
Post-Run: 78,672,683,008 bytes free
329 --- E O F --- 2008-04-24 21:41:33
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:23 PM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant .exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1190412252843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1190412236609
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
My system seems clear so far, pmkjh.dll has not regenerated itself
But on my laptop I have the same problem but instead of pmkjh.dll its jkkii.dll and even with ComboFix, jkkii.dll regenerated itself. But my desktop computer is much more important and it appears to function properly! Thanks for the help guys =)
I will post another HJT log tomorrow and I will also check if the stubborn .dll managed to regenerate itself. *crosses fingers*
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.120 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\check_LSA7.txt
C:\Documents and Settings\Owner\Application Data\PPPATC~1
C:\lswmv.ini
c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\uninstall information
C:\Program Files\fnts~1
C:\Program Files\SoftwareOnline
C:\Program Files\SoftwareOnline\soproc.exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\Program Files\winupdate
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\scurit~1
C:\WINDOWS\scurit~1\s?curity\
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\bxtyhjns.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\ggfvmakq.ini
C:\WINDOWS\system32\gokekyww.ini
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.ini2
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pmkjh.exe
C:\WINDOWS\system32\snjhytxb.ini
C:\WINDOWS\system32\sstem~1
C:\WINDOWS\system32\sstem~1\s?stem\
C:\xcrashdump.dat
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DOMAINSERVICE
((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.
2008-04-28 19:49 . 2008-04-28 19:49 294 ---hs---- C:\WINDOWS\system32\chuibbgy.ini
2008-04-27 12:50 . 2005-08-27 02:38 1,435,272 --a------ C:\WINDOWS\system32\Flash.ocx
2008-04-27 12:50 . 2003-11-19 13:59 512,688 --a------ C:\WINDOWS\system32\XceedCry.dll
2008-04-27 12:50 . 2004-05-11 09:56 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2008-04-27 12:50 . 2004-03-08 23:00 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2008-04-27 12:50 . 2000-07-15 05:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-04-27 12:50 . 2001-03-28 22:02 89,088 --a------ C:\WINDOWS\system32\ProgressBar4.ocx
2008-04-27 12:50 . 1999-01-26 19:36 11,012 --a------ C:\WINDOWS\system32\threadapi.tlb
2008-04-26 14:29 . 2008-04-30 14:23 109,793 --a------ C:\WINDOWS\BM63f23048.xml
2008-04-26 12:15 . 2008-04-26 12:15 25,088 --a------ C:\WINDOWS\system32\Partizan.exe
2008-04-26 08:37 . 2008-04-26 08:37 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\Webroot
2008-04-24 06:05 . 2008-04-24 06:05 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\Malwarebytes
2008-04-23 09:52 . 2008-04-23 09:52 <DIR> d-------- C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\Malwarebytes
2008-04-23 08:58 . 2006-08-21 01:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-23 08:58 . 2006-08-21 01:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-23 08:58 . 2006-08-21 04:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-23 08:10 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-23 08:05 . 2006-06-14 00:47 172,416 -----c--- C:\WINDOWS\system32\dllcache\kmixer.sys
2008-04-23 08:05 . 2006-06-14 01:00 82,944 -----c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-04-23 08:05 . 2006-06-14 00:47 6,400 -----c--- C:\WINDOWS\system32\dllcache\splitter.sys
2008-04-22 20:25 . 2008-04-22 20:25 0 --a------ C:\Documents and Settings\Administrator.YOUR-C8BH3JAGLT\regsvr32
2008-04-22 19:43 . 2008-04-22 19:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-22 17:58 . 2008-04-26 12:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-22 17:58 . 2008-04-22 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-22 17:58 . 2008-04-22 17:58 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-C8BH3JAGLT\Application Data\Malwarebytes
2008-04-22 06:44 . 2008-04-22 06:44 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\Sonic
2008-04-21 16:20 . 2008-04-21 16:20 30,946 --a------ C:\WINDOWS\system32\drivers\Partizan.sys
2008-04-21 12:35 . 2008-04-21 12:35 <DIR> d-------- C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\Sonic
2008-04-20 18:10 . 2008-04-22 19:41 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-C8BH3JAGLT\Application Data\Desktopicon
2008-04-18 09:25 . 2008-04-21 09:11 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\AdobeUM
2008-04-14 09:35 . 2008-04-14 09:35 <DIR> d-------- C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\DivX
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 01:27 --------- d-----w C:\Program Files\Unlocker
2008-04-21 20:35 --------- d-----w C:\Program Files\RecordNow!
