
infected pc #2

Discussion in 'Malware and Virus Removal Archive' started by apugh82, 2008/08/23.

  1. 2008/08/23
    apugh82

    Hi BB team again

    This is my PC #2 HJT report, after I ran Spybot S&D and sorted some, but I am having some stability problems. Before I switched PC I didn't copy the Spybot report, just HJT, but we can do that later if needed.

    Thanks all

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 00:40:34, on 24/08/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {646A09BC-AA36-450B-9044-A7B418C94F99} - C:\WINDOWS\System32\comui.dll
    O2 - BHO: (no name) - {E50784CA-B541-4C6F-A5A3-FA6008517EDE} - C:\WINDOWS\System32\comui.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1219509294687
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1219509267843
    O20 - Winlogon Notify: lgoablw - C:\WINDOWS\
    O20 - Winlogon Notify: racsexe - racsexe.dll (file missing)

    --
    End of file - 2809 bytes
     
  2. 2008/08/24
    noahdfear

    Download ComboFix by sUBs from here, saving the file to your desktop.
    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

  4. 2008/08/24
    apugh82

    OK, couldn't do it how you asked, but I hope it was OK to run in safe mode.

    ComboFix 08-08-23.03 - Administrator 2008-08-24 8:39:33.4 - NTFSx86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.184 [GMT 1:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    C:\WINDOWS\system32\_003913_.tmp.dll
    C:\WINDOWS\system32\_004078_.tmp.dll
    C:\WINDOWS\system32\_004079_.tmp.dll
    C:\WINDOWS\system32\_004080_.tmp.dll
    C:\WINDOWS\system32\_004081_.tmp.dll
    C:\WINDOWS\system32\_004088_.tmp.dll
    C:\WINDOWS\system32\_004089_.tmp.dll
    C:\WINDOWS\system32\_004090_.tmp.dll
    C:\WINDOWS\system32\_004091_.tmp.dll
    C:\WINDOWS\system32\_004093_.tmp.dll
    C:\WINDOWS\system32\_004094_.tmp.dll
    C:\WINDOWS\system32\_004097_.tmp.dll
    C:\WINDOWS\system32\_004098_.tmp.dll
    C:\WINDOWS\system32\_004100_.tmp.dll
    C:\WINDOWS\system32\_004101_.tmp.dll
    C:\WINDOWS\system32\_004102_.tmp.dll
    C:\WINDOWS\system32\_004104_.tmp.dll
    C:\WINDOWS\system32\_004105_.tmp.dll
    C:\WINDOWS\system32\_004107_.tmp.dll
    C:\WINDOWS\system32\_004108_.tmp.dll
    C:\WINDOWS\system32\_004112_.tmp.dll
    C:\WINDOWS\system32\_004113_.tmp.dll
    C:\WINDOWS\system32\_004115_.tmp.dll
    C:\WINDOWS\system32\_004116_.tmp.dll
    C:\WINDOWS\system32\_004118_.tmp.dll
    C:\WINDOWS\system32\_004120_.tmp.dll
    C:\WINDOWS\system32\_004121_.tmp.dll
    C:\WINDOWS\system32\_004122_.tmp.dll
    C:\WINDOWS\system32\_004123_.tmp.dll
    C:\WINDOWS\system32\_004124_.tmp.dll
    C:\WINDOWS\system32\_004127_.tmp.dll
    C:\WINDOWS\system32\_004128_.tmp.dll
    C:\WINDOWS\system32\_004129_.tmp.dll
    C:\WINDOWS\system32\_004130_.tmp.dll
    C:\WINDOWS\system32\_004131_.tmp.dll
    C:\WINDOWS\system32\_004136_.tmp.dll
    C:\WINDOWS\system32\_004138_.tmp.dll
    C:\WINDOWS\system32\browseu.dll
    C:\WINDOWS\system32\cmprop.dll
    C:\WINDOWS\system32\cnetcf.dll
    C:\WINDOWS\system32\comui.dll
    C:\WINDOWS\system32\d3dim70.dll
    C:\WINDOWS\system32\drivers\Oty84.sys
    C:\WINDOWS\system32\MYBHO.DLL

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_OTY84
    -------\Legacy_TCPSR
    -------\Service_Oty84
    -------\Service_tcpsr


    ((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
    .

