RE:Hi,

I'm having the same problem. My computer starts up, then my Explorer.exe flickers for a while, then just exits without warning or messages. I ran HJT.exe and got

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:46:52 PM, on 11/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL\MySQL Server 6.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Compaq_Owner\Desktop\imabunny.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SystemApp - {163D9676-810E-11DC-8314-0800200C9A66} - C:\Program Files\SystemApp\ie-improver.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {2429C56A-A701-43E5-B355-95BAA8F13158} - C:\WINDOWS\system32\mllmn.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS Security service\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\TELUS\TELUS Security service\FreeBHOR.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\yayxyab.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TELUS Security service] "C:\Program Files\TELUS\TELUS Security service\Freedom.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: yayxyab - C:\WINDOWS\SYSTEM32\yayxyab.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: Win PPPe - Unknown owner - C:\WINDOWS\system32\winser.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 8488 bytes

I just recently started getting it. It was working before I left for school one morning; I came home and it had started. I'm the only one with the PW for my computer. I did download something, but never installed it; in fact I deleted it before it even finished. It was just an addon for World of Warcraft.

I can see you've tried to get rid of some trojan or other (Winser.exe), as it is listed as file missing in the HJT list.
--------------------------------------------------------
O2 - BHO: (no name) - {2429C56A-A701-43E5-B355-95BAA8F13158} - C:\WINDOWS\system32\mllmn.dll
O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\yayxyab.dll
O20 - Winlogon Notify: yayxyab - C:\WINDOWS\SYSTEM32\yayxyab.dll
---------------------------------------------------------

At least the above are identifiable baddies. If you know the date and approximate time that it could have happened, then you can hunt for clumps of silly-named files around the same timeline. When you've fixed the timeline more precisely, you can search for any files created at the same time; they are suspect. Look for any EXE files in C:\ and get rid of them manually if necessary.

You should read the other SOLVED posts in this forum and use the method described in the thread, using tools such as ComboFix and others.

Some kind heart might take you through the steps - but if I were you I'd just get on with it in a methodical manner.

Each time you reboot, the trojan will load and likely spawn. Note the time of reboot so that you can spot the file size of spawned trojans so that you can be sure of what you are deleting as you work your way through your system.

Whichever method you choose for ridding yourself of the trojan, it's a long haul.

Hi, Suspishio, thrum tagged onto another thread and I asked him to post anew; I already had made up my reply so I'm just going to paste it here - hope you don't mind..?
Beauty, thrum ... this saves a lot of confusion, and you don't want me confused, now do you?
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!

=ComboFix:- [normal mode is fine] - to run it double-click combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

Post the contents of C:\vundofix.txt, Combofix.txt plus a new HijackThis log.

@ Gerbil

I'm grateful you stepped in/continued.

I feel sorry for people with zero replies and I like to point them to the method I employ (which I wish would be stickied - 2nd Sep 07) and which I'm fully qualified to speak to.

So if none of you Vundo pros reply, I help out by identifying the baddies and giving them a hybrid of my method combined with ComboFix. I think I've got one cured that way out of three; not good enough for my taste.

Anyway, back to you for now and sticky my post!

Thank you, "Gerbil"!

Combofix.exe has fixed my problem!

The other program didn't seem to work for me; I rebooted and started in Safe Mode, but nothing...

here is the log for Combofix.exe

ComboFix 07-11-01.1 - Compaq_Owner 2007-11-02 17:31:29.1 - NTFSx86 
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.257 [GMT -7:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\SystemApp
C:\Program Files\SystemApp\bho.dat
C:\Program Files\SystemApp\er.dat
C:\Program Files\SystemApp\ie-improver.dll
C:\Program Files\SystemApp\uninstall.exe
C:\WINDOWS\msvrc20.dll
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\mllmn.dll
C:\WINDOWS\system32\nmllm.bak1
C:\WINDOWS\system32\nmllm.bak2
C:\WINDOWS\system32\nmllm.ini
C:\WINDOWS\system32\sysdl132.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


(((((((((((((((((((((((((   Files Created from 2007-10-03 to 2007-11-03  )))))))))))))))))))))))))))))))
.

2007-11-02 17:28    51,200  --a------   C:\WINDOWS\NirCmd.exe
2007-10-28 10:43    <DIR>    d--------   C:\Documents and Settings\Compaq_Owner\Application Data\fretsonfire
2007-10-28 10:42    <DIR>    d--------   C:\Program Files\Frets on Fire
2007-10-23 19:54    116,224 --a------   C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-10-23 19:54    99,865  --a------   C:\WINDOWS\system32\dllcache\xlog.exe
2007-10-23 19:54    27,648  --a------   C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-10-23 19:54    23,040  --a------   C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-10-23 19:54    19,455  --a------   C:\WINDOWS\system32\dllcache\wvchntxx.sys
2007-10-23 19:54    19,328  --a------   C:\WINDOWS\system32\dllcache\wstcodec.sys
2007-10-23 19:54    17,408  --a------   C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-10-23 19:54    16,970  --a------   C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-10-23 19:54    4,608   --a------   C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-10-23 19:44    252,032 --a------   C:\WINDOWS\system32\dllcache\sis300iv.dll
2007-10-23 19:44    161,568 --a------   C:\WINDOWS\system32\dllcache\sgsmusb.sys
2007-10-23 19:44    150,144 --a------   C:\WINDOWS\system32\dllcache\sis6306v.dll
2007-10-23 19:44    101,760 --a------   C:\WINDOWS\system32\dllcache\sis300ip.sys
2007-10-23 19:44    68,608  --a------   C:\WINDOWS\system32\dllcache\sis6306p.sys
2007-10-23 19:44    41,088  --a------   C:\WINDOWS\system32\dllcache\sisagp.sys
2007-10-23 19:44    3,901   --a------   C:\WINDOWS\system32\dllcache\siint5.dll
2007-10-23 19:30    27,136  --a------   C:\WINDOWS\system32\dllcache\irmon.dll
2007-10-23 19:30    26,624  --a------   C:\WINDOWS\system32\dllcache\irstusb.sys
2007-10-23 19:30    23,552  --a------   C:\WINDOWS\system32\dllcache\irmk7.sys
2007-10-23 19:30    18,688  --a------   C:\WINDOWS\system32\dllcache\irsir.sys
2007-10-23 19:30    14,848  --a------   C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-10-23 19:30    6,144   --a------   C:\WINDOWS\system32\dllcache\kbd106.dll
2007-10-23 19:30    6,144   --a------   C:\WINDOWS\system32\dllcache\kbd101c.dll
2007-10-23 19:30    6,144   --a------   C:\WINDOWS\system32\dllcache\kbd101b.dll
2007-10-23 19:30    5,632   --a------   C:\WINDOWS\system32\dllcache\kbd103.dll
2007-10-23 15:06    33,792  --a------   C:\WINDOWS\system32\yayxyab.dll
2007-10-18 21:07    <DIR>    d--------   C:\Program Files\World of Warcraft (2.2.3)
2007-10-10 15:07    3,495,784   --a------   C:\WINDOWS\system32\d3dx9_33.dll
2007-10-08 19:57    <DIR>    d--------   C:\Program Files\Mumble
2007-10-03 15:49    <DIR>    d--------   C:\wamp

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-01 23:38    ---------   d-----w C:\Documents and Settings\Compaq_Owner\Application Data\IGN_DLM
2007-10-30 21:53    ---------   d-----w C:\Program Files\Common Files\Command Software
2007-10-30 21:52    ---------   d-----w C:\Program Files\Common Files\PestPatrol
2007-10-23 01:00    ---------   d-----w C:\Program Files\Steam
2007-10-21 07:02    ---------   d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Hamachi
2007-10-20 07:21    ---------   d-----w C:\Program Files\World of Warcraft (2.2.2)
2007-10-19 05:04    ---------   d-----w C:\Program Files\SQLyog Community
2007-10-10 22:06    ---------   d-----w C:\Program Files\directx
2007-10-08 22:46    ---------   d-----w C:\Program Files\Teamspeak2_RC2
2007-10-06 04:29    38  ----a-w C:\Program Files\realmlist.wtf
2007-10-01 13:18    ---------   d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Turbine
2007-10-01 13:16    ---------   d-----w C:\Documents and Settings\Compaq_Owner\Application Data\GetRightToGo
2007-10-01 04:34    ---------   d-----w C:\Program Files\EA GAMES
2007-09-24 17:11    ---------   d-----w C:\Documents and Settings\Mom\Application Data\Skype
2007-09-19 05:33    ---------   d-----w C:\Program Files\Common Files\EasyInfo
2007-09-18 22:53    ---------   d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Xfire
2007-09-18 05:51    ---------   d-s---w C:\Program Files\Xfire
2007-09-10 00:57    22,328  ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-09-10 00:57    22,328  ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\PnkBstrK.sys
2007-09-08 17:41    ---------   d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-09-03 05:06    25,544  ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-09-03 04:36    ---------   d-----w C:\Program Files\Hamachi
2007-05-25 02:25    1,674   -c--a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2006-12-07 14:48    242 -c--a-w C:\Documents and Settings\Mom\Application Data\wklnhst.dat
2005-07-15 03:50:10 10,240  -csha-w C:\WINDOWS\rnapxs\rnapxs.dat
2005-09-16 20:50:30 22  -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}]
2007-10-23 15:06    33792   --a------   C:\WINDOWS\system32\yayxyab.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TEPA.exe"="C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" [2007-03-20 17:48]
"TELUS Security service"="C:\Program Files\TELUS\TELUS Security service\Freedom.exe" [2005-05-19 15:56]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

C:\Documents and Settings\Mom\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCpl"=0 (0x0)
"DisableChangePassword"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuPinnedList"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"NoUserNameInStartMenu"=0 (0x0)
"NoStartMenuSubFolders"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoPrinterTabs"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoPrinters"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoShellSearchButton"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoRecentDocsNetHood"=0 (0x0)
"NoChangeAnimation"=0 (0x0)
"NoChangeKeyboardNavigationIndicators"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}"= C:\WINDOWS\system32\yayxyab.dll [2007-10-23 15:06 33792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxyab] 
yayxyab.dll 2007-10-23 15:06 33792 C:\WINDOWS\system32\yayxyab.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mllmn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SDhelper"=2 (0x2)
"RichVideo"=2 (0x2)
"iPodService"=3 (0x3)

S2 Win PPPe;Win PPPe;C:\WINDOWS\system32\winser.exe
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
S3 wampapache;wampapache;"c:\wamp\apache2\bin\httpd.exe" -k runservice
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=c:\wamp\mysql\my.ini wampmysqld
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80

.
Contents of the 'Scheduled Tasks' folder
"2007-11-02 09:57:02 C:\WINDOWS\Tasks\SmartDefrag.job"
- C:\Program Files\IObit\IObit SmartDefrag\schedule.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 17:55:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

**************************************************************************
.
Completion time: 2007-11-02 17:59:29 - machine was rebooted 
.
    --- E O F ---

I'm sorry "Suspishio" but I did not really understand how you were telling me to fix it; I kept reading it over and over but didn't quite understand. Thank you for trying to help me though!

Sadly... it's not solved; it's doing the same thing again. It was fine for about an hour, then just... yeah.

I was only on MSN to send an e-mail and talk to a few people then it started up as I closed MSN.

I can see a Vundo file remaining in the ComboFix log. I know VundoFix can remove it - perhaps you should download a fresh copy and try again. We cannot just delete it because it would have files waiting to recreate it, and those do not show themselves.

Alrighty, I got it to run, but it did not fix the problem.


VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 9:58:17 PM 11/2/2007

Listing files found while scanning....

C:\windows\system32\yayxyab.dll

Beginning removal...

Attempting to delete C:\windows\system32\yayxyab.dll
C:\windows\system32\yayxyab.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 10:05:41 PM 11/2/2007

Listing files found while scanning....

C:\windows\system32\yayxyab.dll

Attempting to delete C:\windows\system32\yayxyab.dll
C:\windows\system32\yayxyab.dll Has been deleted!

Performing Repairs to the registry.
Done!
________________________________________

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:12:57 PM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\MySQL\MySQL Server 6.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Compaq_Owner\Desktop\backups\imabunny.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {376339FC-F23C-430B-8FF6-E3F6BDC0C859} - C:\WINDOWS\system32\geebc.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS Security service\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\TELUS\TELUS Security service\FreeBHOR.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TELUS Security service] "C:\Program Files\TELUS\TELUS Security service\Freedom.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: Win PPPe - Unknown owner - C:\WINDOWS\system32\winser.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 8228 bytes

Another vundo popped up:
O2 - BHO: (no name) - {376339FC-F23C-430B-8FF6-E3F6BDC0C859} - C:\WINDOWS\system32\geebc.dll


thrum, let's clean up your log entries first; start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {376339FC-F23C-430B-8FF6-E3F6BDC0C859} - C:\WINDOWS\system32\geebc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

Good. Now to remove this service:
O23 - Service: Win PPPe - Unknown owner - C:\WINDOWS\system32\winser.exe (file missing)
==Go Start, Run, type services.msc and press Enter. Maximise the window and at the foot select the Extended tab, scroll to the specific service, right-click it, select Properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service to Disabled first]. Close Services, now type this line into the Run text box and press Enter:
sc delete "exact Service Name" - don't be silly now....

Okay. Note that I have modified the Vundofix run instructions. Please delete C:\Vundofix.txt:
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
*****When the scan completes, right-click inside the white text box, left-click the "Add more files?" line, and paste this pathname into the new window:

C:\WINDOWS\system32\geebc.dll

Click the Add Files button, and next the Remove Vundo button.******
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
Post the contents of C:\vundofix.txt plus a new HijackThis log.

==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix - that is, to a folder or your desktop.
__________________________________________________________

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E992732-295F-4987-8BE3-16FAC1639198}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}"= -
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00
__________________________________________________________

Good. Now drag CFScript.txt onto Combofix [drag the icon if on your desktop, or the filename if in a folder]. Combofix will start, let it run, if your firewall prompts then allow all; post the log.

So. Post vundofix, combofix and a fresh hijackthis log [normal mode].
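As an added example that is not part of gerbil's post or of HijackThis, VundoFix or ComboFix themselves: a small Python triage pass over the kind of lines fixed above. It flags the unnamed BHO loading from system32 and the orphaned "Win PPPe" service, lists whatever the LSA "Authentication Packages" value carries beyond the Windows default (ComboFix reports a mllmn.dll entry there in the log posted later in the thread), and decodes the hex(7) value in the CFScript to confirm it writes back just msv1_0. The sample lines are copied from this thread; the whitelist saying msv1_0 is the only default package on XP is an assumption, and the hex(7) decoder handles both the one-byte form used in the CFScript and the UTF-16LE form regedit exports.

```python
"""Triage helpers for HijackThis / ComboFix entries of the kind fixed above.
Added example; the sample lines are copied from the logs in this thread."""

# Constructed sample: HijackThis lines copied from the logs posted in the thread.
HJT_SAMPLE = """\
O2 - BHO: (no name) - {376339FC-F23C-430B-8FF6-E3F6BDC0C859} - C:\\WINDOWS\\system32\\geebc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O23 - Service: Win PPPe - Unknown owner - C:\\WINDOWS\\system32\\winser.exe (file missing)
O23 - Service: wampapache - Apache Software Foundation - c:\\wamp\\apache2\\bin\\httpd.exe
"""

# The LSA value ComboFix reported, and the hex(7) the CFScript writes back.
LSA_REPORTED = "msv1_0 C:\\WINDOWS\\system32\\mllmn.dll"
CFSCRIPT_HEX7 = "6d,73,76,31,5f,30,00,00"

# Assumption: msv1_0 is the only authentication package a stock XP install loads.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def decode_hex7(value: str) -> list:
    """Decode a .reg-style hex(7) (REG_MULTI_SZ) byte list into its strings.
    Regedit exports these as UTF-16LE; the CFScript above uses one byte per
    character, so sniff the encoding by checking whether every second byte is NUL."""
    raw = bytes(int(b, 16) for b in value.split(","))
    utf16 = len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])
    text = raw.decode("utf-16-le" if utf16 else "latin-1")
    return [s for s in text.split("\x00") if s]


def parse_hjt(text: str) -> list:
    """Split HijackThis O2/O23 lines into (section, label, middle, target)."""
    rows = []
    for line in text.splitlines():
        parts = line.split(" - ", 3)
        if len(parts) == 4 and parts[0] in ("O2", "O23"):
            rows.append(tuple(parts))
    return rows


def triage_hjt(text: str) -> list:
    """Return (label, reason) for entries worth fix-checking or removing."""
    findings = []
    for section, label, _middle, target in parse_hjt(text):
        low = target.lower()
        if section == "O2":
            if "(no name)" in label and "\\system32\\" in low:
                findings.append((label, "unnamed BHO loading from system32 (Vundo pattern)"))
            elif low == "(no file)":
                findings.append((label, "BHO registered but DLL gone; fix-check in HijackThis"))
        elif section == "O23" and low.endswith("(file missing)"):
            findings.append((label, "orphaned service; remove with sc delete"))
    return findings


def unexpected_auth_packages(reported: str) -> list:
    """Entries in LSA 'Authentication Packages' beyond the default (space-separated
    as ComboFix prints them; a path containing spaces would need smarter splitting)."""
    return [p for p in reported.split() if p.lower() not in DEFAULT_AUTH_PACKAGES]


def cfscript_restores_default(hex7: str) -> bool:
    """True when the CFScript's hex(7) leaves only the default package(s)."""
    return {p.lower() for p in decode_hex7(hex7)} == DEFAULT_AUTH_PACKAGES


if __name__ == "__main__":
    for label, reason in triage_hjt(HJT_SAMPLE):
        print(f"{label}: {reason}")
    print("extra LSA packages:", unexpected_auth_packages(LSA_REPORTED))
    print("CFScript restores default:", cfscript_restores_default(CFSCRIPT_HEX7))
```

The LSA check is the one worth keeping in a toolbox: an extra DLL in "Authentication Packages" is loaded into lsass.exe at every boot and sees every logon, which is why the CFScript resets the value rather than just deleting the file.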


Alrighty, all run!

VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 9:58:17 PM 11/2/2007

Listing files found while scanning....

C:\windows\system32\yayxyab.dll

Beginning removal...

 Attempting to delete C:\windows\system32\yayxyab.dll
C:\windows\system32\yayxyab.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 10:05:41 PM 11/2/2007

Listing files found while scanning....

C:\windows\system32\yayxyab.dll

 Attempting to delete C:\windows\system32\yayxyab.dll
C:\windows\system32\yayxyab.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 11:57:51 PM 11/2/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 12:16:14 AM 11/3/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Performing Repairs to the registry.
Done!
________________________________________

ComboFix 07-11-01.1 - Compaq_Owner 2007-11-02 17:31:29.1 - NTFSx86 
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.257 [GMT -7:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\SystemApp
C:\Program Files\SystemApp\bho.dat
C:\Program Files\SystemApp\er.dat
C:\Program Files\SystemApp\ie-improver.dll
C:\Program Files\SystemApp\uninstall.exe
C:\WINDOWS\msvrc20.dll
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\mllmn.dll
C:\WINDOWS\system32\nmllm.bak1
C:\WINDOWS\system32\nmllm.bak2
C:\WINDOWS\system32\nmllm.ini
C:\WINDOWS\system32\sysdl132.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


(((((((((((((((((((((((((   Files Created from 2007-10-03 to 2007-11-03  )))))))))))))))))))))))))))))))
.

2007-11-02 17:28    51,200  --a------   C:\WINDOWS\NirCmd.exe
2007-10-28 10:43    <DIR>    d--------   C:\Documents and Settings\Compaq_Owner\Application Data\fretsonfire
2007-10-28 10:42    <DIR>    d--------   C:\Program Files\Frets on Fire
2007-10-23 19:54    116,224 --a------   C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-10-23 19:54    99,865  --a------   C:\WINDOWS\system32\dllcache\xlog.exe
2007-10-23 19:54    27,648  --a------   C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-10-23 19:54    23,040  --a------   C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-10-23 19:54    19,455  --a------   C:\WINDOWS\system32\dllcache\wvchntxx.sys
2007-10-23 19:54    19,328  --a------   C:\WINDOWS\system32\dllcache\wstcodec.sys
2007-10-23 19:54    17,408  --a------   C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-10-23 19:54    16,970  --a------   C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-10-23 19:54    4,608   --a------   C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-10-23 19:44    252,032 --a------   C:\WINDOWS\system32\dllcache\sis300iv.dll
2007-10-23 19:44    161,568 --a------   C:\WINDOWS\system32\dllcache\sgsmusb.sys
2007-10-23 19:44    150,144 --a------   C:\WINDOWS\system32\dllcache\sis6306v.dll
2007-10-23 19:44    101,760 --a------   C:\WINDOWS\system32\dllcache\sis300ip.sys
2007-10-23 19:44    68,608  --a------   C:\WINDOWS\system32\dllcache\sis6306p.sys
2007-10-23 19:44    41,088  --a------   C:\WINDOWS\system32\dllcache\sisagp.sys
2007-10-23 19:44    3,901   --a------   C:\WINDOWS\system32\dllcache\siint5.dll
2007-10-23 19:30    27,136  --a------   C:\WINDOWS\system32\dllcache\irmon.dll
2007-10-23 19:30    26,624  --a------   C:\WINDOWS\system32\dllcache\irstusb.sys
2007-10-23 19:30    23,552  --a------   C:\WINDOWS\system32\dllcache\irmk7.sys
2007-10-23 19:30    18,688  --a------   C:\WINDOWS\system32\dllcache\irsir.sys
2007-10-23 19:30    14,848  --a------   C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-10-23 19:30    6,144   --a------   C:\WINDOWS\system32\dllcache\kbd106.dll
2007-10-23 19:30    6,144   --a------   C:\WINDOWS\system32\dllcache\kbd101c.dll
2007-10-23 19:30    6,144   --a------   C:\WINDOWS\system32\dllcache\kbd101b.dll
2007-10-23 19:30    5,632   --a------   C:\WINDOWS\system32\dllcache\kbd103.dll
2007-10-23 15:06    33,792  --a------   C:\WINDOWS\system32\yayxyab.dll
2007-10-18 21:07    <DIR>    d--------   C:\Program Files\World of Warcraft (2.2.3)
2007-10-10 15:07    3,495,784   --a------   C:\WINDOWS\system32\d3dx9_33.dll
2007-10-08 19:57    <DIR>    d--------   C:\Program Files\Mumble
2007-10-03 15:49    <DIR>    d--------   C:\wamp

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-01 23:38    ---------   d-----w C:\Documents and Settings\Compaq_Owner\Application Data\IGN_DLM
2007-10-30 21:53    ---------   d-----w C:\Program Files\Common Files\Command Software
2007-10-30 21:52    ---------   d-----w C:\Program Files\Common Files\PestPatrol
2007-10-23 01:00    ---------   d-----w C:\Program Files\Steam
2007-10-21 07:02    ---------   d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Hamachi
2007-10-20 07:21    ---------   d-----w C:\Program Files\World of Warcraft (2.2.2)
2007-10-19 05:04    ---------   d-----w C:\Program Files\SQLyog Community
2007-10-10 22:06    ---------   d-----w C:\Program Files\directx
2007-10-08 22:46    ---------   d-----w C:\Program Files\Teamspeak2_RC2
2007-10-06 04:29    38  ----a-w C:\Program Files\realmlist.wtf
2007-10-01 13:18    ---------   d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Turbine
2007-10-01 13:16    ---------   d-----w C:\Documents and Settings\Compaq_Owner\Application Data\GetRightToGo
2007-10-01 04:34    ---------   d-----w C:\Program Files\EA GAMES
2007-09-24 17:11    ---------   d-----w C:\Documents and Settings\Mom\Application Data\Skype
2007-09-19 05:33    ---------   d-----w C:\Program Files\Common Files\EasyInfo
2007-09-18 22:53    ---------   d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Xfire
2007-09-18 05:51    ---------   d-s---w C:\Program Files\Xfire
2007-09-10 00:57    22,328  ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-09-10 00:57    22,328  ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\PnkBstrK.sys
2007-09-08 17:41    ---------   d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-09-03 05:06    25,544  ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-09-03 04:36    ---------   d-----w C:\Program Files\Hamachi
2007-05-25 02:25    1,674   -c--a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2006-12-07 14:48    242 -c--a-w C:\Documents and Settings\Mom\Application Data\wklnhst.dat
2005-07-15 03:50:10 10,240  -csha-w C:\WINDOWS\rnapxs\rnapxs.dat
2005-09-16 20:50:30 22  -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}]
2007-10-23 15:06    33792   --a------   C:\WINDOWS\system32\yayxyab.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TEPA.exe"="C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" [2007-03-20 17:48]
"TELUS Security service"="C:\Program Files\TELUS\TELUS Security service\Freedom.exe" [2005-05-19 15:56]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

C:\Documents and Settings\Mom\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCpl"=0 (0x0)
"DisableChangePassword"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuPinnedList"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"NoUserNameInStartMenu"=0 (0x0)
"NoStartMenuSubFolders"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoPrinterTabs"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoPrinters"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoShellSearchButton"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoRecentDocsNetHood"=0 (0x0)
"NoChangeAnimation"=0 (0x0)
"NoChangeKeyboardNavigationIndicators"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}"= C:\WINDOWS\system32\yayxyab.dll [2007-10-23 15:06 33792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxyab] 
yayxyab.dll 2007-10-23 15:06 33792 C:\WINDOWS\system32\yayxyab.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mllmn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SDhelper"=2 (0x2)
"RichVideo"=2 (0x2)
"iPodService"=3 (0x3)

S2 Win PPPe;Win PPPe;C:\WINDOWS\system32\winser.exe
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
S3 wampapache;wampapache;"c:\wamp\apache2\bin\httpd.exe" -k runservice
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=c:\wamp\mysql\my.ini wampmysqld
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80

.
Contents of the 'Scheduled Tasks' folder
"2007-11-02 09:57:02 C:\WINDOWS\Tasks\SmartDefrag.job"
- C:\Program Files\IObit\IObit SmartDefrag\schedule.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 17:55:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

**************************************************************************
.
Completion time: 2007-11-02 17:59:29 - machine was rebooted 
.
    --- E O F ---
________________________________________

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:44:52 AM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL\MySQL Server 6.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\Program Files\TELUS\TELUS Security service\Freedom.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner\Desktop\backups\imabunny.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS Security service\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\TELUS\TELUS Security service\FreeBHOR.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TELUS Security service] "C:\Program Files\TELUS\TELUS Security service\Freedom.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 7700 bytes



2007-10-23 19:54 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll

I'm sorry "Suspishio" but I did not really understand how you were telling me to fix it, I kept reading it over and over but didn't quite understand. Thank you for trying to help me though!

That's all right. Gerbil's sound track record on this problem goes back a while and I had to fix Vundo my way before alighting on this fine forum.

What I was trying to get you to do, preferably by putting the disk onto another PC as a slave or in an enclosure, was to identify and delete all files created around the time shown by ComboFix. You can see that they tend to be located in c:\windows\system32; but also in c:\windows, c:\, c:\program files.

The advantage of doing that as a slaved drive on another PC is that while you're cleaning it all up, no further propagation occurs.

What I'm suggesting strongly complements Gerbil's method and provides extra assurance.

Anyway, best of and all that.
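One way to do the timestamp search Suspishio describes, as an added example that is not from the thread or from ComboFix: parse the "Files Created" lines, pull every file created within a window of the known Vundo DLL, keep only the locations he names (system32, the Windows folder, C:\ and Program Files), and set the dllcache burst aside. The sample is copied from the ComboFix log above plus one hypothetical dropper line, marked as such, so the window search returns more than the seed itself; the 300-minute window and the location list are assumptions to tune per case.

```python
"""Timestamp clustering over ComboFix 'Files Created' lines.
Added example; sample copied from the thread plus one hypothetical line."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: lines copied from the ComboFix log above, plus one
# HYPOTHETICAL dropper line (not in the real log) at 15:07.
COMBOFIX_SAMPLE = """\
2007-11-02 17:28    51,200  --a------   C:\\WINDOWS\\NirCmd.exe
2007-10-28 10:43    <DIR>    d--------   C:\\Documents and Settings\\Compaq_Owner\\Application Data\\fretsonfire
2007-10-23 19:54    116,224 --a------   C:\\WINDOWS\\system32\\dllcache\\xrxwiadr.dll
2007-10-23 19:54    99,865  --a------   C:\\WINDOWS\\system32\\dllcache\\xlog.exe
2007-10-23 19:44    252,032 --a------   C:\\WINDOWS\\system32\\dllcache\\sis300iv.dll
2007-10-23 19:30    27,136  --a------   C:\\WINDOWS\\system32\\dllcache\\irmon.dll
2007-10-23 15:07    8,192   --a------   C:\\WINDOWS\\hypothetical_dropper.exe
2007-10-23 15:06    33,792  --a------   C:\\WINDOWS\\system32\\yayxyab.dll
2007-10-18 21:07    <DIR>    d--------   C:\\Program Files\\World of Warcraft (2.2.3)
2007-10-10 15:07    3,495,784   --a------   C:\\WINDOWS\\system32\\d3dx9_33.dll
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")

# Locations named in the post; C:\ root is handled separately below.
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def parse_created(text: str) -> list:
    """Turn ComboFix 'Files Created' lines into dicts; unparsable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when, size, attrs, path = m.groups()
        records.append({
            "when": datetime.strptime(when, "%Y-%m-%d %H:%M"),
            "is_dir": size == "<DIR>",
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": attrs,
            "path": path.strip(),
        })
    return records


def files_near(records: list, seed_path: str, minutes: int = 30) -> list:
    """Paths of files (not directories) created within +/- minutes of the seed."""
    seed = next(r for r in records if r["path"].lower() == seed_path.lower())
    window = timedelta(minutes=minutes)
    hits = [r for r in records
            if not r["is_dir"] and abs(r["when"] - seed["when"]) <= window]
    return [r["path"] for r in sorted(hits, key=lambda r: (r["when"], r["path"]))]


def in_system_location(path: str) -> bool:
    """True for files under C:\\WINDOWS, C:\\Program Files, or directly in C:\\."""
    low = path.lower()
    return low.startswith(SYSTEM_PREFIXES) or (low.startswith("c:\\") and low.count("\\") == 1)


def candidates(records: list, seed_path: str, minutes: int = 30) -> list:
    """files_near() narrowed to system locations, minus the dllcache.
    dllcache is Windows File Protection's copy store; a burst of files there in
    one minute is the footprint of an update or driver install, so review it
    separately instead of deleting on timestamp alone."""
    return [p for p in files_near(records, seed_path, minutes)
            if in_system_location(p) and "\\dllcache\\" not in p.lower()]


def clusters_by_minute(records: list) -> dict:
    """Group created files by creation minute; large groups show batch installs."""
    groups = defaultdict(list)
    for r in records:
        if not r["is_dir"]:
            groups[r["when"].strftime("%Y-%m-%d %H:%M")].append(r["path"])
    return dict(groups)


if __name__ == "__main__":
    recs = parse_created(COMBOFIX_SAMPLE)
    seed = "C:\\WINDOWS\\system32\\yayxyab.dll"
    for p in candidates(recs, seed, minutes=300):
        print("review/delete:", p)
    for minute, paths in sorted(clusters_by_minute(recs).items()):
        print(minute, len(paths), "file(s)")
```

Run it against the log before touching the slaved drive, and treat the output as a review list rather than a delete list: the cluster view is what separates a malware drop (one or two files in an odd minute) from a legitimate batch (dozens of driver files in the same minute).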


thrum, you should have a file C:\combofix(2).txt or similar..... that would be the later run, you posted the first run log again...:)


Hello. I have been trying to correct an Explorer desktop crash that sounds amazingly similar to this thread. It seems to be the same but I'm at a total loss. If anyone could help, I've run HijackThis v2.02. Here is what it gives me. I don't know what to do next.
