Hey there,
At night, I was about to check my email when I noticed the icons on My Computer and Windows Explorer were missing. After a few minutes of use, a pop-up popped up. It showed the program's name, such as (iTunes.exe - Bad Image).
The pop-up says "The application or DLL C:\WINDOWS\system32\skqnbib.dll is not a valid Windows image. Please check this against your installation diskette."
I have no clue what this is... and it pops up for every program I use, such as Skype, Windows Messenger, MapleStory, etc.
Everything works fine, but it's just that I have to click the pop-ups until they disappear.
After that more come up, but those are the ones that always pop up; the DLLUP: ntum.exe and cmd.exe.
I don't know what I can do to get rid of this, and I don't have an installation diskette, so... please help me out. Thanks.
Well, I was just researching all this and some said to run ComboFix.exe.
I got it and it did its thing. Now I only get pop-ups when I run a program, but no more constant popping up. It only pops up when I click an icon such as Skype, etc.
Well, here's the log of the ComboFix if you wanna see it:
ComboFix 08-06-20.4 - Xing-Guo Sun MD 06/25/2008 1142.1 - FAT32x86
Running from: C:\Downloads\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section not completed
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\inetget2
C:\Program Files\ipwindows
C:\Program Files\ipwindows\ipwins.dll
C:\Program Files\ipwindows\ipwins.exe
C:\Program Files\ipwindows\UnInstall.exe
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b128.exe.bin
C:\WINDOWS\b129.exe
C:\WINDOWS\IA
C:\WINDOWS\IA\asappsrv.dll
C:\WINDOWS\IA\command.exe
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\system32\aitlasys.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\axmsawin.exe
C:\WINDOWS\system32\Cfx32.lic
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\ciwdaapi.sys
C:\WINDOWS\system32\etshabty.exe
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\fstlbsys.sys
C:\WINDOWS\system32\fzmsbwin.sys
C:\WINDOWS\system32\ghwxattb.exe
C:\WINDOWS\system32\gpsgajba.sys
C:\WINDOWS\system32\ijsgajba.sys
C:\WINDOWS\system32\isdsasrv.exe
C:\WINDOWS\system32\ismhasrv.exe
C:\WINDOWS\system32\jashbbty.sys
C:\WINDOWS\system32\lojxadwd.exe
C:\WINDOWS\system32\lpsgajba.exe
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\MMHADPQG1097.dll
C:\WINDOWS\system32\mnmhgsrv.dll
C:\WINDOWS\system32\mpwdeapi.dll
C:\WINDOWS\system32\newxbttb.sys
C:\WINDOWS\system32\oswxdttb.dll
C:\WINDOWS\system32\ozfyebyt.dll
C:\WINDOWS\system32\pjjxedwd.dll
C:\WINDOWS\system32\s2da2f323.dll
C:\WINDOWS\system32\scurit~1
C:\WINDOWS\system32\simyaapi.exe
C:\WINDOWS\system32\siwdaapi.exe
C:\WINDOWS\system32\skqncbib.dll
C:\WINDOWS\system32\smmhbsrv.sys
C:\WINDOWS\system32\spmybapi.sys
C:\WINDOWS\system32\spwdbapi.sys
C:\WINDOWS\system32\tiwxattb.sys
C:\WINDOWS\system32\toqnabib.sys
C:\WINDOWS\system32\xfztbmsn.sys
C:\WINDOWS\system32\xzcsbhlp.sys
C:\WINDOWS\system32\ysjxbdwd.sys
C:\WINDOWS\system32\ystem~1
C:\WINDOWS\system32\yxcschlp.dll
C:\WINDOWS\system32\zaztamsn.exe
C:\WINDOWS\system32\zptlcsys.dll
C:\WINDOWS\system32\zxcsahlp.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\wr.txt
----- BITS: Possible infected sites -----
hxxp://reispam01.labiomed.org
Infected copy of C:\WINDOWS\explorer.exe was found & disinfected
Restored copy from - C:\WINDOWS\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.
