
I woke up this morning to find a config/lsass.exe error, which I managed to get rid of with HijackThis, but Explorer continues to restart on me. Over and over, non-stop. I hope you can help. I have tried VundoFix to no avail, ATF Cleaner doesn't help, and my virus scan is coming up with nothing. So here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:19:41 PM, on 10/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QLU\qlu.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinAble\winable.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hpshopping.com/cgi-bin/hpdirect/shopping/scripts/home/store_access.jsp?template_type=storefronts&category=esp_notebooks&aoid=26020
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [qlu] C:\Program Files\QLU\qlu.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://security.symantec.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188344461578
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{21E47261-BF84-4F04-8389-F6425CA62E48}: NameServer = 192.168.1.1,64.13.48.12
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8182 bytes

3 contributors, 12 replies, 13 views, 9-year discussion span; last post by midnightmomma.

Oops, read too fast, sorry about that. One of the things you could do:
I do recommend that you clean/restore your registry files; if these are corrupted, your PC may act a bit crazy. The software to help you with your registry: RegCure and Regpair. Please use these utilities and let us know the outcome.


Thanks for the tip. Things started going back to normal after I located a Win32.Trojan-gen virus and deleted it, and I keep forcing Explorer to function. I did the RegRepair scan and OMG, the errors, lol. Thanks for the tip; I think I will be keeping that program for future use.


I restarted my computer today and explorer.exe keeps restarting again. I am running the RegRepair again and the antivirus, but no luck so far. I want to avoid reformatting at any cost.


O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe

The above was your trojan, I reckon, in the original HJT log. First thing to do, IMO, is to go to the location and note the date and time that the file was created. The next thing I'd do is to hunt around in \Windows\system32; \windows and c:\ for stuff created in and around a 10 second window of that date and time. This will dimension your problem.

A useful tool here is ComboFix, which nicely logs the date and time of key entries and files, as well as doing a bit of repair/discovery work.

You've basically got to get rid of that lurker.


I discovered that earlier today, and removing it didn't help me any. Also, I have no idea how to obtain ComboFix.


Yeah, but please do as I say and have a look at your system for date- and time-related files.

As for ComboFix, go to the Virus section of this forum and one of Crunchie's posts will tell you where to download stuff you'll need.

Then repost your findings in relation to my questions in the Virus forum with your logs.

Cheers


What I was saying was I deleted that file hours ago, so I don't have access to it anymore.


In fact, I went hunting for answers, and right now I am doing the sfc /scannow and hoping that the problem is fixed. I have been trying everything I can, and I would have been more than happy to have hunted for the time and date, but I deleted it hours ago. Sorry, hun.


You may have deleted it hours ago, but if your system's misbehaving, it'll be there again, and tracking down what it has spawned this time round is essential.


Here is my ComboFix log:

ComboFix 07-10-30.5 - Sondra Hicks 2007-10-31 12:53:23.1 - NTFSx86
Running from: C:\Documents and Settings\Sondra Hicks\Desktop\ComboFix.exe
* Created a new restore point
.


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.


C:\Documents and Settings\Sondra Hicks\Application Data\dach100.dll
C:\Program Files\Common Files\Yazzle1848OinUninstaller.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\wininstall.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\nvrssk.dll
C:\WINDOWS\system32\nvrssl.dll
C:\WINDOWS\system32\pskill.exe
C:\WINDOWS\system32\qqtwa.bak2
C:\WINDOWS\system32\qqtwa.ini
C:\WINDOWS\tsitra1044.exe
D:\Autorun.inf


.
(((((((((((((((((((((((((   Files Created from 2007-09-28 to 2007-10-31  )))))))))))))))))))))))))))))))
.


2007-10-31 12:51    51,200  --a------   C:\WINDOWS\NirCmd.exe
2007-10-31 03:08    57,856  --a------   C:\WINDOWS\system32\dllcache\EXCH_scripto.dll
2007-10-31 03:08    23,936  --a------   C:\WINDOWS\system32\dllcache\sccmusbm.sys
2007-10-31 03:08    17,280  --a------   C:\WINDOWS\system32\dllcache\scr111.sys
2007-10-31 03:08    16,640  --a------   C:\WINDOWS\system32\dllcache\scmstcs.sys
2007-10-31 03:08    11,648  --a------   C:\WINDOWS\system32\dllcache\scsiprnt.sys
2007-10-31 03:08    10,880  --a------   C:\WINDOWS\system32\dllcache\scsiscan.sys
2007-10-31 03:08    6,912   --a------   C:\WINDOWS\system32\dllcache\seaddsmc.sys
2007-10-31 03:07    43,136  --a------   C:\WINDOWS\system32\dllcache\sbp2port.sys
2007-10-31 03:07    23,936  --a------   C:\WINDOWS\system32\dllcache\sccmn50m.sys
2007-10-31 03:06    495,616 --a------   C:\WINDOWS\system32\dllcache\sblfx.dll
2007-10-31 03:06    245,632 --a------   C:\WINDOWS\system32\dllcache\s3savmx.dll
2007-10-31 03:06    210,496 --a------   C:\WINDOWS\system32\dllcache\s3mvirge.dll
2007-10-31 03:06    198,400 --a------   C:\WINDOWS\system32\dllcache\s3sav4.dll
2007-10-31 03:06    179,264 --a------   C:\WINDOWS\system32\dllcache\s3sav3d.dll
2007-10-31 03:06    77,824  --a------   C:\WINDOWS\system32\dllcache\s3sav4m.sys
2007-10-31 03:06    75,392  --a------   C:\WINDOWS\system32\dllcache\s3savmxm.sys
2007-10-31 03:06    61,504  --a------   C:\WINDOWS\system32\dllcache\s3sav3dm.sys
2007-10-31 02:40    66,048  --a------   C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-10-31 02:40    32,827  --a------   C:\WINDOWS\system32\dllcache\tcptest.exe
2007-10-31 02:40    20,536  --a------   C:\WINDOWS\system32\dllcache\shtml.dll
2007-10-31 02:40    16,437  --a------   C:\WINDOWS\system32\dllcache\shtml.exe
2007-10-31 02:40    16,384  --a------   C:\WINDOWS\system32\dllcache\tcptsat.dll
2007-10-31 02:21    88,008  --a------   C:\WINDOWS\system32\drivers\msfwdrv.sys
2007-10-31 02:20    112,840 --a------   C:\WINDOWS\system32\drivers\msfwhlpr.sys
2007-10-31 02:19    67,784  --a------   C:\WINDOWS\system32\drivers\MpFilter.sys
2007-10-31 01:58    <DIR>    d--------   C:\Program Files\Microsoft Windows OneCare Live
2007-10-30 00:58    <DIR>    d--------   C:\Documents and Settings\Sondra Hicks\Application Data\GlarySoft
2007-10-30 00:41    <DIR>    d--------   C:\Program Files\Registry Repair
2007-10-29 13:19    32,256  --a------   C:\WINDOWS\system32\iifgdeb.dll
2007-10-29 13:18    <DIR>    d--------   C:\Documents and Settings\Sondra Hicks\.housecall6.6
2007-10-29 13:18    102,664 --a------   C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-29 13:13    <DIR>    d--------   C:\WINDOWS\BDOSCAN8
2007-10-29 13:10    32,256  --a------   C:\WINDOWS\system32\mljhhhh.dll
2007-10-29 12:52    32,256  --a------   C:\WINDOWS\system32\urqnlmk.dll.vir
2007-10-29 12:40    <DIR>    d--------   C:\WINDOWS\system32\ActiveScan
2007-10-29 12:20    <DIR>    d--------   C:\VundoFix Backups
2007-10-29 12:01    <DIR>    d--------   C:\Program Files\Trend Micro
2007-10-29 02:47    32,256  --a------   C:\WINDOWS\system32\yayxvsq.dll.vir
2007-10-29 02:45    258,048 --a------   C:\whatever.exe
2007-10-25 10:26    53,248  --a------   C:\WINDOWS\bdoscandel.exe
2007-10-24 21:27    <DIR>    d--------   C:\Documents and Settings\Sondra Hicks\Application Data\AdobeAUM
2007-10-21 15:54    <DIR>    d--------   C:\Documents and Settings\Sondra Hicks\.DownloadManager
2007-10-21 14:01    <DIR>    d--------   C:\Documents and Settings\Owner\Application Data\Intuit
2007-10-16 21:02    <DIR>    d--------   C:\Program Files\Tudou
2007-10-16 17:07    <DIR>    d--------   C:\WINDOWS\QLU
2007-10-16 17:07    <DIR>    d--------   C:\Program Files\QLU
2007-10-16 09:42    <DIR>    d--------   C:\Program Files\MSECache
2007-10-12 20:35    <DIR>    d--------   C:\Program Files\Magic Video Converter
2007-10-12 20:35    719,872 --a------   C:\WINDOWS\system32\devil.dll
2007-10-12 20:35    544,768 --a------   C:\WINDOWS\system32\msvcr71d.dll
2007-10-12 20:35    314,368 --a------   C:\WINDOWS\system32\avisynth.dll
2007-10-11 08:08    194,933 --a------   C:\WINDOWS\system32\drivers\usbVM31b.sys
2007-10-11 08:08    94,208  --a------   C:\WINDOWS\VMCap.exe
2007-10-11 08:08    61,440  --a------   C:\WINDOWS\system32\VM31bSTI.dll
2007-10-11 08:08    57,344  --a------   C:\WINDOWS\StillCap.exe
2007-10-11 08:08    40,960  --a------   C:\WINDOWS\VM_STI.EXE
2007-10-11 08:08    24,576  --a------   C:\WINDOWS\RunSetup.dll
2007-10-11 07:21    <DIR>    d--------   C:\WINDOWS\EffectResources
2007-10-11 07:21    <DIR>    d--------   C:\WINDOWS\CatRoot
2007-10-11 07:21    <DIR>    d--------   C:\Program Files\Vimicro
2007-10-11 07:21    390,379 --a------   C:\WINDOWS\system32\drivers\usbVM305.sys
2007-10-11 07:21    307,200 --a------   C:\WINDOWS\vidcap32.Exe
2007-10-11 07:21    114,688 --a------   C:\WINDOWS\VM305Cap.exe
2007-10-11 07:21    81,920  --a------   C:\WINDOWS\system32\VM305Sti.dll
2007-10-11 07:21    61,440  --a------   C:\WINDOWS\VM305_STI.exe
2007-10-11 07:21    53,248  --a------   C:\WINDOWS\Sti305.exe
2007-10-11 07:21    49,152  --a------   C:\WINDOWS\amcap.exe
2007-10-04 01:27    <DIR>    d--------   C:\Program Files\Skype
2007-10-04 01:27    <DIR>    d--------   C:\Program Files\Common Files\Skype
2007-10-04 01:27    <DIR>    d--------   C:\Documents and Settings\Sondra Hicks\Application Data\Skype
2007-10-04 01:27    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Skype
2007-10-03 07:13    <DIR>    d--------   C:\Program Files\iPod
2007-09-30 18:31    <DIR>    d--------   C:\divx
2007-09-29 22:43    <DIR>    d--------   C:\Documents and Settings\Sondra Hicks\Application Data\DivX
2007-09-26 20:02    <DIR>    d--------   C:\Program Files\FontTwister
2007-09-26 12:08    129,784 --a------   C:\WINDOWS\system32\pxafs.dll
2007-09-26 12:08    120,056 --a------   C:\WINDOWS\system32\pxcpyi64.exe
2007-09-26 12:08    118,520 --a------   C:\WINDOWS\system32\pxinsi64.exe
2007-09-25 21:42    <DIR>    d--------   C:\Program Files\Veoh Networks
2007-09-25 17:15    99,328  --a------   C:\WINDOWS\system32\srusd.dll
2007-09-25 17:15    99,328  --a------   C:\WINDOWS\system32\dllcache\srusd.dll
2007-09-25 17:15    71,680  --a------   C:\WINDOWS\system32\fnfilter.dll
2007-09-25 17:15    71,680  --a------   C:\WINDOWS\system32\dllcache\fnfilter.dll
2007-09-25 17:15    6,784   --a------   C:\WINDOWS\system32\drivers\serscan.sys
2007-09-25 17:15    6,784   --a------   C:\WINDOWS\system32\dllcache\serscan.sys
2007-09-21 21:21    <DIR>    d--------   C:\Program Files\iTunes
2007-09-21 21:20    <DIR>    d--------   C:\Program Files\Common Files\Apple
2007-09-21 21:14    <DIR>    d--------   C:\Program Files\Apple Software Update
2007-09-21 21:14    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Apple
2007-09-21 20:46    <DIR>    d--hs----   C:\Documents and Settings\NetworkService\Temporary Internet Files
2007-09-21 20:46    <DIR>    d--hs----   C:\Documents and Settings\NetworkService\History
2007-09-21 11:08    <DIR>    d--------   C:\Documents and Settings\Sondra Hicks\Application Data\Apple Computer
2007-09-21 11:05    <DIR>    d--------   C:\Program Files\QuickTime
2007-09-21 11:04    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-21 10:55    <DIR>    d--------   C:\Program Files\WinXMedia
2007-09-21 10:55    <DIR>    d--------   C:\Program Files\Common Files\Download Manager
2007-09-21 06:48    64  --a------   C:\WINDOWS\sysdat.dll
2007-09-17 23:02    <DIR>    d--------   C:\Documents and Settings\Sondra Hicks\Application Data\Creative
2007-09-17 23:01    <DIR>    d--------   C:\Program Files\Ulead Systems


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-31 09:24    ---------   d-----w C:\Documents and Settings\Sondra Hicks\Application Data\uTorrent
2007-10-21 21:02    ---------   d-----w C:\Program Files\Quicken
2007-10-21 19:44    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2007-09-30 22:52    ---------   d-----w C:\Program Files\DivX
2007-09-27 17:13    ---------   d-----w C:\Program Files\HP
2007-09-18 04:39    ---------   d-----w C:\Program Files\Common Files\Sonic Shared
2007-09-18 04:33    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2007-09-18 04:13    ---------   d-----w C:\Program Files\Sonic
2007-09-17 23:36    ---------   d-----w C:\Program Files\Windows Media Connect 2
2007-09-12 01:55    ---------   d-----w C:\Program Files\Jasc Software Inc
2007-09-08 00:53    ---------   d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-09-05 05:16    ---------   d-----w C:\Documents and Settings\Sondra Hicks\Application Data\VersionTracker Pro
2007-09-05 03:48    ---------   d-----w C:\Program Files\badcdrepair
2007-09-04 16:52    ---------   d-----w C:\Program Files\MSN Messenger
2007-09-01 06:43    ---------   d-----w C:\Documents and Settings\Sondra Hicks\Application Data\Jasc Software Inc
2007-09-01 06:00    ---------   d-----w C:\Program Files\Common Files\Adobe
2007-09-01 05:28    ---------   d-----w C:\Program Files\Network Stumbler
2007-08-31 07:55    ---------   d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-08-31 07:51    ---------   d-----w C:\Program Files\Bonjour
2007-08-31 07:44    ---------   d-----w C:\Program Files\Common Files\Macrovision Shared
2007-08-30 00:28    ---------   d-----w C:\Program Files\Common Files\L&H
2007-08-30 00:27    ---------   d-----w C:\Program Files\Microsoft ActiveSync
2007-08-30 00:26    ---------   d-----w C:\Program Files\Microsoft.NET
2007-08-30 00:24    ---------   d-----w C:\Program Files\MagicDisc
2007-08-29 17:17    ---------   d-----w C:\Program Files\PowerISO
2007-08-29 10:04    ---------   d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-29 10:01    ---------   d-----w C:\Program Files\MagicISO
2007-08-29 07:47    ---------   d-----w C:\Program Files\Common Files\Macromedia Shared
2007-08-29 07:46    ---------   d-----w C:\Program Files\Macromedia
2007-08-29 07:46    ---------   d-----w C:\Program Files\Common Files\Macromedia
2007-08-29 07:31    ---------   d-----w C:\Program Files\TechTracker
2007-08-29 07:30    ---------   d-----w C:\Program Files\XP Smoker
2007-08-29 07:28    ---------   d-----w C:\Program Files\Dachshund Software
2007-08-29 07:25    ---------   d-----w C:\Program Files\IObit
2007-08-29 07:07    ---------   d-----w C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
2007-08-29 02:18    ---------   d-----w C:\Documents and Settings\Sondra Hicks\Application Data\Yahoo!
2007-08-29 00:36    ---------   d-----w C:\Program Files\uTorrent
2007-08-28 23:40    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-08-28 11:34    ---------   d-----w C:\Program Files\Symantec
2007-08-28 11:34    ---------   d-----w C:\Program Files\Common Files\Symantec Shared
2007-08-28 11:34    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-08-28 11:06    ---------   d-----w C:\Program Files\MSXML 4.0
2007-08-28 08:37    ---------   d-----w C:\Program Files\Alwil Software
2007-08-28 08:35    ---------   d-----w C:\Documents and Settings\Sondra Hicks\Application Data\GlobalSCAPE
2007-08-28 08:33    ---------   d-----w C:\Program Files\GlobalSCAPE
2007-08-28 08:18    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-08-28 08:17    ---------   d-----w C:\Program Files\Yahoo!
2007-08-28 08:04    1,724   --sha-r C:\WINDOWS\system32\drivers\103C_HP_NTBK_HP Pavilion dv9000 (RG564AV#ABA)_YN_0Pavi_QCNF6410RJ1_E432248001_46_I30B9_SQuanta_V65.20_BF.18_T060913_WXH2_L409_M991_J80_7AMD_8Turion 64 X2 Technology TL-50_91.61_#060916_N14E44311_(RG564AV#ABA).MRK
2007-08-28 07:59    ---------   d-----w C:\Program Files\HPQ
2007-08-28 07:56    ---------   d-----w C:\Documents and Settings\Sondra Hicks\Application Data\Netscape
2007-08-28 07:06    ---------   d-----w C:\Program Files\Java
2005-09-24 15:49    12,288  -c--a-w C:\WINDOWS\Fonts\RandFont.dll
.


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-10-01 09:53]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-26 12:48]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-20 16:30]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSetFolders"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoTrayItemsDisplay"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"LockTaskbar"=1 (0x1)
"NoSimpleStartMenu"=0 (0x0)
"NoFavoritesMenu"=1 (0x1)
"NoRecentDocsMenu"=0 (0x0)
"NoRecentDocsHistory"=1 (0x1)
"NoSMMyPictures"=1 (0x1)
"NoStartMenuMyMusic"=1 (0x1)
"NoResolveSearch"=1 (0x1)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"=1 (0x1)


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtqq.dll


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VersionTracker Pro.lnk]
backup=C:\WINDOWS\pss\VersionTracker Pro.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sondra Hicks^Start Menu^Programs^StartUp^AntiCrash.lnk]
backup=C:\WINDOWS\pss\AntiCrash.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sondra Hicks^Start Menu^Programs^StartUp^MagicDisc.lnk]
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sondra Hicks^Start Menu^Programs^StartUp^RocketDock.lnk]
path=C:\Documents and Settings\Sondra Hicks\Start Menu\Programs\StartUp\RocketDock.lnk
backup=C:\WINDOWS\pss\RocketDock.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sondra Hicks^Start Menu^Programs^StartUp^TransBar.lnk]
path=C:\Documents and Settings\Sondra Hicks\Start Menu\Programs\StartUp\TransBar.lnk
backup=C:\WINDOWS\pss\TransBar.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sondra Hicks^Start Menu^Programs^StartUp^Vongo Tray.lnk]
backup=C:\WINDOWS\pss\Vongo Tray.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sondra Hicks^Start Menu^Programs^StartUp^Y'z Shadow.lnk]
path=C:\Documents and Settings\Sondra Hicks\Start Menu\Programs\StartUp\Y'z Shadow.lnk
backup=C:\WINDOWS\pss\Y'z Shadow.lnkStartup



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
C:\WINDOWS\VM_STI.EXE Vimicro USB PC Camera (ZC0301PL)


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"c:\Program Files\Common Files\Symantec Shared\ccApp.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
CHDAudPropShortcut.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet /nodetect


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qlu]
C:\Program Files\QLU\qlu.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
"C:\Program Files\HP\QuickPlay\QPService.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
C:\Windows\SMINST\RecGuard.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
C:\Windows\CREATOR\Remind_XP.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\tsitra1044.exe 61A847B5BBF72813329F3C466188719AB689201522886B092CBD44BD8689220221DD3257


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
"c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
"C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"


R1 MSFWHLPR;MSFWHLPR;C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
R2 MSFWDrv;MSFWDrv;C:\WINDOWS\system32\DRIVERS\msfwdrv.sys
R2 msfwsvc;OneCare Firewall;"C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"
R2 OneCareMP;OneCare AntiSpyware and AntiVirus;"C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"
R3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\system32\DRIVERS\MpFilter.sys
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam  ;C:\WINDOWS\system32\Drivers\5U870CAP.sys
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\NSNDIS5.SYS


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command - G:\autorun.exe
directx\command - G:\Support\DirectX\dxsetup.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c45b0b3e-5d0d-11dc-b44e-0014a5f269e3}]
AutoRun\command - G:\LaunchU3.exe -a


.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 04:58:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************


catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-31 13:00:41
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************
.
Completion time: 2007-10-31 13:01:56 - machine was rebooted
.
--- E O F ---
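The reply earlier in the thread suggests noting the trojan file's creation time and hunting in \Windows\system32, \Windows and C:\ for anything created in the same few seconds, and the ComboFix log above supplies exactly the kind of timestamped listing that makes this practical. The Python script below is an added example written for this page; it is not code posted in the thread and not part of ComboFix or HijackThis. It parses the "Files Created" and "Find3M" lines of a ComboFix log, lists what was created within a window of a chosen pivot entry, groups creation times into bursts, and cross-checks the "Reg Loading Points" section against the "Other Deletions" list (the log above shows the LSA "Authentication Packages" value and the "runner1" startup entry still naming awtqq.dll and tsitra1044.exe, both of which ComboFix deleted). The sample input is a handful of lines copied from the log in this thread; the ten-minute window and the live-filesystem function are assumptions for illustration, since ComboFix only records minutes.

```python
# Added example (not from the thread): turn the timestamp hunt the earlier reply
# describes, and the ComboFix log posted above, into a repeatable check.
import os
import re
from datetime import datetime, timedelta

# One "Files Created"/"Find3M" line, e.g.
# 2007-10-29 13:19    32,256  --a------   C:\WINDOWS\system32\iifgdeb.dll
_LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
                   r"(?P<size>[\d,]+|<DIR>|-{3,})\s+"
                   r"(?P<attrs>[-a-zA-Z]{7,9})\s+(?P<path>\S.*)$")
# A drive-letter path ending in an executable extension, inside a registry line.
_BIN = re.compile(r'[A-Za-z]:\\[^"\[\]]+?\.(?:exe|dll|sys)\b', re.IGNORECASE)

def parse_combofix_created(text):
    """Parse ComboFix file listings into dicts with ts/size/attrs/path."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            size = m["size"]
            out.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M"),
                        "size": int(size.replace(",", "")) if size[0].isdigit() else None,
                        "attrs": m["attrs"], "path": m["path"].rstrip()})
    return out

def created_within(records, pivot, window):
    """Records created within +/- window of the pivot time (the reply's
    'hunt around ... a 10 second window'; ComboFix only gives minutes)."""
    return sorted((r for r in records if abs(r["ts"] - pivot) <= window), key=lambda r: r["ts"])

def burst_clusters(records, gap):
    """Group records whose creation times run together: a dropper writing
    several files shows up as one burst."""
    clusters = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if clusters and r["ts"] - clusters[-1][-1]["ts"] <= gap:
            clusters[-1].append(r)
        else:
            clusters.append([r])
    return clusters

def orphaned_load_points(reg_text, deleted_paths):
    """Registry loading points that still name a file ComboFix deleted."""
    deleted = {p.lower() for p in deleted_paths}
    return [(line.strip(), m.group(0)) for line in reg_text.splitlines()
            for m in _BIN.finditer(line) if m.group(0).lower() in deleted]

def scan_tree_near(pivot_path, roots, window_seconds):
    """Live version of the hunt: files under roots whose st_ctime is within
    window_seconds of the pivot file's. On Windows st_ctime is creation time;
    on POSIX it is inode-change time, so this only means 'created' on Windows."""
    pivot = os.stat(pivot_path).st_ctime
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
            for name in files:
                try:
                    ct = os.stat(os.path.join(dirpath, name)).st_ctime
                except OSError:
                    continue
                if abs(ct - pivot) <= window_seconds:
                    hits.append((datetime.fromtimestamp(ct), os.path.join(dirpath, name)))
    return sorted(hits)

# Constructed sample: lines copied from the ComboFix log in this thread.
SAMPLE = r"""
2007-10-29 13:19    32,256  --a------   C:\WINDOWS\system32\iifgdeb.dll
2007-10-29 13:18    102,664 --a------   C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-29 13:13    <DIR>    d--------   C:\WINDOWS\BDOSCAN8
2007-10-29 13:10    32,256  --a------   C:\WINDOWS\system32\mljhhhh.dll
2007-10-29 12:52    32,256  --a------   C:\WINDOWS\system32\urqnlmk.dll.vir
2007-10-29 02:47    32,256  --a------   C:\WINDOWS\system32\yayxvsq.dll.vir
2007-10-29 02:45    258,048 --a------   C:\whatever.exe
2007-10-21 21:02    ---------   d-----w C:\Program Files\Quicken
"""
REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-26 12:48]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtqq.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\tsitra1044.exe 61A847B5BBF72813329F3C466188719AB689201522886B092CBD44BD8689220221DD3257
"""
DELETED = [r"C:\WINDOWS\system32\awtqq.dll", r"C:\WINDOWS\b122.exe", r"C:\WINDOWS\tsitra1044.exe"]
WINDOW = timedelta(minutes=10)  # assumed window; the reply talks of seconds

if __name__ == "__main__":
    recs = parse_combofix_created(SAMPLE)
    for r in created_within(recs, recs[3]["ts"], WINDOW):   # pivot: mljhhhh.dll
        print(r["ts"], r["path"])
    for line, path in orphaned_load_points(REG, DELETED):
        print("still referenced:", path, "<-", line)
```

Timestamps narrow the list; they do not judge it. The same ten minutes around mljhhhh.dll also contain the Trend Micro HouseCall and BitDefender online-scanner files the poster was running, so every hit still has to be identified by hand. A loading point that outlives the file it names is worth clearing, and is also the first place to look when, as the reply warns, a deleted file reappears after a reboot.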

