
Greetings Everyone,
I am so glad I found this website; everyone seems very helpful and kind. 2 days ago I got a trojan/something that I thought Norton 2008 Internet Security cleaned. Guess not. After 2 days of cleaning... here's where I am.

explorer.exe keeps restarting and stopping about 20 times, then never tries to load again. If I try to manually load it, it does the same thing over and over. Also I see imapi.exe do the same thing at the same time.

I have to use Task Manager > Run to do anything.

******* Here are the steps I have taken
1. Ran Spybot S&D
2. Ran Lavasoft Ad-Aware
3. Ran Kaspersky Online Scan (have log); won't fix errors because it was a FREE scan
4. Ran ATF temp cleaner
5. Ran CCleaner
6. Ran Registry Mechanic
---- even restored an older registry from a month ago
7. Turned off System Restore
8. Ran Msconfig, turned off everything unneeded for startup
9. Ran cmd prompt > sfc /scannow with original XP disk (it replaced a bunch of DLLs)
10. Ran Windows Disk Cleanup
11. Tried all of this in SAFE MODE also
11.5 I uninstalled Norton Internet Security and installed AVG Free
12. Ran AVG virus and adware scan, deleted and fixed all
13. Every program I ran found something different, and I cleaned them all and deleted all files.
14. Finally found this website and ran HIJACKTHIS.... SAFE MODE does the same thing with explorer.exe

So if anyone can assist me in deciphering this log file, I am pretty new at this. As descriptive as you can would be awesome.

***************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:10 PM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\jf8ukmxv.slt\prefs.js)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97F96CB6-B9BC-4670-B26F-DA9EB52577FE}: NameServer = 68.10.16.25,68.10.16.30
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Lexswf - Lexmark International, Inc. - (no file)
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8298 bytes
************************************************************************

Thank you so much in advance.
Kevin
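The HijackThis log in the post above shows nothing obviously malicious, which is the usual reason these threads move on to ComboFix. The indicators only surface in the ComboFix output later in the thread: a file named `lexpps .exe` (space before the extension) beside the legitimate Lexmark binary, `C:\WINDOWS\Fonts\svchost.exe`, an `opnnopo.dll` Winlogon Notify entry, and startup items that Kevin had already disabled through Msconfig, which HijackThis does not list under O4 at all. The script below is an added example written for this page, not code from HijackThis, ComboFix or Daniweb. It encodes those triage heuristics and runs them over HijackThis-style lines. The lines marked "(thread)" in `SAMPLE_LOG` are copied from the logs in this thread; the ones marked "(constructed)" were written in O4/O20/O23 form from entries ComboFix reported, so they are assumptions about how HijackThis would have shown them had they still been enabled.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example for this thread, not code from HijackThis or ComboFix.
It encodes the patterns that made the logs in the thread suspicious:
  * an entry whose target file is gone ("(no file)")
  * a space smuggled in before the extension ("lexpps .exe", "ctfmon .exe")
  * a well-known system binary name living outside its real directory
    (C:\\WINDOWS\\Fonts\\svchost.exe)
  * anything starting from a temp or fonts directory, or from a drive root
  * every Winlogon Notify DLL, which always deserves a manual look
"""
import re
from dataclasses import dataclass

# First Windows path on a line, stopped at the first executable extension so
# that trailing arguments and res://...dll/page.html suffixes are not swallowed.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|bat)\b", re.IGNORECASE)

# Where these binaries legitimately live on Windows XP (lower-cased).
HOME_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Directory fragments from which nothing should autostart.
BAD_DIRS = ("\\temp\\", "\\fonts\\", "\\temporary internet files\\")

# Sample input. (thread) = copied from the HijackThis log in this thread;
# (constructed) = written for this example from entries ComboFix reported.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Lexswf - Lexmark International, Inc. - (no file)
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [Load] C:\WINDOWS\system32\gebyy.exe
O4 - HKLM\..\Run: [lexpps] C:\WINDOWS\system32\lexpps .exe
O4 - HKLM\..\Run: [n] C:\n.bat
O20 - Winlogon Notify: opnnopo - C:\WINDOWS\system32\opnnopo.dll
O23 - Service: CrystalCpuInfo - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CpuInfo.sys
"""
# The first two, LEXBCES.EXE and the Toolbar/Lexswf lines are (thread); the
# rest are (constructed) from ComboFix's msconfig, winlogon\notify and driver
# sections, where HijackThis would not have listed them.


@dataclass
class Finding:
    line: str
    reasons: list


def check_line(line):
    """Return the reasons one log line looks suspicious (empty list if none)."""
    text = line.strip()
    reasons = []
    if "(no file)" in text:
        reasons.append("entry points at a file that no longer exists")
    if text.startswith("O20 - Winlogon Notify"):
        reasons.append("Winlogon Notify DLL is loaded into winlogon.exe; verify it")
    m = PATH_RE.search(text)
    if m is None:
        return reasons
    directory, _, base = m.group(0).lower().rpartition("\\")
    if re.search(r"\s\.(exe|dll|sys|bat)$", base):
        reasons.append("whitespace before the extension, mimicking a legitimate name")
    home = HOME_DIR.get(base.replace(" ", ""))
    if home is not None and directory != home:
        reasons.append(f"{base} found outside its home directory {home}")
    if len(directory) == 2:  # e.g. "c:" -> the file sits in the drive root
        reasons.append("starts from the root of the drive")
    if any(bad in directory + "\\" for bad in BAD_DIRS):
        reasons.append(f"starts from an unusual location {directory}")
    return reasons


def triage(log_text):
    """Run check_line over a whole log; return only the lines with findings."""
    hits = []
    for line in log_text.splitlines():
        reasons = check_line(line)
        if reasons:
            hits.append(Finding(line.strip(), reasons))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit.line)
        for reason in hit.reasons:
            print("    ->", reason)
```

Run against `SAMPLE_LOG` it flags seven lines: the two `(no file)` leftovers, the svchost.exe copy in `Fonts`, `lexpps .exe`, `C:\n.bat`, the Winlogon Notify DLL and the driver loading from a Temp directory. Note what it does not flag: `C:\WINDOWS\system32\gebyy.exe`, the file ComboFix actually deleted, has a plausible location and a name no rule matches. Path and name heuristics catch sloppy masquerading, but an unknown binary in `system32` still needs a publisher check or a hash lookup, which is the part of this triage that stays manual.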


214 views, and no one can assist me in any way?

Please help, this is my home computer with all my personal pictures, finance records and everything.

Kevin


Not seeing anything in that log and not promising that we can get you up and running again, but let's give it a crack :).
Welcome to Daniweb :).

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Thank you so much for your time and help. What you had me do seems to have worked!! I am up and running with my desktop intact, and explorer.exe running. But I was hoping to continue with what you said just to make sure there isn't anything else.

**************************************************************************
ComboFix 07-12-21.4 - Administrator 2007-12-24 12:51:39.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2606 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.


C:\Program Files\Temporary
C:\Temp\bkR11
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\yybeg.ini
C:\WINDOWS\system32\yybeg.ini2
C:\x.dat
C:\z.dat


.
(((((((((((((((((((((((((   Files Created from 2007-11-24 to 2007-12-24  )))))))))))))))))))))))))))))))
.


2007-12-23 23:41 . 2007-12-23 23:41 <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2007-12-23 23:39 . 2007-12-24 12:42 <DIR>    d--------   C:\Program Files\TrojanHunter 5.0
2007-12-23 23:22 . 2007-12-23 23:24 <DIR>    d--------   C:\I386
2007-12-23 15:52 . 2007-12-23 15:52 <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-23 15:52 . 2007-05-30 07:10 10,872  --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-23 11:59 . 2007-12-23 11:59 <DIR>    d--------   C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-23 11:56 . 2007-12-23 11:56 <DIR>    d--------   C:\Documents and Settings\NetworkService\Application Data\AVG7
2007-12-23 11:56 . 2007-12-23 12:30 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-23 11:56 . 2007-12-23 12:42 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\avg7
2007-12-23 11:56 . 2007-12-23 22:20 <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\AVG7
2007-12-23 03:54 . 2007-12-23 03:54 <DIR>    d--------   C:\Program Files\Lavasoft
2007-12-23 03:54 . 2007-12-23 03:54 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-23 03:13 . 2007-12-23 22:05 <DIR>    d--------   C:\VIRUS TEMP
2007-12-22 23:41 . 2007-06-05 10:56 44,928  --a------   C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-22 23:39 . 2007-06-08 09:44 8,576   --a------   C:\WINDOWS\system32\drivers\cpprconukdab.sys
2007-12-22 22:57 . 2007-12-22 23:39 <DIR>    d--------   C:\WINDOWS\system32\ActiveScan
2007-12-22 22:57 . 2007-12-22 23:37 30,590  --a------   C:\WINDOWS\system32\pavas.ico
2007-12-22 22:57 . 2007-12-22 23:37 2,550   --a------   C:\WINDOWS\system32\Uninstall.ico
2007-12-22 22:57 . 2007-12-22 23:37 1,406   --a------   C:\WINDOWS\system32\Help.ico
2007-12-22 22:52 . 2007-12-22 22:52 <DIR>    d--------   C:\WINDOWS\system32\Kaspersky Lab
2007-12-22 22:52 . 2007-12-22 22:52 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-22 14:56 . 2007-12-23 11:47 174,592 --a------   C:\WINDOWS\system32\lexpps .exe
2007-12-22 14:20 . 2001-08-17 13:28 794,654 --a--c---   C:\WINDOWS\system32\dllcache\usr1801.sys
2007-12-22 14:19 . 2001-08-17 12:18 285,760 --a--c---   C:\WINDOWS\system32\dllcache\stlnata.sys
2007-12-22 14:18 . 2001-08-17 22:36 386,560 --a--c---   C:\WINDOWS\system32\dllcache\sgiul50.dll
2007-12-22 14:17 . 2001-08-17 14:56 245,632 --a--c---   C:\WINDOWS\system32\dllcache\s3savmx.dll
2007-12-22 14:16 . 2001-08-17 13:28 899,146 --a--c---   C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2007-12-22 14:15 . 2001-08-17 14:05 351,616 --a--c---   C:\WINDOWS\system32\dllcache\ovcodek2.sys
2007-12-22 14:14 . 2001-08-17 13:28 802,683 --a--c---   C:\WINDOWS\system32\dllcache\ltsm.sys
2007-12-22 14:13 . 2004-08-04 02:56 702,845 --a--c---   C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2007-12-22 14:12 . 2001-08-17 14:56 1,733,120   --a--c---   C:\WINDOWS\system32\dllcache\g400d.dll
2007-12-22 14:11 . 2001-08-17 12:14 952,007 --a--c---   C:\WINDOWS\system32\dllcache\diwan.sys
2007-12-22 14:10 . 2001-08-17 12:13 980,034 --a--c---   C:\WINDOWS\system32\dllcache\cicap.sys
2007-12-22 14:09 . 2001-08-17 13:28 871,388 --a--c---   C:\WINDOWS\system32\dllcache\bcmdm.sys
2007-12-22 12:48 . 2001-08-17 14:07 56,960  --a--c---   C:\WINDOWS\system32\dllcache\aic78xx.sys
2007-12-22 12:48 . 2001-08-17 14:07 55,168  --a--c---   C:\WINDOWS\system32\dllcache\aic78u2.sys
2007-12-22 12:48 . 2004-08-04 00:31 36,224  --a--c---   C:\WINDOWS\system32\dllcache\an983.sys
2007-12-22 12:48 . 2001-08-17 12:11 27,678  --a--c---   C:\WINDOWS\system32\dllcache\ali5261.sys
2007-12-22 12:48 . 2001-08-17 13:49 26,624  --a--c---   C:\WINDOWS\system32\dllcache\alifir.sys
2007-12-22 12:48 . 2001-08-17 12:11 16,969  --a--c---   C:\WINDOWS\system32\dllcache\amb8002.sys
2007-12-22 12:48 . 2001-08-17 13:52 12,800  --a--c---   C:\WINDOWS\system32\dllcache\aha154x.sys
2007-12-22 12:48 . 2001-08-17 13:52 12,032  --a--c---   C:\WINDOWS\system32\dllcache\amsint.sys
2007-12-22 12:48 . 2001-08-17 13:47 6,272   --a--c---   C:\WINDOWS\system32\dllcache\apmbatt.sys
2007-12-22 12:48 . 2001-08-17 13:51 5,248   --a--c---   C:\WINDOWS\system32\dllcache\aliide.sys
2007-12-22 12:45 . 2001-08-17 13:28 762,780 --a--c---   C:\WINDOWS\system32\dllcache\3cwmcru.sys
2007-12-22 12:45 . 2001-08-17 14:55 689,216 --a--c---   C:\WINDOWS\system32\dllcache\3dfxvs.dll
2007-12-22 12:45 . 2001-08-17 22:36 462,848 --a--c---   C:\WINDOWS\system32\dllcache\a3dapi.dll
2007-12-22 12:45 . 2001-08-17 12:48 148,352 --a--c---   C:\WINDOWS\system32\dllcache\3dfxvsm.sys
2007-12-22 12:45 . 2001-08-17 14:56 66,048  --a--c---   C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-12-22 12:45 . 2004-08-04 01:10 53,248  --a--c---   C:\WINDOWS\system32\dllcache\1394bus.sys
2007-12-22 12:45 . 2004-08-04 01:10 48,128  --a--c---   C:\WINDOWS\system32\dllcache\61883.sys
2007-12-22 12:45 . 2001-08-17 14:55 38,400  --a--c---   C:\WINDOWS\system32\dllcache\8514a.dll
2007-12-22 12:45 . 2004-08-04 01:00 12,288  --a--c---   C:\WINDOWS\system32\dllcache\4mmdat.sys
2007-12-22 12:45 . 2001-08-17 14:06 11,264  --a--c---   C:\WINDOWS\system32\dllcache\1394vdbg.sys
2007-12-22 03:36 . 2007-12-22 14:56 15,360  --a------   C:\WINDOWS\system32\ctfmon .exe
2007-12-22 02:52 . 2007-12-23 00:06 337,920 --a------   C:\WINDOWS\system32\gebyy.exe
2007-12-22 02:51 . 2007-12-22 02:51 147,456 --a------   C:\WINDOWS\system32\vbzip10.dll
2007-12-22 02:48 . 2007-12-22 02:48 134 --a------   C:\n.bat
2007-12-22 02:47 . 2007-12-22 18:40 <DIR>    d--------   C:\WINDOWS\system32\daSgo05
2007-12-22 02:45 . 2007-12-22 02:46 <DIR>    d-a------   C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-22 02:29 . 2007-12-22 23:37 <DIR>    d--------   C:\Program Files\MagicISO
2007-12-22 02:20 . 2007-12-22 02:55 <DIR>    d--------   C:\Incomplete
2007-12-22 02:20 . 2007-12-22 02:20 <DIR>    d--------   C:\Documents and Settings\Administrator\Incomplete
2007-12-22 02:20 . 2007-12-22 02:51 <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\LimeWire
2007-12-22 01:57 . 2007-12-23 03:44 <DIR>    d--------   C:\Program Files\Symantec
2007-12-22 01:57 . 2007-12-23 03:44 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-21 17:51 . 2007-12-21 17:52 91  --a------   C:\WINDOWS\system32\NemuAudio.ini
2007-12-21 17:51 . 2007-12-21 17:52 65  --a------   C:\WINDOWS\system32\NemuVideo.ini
2007-12-20 16:35 . 2007-12-20 16:40 <DIR>    d--------   C:\Program Files\CamStudio
2007-12-14 15:44 . 2007-12-14 15:44 <DIR>    d--------   C:\Program Files\Maxis
2007-12-11 20:56 . 2007-12-11 21:02 <DIR>    d--------   C:\WINDOWS\.jagex_cache_32
2007-12-02 22:22 . 2007-12-02 22:22 552 --a------   C:\WINDOWS\system32\d3d8caps.dat
2007-11-29 01:12 . 2007-12-17 11:07 54,156  --ah-----   C:\WINDOWS\QTFont.qfn
2007-11-29 01:12 . 2007-11-29 01:12 1,409   --a------   C:\WINDOWS\QTFont.for


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-24 04:00    ---------   d-----w C:\Program Files\Mozilla Thunderbird
2007-12-23 19:24    ---------   d-----w C:\Program Files\QuickTime
2007-12-23 19:24    ---------   d-----w C:\Program Files\PowerISO
2007-12-23 19:24    ---------   d-----w C:\Program Files\Microsoft IntelliPoint
2007-12-23 17:06    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-23 08:54    ---------   d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-23 08:53    ---------   d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-23 04:39    ---------   d-----w C:\Program Files\Bonjour
2007-12-23 04:37    ---------   d-----w C:\Program Files\7-Zip
2007-12-22 07:00    ---------   d-----w C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-21 03:57    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2007-12-18 22:42    ---------   d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-16 17:13    ---------   d-----w C:\Program Files\FlashFXP
2007-11-25 08:01    ---------   d-----w C:\Program Files\City of Heroes
2007-11-13 10:25    20,480  ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 03:42    ---------   d-----w C:\Program Files\Serv-U
2007-11-05 04:57    ---------   d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2007-11-05 04:56    ---------   d-----w C:\Program Files\SlySoft
2007-11-01 23:57    ---------   d-----w C:\Program Files\AGEIA Technologies
2007-11-01 23:55    ---------   d-----w C:\Program Files\Sony
2007-11-01 23:55    ---------   d-----w C:\Program Files\Flying Lab Software
2007-10-26 21:54    ---------   d-----w C:\Program Files\Three Rings Design
2007-08-23 03:44    32  ----a-r C:\Documents and Settings\All Users\hash.dat
2007-04-12 23:26    92,064  ----a-w C:\Documents and Settings\Administrator\mqdmmdm.sys
2007-04-12 23:26    9,232   ----a-w C:\Documents and Settings\Administrator\mqdmmdfl.sys
2007-04-12 23:26    79,328  ----a-w C:\Documents and Settings\Administrator\mqdmserd.sys
2007-04-12 23:26    66,656  ----a-w C:\Documents and Settings\Administrator\mqdmbus.sys
2007-04-12 23:26    6,208   ----a-w C:\Documents and Settings\Administrator\mqdmcmnt.sys
2007-04-12 23:26    5,936   ----a-w C:\Documents and Settings\Administrator\mqdmwhnt.sys
2007-04-12 23:26    4,048   ----a-w C:\Documents and Settings\Administrator\mqdmcr.sys
2007-04-12 23:26    25,600  ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2007-04-12 23:26    22,768  ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2002-07-26 23:02    153,088 ----a-w C:\Program Files\UNWISE.EXE
2001-09-01 23:55    263,428 ----a-w C:\Program Files\mp_pak4.pk3
2006-08-08 22:18    12,208  --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-12-24 12:42]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-23 11:56]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 C:\WINDOWS\system32\narrator.exe]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnopo]
opnnopo.dll


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FRUpdate]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
C:\WINDOWS\Fonts\svchost.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
2007-12-23 00:06    337920  --a------   C:\WINDOWS\system32\gebyy.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
C:\Program Files\Logitech\ImageStudio\ISStart.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
C:\Program Files\Logitech\ImageStudio\LogiTray.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
C:\WINDOWS\system32\\PSDrvCheck.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe  -osboot


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB2Check]
RUNDLL32.EXE C:\WINDOWS\system32\PCLECoInst.dll,CheckUSBController


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]
C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USIUDF_Eject_Monitor]
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)


R1 XPROTECTOR;XPROTECTOR;C:\WINDOWS\system32\drivers\Oreans.sys [2006-05-13 11:44]
S3 CrystalCpuInfo;CrystalCpuInfo;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CpuInfo.sys []
S3 Fadpu16E;Fadpu16E;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Fadpu16E.sys []
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
S3 SaiHFF0C;SaiHFF0C;C:\WINDOWS\system32\DRIVERS\SaiHFF0C.sys [2004-06-11 04:59]
S3 SaiUFF0C;SaiUFF0C;C:\WINDOWS\system32\DRIVERS\SaiUFF0C.sys [2004-06-11 04:59]
S3 SDTHOOK;SDTHOOK;C:\WINDOWS\system32\DRIVERS\SDTHOOK.sys [2007-06-05 10:56]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys []


.
**************************************************************************


catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 12:58:39
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************
.
Completion time: 2007-12-24 12:59:48 - machine was rebooted
.
2007-12-24 04:00:57 --- E O F ---
**************************************************************************


Here is the HijackThis log:


*************************************************************************
*************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:04:24 PM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\jf8ukmxv.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97F96CB6-B9BC-4670-B26F-DA9EB52577FE}: NameServer = 68.10.16.25,68.10.16.30
O20 - Winlogon Notify: opnnopo - opnnopo.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Lexswf - Lexmark International, Inc. - (no file)
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


--
End of file - 8789 bytes

I wish I understood this... 'cause what is FLEXnet Macrovision, and also the extra button lines?

Edited by happygeek: fixed formatting
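As an added illustration (not part of this thread, and not HijackThis's own code), the Python below does a first-pass triage of HijackThis lines of the kinds seen in the log above. It uses HijackThis's own section numbering (O9 lines are Internet Explorer "extra button" and Tools-menu items, O20 lines are Winlogon Notify DLLs, F3 is a win.ini load=/run= entry, O17 is the DNS server configured on an adapter) and flags three things a reviewer looks for: entries whose target file is already gone, autostart locations that are commonly abused for persistence, and DNS servers to confirm against the ISP. The sample lines are copied from the log in this post; nothing is fabricated.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{97F96CB6-B9BC-4670-B26F-DA9EB52577FE}: NameServer = 68.10.16.25,68.10.16.30
O20 - Winlogon Notify: opnnopo - opnnopo.dll (file missing)
O23 - Service: Lexswf - Lexmark International, Inc. - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\gebyy.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<rest>.+)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Meaning of each HijackThis section prefix (the subset that occurs in this thread).
KINDS = {
    "R0": "IE start/search page",
    "R1": "IE default page or proxy setting",
    "F3": "win.ini load=/run= entry (legacy autostart, registry-mapped on NT)",
    "O2": "Browser Helper Object loaded into IE",
    "O3": "IE toolbar",
    "O4": "autostart from a Run/RunOnce key",
    "O8": "IE context-menu item",
    "O9": "IE extra button / Tools-menu item",
    "O16": "downloaded ActiveX control (DPF)",
    "O17": "DNS NameServer for a network adapter",
    "O20": "Winlogon Notify DLL (loaded by winlogon.exe on logon events)",
    "O23": "Windows service",
}


@dataclass
class Finding:
    kind: str
    severity: str   # "fix" (orphaned), "review" (needs a human), or "info"
    reason: str
    line: str


def triage_line(line):
    """Classify one HijackThis line; returns None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    what = KINDS.get(kind, "unknown section")
    # The registry still references a file that is no longer on disk:
    # harmless by itself, but leftover pointers are what the helper asked to fix.
    if "(file missing)" in rest or "(no file)" in rest:
        return Finding(kind, "fix", f"{what}: orphaned, target file is gone", line)
    if kind == "O20":
        return Finding(kind, "review", f"{what}: frequently abused for persistence", line)
    if kind == "F3" and "load=" in rest:
        return Finding(kind, "review", f"{what}: legitimate software rarely uses load=", line)
    if kind == "O17":
        ips = ", ".join(IP_RE.findall(rest))
        return Finding(kind, "review", f"{what}: confirm {ips} belong to your ISP", line)
    return Finding(kind, "info", what, line)


def triage_log(text):
    """Triage every entry line in a HijackThis log."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def by_severity(findings):
    """Count findings per severity, e.g. {'fix': 3, 'review': 2, 'info': 3}."""
    counts = {"fix": 0, "review": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:4} {f.reason}")
```

Run as-is it prints one classified line per entry; the "fix" rows are exactly the two items the helper's reply singles out plus the orphaned Lexmark service, and the F3 line shows the win.ini load= pointer to gebyy.exe that ComboFix later removes.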

0

I spoke too soon. Upon reboot after Combofix.exe, it works and the desktop stays. I uninstalled a few things that were obviously not working because I installed them while it was screwing up. I uninstalled all the AVG stuff and Trojan Hunter and all that stuff. Upon reboot, it goes back to the same thing, but if I run combofix.exe again, it will work until I do something like install or uninstall.

1

Merry Christmas :).
Please enable all startups in msconfig and apply settings but do not reboot. When you have done the following, you can change back the settings.

A. Please RUN HijackThis

  1. Click the SCAN button to produce a log.
  2. Place a check mark beside each one of the following items:

    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

    O20 - Winlogon Notify: opnnopo - opnnopo.dll (file missing)

  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

B. 1. Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\gebyy.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1188.exe
Folder::
C:\Program Files\WinAble

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Animation: http://i5.photobucket.com/albums/y153/crunchie1/CFScript.gif


7. After reboot (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix, then post the following reports/logs in your next reply:

  • Combofix.txt
  • A new HijackThis log.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Votes + Comments
Nice detail, and merry xmas!
0

Merry Christmas and Happy New Year!
thanks so much for continuing to help me!
ok i did exactly as you said.

Here are the new logs for both.
I am doing all of this by "task manager>run" because I have no desktop!! haha. After I run Combofix, it seems to be fine until I start uninstalling, installing or messing with Firefox (profile corrupt and hacked?). I am now using IE Explorer for the first time. Also there were a couple of errors while running Combofix... something like "Can't blah blah because process is in use?" and "can't do this and that because directory doesn't exist" on one of the files.....

****************************************************************************
ComboFix 07-12-21.4 - Administrator 2007-12-24 18:58:16.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2616 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point


FILE
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\gebyy.exe
.


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.


C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\gebyy.exe
C:\WINDOWS\system32\yybeg.ini
C:\WINDOWS\system32\yybeg.ini2


.
(((((((((((((((((((((((((   Files Created from 2007-11-25 to 2007-12-25  )))))))))))))))))))))))))))))))
.


2007-12-24 14:09 . 2007-12-24 14:09 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-23 23:41 . 2007-12-23 23:41 <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2007-12-23 23:39 . 2007-12-24 14:17 <DIR>    d--------   C:\Program Files\TrojanHunter 5.0
2007-12-23 23:22 . 2007-12-23 23:24 <DIR>    d--------   C:\I386
2007-12-23 11:56 . 2007-12-24 14:09 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-23 03:54 . 2007-12-23 03:54 <DIR>    d--------   C:\Program Files\Lavasoft
2007-12-23 03:13 . 2007-12-23 22:05 <DIR>    d--------   C:\VIRUS TEMP
2007-12-22 23:41 . 2007-06-05 10:56 44,928  --a------   C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-22 23:39 . 2007-06-08 09:44 8,576   --a------   C:\WINDOWS\system32\drivers\cpprconukdab.sys
2007-12-22 22:57 . 2007-12-22 23:37 2,550   --a------   C:\WINDOWS\system32\Uninstall.ico
2007-12-22 22:57 . 2007-12-22 23:37 1,406   --a------   C:\WINDOWS\system32\Help.ico
2007-12-22 22:52 . 2007-12-22 22:52 <DIR>    d--------   C:\WINDOWS\system32\Kaspersky Lab
2007-12-22 14:56 . 2007-12-23 11:47 174,592 --a------   C:\WINDOWS\system32\lexpps .exe
2007-12-22 14:20 . 2001-08-17 13:28 794,654 --a--c---   C:\WINDOWS\system32\dllcache\usr1801.sys
2007-12-22 14:19 . 2001-08-17 12:18 285,760 --a--c---   C:\WINDOWS\system32\dllcache\stlnata.sys
2007-12-22 14:18 . 2001-08-17 22:36 386,560 --a--c---   C:\WINDOWS\system32\dllcache\sgiul50.dll
2007-12-22 14:17 . 2001-08-17 14:56 245,632 --a--c---   C:\WINDOWS\system32\dllcache\s3savmx.dll
2007-12-22 14:16 . 2001-08-17 13:28 899,146 --a--c---   C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2007-12-22 14:15 . 2001-08-17 14:05 351,616 --a--c---   C:\WINDOWS\system32\dllcache\ovcodek2.sys
2007-12-22 14:14 . 2001-08-17 13:28 802,683 --a--c---   C:\WINDOWS\system32\dllcache\ltsm.sys
2007-12-22 14:13 . 2004-08-04 02:56 702,845 --a--c---   C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2007-12-22 14:12 . 2001-08-17 14:56 1,733,120   --a--c---   C:\WINDOWS\system32\dllcache\g400d.dll
2007-12-22 14:11 . 2001-08-17 12:14 952,007 --a--c---   C:\WINDOWS\system32\dllcache\diwan.sys
2007-12-22 14:10 . 2001-08-17 12:13 980,034 --a--c---   C:\WINDOWS\system32\dllcache\cicap.sys
2007-12-22 14:09 . 2001-08-17 13:28 871,388 --a--c---   C:\WINDOWS\system32\dllcache\bcmdm.sys
2007-12-22 12:48 . 2001-08-17 14:07 56,960  --a--c---   C:\WINDOWS\system32\dllcache\aic78xx.sys
2007-12-22 12:48 . 2001-08-17 14:07 55,168  --a--c---   C:\WINDOWS\system32\dllcache\aic78u2.sys
2007-12-22 12:48 . 2004-08-04 00:31 36,224  --a--c---   C:\WINDOWS\system32\dllcache\an983.sys
2007-12-22 12:48 . 2001-08-17 12:11 27,678  --a--c---   C:\WINDOWS\system32\dllcache\ali5261.sys
2007-12-22 12:48 . 2001-08-17 13:49 26,624  --a--c---   C:\WINDOWS\system32\dllcache\alifir.sys
2007-12-22 12:48 . 2001-08-17 12:11 16,969  --a--c---   C:\WINDOWS\system32\dllcache\amb8002.sys
2007-12-22 12:48 . 2001-08-17 13:52 12,800  --a--c---   C:\WINDOWS\system32\dllcache\aha154x.sys
2007-12-22 12:48 . 2001-08-17 13:52 12,032  --a--c---   C:\WINDOWS\system32\dllcache\amsint.sys
2007-12-22 12:48 . 2001-08-17 13:47 6,272   --a--c---   C:\WINDOWS\system32\dllcache\apmbatt.sys
2007-12-22 12:48 . 2001-08-17 13:51 5,248   --a--c---   C:\WINDOWS\system32\dllcache\aliide.sys
2007-12-22 12:45 . 2001-08-17 13:28 762,780 --a--c---   C:\WINDOWS\system32\dllcache\3cwmcru.sys
2007-12-22 12:45 . 2001-08-17 14:55 689,216 --a--c---   C:\WINDOWS\system32\dllcache\3dfxvs.dll
2007-12-22 12:45 . 2001-08-17 22:36 462,848 --a--c---   C:\WINDOWS\system32\dllcache\a3dapi.dll
2007-12-22 12:45 . 2001-08-17 12:48 148,352 --a--c---   C:\WINDOWS\system32\dllcache\3dfxvsm.sys
2007-12-22 12:45 . 2001-08-17 14:56 66,048  --a--c---   C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-12-22 12:45 . 2004-08-04 01:10 53,248  --a--c---   C:\WINDOWS\system32\dllcache\1394bus.sys
2007-12-22 12:45 . 2004-08-04 01:10 48,128  --a--c---   C:\WINDOWS\system32\dllcache\61883.sys
2007-12-22 12:45 . 2001-08-17 14:55 38,400  --a--c---   C:\WINDOWS\system32\dllcache\8514a.dll
2007-12-22 12:45 . 2004-08-04 01:00 12,288  --a--c---   C:\WINDOWS\system32\dllcache\4mmdat.sys
2007-12-22 12:45 . 2001-08-17 14:06 11,264  --a--c---   C:\WINDOWS\system32\dllcache\1394vdbg.sys
2007-12-22 03:36 . 2007-12-22 14:56 15,360  --a------   C:\WINDOWS\system32\ctfmon .exe
2007-12-22 02:51 . 2007-12-22 02:51 147,456 --a------   C:\WINDOWS\system32\vbzip10.dll
2007-12-22 02:48 . 2007-12-22 02:48 134 --a------   C:\n.bat
2007-12-22 02:47 . 2007-12-22 18:40 <DIR>    d--------   C:\WINDOWS\system32\daSgo05
2007-12-22 02:45 . 2007-12-22 02:46 <DIR>    d-a------   C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-22 02:29 . 2007-12-22 23:37 <DIR>    d--------   C:\Program Files\MagicISO
2007-12-22 02:20 . 2007-12-22 02:55 <DIR>    d--------   C:\Incomplete
2007-12-22 02:20 . 2007-12-22 02:20 <DIR>    d--------   C:\Documents and Settings\Administrator\Incomplete
2007-12-22 02:20 . 2007-12-22 02:51 <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\LimeWire
2007-12-22 01:57 . 2007-12-23 03:44 <DIR>    d--------   C:\Program Files\Symantec
2007-12-22 01:57 . 2007-12-23 03:44 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-21 17:51 . 2007-12-21 17:52 91  --a------   C:\WINDOWS\system32\NemuAudio.ini
2007-12-21 17:51 . 2007-12-21 17:52 65  --a------   C:\WINDOWS\system32\NemuVideo.ini
2007-12-20 16:35 . 2007-12-20 16:40 <DIR>    d--------   C:\Program Files\CamStudio
2007-12-14 15:44 . 2007-12-14 15:44 <DIR>    d--------   C:\Program Files\Maxis
2007-12-11 20:56 . 2007-12-11 21:02 <DIR>    d--------   C:\WINDOWS\.jagex_cache_32
2007-12-02 22:22 . 2007-12-02 22:22 552 --a------   C:\WINDOWS\system32\d3d8caps.dat
2007-11-29 01:12 . 2007-12-17 11:07 54,156  --ah-----   C:\WINDOWS\QTFont.qfn
2007-11-29 01:12 . 2007-11-29 01:12 1,409   --a------   C:\WINDOWS\QTFont.for


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-24 19:44    ---------   d-----w C:\Program Files\Common Files\Adobe
2007-12-24 19:34    ---------   d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-24 04:00    ---------   d-----w C:\Program Files\Mozilla Thunderbird
2007-12-23 19:24    ---------   d-----w C:\Program Files\QuickTime
2007-12-23 19:24    ---------   d-----w C:\Program Files\PowerISO
2007-12-23 19:24    ---------   d-----w C:\Program Files\Microsoft IntelliPoint
2007-12-23 17:06    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-23 08:53    ---------   d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-23 04:39    ---------   d-----w C:\Program Files\Bonjour
2007-12-23 04:37    ---------   d-----w C:\Program Files\7-Zip
2007-12-22 07:00    ---------   d-----w C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-21 03:57    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2007-12-18 22:42    ---------   d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-16 17:13    ---------   d-----w C:\Program Files\FlashFXP
2007-11-25 08:01    ---------   d-----w C:\Program Files\City of Heroes
2007-11-13 10:25    20,480  ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 03:42    ---------   d-----w C:\Program Files\Serv-U
2007-11-05 04:57    ---------   d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2007-11-05 04:56    ---------   d-----w C:\Program Files\SlySoft
2007-11-01 23:57    ---------   d-----w C:\Program Files\AGEIA Technologies
2007-11-01 23:55    ---------   d-----w C:\Program Files\Sony
2007-11-01 23:55    ---------   d-----w C:\Program Files\Flying Lab Software
2007-10-26 21:54    ---------   d-----w C:\Program Files\Three Rings Design
2007-08-23 03:44    32  ----a-r C:\Documents and Settings\All Users\hash.dat
2007-04-12 23:26    92,064  ----a-w C:\Documents and Settings\Administrator\mqdmmdm.sys
2007-04-12 23:26    9,232   ----a-w C:\Documents and Settings\Administrator\mqdmmdfl.sys
2007-04-12 23:26    79,328  ----a-w C:\Documents and Settings\Administrator\mqdmserd.sys
2007-04-12 23:26    66,656  ----a-w C:\Documents and Settings\Administrator\mqdmbus.sys
2007-04-12 23:26    6,208   ----a-w C:\Documents and Settings\Administrator\mqdmcmnt.sys
2007-04-12 23:26    5,936   ----a-w C:\Documents and Settings\Administrator\mqdmwhnt.sys
2007-04-12 23:26    4,048   ----a-w C:\Documents and Settings\Administrator\mqdmcr.sys
2007-04-12 23:26    25,600  ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2007-04-12 23:26    22,768  ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2002-07-26 23:02    153,088 ----a-w C:\Program Files\UNWISE.EXE
2001-09-01 23:55    263,428 ----a-w C:\Program Files\mp_pak4.pk3
2006-08-08 22:18    12,208  --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.


(((((((((((((((((((((((((((((   snapshot@2007-12-24_12.59.14.95   )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-24 03:20:34   158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
+ 2007-12-24 23:52:26   158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
- 2007-10-06 04:42:42   1,598,744   ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-12-24 19:53:39   1,598,016   ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2007-12-24 17:50:33   169,957 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-12-24 20:04:17   169,956 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2007-12-24 17:46:12   73,814  ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-12-24 20:06:28   73,814  ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-12-24 17:46:12   431,368 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-12-24 20:06:28   431,368 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-12-25 00:03:48   49,152  ----a-w C:\WINDOWS\Temp\CompiledAdapter.dll
+ 2007-12-25 00:03:25   16,384  ----atw C:\WINDOWS\Temp\Perflib_Perfdata_48c.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" []
"USB2Check"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard .exe" [2007-12-24 19:04]
"RegistryMechanic"="" []
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" []
"nwiz"="nwiz.exe" [2007-04-19 12:26 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]
"LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" []
"LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" []
"FRUpdate"="" []
"Acrobat Assistant 8.0"="D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" []
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" []


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 C:\WINDOWS\system32\narrator.exe]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnopo]
opnnopo.dll


[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\gebyy.exe


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ    msv1_0 C:\WINDOWS\system32\gebyy


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USIUDF_Eject_Monitor]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)


R1 XPROTECTOR;XPROTECTOR;C:\WINDOWS\system32\drivers\Oreans.sys [2006-05-13 11:44]
S3 CrystalCpuInfo;CrystalCpuInfo;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CpuInfo.sys []
S3 Fadpu16E;Fadpu16E;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Fadpu16E.sys []
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
S3 SaiHFF0C;SaiHFF0C;C:\WINDOWS\system32\DRIVERS\SaiHFF0C.sys [2004-06-11 04:59]
S3 SaiUFF0C;SaiUFF0C;C:\WINDOWS\system32\DRIVERS\SaiUFF0C.sys [2004-06-11 04:59]
S3 SDTHOOK;SDTHOOK;C:\WINDOWS\system32\DRIVERS\SDTHOOK.sys [2007-06-05 10:56]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys []


.
**************************************************************************


catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 19:03:52
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


C:\WINDOWS\system32\yybeg.ini 319 bytes
C:\WINDOWS\system32\yybeg.ini2 319 bytes
C:\WINDOWS\system32\gebyy.dll 334336 bytes executable
C:\WINDOWS\system32\gebyy.exe 337920 bytes executable


scan completed successfully
hidden files: 4


**************************************************************************
.
Completion time: 2007-12-24 19:05:19 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-24 15:04
C:\ComboFix3.txt ... 2007-12-24 14:31
.
2007-12-24 04:00:57 --- E O F ---
***************************************************************************
***************************************************************************


hijackthis.log


***************************************************************************
***************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:24 PM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\Virus Stuff\HiJackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\gebyy.exe
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard  .exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97F96CB6-B9BC-4670-B26F-DA9EB52577FE}: NameServer = 68.10.16.25,68.10.16.30
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Lexswf - Lexmark International, Inc. - (no file)
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


--
End of file - 5003 bytes

THANKS A BILLION Crunchie!!

Edited by happygeek: fixed formatting
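The "Reg Loading Points" and catchme sections of the ComboFix report above show three separate autostart hooks (a Winlogon Notify key, the HKCU `load` value, and an extra LSA authentication package) that all point at the same gebyy/opnnopo files, two of which catchme reports as hidden. The following Python is an added example, not part of ComboFix or of this thread: it parses those two sections from a constructed excerpt of the report and correlates every loading point with the hidden-file list. Format assumptions (REGEDIT4-style key headers, blank-line separators, the `path N bytes [executable]` shape of catchme lines, and a space-separated `Authentication Packages` value) are noted in the comments.

```python
import re
from collections import OrderedDict

# Constructed sample: excerpts copied from the ComboFix report posted above.
SAMPLE_REPORT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-04-19 12:26 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnopo]
opnnopo.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\gebyy.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ    msv1_0 C:\WINDOWS\system32\gebyy

scanning hidden files ...

C:\WINDOWS\system32\yybeg.ini 319 bytes
C:\WINDOWS\system32\gebyy.dll 334336 bytes executable
C:\WINDOWS\system32\gebyy.exe 337920 bytes executable

scan completed successfully
hidden files: 3
"""

# Assumption: ComboFix prints registry keys as [HKEY_...] headers, one value per
# line beneath, with a blank line closing each key (as in the report above).
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# Assumption: catchme lists hidden files as "<path> <size> bytes[ executable]".
HIDDEN_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<size>\d+) bytes(?P<exe> executable)?$")


def parse_loading_points(text):
    """Return {lower-cased registry key: [value lines]} for the REGEDIT4 section."""
    keys = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys[current] = []
        elif not line:
            current = None            # blank line ends the current key
        elif current is not None:
            keys[current].append(line)
    return keys


def parse_hidden_files(text):
    """Return [(path, size, is_executable)] from the catchme hidden-files list."""
    out = []
    for raw in text.splitlines():
        m = HIDDEN_RE.match(raw.strip())
        if m:
            out.append((m.group("path"), int(m.group("size")), bool(m.group("exe"))))
    return out


def find_persistence(text):
    """Flag the three loading points abused in this report and mark which targets are hidden."""
    findings = []
    for key, values in parse_loading_points(text).items():
        if "\\winlogon\\notify\\" in key:
            # Every DLL listed under a Notify subkey is loaded into winlogon.exe.
            findings += [("winlogon-notify", v) for v in values]
        elif key.endswith("\\windows nt\\currentversion\\windows"):
            # The per-user "load" value is the registry-mapped win.ini load= line;
            # it is normally empty.
            findings += [("hkcu-windows-load", v.split("=", 1)[1])
                         for v in values if v.lower().startswith('"load"=')]
        elif key.endswith("\\control\\lsa"):
            # Only msv1_0 is expected in Authentication Packages on XP; anything
            # else is a DLL that lsass.exe will load at boot.  Assumes the
            # packages are space-separated, as ComboFix prints them.
            for v in values:
                if v.startswith("Authentication Packages"):
                    findings += [("lsa-auth-package", p) for p in v.split()[3:]
                                 if p.lower() != "msv1_0"]
    hidden = {path.lower() for path, _, _ in parse_hidden_files(text)}
    # LSA package names are given without extension; lsass appends .dll.
    return [{"kind": kind, "target": target,
             "hidden": target.lower() in hidden or target.lower() + ".dll" in hidden}
            for kind, target in findings]


if __name__ == "__main__":
    for f in find_persistence(SAMPLE_REPORT):
        flag = "HIDDEN" if f["hidden"] else "      "
        print(f"{flag} {f['kind']:18} {f['target']}")
```

The correlation is the useful part: an autostart value whose target catchme also reports as hidden is a much stronger signal than either observation on its own, and it explains why the desktop returns only until the next reboot, since the LSA and Notify hooks load the files into lsass.exe and winlogon.exe before explorer.exe ever starts.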

0

Seems like something may have gotten badly corrupted. Is there a system restore point that you can revert to from before these problems? If so, I suggest doing that and posting another hijackthis log.

0

No :(
Because it was completely messed up... so I had to turn System Restore off. So they are all deleted. Should I delete Firefox and its profile?... also THguard.exe is Trojan Hunter and I uninstalled the damn thing... so why is it still there...

What about a Windows XP repair? Last resort... this is crazy... Combofix makes it work, then it goes to hell again... I can't believe this!

0

System repair would be one of the things to try. All your M$ updates would have to be redone.

You can try running sfc /scannow from the Run command too.