2008-06-25 11:16 . 2008-06-21 04:58 <DIR> d-------- C:\327882R2FWJFW
2008-06-24 23:21 . 2004-08-04 00:56 1,032,192 --a------ C:\WINDOWS\yotk.exe
2008-06-24 23:21 . 2004-08-04 00:56 1,032,192 --a------ C:\WINDOWS\ktlu.exe
2008-06-24 23:05 . 2004-08-04 00:56 1,032,192 --a------ C:\WINDOWS\vymp.exe
2008-06-24 22:52 . 2008-06-24 22:52 17,070 --------- C:\WINDOWS\system32\rmfw22.exe
2008-06-24 22:39 . 2004-08-04 00:56 1,032,192 --a------ C:\WINDOWS\ziio.exe
2008-06-24 22:36 . 2008-06-24 22:36 17,707 --------- C:\WINDOWS\system32\dgkd0.exe
2008-06-24 22:20 . 2008-06-24 22:20 <DIR> d--hs---- C:\FOUND.000
2008-06-24 18:24 . 2008-06-24 18:24 24,576 --a------ C:\WINDOWS\system32\womsoy.dll
2008-06-24 18:24 . 2008-06-24 18:24 11,264 --a------ C:\WINDOWS\system32\womsoyk.exe
2008-06-24 18:23 . 2008-06-24 18:23 24 --a------ C:\WINDOWS\system32\ngjxakin.sys
2008-06-24 18:23 . 2008-06-24 18:23 24 --a------ C:\WINDOWS\system32\ijzhatde.sys
2008-06-09 17:04 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-06-09 16:58 . 2008-06-09 16:58 <DIR> d-------- C:\WINDOWS\Logs
2008-05-30 02:17 . 2008-05-30 02:17 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\VOL_TOOLBAR
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 17:43 98,304 --sh--w C:\WINDOWS\system32\yzztkmsn.dll
2008-05-30 21:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 21:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 21:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 21:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 21:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 21:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 21:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-21 23:31 --------- d-----w C:\Documents and Settings\Xing-Guo Sun MD\Application Data\Motive
2008-05-21 23:11 --------- d-----w C:\Documents and Settings\Xing-Guo Sun MD\Application Data\Verizon
2008-05-21 23:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Verizon
2008-05-21 23:10 --------- d-----w C:\Program Files\Common Files\Motive
2008-05-21 23:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2008-05-21 23:08 --------- d-----w C:\Program Files\vol_toolbar
2008-05-21 23:08 --------- d-----w C:\Documents and Settings\Xing-Guo Sun MD\Application Data\vol_toolbar
2008-05-21 22:57 --------- d-----w C:\Program Files\Verizon
2008-01-27 19:34 154,024 ----a-w C:\Documents and Settings\Xing-Guo Sun MD\Application Data\GDIPFONTCACHEV1.DAT
2007-12-22 03:13 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-03-30 00:35 5,120 ----a-w C:\Program Files\pythonw.exe
2006-03-30 00:35 4,608 ----a-w C:\Program Files\w9xpopen.exe
2006-03-30 00:35 4,608 ----a-w C:\Program Files\python.exe
2006-03-29 20:24 245,894 ----a-w C:\Program Files\NEWS.txt
2006-03-23 17:47 13,755 ----a-w C:\Program Files\LICENSE.txt
2006-03-13 21:51 51,999 ----a-w C:\Program Files\README.txt
2005-10-29 03:15 766 ----a-w C:\Program Files\pyc.ico
2005-10-29 03:15 766 ----a-w C:\Program Files\py.ico
2004-01-30 02:16 114,984 ------w C:\Documents and Settings\xgsun\Application Data\GDIPFONTCACHEV1.DAT
2004-01-04 23:33 32,768 ------w C:\Documents and Settings\xgsun\index.dat
2002-08-04 11:23 234 ------w C:\Program Files\INSTALL.LOG
2001-09-18 01:00 82,206 ------w C:\Program Files\installScreen.jpg
2001-09-07 00:02 91,469 ------w C:\Program Files\installScreen2.jpg
2000-12-12 18:17 100,432 ------w C:\Program Files\Win2000PPAHotfix.exe
2004-08-08 18:17 513,544 --sh--w C:\WINDOWS\system32\apsggjba.dll
2004-08-08 17:42 15,129 --sh--w C:\WINDOWS\system32\tjfyabyt.exe
2004-08-08 17:46 17,228 --sh--w C:\WINDOWS\system32\lpzhatde.exe
2004-08-08 17:46 140,288 --sh--w C:\WINDOWS\system32\opshcbty.dll
2004-08-08 17:46 433,152 --sh--w C:\WINDOWS\system32\apzhctde.dll
2004-08-08 18:13 15,973 --sh--w C:\WINDOWS\system32\dfqnabib.exe
2004-08-08 18:17 534,024 --sh--w C:\WINDOWS\system32\mndshsrv.dll
2004-08-08 17:42 520 --sh--w C:\WINDOWS\system32\snfybbyt.sys
2004-08-08 17:46 1,040 --sh--w C:\WINDOWS\system32\gpzhatde.sys
2004-08-08 01:23 520 --sh--w C:\WINDOWS\system32\erjxakin.sys
2004-08-08 18:13 520 --sh--w C:\WINDOWS\system32\aoqnabib.sys
2004-08-08 18:17 1,040 --sh--w C:\WINDOWS\system32\smdsbsrv.sys
2004-08-08 05:45 537,608 --sh--w C:\WINDOWS\system32\zxmsdwin.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15E0A74E-30FD-6E54-A349-6BE33DE5FCE8}]
C:\WINDOWS\system32\gjcwptw.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32023698-6984-8541-9654-698745012523}]
C:\WINDOWS\system32\skqncbib.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32596546-2036-9451-6058-658402589723}]
2004-08-08 10:46 140288 ---hs---- C:\WINDOWS\system32\opshcbty.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35671234-7890-ABCD-CDEF-567801237653}]