2008-04-21 20:35 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-04-21 00:41 --------- d-----w C:\Program Files\AIM
2008-04-20 21:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-04-19 21:45 --------- d-----w C:\Program Files\Starcraft
2008-04-14 16:52 --------- d-----w C:\Program Files\Easy Internet signup
2008-04-13 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-05 21:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\ImgBurn
2008-04-05 18:53 --------- d-----w C:\Program Files\ImgBurn
2008-04-01 01:31 --------- d-----w C:\Documents and Settings\Christine.YOUR-C8BH3JAGLT\Application Data\AdobeUM
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-11 17:35 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-11 17:35 --------- d-----w C:\Program Files\Blaze Media Pro
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-21 18:31 13,195 ----a-w C:\Documents and Settings\Owner\zguicfgw.dat
2006-03-10 02:54 272 ----a-w C:\Documents and Settings\Owner\sfa2dat.dat
.
<pre> ----a-w 307,200 2008-04-26 16:34:34 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe ----a-w 748,032 2008-04-29 01:37:49 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe ----a-w 67,160 2008-04-21 00:41:18 C:\Program Files\AIM\aim .exe ----a-w 110,592 2008-04-30 23:39:14 C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe ----a-w 57,344 2008-01-08 22:40:20 C:\Program Files\Lexmark X6100 Series\lxbfbmgr .exe ----a-w 1,175,160 2008-04-26 20:25:20 C:\Program Files\Malwarebytes' Anti-Malware\mbam .exe ----a-w 1,694,208 2008-04-29 01:37:50 C:\Program Files\Messenger\msmsgs .exe ----a-w 365,568 2008-04-30 21:46:49 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-30 04:03:59 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-30 01:07:36 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-29 22:44:18 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-29 17:37:37 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-29 03:49:18 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-28 17:21:26 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-28 04:56:43 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-28 01:30:23 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-27 23:41:28 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-27 23:18:11 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-27 20:30:10 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-27 18:02:08 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-27 16:22:16 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-27 15:25:26 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-26 22:29:14 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-26 20:37:05 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-26 20:24:36 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-26 20:09:38 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-26 19:44:03 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-26 15:50:29 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-26 06:00:54 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-26 05:55:10 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-26 05:45:07 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-26 05:40:12 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-26 05:02:27 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-26 04:52:52 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-26 04:38:32 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-26 03:54:43 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-25 17:49:35 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-25 14:48:13 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-25 05:53:12 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-25 03:54:47 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-25 03:30:37 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-25 01:50:07 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-24 17:48:37 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-24 01:20:20 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-23 23:29:26 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-23 17:44:41 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-23 05:54:50 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-23 04:29:58 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-23 03:54:31 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-23 03:43:27 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-22 16:59:53 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-22 14:44:27 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-22 03:36:22 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-22 01:07:02 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-21 23:56:39 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-21 22:49:52 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-21 18:09:14 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-21 03:01:58 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 365,568 2008-04-21 02:52:53 C:\Program Files\Unlocker\UnlockerAssistant .exe ----a-w 3,096,576 2008-04-29 22:44:28 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe ----a-w 3,479,552 2008-04-29 22:44:16 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe ----a-w 3,479,552 2008-04-29 17:37:35 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe ----a-w 3,479,552 2008-04-28 17:21:25 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe ----a-w 3,479,552 2008-04-27 16:22:13 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe ----a-w 3,479,552 2008-04-26 15:50:26 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe ----a-w 3,479,552 2008-04-25 20:25:34 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe ----a-w 3,479,552 2008-04-24 17:48:37 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe ----a-w 3,479,552 2008-04-23 17:44:39 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe ----a-w 3,479,552 2008-04-23 05:54:49 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe ----a-w 3,479,552 2008-04-22 16:59:52 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe ----a-w 3,479,552 2008-04-21 18:09:13 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe ----a-w 3,096,576 2008-04-26 16:37:28 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe ----a-w 158,208 2008-01-10 23:12:31 C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe ----a-w 15,360 2008-01-21 06:55:28 C:\WINDOWS\system32\ctfmon .exe ----a-w 174,592 2008-01-21 06:55:21 C:\WINDOWS\system32\lexpps .exe </pre>
