Thread ID: 85813 2007-12-23 01:37:00 My PC is infected by printer.exe and possibly ultimate defender ineedhelp2008 (13207) Press F1
623767 2007-12-24 00:35:00 I closed teatimer.exe in task manager before I ran combofix
I am now trying it again
ineedhelp2008 (13207)
623768 2007-12-24 00:42:00 ineedhelp2008

This should help....

Please copy this page to *Notepad* and save it to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

KillAll::
File::
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.exe
C:\WINDOWS\system32\geedd.exe.vir
C:\WINDOWS\system32\geedd.dll.vir
C:\WINDOWS\system32\spoolvs.exe.vir
C:\WINDOWS\system32\printer.exe.vir
C:\WINDOWS\system32\ddeeg.ini2.vir
C:\WINDOWS\system32\ddeeg.ini.vir
C:\Program Files\lsass.exe
C:\WINDOWS\system32\njprckha
C:\WINDOWS\system32\awtuttq.dll.vir
C:\WINDOWS\system32\winexi32.dll
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\spoolvs.exe
Folder::
C:\FOUND.006
C:\Program Files\Bwfzeple
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{103BE4BD-AEF6-46BC-879F-73483D202639}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geedd
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

Save this as CFScript.txt, in the same location as ComboFix.exe, which is on the Desktop.


[image: users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Restart your computer .

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.


*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.*
Pancake (6359)
623769 2007-12-24 00:49:00 Pancake,

combofix will not do anything for me. It could be because the wowfx.dll is considered a security provider. I can't delete it from the registry as it too comes right back

Are you running Vista ???
Pancake (6359)
623770 2007-12-24 01:45:00 Pancake,
I did what you told me in safe mode and then closed all processes that are not needed to run Windows in safe mode, as I'm not really sure which processes would interfere with ComboFix.
Thanks for the help. Sorry it took quite a while.

here is the log

ComboFix 07-12-21.4 - Lap Yin Leung 2007-12-23 17:27:29.3 - FAT32x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.343 [GMT -8:00]
Running from: C:\Documents and Settings\Lap Yin Leung\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lap Yin Leung\Desktop\CFScript.txt

FILE
C:\Program Files\lsass.exe
C:\WINDOWS\system32\awtuttq.dll.vir
C:\WINDOWS\system32\ddeeg.ini.vir
C:\WINDOWS\system32\ddeeg.ini2.vir
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.dll.vir
C:\WINDOWS\system32\geedd.exe
C:\WINDOWS\system32\geedd.exe.vir
C:\WINDOWS\system32\njprckha
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\printer.exe.vir
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\spoolvs.exe.vir
C:\WINDOWS\system32\winexi32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\FOUND.006
C:\FOUND.006\FILE0000.CHK
C:\FOUND.006\FILE0001.CHK
C:\FOUND.006\FILE0002.CHK
C:\FOUND.006\FILE0003.CHK
C:\Program Files\Bwfzeple
C:\Program Files\lsass.exe
C:\WINDOWS\system32\awtuttq.dll.vir
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini.vir
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\ddeeg.ini2.vir
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.dll.vir
C:\WINDOWS\system32\geedd.exe
C:\WINDOWS\system32\geedd.exe.vir
C:\WINDOWS\system32\printer.exe.vir
C:\WINDOWS\system32\spoolvs.exe.vir
C:\WINDOWS\system32\winexi32.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-23 14:32 . 2007-12-23 14:32 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-12-23 14:32 . 2007-12-23 14:32 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-12-23 13:56 . 2007-12-23 13:56 <DIR> d-------- C:\Program Files\CrossLoop
2007-12-22 16:00 . 2007-12-22 16:00 <DIR> d-------- C:\Program Files\CCleaner
2007-12-22 15:46 . 2007-12-22 15:46 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-12-22 15:38 . 2007-12-22 15:38 <DIR> d-------- C:\Documents and Settings\Lap Yin Leung\Application Data\Grisoft
2007-12-22 15:38 . 2007-12-22 15:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-22 15:38 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Program Files\Trojan Remover
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Documents and Settings\Lap Yin Leung\Application Data\Simply Super Software
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-12-22 12:19 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-12-22 12:19 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-12-22 12:19 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-12-22 12:19 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-12-22 12:19 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-12-22 11:52 . 2007-12-22 11:52 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-12-22 11:29 . 2007-12-22 11:54 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-12-22 11:29 . 2007-12-22 11:54 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-12-22 10:21 . 2007-12-22 10:21 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-22 10:21 . 2007-12-22 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-22 10:19 . 2007-12-22 10:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-22 00:46 . 2007-12-22 00:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-21 23:29 . 2007-12-21 23:29 5,706 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-21 20:31 . 2007-12-23 16:56 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2007-12-21 20:30 . 2007-12-21 20:30 337,920 --a------ C:\WINDOWS\system32\RCX57.tmp
2007-12-21 20:30 . 2007-12-23 16:56 118,784 --a------ C:\WINDOWS\system32\igfxpers.exe
2007-12-21 20:30 . 2007-12-23 16:56 94,208 --a------ C:\WINDOWS\system32\igfxtray.exe
2007-12-21 20:30 . 2007-12-22 12:35 77,824 --a------ C:\WINDOWS\system32\hkcmd.exe
2007-12-21 20:30 . 2007-12-23 16:56 40,960 --a------ C:\WINDOWS\VM_STI.EXE
2007-12-21 16:13 . 2007-12-22 10:54 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-21 14:22 . 2007-12-21 14:22 <DIR> d-------- C:\WINDOWS\system32\njprckha
2007-12-21 14:22 . 2007-12-21 14:22 0 --a------ C:\Install
2007-11-24 23:01 . 2007-11-24 23:01 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-24 01:24 457,728 ----a-w C:\WINDOWS\system32\igfxpers.exe
2007-12-24 01:24 433,152 ----a-w C:\WINDOWS\system32\igfxtray.exe
2007-12-24 01:24 379,392 ----a-w C:\WINDOWS\Vm_sti.exe
2007-12-24 01:24 354,816 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-04 04:49 --------- d-----w C:\Documents and Settings\Lap Yin Leung\Application Data\XemiComputers
2007-11-04 04:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\XemiComputers
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:56 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-23_15.48.26.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-23 22:16:30 208,952 ----a-w C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE
+ 2007-12-24 00:56:18 208,952 ----a-w C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE
- 2007-12-23 23:45:56 548,352 ----a-w C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE
+ 2007-12-24 01:24:34 548,352 ----a-w C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE
- 2007-12-23 22:16:34 59,392 ----a-w C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
+ 2007-12-24 00:56:16 59,392 ----a-w C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
+ 2007-12-24 01:24:34 397,312 ----a-w C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
- 2007-12-23 18:42:06 455,168 ----a-w C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
+ 2007-12-24 00:56:20 455,168 ----a-w C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
- 2004-08-11 04:00:00 455,168 ----a-w C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe
+ 2007-12-24 01:24:38 795,136 ----a-w C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B9A37E4-D412-4FE8-944F-26706EFB32A1}]
2007-12-23 17:37 334336 --a------ C:\WINDOWS\system32\geedd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-23 17:37]
"SpybotSD TeaTimer"="D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"PcSync"="D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-23 17:24]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-23 17:24]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 14:54 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2007-12-23 17:24]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-23 17:37]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2007-12-23 17:24]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2007-12-23 17:37]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2007-12-23 17:24]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2007-12-23 17:24]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2007-12-23 17:24]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-12-23 17:24]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2007-12-23 17:24]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2007-12-23 17:24]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2007-12-23 17:25]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-12-23 17:25]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2007-12-23 17:25]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-12-23 17:37]
"DAEMON Tools-1033"="D:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-12-23 17:25]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-12-23 17:25]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-23 17:38]
"LXCRCATS"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 03:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\geedd.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geedd
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lap Yin Leung^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Lap Yin Leung\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lap Yin Leung^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Lap Yin Leung\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lap Yin Leung^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Lap Yin Leung\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Active Desktop Calendar]
2007-10-19 11:08 3678208 --a------ D:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADMTray.exe]
2005-10-24 16:45 2462208 --a------ C:\Acer\Empowering Technology\admtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
D:\Program Files\BitComet\BitComet.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
D:\Useless Software\bt\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
D:\Useless Software\Demontool 4.08HE 32bit\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2005-12-27 15:50 69632 --a------ C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 13:56 64512 --a------ C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2006-02-06 21:10 98304 --a------ C:\Program Files\Lexmark 2400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\foxy]
D:\Program Files\Foxy\Foxy.exe -tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 00:47 31016 --a------ C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-12-21 23:33 696320 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
2006-03-06 09:48 286720 --a------ C:\Program Files\Lexmark 2400 Series\lxcrmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
D:\Junk Software\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Setup.exe
\Shell\setup\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22cec454-e231-11db-b963-0016d4621b5e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22cec455-e231-11db-b963-0016d4621b5e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

*Newly Created Service* - INT15.SYS
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 17:37:10
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\geedd.dll
.
Completion time: 2007-12-23 17:41:56 - machine was rebooted
C:\ComboFix3.txt ... 2007-12-23 15:50
C:\ComboFix2.txt ... 2007-12-23 17:01
.
2007-12-12 09:27:52 --- E O F ---
ineedhelp2008 (13207)
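The four registry locations Pancake's CFScript targets (the Browser Helper Objects list, the HKCU ...\Windows "load" value, the LSA Authentication Packages list and the SecurityProviders list) are exactly the ones ComboFix reports under "Reg Loading Points" in the log above. The checker below is an added example and is not code from ComboFix, HijackThis or either poster: it parses that section of a ComboFix log and flags entries outside the clean-system defaults. The default lists it compares against (msv1_0 for Authentication Packages; msapsspc.dll, schannel.dll, digest.dll and msnsspc.dll for SecurityProviders) are assumed XP SP2 values, the sample log text is a constructed, trimmed copy of the relevant lines from the log above, and the function names are my own.

```python
"""Flag persistence entries in the "Reg Loading Points" section of a ComboFix log.

Added example for this thread; not code from ComboFix, HijackThis or any poster.
"""
import re

# Assumed defaults for a clean Windows XP SP2 installation.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Constructed sample: a trimmed copy of the relevant lines from the log in the thread.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B9A37E4-D412-4FE8-944F-26706EFB32A1}]
2007-12-23 17:37 334336 --a------ C:\WINDOWS\system32\geedd.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\geedd.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geedd
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll
"""


def parse_reg_blocks(text):
    """Split the log into (registry key, [value lines]) pairs, in log order."""
    blocks, key, values = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                blocks.append((key, values))
            key, values = line[1:-1], []
        elif line and key is not None:
            values.append(line)
    if key is not None:
        blocks.append((key, values))
    return blocks


def multi_sz_entries(line, value_name):
    """Entries of a 'Name REG_MULTI_SZ a b c' line as ComboFix prints it.
    ComboFix separates the entries with spaces, so an entry containing a
    space would be split here; the sample has none."""
    rest = line[len(value_name):].split()
    return set(rest[1:]) if rest and rest[0] == "REG_MULTI_SZ" else set()


def find_persistence(text):
    """Return (kind, key, detail) tuples for the four persistence points
    targeted by the CFScript in this thread."""
    findings = []
    for key, values in parse_reg_blocks(text):
        k = key.lower()
        if "browser helper objects" in k:
            # ComboFix omits BHOs it recognises as legitimate, so anything listed is worth a look.
            findings.extend(("BHO", key, v) for v in values)
        elif k.endswith(r"windows nt\currentversion\windows"):
            for v in values:
                m = re.match(r'"load"=(.*)$', v, re.IGNORECASE)
                if m and m.group(1).strip() not in ("", "-"):
                    findings.append(("load", key, m.group(1).strip()))
        elif k.endswith(r"\lsa"):
            for v in values:
                if v.startswith("Authentication Packages"):
                    extra = multi_sz_entries(v, "Authentication Packages") - DEFAULT_AUTH_PACKAGES
                    findings.extend(("lsa-auth-package", key, e) for e in sorted(extra))
        elif k.endswith(r"\securityproviders"):
            for v in values:
                if v.startswith("SecurityProviders"):
                    listed = {p.strip().lower() for p in v[len("SecurityProviders"):].split(",")}
                    findings.extend(("security-provider", key, e)
                                    for e in sorted(listed - DEFAULT_SECURITY_PROVIDERS))
    return findings


if __name__ == "__main__":
    for kind, key, detail in find_persistence(SAMPLE_LOG):
        print(f"{kind:18} {detail}\n    under {key}")
```

Run against the sample it reports the BHO pointing at geedd.dll, the "load" value launching geedd.exe, the extra LSA authentication package and wowfx.dll as the odd SecurityProviders entry, which is why the CFScript in the thread resets those four values together; removing only the file (as the first reply in the thread tried) leaves the registry hooks in place to reload it.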
623771 2007-12-24 01:45:00 Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:37 PM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\rundll32.exe
D:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\VM_STI.EXE
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe
D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\DOCUME~1\LAPYIN~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = us.rd.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = us.rd.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = us.rd.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = www.aceradvantage.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\geedd.exe
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PcSync] D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - cdn.scan.safety.live.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10026 bytes
ineedhelp2008 (13207)
623772 2007-12-24 02:11:00 No problem. All is going well...




Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

F3 - REG:win.ini: load=C:\WINDOWS\system32\geedd.exe

===========================

Please copy this page to *Notepad* and save it to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:




KillAll::
File::
C:\WINDOWS\system32\mcrh . tmp
Folder::
C:\WINDOWS\system32\njprckha
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B9A37E4-D412-4FE8-944F-26706EFB32A1}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
"Authentication Packages REG_MULTI_SZ msv1_0"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\securityproviders]
SecurityProviders msapsspc . dll, schannel . dll, digest . dll, msnsspc . dll, wowfx . dll




Save this as CFScript . txt, in the same location as ComboFix . exe which is on the Desktop .


. pandora . be/bluepatchy/miekiemoes/images/CFScript . gif" target="_blank">users . pandora . be

Refering to the picture above, drag CFScript . txt into ComboFix . exe

Restart your computer .

When finished, it shall produce a log for you at C:\ComboFix . txt

Please copy and paste the ComboFix . txt along with a fresh HijackThis log in your next reply please .


*Note:
Do not mouseclick combofix's window whilst it's running . That may cause it to stall*
Pancake (6359)
623773 2007-12-24 03:10:00 Here is combofix log
ComboFix 07-12-21.4 - Lap Yin Leung 2007-12-23 18:44:08.4 - FAT32x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.344 [GMT -8:00]
Running from: C:\Documents and Settings\Lap Yin Leung\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lap Yin Leung\Desktop\CFScript.txt

FILE
C:\WINDOWS\system32\mcrh.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini2
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\njprckha
C:\WINDOWS\system32\njprckha\bg1.gif
C:\WINDOWS\system32\njprckha\bgtop.gif
C:\WINDOWS\system32\njprckha\bottom1.gif
C:\WINDOWS\system32\njprckha\essentials.gif
C:\WINDOWS\system32\njprckha\icon1.ico
C:\WINDOWS\system32\njprckha\install1.gif
C:\WINDOWS\system32\njprckha\left1.gif
C:\WINDOWS\system32\njprckha\li.gif
C:\WINDOWS\system32\njprckha\logo.gif
C:\WINDOWS\system32\njprckha\main.htm
C:\WINDOWS\system32\njprckha\mainframe.htm
C:\WINDOWS\system32\njprckha\reinstall1.gif
C:\WINDOWS\system32\njprckha\right1.gif
C:\WINDOWS\system32\njprckha\s1.htm
C:\WINDOWS\system32\njprckha\s2.htm
C:\WINDOWS\system32\njprckha\s3.htm
C:\WINDOWS\system32\njprckha\SMTop1.gif
C:\WINDOWS\system32\njprckha\SMTop2.gif
C:\WINDOWS\system32\njprckha\SMTop3.gif
C:\WINDOWS\system32\njprckha\SMTop4.gif
C:\WINDOWS\system32\njprckha\soft1_off.gif
C:\WINDOWS\system32\njprckha\soft1_off_ext.gif
C:\WINDOWS\system32\njprckha\soft1_on.gif
C:\WINDOWS\system32\njprckha\soft1_on_ext.gif
C:\WINDOWS\system32\njprckha\soft2_off.gif
C:\WINDOWS\system32\njprckha\soft2_off_ext.gif
C:\WINDOWS\system32\njprckha\soft2_on.gif
C:\WINDOWS\system32\njprckha\soft2_on_ext.gif
C:\WINDOWS\system32\njprckha\soft3_off.gif
C:\WINDOWS\system32\njprckha\soft3_off_ext.gif
C:\WINDOWS\system32\njprckha\soft3_on.gif
C:\WINDOWS\system32\njprckha\soft3_on_ext.gif
C:\WINDOWS\system32\njprckha\softbottom_off.gif
C:\WINDOWS\system32\njprckha\softbottom_on.gif
C:\WINDOWS\system32\njprckha\softleft_off.gif
C:\WINDOWS\system32\njprckha\softleft_on.gif
C:\WINDOWS\system32\njprckha\top1.gif
C:\WINDOWS\system32\njprckha\top2.gif
C:\WINDOWS\system32\njprckha\turnoff1.gif
C:\WINDOWS\system32\njprckha\turnon1.gif

.
((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-23 17:38 . 2007-12-23 18:42 337,920 --a------ C:\WINDOWS\system32\geedd.exe
2007-12-23 14:32 . 2007-12-23 14:32 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-12-23 14:32 . 2007-12-23 14:32 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-12-23 13:56 . 2007-12-23 13:56 <DIR> d-------- C:\Program Files\CrossLoop
2007-12-22 16:00 . 2007-12-22 16:00 <DIR> d-------- C:\Program Files\CCleaner
2007-12-22 15:46 . 2007-12-22 15:46 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-12-22 15:38 . 2007-12-22 15:38 <DIR> d-------- C:\Documents and Settings\Lap Yin Leung\Application Data\Grisoft
2007-12-22 15:38 . 2007-12-22 15:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-22 15:38 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Program Files\Trojan Remover
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Documents and Settings\Lap Yin Leung\Application Data\Simply Super Software
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-22 12:19 . 2007-12-22 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-12-22 12:19 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-12-22 12:19 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-12-22 12:19 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-12-22 12:19 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-12-22 12:19 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-12-22 11:52 . 2007-12-22 11:52 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-12-22 11:29 . 2007-12-22 11:54 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-12-22 11:29 . 2007-12-22 11:54 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-12-22 10:21 . 2007-12-22 10:21 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-22 10:21 . 2007-12-22 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-22 10:19 . 2007-12-22 10:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-22 00:46 . 2007-12-22 00:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-21 23:29 . 2007-12-21 23:29 5,706 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-21 20:31 . 2007-12-23 17:37 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2007-12-21 20:30 . 2007-12-21 20:30 337,920 --a------ C:\WINDOWS\system32\RCX57.tmp
2007-12-21 20:30 . 2007-12-23 18:53 118,784 --a------ C:\WINDOWS\system32\igfxpers.exe
2007-12-21 20:30 . 2007-12-23 18:53 94,208 --a------ C:\WINDOWS\system32\igfxtray.exe
2007-12-21 20:30 . 2007-12-22 12:35 77,824 --a------ C:\WINDOWS\system32\hkcmd.exe
2007-12-21 20:30 . 2007-12-23 18:53 40,960 --a------ C:\WINDOWS\VM_STI.EXE
2007-12-21 14:22 . 2007-12-21 14:22 0 --a------ C:\Install
2007-11-24 23:01 . 2007-11-24 23:01 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-24 02:42 379,392 ----a-w C:\WINDOWS\Vm_sti.exe
2007-12-24 02:41 457,728 ----a-w C:\WINDOWS\system32\igfxpers.exe
2007-12-24 02:41 433,152 ----a-w C:\WINDOWS\system32\igfxtray.exe
2007-12-24 02:41 354,816 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-12-23 18:42 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-04 04:49 --------- d-----w C:\Documents and Settings\Lap Yin Leung\Application Data\XemiComputers
2007-11-04 04:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\XemiComputers
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:56 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-23_15.48.26.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-23 22:16:30 208,952 ----a-w C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE
+ 2007-12-24 02:53:36 208,952 ----a-w C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE
- 2007-12-23 23:45:56 548,352 ----a-w C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE
+ 2007-12-24 02:41:44 548,352 ----a-w C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE
- 2007-12-23 22:16:34 59,392 ----a-w C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
+ 2007-12-24 01:37:20 59,392 ----a-w C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
+ 2007-12-24 02:41:44 397,312 ----a-w C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
- 2007-12-23 18:42:06 455,168 ----a-w C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
+ 2007-12-24 01:37:22 455,168 ----a-w C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
- 2004-08-11 04:00:00 455,168 ----a-w C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe
+ 2007-12-24 02:41:48 795,136 ----a-w C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D4C844F-09C4-4692-9D79-699007AF68FA}]
2007-12-23 18:53 334336 --a------ C:\WINDOWS\system32\geedd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-23 18:53]
"SpybotSD TeaTimer"="D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"PcSync"="D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-23 18:53]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-23 18:53]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 14:54 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2007-12-23 18:53]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-23 18:53]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2007-12-23 18:53]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 20:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 20:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-12-23 18:53]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2007-12-23 18:42]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2007-12-23 18:42]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2007-12-23 18:42]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-12-23 18:54]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2007-12-23 18:54]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-12-23 18:54]
"DAEMON Tools-1033"="D:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-12-23 18:42]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-12-23 18:42]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-23 18:54]
"LXCRCATS"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 03:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\geedd.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geedd
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Lap Yin Leung^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Lap Yin Leung\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Active Desktop Calendar]
2007-10-19 11:08 3678208 --a------ D:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADMTray.exe]
2005-10-24 16:45 2462208 --a------ C:\Acer\Empowering Technology\admtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
D:\Program Files\BitComet\BitComet.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
D:\Useless Software\bt\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
D:\Useless Software\Demontool 4.08HE 32bit\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2005-12-27 15:50 69632 --a------ C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 13:56 64512 --a------ C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2006-02-06 21:10 98304 --a------ C:\Program Files\Lexmark 2400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\foxy]
D:\Program Files\Foxy\Foxy.exe -tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 00:47 31016 --a------ C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-12-21 23:33 696320 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
2006-03-06 09:48 286720 --a------ C:\Program Files\Lexmark 2400 Series\lxcrmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
D:\Junk Software\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Setup.exe
\Shell\setup\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22cec454-e231-11db-b963-0016d4621b5e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22cec455-e231-11db-b963-0016d4621b5e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

*Newly Created Service* - INT15.SYS
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 18:53:26
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\geedd.dll
.
Completion time: 2007-12-23 18:58:14 - machine was rebooted
C:\ComboFix3.txt ... 2007-12-23 17:01
C:\ComboFix2.txt ... 2007-12-23 17:41
.
2007-12-12 09:27:52 --- E O F ---
ineedhelp2008 (13207)
623774 2007-12-24 03:12:00 HijackThis log
The geedd.exe simply won't go away.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:28 PM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
D:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe
D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\DOCUME~1\LAPYIN~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = us.rd.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = www.aceradvantage.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\geedd.exe
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Junk Software\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PcSync] D:\Junk Software\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - cdn.scan.safety.live.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9699 bytes
ineedhelp2008 (13207)
623775 2007-12-24 03:39:00 The file is dead so there is nothing to worry about but something is holding it back in HJT. Did you uninstall TeaTimer? .. let's hit it with this.

Hi...

Please download The Avenger (avenger.zip from swandog46.geekstogo.com) to your Desktop and unzip it.

Copy all the text contained in the code box below (including the words "files to delete") by highlighting it and right clicking and selecting "Copy"

Files to delete:
C:\WINDOWS\system32\geedd.exe

Now, start The Avenger program by clicking on its icon on your desktop. Look under "Script file to execute" and click on "Input Script Manually". Next click on the Magnifying Glass icon and a blank dialogue box will open called "View/Edit script". Position your mouse inside the box, rightclick and choose Paste. All the text above in the code box should now appear there. Click Done and click on the Green Light to begin execution of the script. Answer "Yes" twice when prompted.

The Avenger will restart your computer. (If the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)

When you have rebooted, a black command window briefly opens on your desktop; this is normal. A logfile will be created that records all actions that The Avenger performed. This log file is saved to C:\avenger.txt. The deleted files will be backed up and saved to C:\avenger\backup.zip.

Once your computer has rebooted, please post back the contents of C:\avenger.txt and a new Hijack This log.

===============================

Copy the bold text below to notepad. Save it as fixreg.reg to your desktop.
Be sure the "Save as" type is set to "all files"
Once you have saved it double click it and allow it to merge with the registry.

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll
Pancake (6359)
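The CFScript in the earlier post and the fixreg.reg entry above target the same three persistence points (the HKCU "load" value, the LSA Authentication Packages list and the SecurityProviders list). The Python below is an added example, not ComboFix's or HijackThis's code: it audits a ComboFix "Reg Loading Points" dump for non-default entries in those three places. The two sample dumps are constructed to mirror the log posted in this thread, and the XP SP2 default lists are assumed.

```python
import re
from typing import Dict, List

# Assumed Windows XP SP2 defaults for the two LSA-related values that this
# infection appended to; every extra token is reported.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
DEFAULT_SECURITY_PROVIDERS = {
    "msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll",
}

# Constructed sample mirroring the "Reg Loading Points" section of the
# ComboFix log in this thread (not a real capture).
INFECTED_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\geedd.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geedd
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll
"""

# Constructed sample of the same keys after the CFScript and fixreg.reg
# have run ("load"=- means the value was deleted).
CLEAN_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
LOAD_RE = re.compile(r'^"load"=(?P<value>.*)$', re.IGNORECASE)
AUTHPKG_RE = re.compile(
    r"^Authentication Packages\s+REG_MULTI_SZ\s*(?P<value>.*)$", re.IGNORECASE)
SECPROV_RE = re.compile(r"^SecurityProviders\s+(?P<value>.*)$", re.IGNORECASE)


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Group the value lines of a REGEDIT4-style dump under their key path."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def audit_reg_loading_points(text: str) -> List[Dict[str, str]]:
    """Report every non-default entry in the three persistence locations the
    thread's CFScript targets; an empty list means those keys look clean."""
    findings: List[Dict[str, str]] = []

    def report(key: str, value: str, unexpected: str) -> None:
        findings.append({"key": key, "value": value, "unexpected": unexpected})

    for key, lines in parse_sections(text).items():
        for line in lines:
            if key.endswith(r"\windows nt\currentversion\windows"):
                m = LOAD_RE.match(line)
                # "load" runs a program at every logon; a clean XP box has it empty.
                if m and m.group("value").strip() not in ("", "-"):
                    report(key, "load", m.group("value").strip())
            elif key.endswith(r"\control\lsa"):
                m = AUTHPKG_RE.match(line)
                if m:
                    # ComboFix prints REG_MULTI_SZ entries space-separated; a
                    # path here is a DLL loaded by the LSA at boot.
                    for pkg in m.group("value").split():
                        if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                            report(key, "Authentication Packages", pkg)
            elif key.endswith(r"\control\securityproviders"):
                m = SECPROV_RE.match(line)
                if m:
                    # Comma-separated SSP list; an extra DLL here is loaded by
                    # the SSPI, which is why malware appends itself to it.
                    for prov in (p.strip() for p in m.group("value").split(",")):
                        if prov and prov.lower() not in DEFAULT_SECURITY_PROVIDERS:
                            report(key, "SecurityProviders", prov)
    return findings


if __name__ == "__main__":
    for f in audit_reg_loading_points(INFECTED_LOG):
        print(f"[{f['key']}] {f['value']}: unexpected entry {f['unexpected']}")
    print("clean sample findings:", audit_reg_loading_points(CLEAN_LOG))
```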
623776 2007-12-24 04:04:00 I must admit that I have never seen this file stick like this before.


Download VundoFix.exe (www.atribune.org) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log, from normal mode, in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If Vundofix does not find and delete the files, please try running it a bit differently:
Double-click VundoFix.exe to run it.
You will receive a message saying Vundofix will close and re-open in a minute or less. Click OK.
When VundoFix re-opens, click Scan for Vundo button.
Once the scan is complete, right-click inside the listbox (white box) and click Add more files?
Copy & paste the 2 entries below into the top 2 boxes:
C:\WINDOWS\system32\geedd.exe
C:\WINDOWS\system32\ddeeg.*
Click Add Files and click Close Window.
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt
Pancake (6359)