C:\WINDOWS\system32\yxcschlp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D698451-2015-6358-9871-2015987452D3}]
2004-08-08 10:46 433152 ---hs---- C:\WINDOWS\system32\apzhctde.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43512378-9874-5641-1025-985420368734}]
C:\WINDOWS\system32\oswxdttb.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50940F85-F015-14F1-A05F-F69858AC6D05}]
C:\WINDOWS\system32\zptlcsys.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54FAE856-AD58-20CB-A025-CD4895FA6E45}]
C:\WINDOWS\system32\pjjxedwd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55694105-5108-9405-3695-954187462155}]
C:\WINDOWS\system32\mpwdeapi.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A069845-2036-6084-9054-6087502480A5}]
C:\WINDOWS\system32\ozfyebyt.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A041F13-A111-12A3-B0CF-F99818AA68A7}]
2004-08-07 22:45 537608 ---hs---- C:\WINDOWS\system32\zxmsdwin.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C8D1401-A58D-A81C-CD24-A5915C4517C7}]
C:\WINDOWS\system32\mnmhgsrv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FD45A54-9875-698F-E56E-65102358FDF7}]
2004-08-08 11:17 513544 ---hs---- C:\WINDOWS\system32\apsggjba.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87FD640A-158F-48AC-FD14-1597F14A9778}]
2004-08-08 11:17 534024 ---hs---- C:\WINDOWS\system32\mndshsrv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A629FF4F-ACDB-5C90-A098-FACB3456A26A}]
C:\WINDOWS\system32\s2da2f323.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B490415F-65F8-B5C5-D8BA-9405FB12054B}]
2008-06-25 10:43 98304 ---hs---- C:\WINDOWS\system32\yzztkmsn.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"Microsoft AUT Update"="MSlti16.exe" []
"Skype"="D:\sam's games\Skype\Phone\Skype.exe" [2007-12-07 16:08 21686568]
"IpWins"="C:\Program Files\Ipwindows\ipwins.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2001-08-03 19:21 1409024]
"OfficeScanNT Monitor"="C:\OFFICESCAN NT\pccntmon.exe" [2006-09-01 17:58 356429]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:32 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-18 05:00 44032]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [ ]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [ ]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [ ]
"GhostStartTrayApp"="C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2002-08-14 15:21 94208]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 03:03 49263]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-02-10 09:27 4501504]
"nwiz"="nwiz.exe" [2003-02-10 09:27 323584 C:\WINDOWS\system32\nwiz.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2005-07-22 19:18 188416]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 01:11 24576]
"V0230Mon.exe"="C:\WINDOWS\system32\V0230Mon.exe" [2006-07-19 09:00 36961]
"runner1"="C:\WINDOWS\retadpu11.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55 267064]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 11:30 936960]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 15:20 2061816]
"combofix"="C:\WINDOWS\system32\CF30727.exe" [2004-08-04 00:56 388608]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft AUT Update"="MSlti16.exe" []
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B490415F-65F8-B5C5-D8BA-9405FB12054B}"= C:\WINDOWS\system32\yzztkmsn.dll [2008-06-25 10:43 98304]
"{55694105-5108-9405-3695-954187462155}"= C:\WINDOWS\system32\mpwdeapi.dll [ ]
"{7C8D1401-A58D-A81C-CD24-A5915C4517C7}"= C:\WINDOWS\system32\mnmhgsrv.dll [ ]
"{5A069845-2036-6084-9054-6087502480A5}"= C:\WINDOWS\system32\ozfyebyt.dll [ ]
"{32596546-2036-9451-6058-658402589723}"= C:\WINDOWS\system32\opshcbty.dll [2004-08-08 10:46 140288]
"{7A041F13-A111-12A3-B0CF-F99818AA68A7}"= C:\WINDOWS\system32\zxmsdwin.dll [2004-08-07 22:45 537608]
"{3D698451-2015-6358-9871-2015987452D3}"= C:\WINDOWS\system32\apzhctde.dll [2004-08-08 10:46 433152]
"{A629FF4F-ACDB-5C90-A098-FACB3456A26A}"= C:\WINDOWS\system32\s2da2f323.dll [ ]
"{32023698-6984-8541-9654-698745012523}"= C:\WINDOWS\system32\skqncbib.dll [ ]
"{7FD45A54-9875-698F-E56E-65102358FDF7}"= C:\WINDOWS\system32\apsggjba.dll [2004-08-08 11:17 513544]
"{87FD640A-158F-48AC-FD14-1597F14A9778}"= C:\WINDOWS\system32\mndshsrv.dll [2004-08-08 11:17 534024]
"{54FAE856-AD58-20CB-A025-CD4895FA6E45}"= C:\WINDOWS\system32\pjjxedwd.dll [ ]
"{35671234-7890-ABCD-CDEF-567801237653}"= C:\WINDOWS\system32\yxcschlp.dll [ ]
"{43512378-9874-5641-1025-985420368734}"= C:\WINDOWS\system32\oswxdttb.dll [ ]
"{50940F85-F015-14F1-A05F-F69858AC6D05}"= C:\WINDOWS\system32\zptlcsys.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2003-04-08 17:45 24666 C:\WINDOWS\system32\ckpNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=yzztkmsn.dll,skqncbib.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Temp.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Clean Temp.lnk