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0f69bbef-119f-41ca-a2e3-860f206c8df0}]
C:\WINDOWS\system32\vjpmdedr.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [ ]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant .exe" [ ]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [ ]
"BM63f23048"="C:\WINDOWS\system32\iyxjcluf.dll" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0086076]
C:\WINDOWS\system32\__c0086076.dat
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00B7BEF]
C:\WINDOWS\system32\__c00B7BEF.dat
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00BC67B]
C:\WINDOWS\system32\__c00BC67B.dat
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Compaq Organize.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Compaq Organize.lnk
backup=C:\WINDOWS\pss\Compaq Organize.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=C:\WINDOWS\pss\IMStart.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\60c103d4]
C:\WINDOWS\system32\nhtnvkly.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-01-16 19:34 88363 C:\WINDOWS\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2008-01-08 14:40 441856 C:\Program Files\AIM\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brxv]
C:\Documents and Settings\Owner\My Documents\W?nSxS\m?iexec.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2003-08-15 00:59 70816 c:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 16:04 52736 c:\windows\system\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 21:32 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-01-16 19:16 229376 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 19:02 61440 C:\HP\KBD\KBD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X6100 Series]
--a------ 2008-01-08 14:40 417280 C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-02-12 13:12 59392 C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
--a------ 2003-08-15 18:24 124096 c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notn]
C:\WINDOWS\system32\SSTEM~1\services.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-02-11 20:08 455168 C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-02-11 20:08 455168 C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2003-09-12 19:13 98304 C:\WINDOWS\system32\ps2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule11]
C:\Program Files\QdrModule\QdrModule11.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack11]
C:\Program Files\QdrPack\QdrPack11.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-13 20:43 233472 C:\WINDOWS\SMINST\RECGUARD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-12-17 23:31 118784 C:\Windows\Creator\Remind_XP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-04-02 00:49 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-04-02 01:43 151597 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tndzcg]
C:\Program Files\Common Files\?racle\?canregw.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2004-10-22 11:53 53248 C:\WINDOWS\system32\VTTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2008-04-21 16:20]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
"2008-04-30 02:45:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-14 16:52:24 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2008-04-26 04:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2004-04-03 08:05:51 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 17:45:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 32
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-30 18:16:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-01 02:15:17
Pre-Run: 78,093,807,616 bytes free
Post-Run: 78,672,683,008 bytes free
329 --- E O F --- 2008-04-24 21:41:33
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:23 PM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant .exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1190412252843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1190412236609
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
My system seems clear so far, pmkjh.dll has not regenerated itself
But on my laptop I have the same problem but instead of pmkjh.dll its jkkii.dll and even with ComboFix, jkkii.dll regenerated itself. But my desktop computer is much more important and it appears to function properly! Thanks for the help guys =)
I will post another HJT log tomorrow and I will also check if the stubborn .dll managed to regenerate itself. *crosses fingers*
•
•
Join Date: Feb 2004
Posts: 10,018
Reputation: 
Solved Threads: 759
You need to understand that your system is still severely compromised. Combofix has revealed one heck of a lot of nasties on your pc. There is no guarantee that even once they are removed, your pc will be 'back to normal.'
==
Go to Start | Run and type in msconfig and hit ok. Go to the Startup Tab and enable all startups. Apply the settings and ok out. Do NOT reboot!
Do a scan with hijackthis and save the log.
Go back into msconfig and change the startups back again to how they were.
==
1. Please open Notepad
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Save the above as CFScript.txt
4. Physically disconnect from the internet.
5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter you re-enable all the programs that were disabled during the running of ComboFix:
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
==
Go to Start | Run and type in msconfig and hit ok. Go to the Startup Tab and enable all startups. Apply the settings and ok out. Do NOT reboot!
Do a scan with hijackthis and save the log.
Go back into msconfig and change the startups back again to how they were.
==
1. Please open Notepad
- Click Start , then Run
- Type notepad.exe in the Run Box.
KillAll::
File::
C:\WINDOWS\system32\vjpmdedr.dll
C:\WINDOWS\system32\__c0086076.dat
C:\WINDOWS\system32\__c00B7BEF.dat
C:\WINDOWS\system32\__c00BC67B.dat
C:\WINDOWS\system32\nhtnvkly.dll
RENV::
----a-w 307,200 2008-04-26 16:34:34 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w 748,032 2008-04-29 01:37:49 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w 67,160 2008-04-21 00:41:18 C:\Program Files\AIM\aim .exe
----a-w 110,592 2008-04-30 23:39:14 C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w 57,344 2008-01-08 22:40:20 C:\Program Files\Lexmark X6100 Series\lxbfbmgr .exe
----a-w 1,175,160 2008-04-26 20:25:20 C:\Program Files\Malwarebytes' Anti-Malware\mbam .exe
----a-w 1,694,208 2008-04-29 01:37:50 C:\Program Files\Messenger\msmsgs .exe
----a-w 365,568 2008-04-30 21:46:49 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-30 04:03:59 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-30 01:07:36 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-29 22:44:18 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-29 17:37:37 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-29 03:49:18 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-28 17:21:26 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-28 04:56:43 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-28 01:30:23 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-27 23:41:28 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-27 23:18:11 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-27 20:30:10 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-27 18:02:08 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-27 16:22:16 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-27 15:25:26 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 22:29:14 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 20:37:05 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 20:24:36 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 20:09:38 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 19:44:03 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 15:50:29 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 06:00:54 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 05:55:10 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 05:45:07 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 05:40:12 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 05:02:27 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 04:52:52 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 04:38:32 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-26 03:54:43 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-25 17:49:35 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-25 14:48:13 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-25 05:53:12 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-25 03:54:47 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-25 03:30:37 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-25 01:50:07 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-24 17:48:37 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-24 01:20:20 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-23 23:29:26 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-23 17:44:41 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-23 05:54:50 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-23 04:29:58 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-23 03:54:31 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-23 03:43:27 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-22 16:59:53 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-22 14:44:27 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-22 03:36:22 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-22 01:07:02 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-21 23:56:39 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-21 22:49:52 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-21 18:09:14 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-21 03:01:58 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 365,568 2008-04-21 02:52:53 C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w 3,096,576 2008-04-29 22:44:28 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-29 22:44:16 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-29 17:37:35 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-28 17:21:25 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-27 16:22:13 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-26 15:50:26 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-25 20:25:34 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-24 17:48:37 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-23 17:44:39 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-23 05:54:49 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-22 16:59:52 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,479,552 2008-04-21 18:09:13 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 3,096,576 2008-04-26 16:37:28 C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w 158,208 2008-01-10 23:12:31 C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w 15,360 2008-01-21 06:55:28 C:\WINDOWS\system32\ctfmon .exe
----a-w 174,592 2008-01-21 06:55:21 C:\WINDOWS\system32\lexpps .exe
Folders::
C:\Documents and Settings\Owner\My Documents\W?nSxS
C:\WINDOWS\system32\SSTEM~1
C:\Program Files\Common Files\?racle
Registry::[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0f69bbef-119f-41ca-a2e3-860f206c8df0}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0086076]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00B7BEF]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00BC67B]Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Save the above as CFScript.txt
4. Physically disconnect from the internet.
5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter you re-enable all the programs that were disabled during the running of ComboFix:
- Combofix.txt
- A new HijackThis log that have previously run.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Crunchie,
I have a question for you. Is the killall: command something you should always do after combofix is ran? Providing that you can see where the bad files are, does the killall completely wipe them out. I am asking cause I have used combofix, but I have never ran a killall after. I just did this about a month ago on a few machines. Should I anticipate further problems with these?? I have had no issues with them since CF.
I have a question for you. Is the killall: command something you should always do after combofix is ran? Providing that you can see where the bad files are, does the killall completely wipe them out. I am asking cause I have used combofix, but I have never ran a killall after. I just did this about a month ago on a few machines. Should I anticipate further problems with these?? I have had no issues with them since CF.
•
•
Join Date: Feb 2004
Posts: 10,018
Reputation:
Solved Threads: 759
killall stops all non-essential processes to prevent any hiccups whilst it is running. Can be used from the 'Run' box using the killall switch.
I would say that if your pc is still ok, you will be fine.