backup=C:\WINDOWS\pss\Clean Temp.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Date Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Date Manager.lnk
backup=C:\WINDOWS\pss\Date Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Gas Off.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Gas Off.lnk
backup=C:\WINDOWS\pss\Gas Off.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=C:\WINDOWS\pss\PrecisionTime.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]
C:\Program Files\Common Files\CMEII\CMESys.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\System32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadWare]
C:\Program Files\DownloadWare\dw.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2001-08-18 05:00 44032 C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 22:32 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
--------- 2001-06-14 16:54 254022 C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]
--------- 2001-09-12 11:35 61440 C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Startup Options]
--------- 2001-01-17 17:33 45056 C:\Program Files\Iomega\Common\ImgStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoviePlace]
C:\Program Files\MoviePlace\MoviePlace.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
--------- 2006-09-01 17:58 356429 C:\OfficeScan NT\pccntmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Real-Tens]
--------- 2002-01-16 18:04 87040 C:\Program Files\Real-Tens\Real-Tens.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysExplr]
--------- 2003-03-02 00:23 26624 C:\SthVCD\SysExplr.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"D:\\sam's games\\NEXON\\MapleStory\\Patcher.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"D:\\sam's games\\Skype\\Phone\\Skype.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57b7de60-8e06-11db-8854-0008740432dd}]
\Shell\Auto\command - F:\boot.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-23 08:36:02 C:\WINDOWS\Tasks\backup-C+D(sony).job"
- C:\WINDOWS\system32\ntbackup.exeobackup
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 11:36:53
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
C:\WINDOWS\SYSTEM32\CRYPSERV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\PROGRAM FILES\SYMANTEC\NORTON GHOST 2003\GHOSTSTARTSERVICE.EXE
C:\PROGRAM FILES\BORLAND\INTERBASE\BIN\IBGUARD.EXE
C:\PROGRAM FILES\IOMEGA\SYSTEM32\ACTIVITYDISK.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\MSSQL7\BINN\SQLSERVR.EXE
C:\LAB4\MYSQL\BIN\MYSQLD-NT.EXE
C:\OFFICESCAN NT\NTRTSCAN.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\PROGRAM FILES\PROMISE\UTILITY\MSGAGT.EXE
C:\PROGRAM FILES\PROMISE\UTILITY\MSGSVR.EXE
C:\OFFICESCAN NT\TMLISTEN.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\OFFICESCAN NT\OFCPFWSVC.EXE
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\OfficeScan NT\pccntupd.exe
C:\WINDOWS\TEMP\MXECB9.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\sam's games\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-06-25 11:40:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-25 18:40:16
Pre-Run: 5,617,008,640 bytes free
Post-Run: 5,779,095,552 bytes free
Welcome
Please download and install the latest version of HijackThis v2.0.2:
CLICK HERE to download the HijackThis Installer: TrendSecure | Download TrendMicro HijackThis
1. Save HJTInstall.exe to your desktop.
2. Double-click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
8. Come back here to this thread and paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Also...
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Hey Neal, thanks for the information, I'll do that soon.
However, just wondering: what does HijackThis do?
This should get rid of the things, right?
And also, was I supposed to use ComboFix? Because it did take out the problem. Now I just want to investigate what really happened.
Never mind, it still pops up when I run a program. But it used to pop up when I did anything, such as opening Task Manager, but now it only does it when I use things like Skype, AIM and such.
Hey Neal, I did what you asked about HijackThis and such, but I have a problem with saving the log. This is what comes up when I click Save log:
ERROR: The current date of Wednesday, June 25, 2008 is past the final
expiration date for your SAS system, which is Friday, September 28,
2007. Please contact your SAS Software Representative to obtain your
updated SETINIT information.
ERROR: Initialization of SETINIT information from SASHELP failed.
FATAL: Unable to initialize the options subsystem.
ERROR: (SASXKINI): PHASE 3 KERNEL INITIALIZATION FAILED.
UNABLE TO INITIALIZE THE SAS KERNEL
Yeah... weird. And I can't see the log. Every time I click it, it brings this up.