I would say that if your pc is still ok, you will be fine
. Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
ComboFix 08-04-26.3 - Owner 2008-05-01 15:57:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.166 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\system32\__c0086076.dat
C:\WINDOWS\system32\__c00B7BEF.dat
C:\WINDOWS\system32\__c00BC67B.dat
C:\WINDOWS\system32\nhtnvkly.dll
C:\WINDOWS\system32\vjpmdedr.dll
.
((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.
2008-04-28 19:49 . 2008-04-28 19:49 294 ---hs---- C:\WINDOWS\system32\chuibbgy.ini
2008-04-27 12:50 . 2005-08-27 02:38 1,435,272 --a------ C:\WINDOWS\system32\Flash.ocx
2008-04-27 12:50 . 2003-11-19 13:59 512,688 --a------ C:\WINDOWS\system32\XceedCry.dll
2008-04-27 12:50 . 2004-05-11 09:56 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2008-04-27 12:50 . 2004-03-08 23:00 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2008-04-27 12:50 . 2000-07-15 05:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-04-27 12:50 . 2001-03-28 22:02 89,088 --a------ C:\WINDOWS\system32\ProgressBar4.ocx
2008-04-27 12:50 . 1999-01-26 19:36 11,012 --a------ C:\WINDOWS\system32\threadapi.tlb
2008-04-26 14:29 . 2008-04-30 14:23 109,793 --a------ C:\WINDOWS\BM63f23048.xml
2008-04-26 12:15 . 2008-04-26 12:15 25,088 --a------ C:\WINDOWS\system32\Partizan.exe
2008-04-26 08:37 . 2008-04-26 08:37 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\Webroot
2008-04-24 06:05 . 2008-04-24 06:05 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\Malwarebytes
2008-04-23 09:52 . 2008-04-23 09:52 <DIR> d-------- C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\Malwarebytes
2008-04-23 08:58 . 2006-08-21 01:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-23 08:58 . 2006-08-21 01:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-23 08:58 . 2006-08-21 04:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-23 08:10 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-23 08:05 . 2006-06-14 00:47 172,416 -----c--- C:\WINDOWS\system32\dllcache\kmixer.sys
2008-04-23 08:05 . 2006-06-14 01:00 82,944 -----c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-04-23 08:05 . 2006-06-14 00:47 6,400 -----c--- C:\WINDOWS\system32\dllcache\splitter.sys
2008-04-22 20:25 . 2008-04-22 20:25 0 --a------ C:\Documents and Settings\Administrator.YOUR-C8BH3JAGLT\regsvr32
2008-04-22 19:43 . 2008-04-22 19:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-22 17:58 . 2008-05-01 15:55 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-22 17:58 . 2008-04-22 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-22 17:58 . 2008-04-22 17:58 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-C8BH3JAGLT\Application Data\Malwarebytes
2008-04-22 06:44 . 2008-04-22 06:44 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\Sonic
2008-04-21 16:20 . 2008-04-21 16:20 30,946 --a------ C:\WINDOWS\system32\drivers\Partizan.sys
2008-04-21 12:35 . 2008-04-21 12:35 <DIR> d-------- C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\Sonic
2008-04-20 18:10 . 2008-04-22 19:41 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-C8BH3JAGLT\Application Data\Desktopicon
2008-04-18 09:25 . 2008-04-21 09:11 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\AdobeUM
2008-04-14 09:35 . 2008-04-14 09:35 <DIR> d-------- C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\DivX
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 23:55 --------- d-----w C:\Program Files\Unlocker
2008-05-01 23:55 --------- d-----w C:\Program Files\Lexmark X6100 Series
2008-05-01 23:55 --------- d-----w C:\Program Files\AIM
2008-04-21 20:35 --------- d-----w C:\Program Files\RecordNow!