OK, here's a list of my Add/Remove programs:
Ad-aware 6 Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0
Adobe Shockwave Player
Adobe Type Manager 4.0
Advanced Video FX Engine
Amos 7
AnswerWorks Runtime
Apple Mobile Device Support
Apple Software Update
AutoCAD 2006 - English
Autodesk DWF Viewer
Borland Delphi 5
Breeze Suite 6.2C
CatchUp V1.3
Chinese (Simplified) Language Support
Command
Corel Applications
Creative Live! Cam Center
Creative Live! Cam Video IM Pro Driver (1.00.07.0725)
Creative Software AutoUpdate
Creative System Information
DecoderBlaster 5
DigitalPrint 1.0
DivX 5.0.2 Pro Bundle
DVDExpress
DVgate
EPSON Printer Software
FlashGet(JetCar)
greenstreet Picture Browser
Hardlock Device Driver
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
hp deskjet 6122 series
Ink Monitor
InterActual Player
InterBase
Iomega App Services
IomegaWare
ISI ResearchSoft - Export Helper
iTunes
J2SE Runtime Environment 5.0 Update 8
Java 2 Runtime Environment Standard Edition v1.3
Java 2 Runtime Environment, SE v1.4.2_04
Java 2 Runtime Environment, SE v1.4.2_09
Lame ACM MP3 Codec
LF8.5A for PWC
LimeWire 4.16.6
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
LOTUS ScreenSaver
MapleStory
MAX_II
Media Bar 3.2.11
Media Library Management Wizard
MetaSoft
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Global IME for Office XP (Simplified Chinese)
Microsoft Global IME for Office XP (Traditional Chinese)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Publisher 2002
Microsoft SQL Server Desktop Engine
Motion JPEG Software Decoder
MoviePlace
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser
Music Visualizer Library 1.1
MyOLEDB Provider (20 February 2001)
Network Monitor
Norton Ghost
NVIDIA Windows 2000/XP Display Drivers
OpenMG Secure Module
Origin7
OTOY
PDF-to-Word 2.5 Demo
Personal License Update Wizard for Windows Media Player
PicoPlayer
PictureGear 5.1
Plus! MP3 Audio Converter LE
Promise Array Management
Python 2.4.3
Quicken 2002 New User Edition
QuickTime
RealPlayer
RealProducer Basic 8.5
Real-Tens
Reference Manager 10
RIS Web Helper
SAS 9.1
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB933566)
SigmaPlot 8.0
Skype™ 3.6
Smart Capture
SonicStage
SonicStage CD-R Writing Module
Sony Certificate PCH
Sony DV Shared Library
Sony on Yahoo!
SPSS 15.0 for Windows
SPSS 7.5 for Windows
SPSS Data Access Pack 4.4 for Windows
SPSS Dimensions Component Pack 3.5
SPSS-Python Integration Plug-In 15.0
Spybot - Search & Destroy 1.2
Support Actions Win2K,WinXP
Trend Micro OfficeScan Client
TurboFit 5.05
VAIO Action Setup
VAIO Grid Wallpaper
VAIO Help & Support
VAIO Registration
VAIO Support
Vaio Tour
VAIOWorld
Verizon Broadband Toolbar
Verizon Online Help and Support
Verizon Servicepoint 1.5.12
VisualFlow 2.1
Windows Internet Explorer 7
Windows Media Bonus Pack for Windows XP
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Playlist Import to Excel Wizard
Windows Media Player Skin Importer
Windows Media Player Tray Control
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885836
Windows XP Service Pack 2
WinRAR archiver
Yahoo! Toolbar
By the way, most of the stuff on the computer is my dad's and I have no clue what half of them do.
I finally had time to go back through the ComboFix log you posted, and that sure is one messed-up computer. After this is clean (if it can be cleaned) you need to change all your passwords; if any online banking or credit card transactions have been done, those companies need to be notified of possible identity theft.
Open Notepad (must be Notepad) and copy/paste the text in the quote box below into it (NOT the word "quote"):
File::
C:\WINDOWS\yotk.exe
C:\WINDOWS\ktlu.exe
C:\WINDOWS\vymp.exe
C:\WINDOWS\system32\rmfw22.exe
C:\WINDOWS\ziio.exe
C:\WINDOWS\system32\dgkd0.exe
C:\WINDOWS\system32\womsoy.dll
C:\WINDOWS\system32\womsoyk.exe
C:\WINDOWS\system32\ngjxakin.sys
C:\WINDOWS\system32\ijzhatde.sys
C:\WINDOWS\system32\yzztkmsn.dll
C:\WINDOWS\system32\apsggjba.dll
C:\WINDOWS\system32\tjfyabyt.exe
C:\WINDOWS\system32\lpzhatde.exe
C:\WINDOWS\system32\opshcbty.dll
C:\WINDOWS\system32\apzhctde.dll
C:\WINDOWS\system32\dfqnabib.exe
C:\WINDOWS\system32\mndshsrv.dll
C:\WINDOWS\system32\snfybbyt.sys
C:\WINDOWS\system32\gpzhatde.sys
C:\WINDOWS\system32\erjxakin.sys
C:\WINDOWS\system32\aoqnabib.sys
C:\WINDOWS\system32\smdsbsrv.sys
C:\WINDOWS\system32\zxmsdwin.dll
C:\WINDOWS\system32\gjcwptw.dll
C:\WINDOWS\system32\skqncbib.dll
C:\WINDOWS\system32\zptlcsys.dll
C:\WINDOWS\system32\pjjxedwd.dll
C:\WINDOWS\system32\mpwdeapi.dll
C:\WINDOWS\system32\ozfyebyt.dll
C:\WINDOWS\system32\mndshsrv.dll
C:\WINDOWS\system32\s2da2f323.dll
Folder::
C:\Program Files\Ipwindows