2008-04-21 20:35 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-04-20 21:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-04-19 21:45 --------- d-----w C:\Program Files\Starcraft
2008-04-14 16:52 --------- d-----w C:\Program Files\Easy Internet signup
2008-04-13 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-05 21:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\ImgBurn
2008-04-05 18:53 --------- d-----w C:\Program Files\ImgBurn
2008-04-01 01:31 --------- d-----w C:\Documents and Settings\Christine.YOUR-C8BH3JAGLT\Application Data\AdobeUM
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-11 17:35 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-11 17:35 --------- d-----w C:\Program Files\Blaze Media Pro
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-21 18:31 13,195 ----a-w C:\Documents and Settings\Owner\zguicfgw.dat
2006-03-10 02:54 272 ----a-w C:\Documents and Settings\Owner\sfa2dat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-20 22:55 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Compaq Organize.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Compaq Organize.lnk
backup=C:\WINDOWS\pss\Compaq Organize.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=C:\WINDOWS\pss\IMStart.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\60c103d4]
C:\WINDOWS\system32\nhtnvkly.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-01-16 19:34 88363 C:\WINDOWS\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2008-04-20 16:41 67160 C:\Program Files\AIM\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brxv]
C:\Documents and Settings\Owner\My Documents\W?nSxS\m?iexec.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2003-08-15 00:59 70816 c:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-01-20 22:55 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 16:04 52736 c:\windows\system\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 21:32 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-01-16 19:16 229376 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 19:02 61440 C:\HP\KBD\KBD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X6100 Series]
--a------ 2008-01-08 14:40 57344 C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-02-12 13:12 59392 C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
--a------ 2003-08-15 18:24 124096 c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notn]
C:\WINDOWS\system32\SSTEM~1\services.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-02-11 20:08 455168 C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-02-11 20:08 455168 C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2003-09-12 19:13 98304 C:\WINDOWS\system32\ps2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule11]
C:\Program Files\QdrModule\QdrModule11.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack11]
C:\Program Files\QdrPack\QdrPack11.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-13 20:43 233472 C:\WINDOWS\SMINST\RECGUARD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-12-17 23:31 118784 C:\Windows\Creator\Remind_XP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-04-02 00:49 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-04-02 01:43 151597 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tndzcg]
C:\Program Files\Common Files\?racle\?canregw.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
C:\Program Files\Unlocker\UnlockerAssistant .exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2008-04-30 15:39 110592 c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2004-10-22 11:53 53248 C:\WINDOWS\system32\VTTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2008-04-21 16:20]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
"2008-04-30 02:45:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-14 16:52:24 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2008-04-26 04:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2004-04-03 08:05:51 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 16:38:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 32
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-01 17:12:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-02 01:11:32
ComboFix2.txt 2008-05-01 02:17:02
Pre-Run: 79,145,226,240 bytes free
Post-Run: 79,133,798,400 bytes free
207 --- E O F --- 2008-04-24 21:41:33
Hijackthis log when enabled all startups:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:10 PM, on 5/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant .exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [60c103d4] rundll32.exe "C:\WINDOWS\system32\nhtnvkly.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tndzcg] "C:\Program Files\Common Files\?racle\?canregw.exe"
O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe"
O4 - HKCU\..\Run: [QdrModule11] "C:\Program Files\QdrModule\QdrModule11.exe"
O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\system32\SSTEM~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Brxv] "C:\Documents and Settings\Owner\My Documents\W?nSxS\m?iexec.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1190412252843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1190412236609
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
--
End of file - 7070 bytes
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.166 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\system32\__c0086076.dat
C:\WINDOWS\system32\__c00B7BEF.dat
C:\WINDOWS\system32\__c00BC67B.dat
C:\WINDOWS\system32\nhtnvkly.dll
C:\WINDOWS\system32\vjpmdedr.dll
.
((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.
2008-04-28 19:49 . 2008-04-28 19:49 294 ---hs---- C:\WINDOWS\system32\chuibbgy.ini
2008-04-27 12:50 . 2005-08-27 02:38 1,435,272 --a------ C:\WINDOWS\system32\Flash.ocx
2008-04-27 12:50 . 2003-11-19 13:59 512,688 --a------ C:\WINDOWS\system32\XceedCry.dll
2008-04-27 12:50 . 2004-05-11 09:56 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2008-04-27 12:50 . 2004-03-08 23:00 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2008-04-27 12:50 . 2000-07-15 05:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-04-27 12:50 . 2001-03-28 22:02 89,088 --a------ C:\WINDOWS\system32\ProgressBar4.ocx
2008-04-27 12:50 . 1999-01-26 19:36 11,012 --a------ C:\WINDOWS\system32\threadapi.tlb
2008-04-26 14:29 . 2008-04-30 14:23 109,793 --a------ C:\WINDOWS\BM63f23048.xml
2008-04-26 12:15 . 2008-04-26 12:15 25,088 --a------ C:\WINDOWS\system32\Partizan.exe
2008-04-26 08:37 . 2008-04-26 08:37 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\Webroot
2008-04-24 06:05 . 2008-04-24 06:05 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\Malwarebytes
2008-04-23 09:52 . 2008-04-23 09:52 <DIR> d-------- C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\Malwarebytes
2008-04-23 08:58 . 2006-08-21 01:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-23 08:58 . 2006-08-21 01:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-23 08:58 . 2006-08-21 04:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-23 08:10 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-23 08:05 . 2006-06-14 00:47 172,416 -----c--- C:\WINDOWS\system32\dllcache\kmixer.sys
2008-04-23 08:05 . 2006-06-14 01:00 82,944 -----c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-04-23 08:05 . 2006-06-14 00:47 6,400 -----c--- C:\WINDOWS\system32\dllcache\splitter.sys
2008-04-22 20:25 . 2008-04-22 20:25 0 --a------ C:\Documents and Settings\Administrator.YOUR-C8BH3JAGLT\regsvr32
2008-04-22 19:43 . 2008-04-22 19:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-22 17:58 . 2008-05-01 15:55 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-22 17:58 . 2008-04-22 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-22 17:58 . 2008-04-22 17:58 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-C8BH3JAGLT\Application Data\Malwarebytes
2008-04-22 06:44 . 2008-04-22 06:44 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\Sonic
2008-04-21 16:20 . 2008-04-21 16:20 30,946 --a------ C:\WINDOWS\system32\drivers\Partizan.sys
2008-04-21 12:35 . 2008-04-21 12:35 <DIR> d-------- C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\Sonic
2008-04-20 18:10 . 2008-04-22 19:41 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-C8BH3JAGLT\Application Data\Desktopicon
2008-04-18 09:25 . 2008-04-21 09:11 <DIR> d-------- C:\Documents and Settings\Mei-Ling.YOUR-C8BH3JAGLT\Application Data\AdobeUM
2008-04-14 09:35 . 2008-04-14 09:35 <DIR> d-------- C:\Documents and Settings\Chih-Pin.YOUR-C8BH3JAGLT\Application Data\DivX
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 23:55 --------- d-----w C:\Program Files\Unlocker
2008-05-01 23:55 --------- d-----w C:\Program Files\Lexmark X6100 Series
2008-05-01 23:55 --------- d-----w C:\Program Files\AIM
2008-04-21 20:35 --------- d-----w C:\Program Files\RecordNow!
2008-04-21 20:35 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-04-20 21:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-04-19 21:45 --------- d-----w C:\Program Files\Starcraft
2008-04-14 16:52 --------- d-----w C:\Program Files\Easy Internet signup
2008-04-13 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-05 21:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\ImgBurn
2008-04-05 18:53 --------- d-----w C:\Program Files\ImgBurn
2008-04-01 01:31 --------- d-----w C:\Documents and Settings\Christine.YOUR-C8BH3JAGLT\Application Data\AdobeUM
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-11 17:35 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-11 17:35 --------- d-----w C:\Program Files\Blaze Media Pro
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-21 18:31 13,195 ----a-w C:\Documents and Settings\Owner\zguicfgw.dat
2006-03-10 02:54 272 ----a-w C:\Documents and Settings\Owner\sfa2dat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-20 22:55 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Compaq Organize.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Compaq Organize.lnk
backup=C:\WINDOWS\pss\Compaq Organize.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=C:\WINDOWS\pss\IMStart.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\60c103d4]
C:\WINDOWS\system32\nhtnvkly.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-01-16 19:34 88363 C:\WINDOWS\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2008-04-20 16:41 67160 C:\Program Files\AIM\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brxv]
C:\Documents and Settings\Owner\My Documents\W?nSxS\m?iexec.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2003-08-15 00:59 70816 c:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-01-20 22:55 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 16:04 52736 c:\windows\system\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 21:32 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-01-16 19:16 229376 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 19:02 61440 C:\HP\KBD\KBD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X6100 Series]
--a------ 2008-01-08 14:40 57344 C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-02-12 13:12 59392 C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
--a------ 2003-08-15 18:24 124096 c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notn]
C:\WINDOWS\system32\SSTEM~1\services.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-02-11 20:08 455168 C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-02-11 20:08 455168 C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2003-09-12 19:13 98304 C:\WINDOWS\system32\ps2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule11]