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15E0A74E-30FD-6E54-A349-6BE33DE5FCE8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32023698-6984-8541-9654-698745012523}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32596546-2036-9451-6058-658402589723}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35671234-7890-ABCD-CDEF-567801237653}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D698451-2015-6358-9871-2015987452D3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43512378-9874-5641-1025-985420368734}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50940F85-F015-14F1-A05F-F69858AC6D05}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54FAE856-AD58-20CB-A025-CD4895FA6E45}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55694105-5108-9405-3695-954187462155}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A069845-2036-6084-9054-6087502480A5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A041F13-A111-12A3-B0CF-F99818AA68A7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87FD640A-158F-48AC-FD14-1597F14A9778}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A629FF4F-ACDB-5C90-A098-FACB3456A26A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B490415F-65F8-B5C5-D8BA-9405FB12054B}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IpWins"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B490415F-65F8-B5C5-D8BA-9405FB12054B}"=-
"{55694105-5108-9405-3695-954187462155}"=-
"{7C8D1401-A58D-A81C-CD24-A5915C4517C7}"=-
"{5A069845-2036-6084-9054-6087502480A5}"=-
"{32596546-2036-9451-6058-658402589723}"=-
"{7A041F13-A111-12A3-B0CF-F99818AA68A7}"=-
"{3D698451-2015-6358-9871-2015987452D3}"=-
"{A629FF4F-ACDB-5C90-A098-FACB3456A26A}"=-
"{32023698-6984-8541-9654-698745012523}"=-
"{7FD45A54-9875-698F-E56E-65102358FDF7}"=-
"{87FD640A-158F-48AC-FD14-1597F14A9778}"=-
"{54FAE856-AD58-20CB-A025-CD4895FA6E45}"=-
"{35671234-7890-ABCD-CDEF-567801237653}"=-
"{43512378-9874-5641-1025-985420368734}"=-
"{50940F85-F015-14F1-A05F-F69858AC6D05}"=-
Save this as CFScript
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
If you still have problems posting the HijackThis log, do this:
Right-click on hijackthis.exe, select Rename, rename it foolyou.exe and press Enter.
Hey Neal. I did all of the above and guess what?! All the pop-ups stopped! Man... you are a super computer genius! Anywho, I still have to make sure that this is all gone and away from my computer. Here's the log for ComboFix.
ComboFix 08-06-20.4 - Xing-Guo Sun MD 2008-06-27 13:42:45.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.120 [GMT -7:00]
Running from: C:\Documents and Settings\Xing-Guo Sun MD\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Xing-Guo Sun MD\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\ktlu.exe
C:\WINDOWS\system32\aoqnabib.sys
C:\WINDOWS\system32\apsggjba.dll
C:\WINDOWS\system32\apzhctde.dll
C:\WINDOWS\system32\dfqnabib.exe
C:\WINDOWS\system32\dgkd0.exe
C:\WINDOWS\system32\erjxakin.sys
C:\WINDOWS\system32\gjcwptw.dll
C:\WINDOWS\system32\gpzhatde.sys
C:\WINDOWS\system32\ijzhatde.sys
C:\WINDOWS\system32\lpzhatde.exe
C:\WINDOWS\system32\mndshsrv.dll
C:\WINDOWS\system32\mpwdeapi.dll
C:\WINDOWS\system32\ngjxakin.sys
C:\WINDOWS\system32\opshcbty.dll
C:\WINDOWS\system32\ozfyebyt.dll
C:\WINDOWS\system32\pjjxedwd.dll
C:\WINDOWS\system32\rmfw22.exe
C:\WINDOWS\system32\s2da2f323.dll
C:\WINDOWS\system32\skqncbib.dll
C:\WINDOWS\system32\smdsbsrv.sys
C:\WINDOWS\system32\snfybbyt.sys
C:\WINDOWS\system32\tjfyabyt.exe
C:\WINDOWS\system32\womsoy.dll
C:\WINDOWS\system32\womsoyk.exe
C:\WINDOWS\system32\yzztkmsn.dll
C:\WINDOWS\system32\zptlcsys.dll
C:\WINDOWS\system32\zxmsdwin.dll
C:\WINDOWS\vymp.exe
C:\WINDOWS\yotk.exe
C:\WINDOWS\ziio.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Xing-Guo Sun MD\Application Data\FNTS~1
C:\Documents and Settings\Xing-Guo Sun MD\Application Data\SMANTE~1
C:\Documents and Settings\Xing-Guo Sun MD\My Documents\CROSOF~1.NET
C:\WINDOWS\system32\aoqnabib.sys
C:\WINDOWS\system32\apsggjba.dll
C:\WINDOWS\system32\apzhctde.dll
C:\WINDOWS\system32\dfqnabib.exe
C:\WINDOWS\system32\dgkd0.exe
C:\WINDOWS\system32\erjxakin.sys
C:\WINDOWS\system32\gpzhatde.sys
C:\WINDOWS\system32\ijzhatde.sys
C:\WINDOWS\system32\lpzhatde.exe
C:\WINDOWS\system32\mndshsrv.dll
C:\WINDOWS\system32\ngjxakin.sys
C:\WINDOWS\system32\opshcbty.dll
C:\WINDOWS\system32\rmfw22.exe
C:\WINDOWS\system32\smdsbsrv.sys
C:\WINDOWS\system32\snfybbyt.sys
C:\WINDOWS\system32\tjfyabyt.exe
C:\WINDOWS\system32\womsoy.dll
C:\WINDOWS\system32\womsoyk.exe
C:\WINDOWS\system32\yzztkmsn.dll
C:\WINDOWS\system32\zxmsdwin.dll
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
-------\Service_Network Monitor
((((((((((((((((((((((((( Files Created from 2008-05-27 to 2008-06-27 )))))))))))))))))))))))))))))))
.