C:\Program Files\QdrModule\QdrModule11.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack11]
C:\Program Files\QdrPack\QdrPack11.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-13 20:43 233472 C:\WINDOWS\SMINST\RECGUARD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-12-17 23:31 118784 C:\Windows\Creator\Remind_XP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-04-02 00:49 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-04-02 01:43 151597 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tndzcg]
C:\Program Files\Common Files\?racle\?canregw.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
C:\Program Files\Unlocker\UnlockerAssistant .exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2008-04-30 15:39 110592 c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2004-10-22 11:53 53248 C:\WINDOWS\system32\VTTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2008-04-21 16:20]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
"2008-04-30 02:45:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-14 16:52:24 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2008-04-26 04:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2004-04-03 08:05:51 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 16:38:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 32
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-01 17:12:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-02 01:11:32
ComboFix2.txt 2008-05-01 02:17:02
Pre-Run: 79,145,226,240 bytes free
Post-Run: 79,133,798,400 bytes free
207 --- E O F --- 2008-04-24 21:41:33
Hijackthis log when enabled all startups:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:10 PM, on 5/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant .exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [60c103d4] rundll32.exe "C:\WINDOWS\system32\nhtnvkly.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tndzcg] "C:\Program Files\Common Files\?racle\?canregw.exe"
O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe"
O4 - HKCU\..\Run: [QdrModule11] "C:\Program Files\QdrModule\QdrModule11.exe"
O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\system32\SSTEM~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Brxv] "C:\Documents and Settings\Owner\My Documents\W?nSxS\m?iexec.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1190412252843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1190412236609
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
--
End of file - 7070 bytes
•
•
Join Date: Feb 2004
Posts: 10,018
Reputation:
Solved Threads: 759
Can you please do the following.
===============
Scan with HijackThis and then place a check next to all the following, if present:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [60c103d4] rundll32.exe "C:\WINDOWS\system32\nhtnvkly.dll",b
O4 - HKCU\..\Run: [Tndzcg] "C:\Program Files\Common Files\?racle\?canregw.exe"
O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\system32\SSTEM~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [Brxv] "C:\Documents and Settings\Owner\My Documents\W?nSxS\m?iexec.exe"
O4 - Startup: Compaq Organize.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe
Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:
folders...
C:\WINDOWS\system32\SSTEM~1
C:\Program Files\AIM
files...
C:\WINDOWS\system32\nhtnvkly.dll
Search for...
ALCXMNTR.EXE
...using "Start | Search...".
-
Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:
-
Reboot.
===============
After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
===============
Scan with HijackThis and then place a check next to all the following, if present:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [60c103d4] rundll32.exe "C:\WINDOWS\system32\nhtnvkly.dll",b
O4 - HKCU\..\Run: [Tndzcg] "C:\Program Files\Common Files\?racle\?canregw.exe"
O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\system32\SSTEM~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [Brxv] "C:\Documents and Settings\Owner\My Documents\W?nSxS\m?iexec.exe"
O4 - Startup: Compaq Organize.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe
Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:
folders...
C:\WINDOWS\system32\SSTEM~1
C:\Program Files\AIM
files...
C:\WINDOWS\system32\nhtnvkly.dll
Search for...
ALCXMNTR.EXE
...using "Start | Search...".
-
Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear.
-
Reboot.
===============
After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
|
Similar Threads
- someone please HELP!!!! me spyware trouble (Viruses, Spyware and other Nasties)
- .EXE, .ZIP, .RAR won't open. (Viruses, Spyware and other Nasties)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: sudden change to windows theme and infection messages
- Next Thread: trojan horse Downloader.UHT
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest Viruses, Spyware and other Nasties Posts
adware anti-malware anti-virussitesaccessissue antivirus apple attack avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial commercials conficker connect control crosssitescripting cyber cybercrime cyberwarfare ddos e-mafia education email europe exam exploit fake fancheckvirus gaming gtaiv gumblar halloween herss.exe hijack hosting internet iphone kaspersky legal logfiles mail malware mcafee messagelabs microsoft mobile msn nazi news obama onlinethreats paedophile parents patch phishing police policeprovirusmba-mblockedinternetaccess president pro problem redirect reliability report research risk rogueantivirus samhain sans scareware school search security seopoisoning sites software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen translate trojan unabletoaccessanti-virussites unwanted update usa virus viruses vista war windows worm yahoo zeroday