2008-06-26 00:11 . 2008-06-26 00:11 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-06-24 22:20 . 2008-06-24 22:20 <DIR> d--hs---- C:\FOUND.000
2008-06-09 17:04 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-06-09 16:58 . 2008-06-09 16:58 <DIR> d-------- C:\WINDOWS\Logs
2008-05-30 02:17 . 2008-05-30 02:17 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\VOL_TOOLBAR
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 21:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 21:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 21:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 21:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 21:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 21:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 21:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-21 23:31 --------- d-----w C:\Documents and Settings\Xing-Guo Sun MD\Application Data\Motive
2008-05-21 23:11 --------- d-----w C:\Documents and Settings\Xing-Guo Sun MD\Application Data\Verizon
2008-05-21 23:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Verizon
2008-05-21 23:10 --------- d-----w C:\Program Files\Common Files\Motive
2008-05-21 23:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2008-05-21 23:08 --------- d-----w C:\Program Files\vol_toolbar
2008-05-21 23:08 --------- d-----w C:\Documents and Settings\Xing-Guo Sun MD\Application Data\vol_toolbar
2008-05-21 22:57 --------- d-----w C:\Program Files\Verizon
2008-01-27 19:34 154,024 ----a-w C:\Documents and Settings\Xing-Guo Sun MD\Application Data\GDIPFONTCACHEV1.DAT
2007-12-22 03:13 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-03-30 00:35 5,120 ----a-w C:\Program Files\pythonw.exe
2006-03-30 00:35 4,608 ----a-w C:\Program Files\w9xpopen.exe
2006-03-30 00:35 4,608 ----a-w C:\Program Files\python.exe
2006-03-29 20:24 245,894 ----a-w C:\Program Files\NEWS.txt
2006-03-23 17:47 13,755 ----a-w C:\Program Files\LICENSE.txt
2006-03-13 21:51 51,999 ----a-w C:\Program Files\README.txt
2005-10-29 03:15 766 ----a-w C:\Program Files\pyc.ico
2005-10-29 03:15 766 ----a-w C:\Program Files\py.ico
2004-01-30 02:16 114,984 ------w C:\Documents and Settings\xgsun\Application Data\GDIPFONTCACHEV1.DAT
2004-01-04 23:33 32,768 ------w C:\Documents and Settings\xgsun\index.dat
2002-08-04 11:23 234 ------w C:\Program Files\INSTALL.LOG
2001-09-18 01:00 82,206 ------w C:\Program Files\installScreen.jpg
2001-09-07 00:02 91,469 ------w C:\Program Files\installScreen2.jpg
2000-12-12 18:17 100,432 ------w C:\Program Files\Win2000PPAHotfix.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-25_11.39.48.41 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-25 18:35:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-27 20:47:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-21 03:02:28 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-21 03:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2008-06-25 01:29:44 74,137 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-06-26 07:11:32 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
- 2008-06-25 17:41:40 8,535 ----a-w C:\WINDOWS\system32\nvModes.dat
+ 2008-06-27 20:31:06 8,535 ----a-w C:\WINDOWS\system32\nvModes.dat
+ 2008-06-27 20:47:46 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_10c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft AUT Update"="MSlti16.exe" []
"Skype"="D:\sam's games\Skype\Phone\Skype.exe" [2007-12-07 16:08 21686568]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2001-08-03 19:21 1409024]
"OfficeScanNT Monitor"="C:\OFFICESCAN NT\pccntmon.exe" [2006-09-01 17:58 356429]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:32 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-18 05:00 44032]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [ ]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [ ]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [ ]
"GhostStartTrayApp"="C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2002-08-14 15:21 94208]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 03:03 49263]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-02-10 09:27 4501504]
"nwiz"="nwiz.exe" [2003-02-10 09:27 323584 C:\WINDOWS\system32\nwiz.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2005-07-22 19:18 188416]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 01:11 24576]
"V0230Mon.exe"="C:\WINDOWS\system32\V0230Mon.exe" [2006-07-19 09:00 36961]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55 267064]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 11:30 936960]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 15:20 2061816]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft AUT Update"="MSlti16.exe" []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Clean Temp.lnk - C:\Program Files\MedGraphics\Breeze\CleanTemp.exe [2002-06-14 0907 20548]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-05-02 17:52:04 10872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2003-04-08 17:45 24666 C:\WINDOWS\system32\ckpNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=yzztkmsn.dll,skqncbib.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Temp.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Clean Temp.lnk
backup=C:\WINDOWS\pss\Clean Temp.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Date Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Date Manager.lnk
backup=C:\WINDOWS\pss\Date Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Gas Off.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Gas Off.lnk
backup=C:\WINDOWS\pss\Gas Off.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=C:\WINDOWS\pss\PrecisionTime.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]
C:\Program Files\Common Files\CMEII\CMESys.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\System32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadWare]
C:\Program Files\DownloadWare\dw.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2001-08-18 05:00 44032 C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 22:32 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
--------- 2001-06-14 16:54 254022 C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]
--------- 2001-09-12 11:35 61440 C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Startup Options]
--------- 2001-01-17 17:33 45056 C:\Program Files\Iomega\Common\ImgStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoviePlace]
C:\Program Files\MoviePlace\MoviePlace.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
--------- 2006-09-01 17:58 356429 C:\OfficeScan NT\pccntmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Real-Tens]
--------- 2002-01-16 18:04 87040 C:\Program Files\Real-Tens\Real-Tens.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysExplr]
--------- 2003-03-02 00:23 26624 C:\SthVCD\SysExplr.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"D:\\sam's games\\NEXON\\MapleStory\\Patcher.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"D:\\sam's games\\Skype\\Phone\\Skype.exe"=
R0 fasttrak;fasttrak;C:\WINDOWS\system32\DRIVERS\fasttrak.sys [2003-04-25 16:20]
R1 GhPciScan;GhostPciScanner;C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 15:11]
R1 SonyFanC;FAN Control Device Service;C:\WINDOWS\system32\Drivers\SonyFanC.sys [2001-09-06 16:21]
R2 V7;V7;C:\WINDOWS\system32\drivers\V7.sys [2000-03-09 11:24]
S2 Portio;Portio;C:\WINDOWS\system32\drivers\portio.sys [2004-03-16 02:40]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\ngrpci.sys []
S3 oad;Visibroker Activation Daemon;C:\PROGRA~1\Borland\vbroker\bin\oad.exe [1998-03-12 16:57]
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys [2003-04-08 10:44]
S3 osagent;VisiBroker Smart Agent;C:\PROGRA~1\Borland\vbroker\bin\osagent.exe [1998-03-12 16:58]
S3 sejt1;sejt1;C:\DOCUME~1\XING-G~1\LOCALS~1\Temp\Rar$EX00.357\AkumaEngine33\sejt.sys []
S3 V0230Vfx;V0230Vfx;C:\WINDOWS\system32\DRIVERS\V0230Vfx.sys [2006-03-23 09:00]
S3 V0230VID;Live! Cam Video IM Pro;C:\WINDOWS\system32\DRIVERS\V0230VID.sys [2006-07-24 09:00]
S3 Vmaxcomm;Vmaxcomm;C:\WINDOWS\System32\drivers\Vmaxcomm.sys [2003-02-25 13:38]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57b7de60-8e06-11db-8854-0008740432dd}]
\Shell\Auto\command - F:\boot.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-23 08:36:02 C:\WINDOWS\Tasks\backup-C+D(sony).job"
- C:\WINDOWS\system32\ntbackup.exeobackup
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 13:48:00
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySql]
"ImagePath"="C:/LAB4/MYSQL/bin/mysqld-nt.exe"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySql]
"ImagePath"="C:/LAB4/MYSQL/bin/mysqld-nt.exe"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
C:\WINDOWS\SYSTEM32\CRYPSERV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\PROGRAM FILES\SYMANTEC\NORTON GHOST 2003\GHOSTSTARTSERVICE.EXE
C:\PROGRAM FILES\BORLAND\INTERBASE\BIN\IBGUARD.EXE
C:\PROGRAM FILES\IOMEGA\SYSTEM32\ACTIVITYDISK.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\MSSQL7\BINN\SQLSERVR.EXE
C:\LAB4\MYSQL\BIN\MYSQLD-NT.EXE
C:\OFFICESCAN NT\NTRTSCAN.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\PROGRAM FILES\PROMISE\UTILITY\MSGAGT.EXE
C:\PROGRAM FILES\PROMISE\UTILITY\MSGSVR.EXE
C:\OFFICESCAN NT\TMLISTEN.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\OFFICESCAN NT\OFCPFWSVC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMP\GP27B4.EXE
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\sam's games\Skype\Plugin Manager\skypePM.exe
C:\OfficeScan NT\pccntupd.exe
.
**************************************************************************
.
Completion time: 2008-06-27 13:52:41 - machine was rebooted [Xing-Guo Sun MD]
ComboFix-quarantined-files.txt 2008-06-27 20:52:34
ComboFix2.txt 2008-06-25 18:40:22
Pre-Run: 5,519,310,848 bytes free
Post-Run: 5,410,766,848 bytes free
311
OK... umm, HijackThis or foolyou still makes that same log thing. Every time I click the .log, it says the SAS thing... I don't know what that is. Well, see what you can do with all this.
Oh, despite all the problems the computer has, do you have any advice to speed up the computer?