    2008-08-24 08:00 . 2008-08-24 08:00 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-08-24 07:49 . 2008-08-24 07:49 79,360 --ah----- C:\WINDOWS\system32\qbtu.exe
    2008-08-24 07:39 . 2008-08-24 07:39 21,504 --a------ C:\WINDOWS\system32\racsexe.dll
    2008-08-24 07:38 . 2007-08-08 12:12 101,120 --a------ C:\WINDOWS\system32\drivers\ewusbmdm.sys
    2008-08-24 07:38 . 2007-08-08 12:13 24,448 --a------ C:\WINDOWS\system32\drivers\ewdcsc.sys
    2008-08-23 23:56 . 2008-08-23 23:56 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-23 22:20 . 2008-08-23 22:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
    2008-08-23 22:20 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-23 22:20 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-23 22:19 . 2008-08-23 22:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-23 22:19 . 2008-08-23 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-23 22:19 . 2008-08-23 22:19 44 --a------ C:\WINDOWS\system32\80.tmp
    2008-08-23 22:19 . 2008-08-23 22:19 18 --a------ C:\WINDOWS\system32\82.tmp
    2008-08-23 22:08 . 2008-08-23 22:08 64,903 --a------ C:\WINDOWS\system32\sgeltyamkwdfpih.exe
    2008-08-23 21:54 . 2008-08-23 21:54 95 --a------ C:\WINDOWS\wininit.ini
    2008-08-23 21:34 . 2008-08-23 21:34 145,112 --a------ C:\WINDOWS\system32\70.tmp
    2008-08-23 21:34 . 2008-08-23 21:34 44 --a------ C:\WINDOWS\system32\6F.tmp
    2008-08-23 21:34 . 2008-08-23 21:34 18 --a------ C:\WINDOWS\system32\71.tmp
    2008-08-23 21:09 . 2008-08-23 21:09 145,112 --a------ C:\WINDOWS\system32\66.tmp
    2008-08-23 21:09 . 2008-08-23 21:09 44 --a------ C:\WINDOWS\system32\65.tmp
    2008-08-23 21:09 . 2008-08-23 21:09 18 --a------ C:\WINDOWS\system32\67.tmp
    2008-08-23 20:49 . 2008-08-23 20:49 44 --a------ C:\WINDOWS\system32\55.tmp
    2008-08-23 20:49 . 2008-08-23 20:49 18 --a------ C:\WINDOWS\system32\58.tmp
    2008-08-23 20:48 . 2008-08-23 20:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-08-23 20:48 . 2008-08-23 21:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-23 20:31 . 2004-08-03 14:03 167,704 --a------ C:\WINDOWS\system32\wuaucpl.cpl
    2008-08-23 20:08 . 2003-03-31 13:00 150,016 --a--c--- C:\WINDOWS\system32\dllcache\winzm.ime
    2008-08-23 20:08 . 2003-03-31 13:00 150,016 --a--c--- C:\WINDOWS\system32\dllcache\winsp.ime
    2008-08-23 20:08 . 2003-03-31 13:00 150,016 --a--c--- C:\WINDOWS\system32\dllcache\winpy.ime
    2008-08-23 20:08 . 2003-03-31 13:00 74,752 --a--c--- C:\WINDOWS\system32\dllcache\winar30.ime
    2008-08-23 20:08 . 2003-03-31 13:00 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime
    2008-08-23 20:08 . 2003-03-31 13:00 61,952 --a--c--- C:\WINDOWS\system32\dllcache\winime.ime
    2008-08-23 20:06 . 2003-03-31 13:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-08-23 20:05 . 2001-08-17 22:36 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
    2008-08-23 20:04 . 2003-03-31 13:00 1,007,616 --a--c--- C:\WINDOWS\system32\dllcache\conf.exe
    2008-08-23 20:03 . 2004-08-03 14:07 1,081,112 --a------ C:\WINDOWS\system32\wuaueng.dll
    2008-08-23 19:55 . 2003-03-31 13:00 2,049,999 --a--c--- C:\WINDOWS\system32\dllcache\NT5.CAT
    2008-08-23 19:10 . 2008-04-14 05:42 1,703,936 --a------ C:\WINDOWS\system32\SET2D2.tmp
    2008-08-23 19:09 . 2008-04-14 05:42 584,704 --a------ C:\WINDOWS\system32\SET246.tmp
    2008-08-23 19:08 . 2008-04-14 05:42 8,461,312 --a------ C:\WINDOWS\system32\SET217.tmp
    2008-08-23 19:07 . 2008-04-14 05:42 442,368 --a------ C:\WINDOWS\system32\SET1F1.tmp
    2008-08-23 19:07 . 2008-04-14 05:42 180,800 --a------ C:\WINDOWS\system32\SET1EF.tmp
    2008-08-23 19:07 . 2008-04-14 05:42 171,008 --a------ C:\WINDOWS\system32\SET1EC.tmp
    2008-08-23 19:07 . 2008-04-13 22:56 90,112 --a------ C:\WINDOWS\system32\SET1F0.tmp
    2008-08-23 19:07 . 2008-04-14 05:42 75,264 --a------ C:\WINDOWS\system32\SET1F3.tmp
    2008-08-23 19:07 . 2008-04-14 05:42 71,680 --a------ C:\WINDOWS\system32\SET1E6.tmp
    2008-08-23 19:07 . 2008-04-14 05:42 57,856 --a------ C:\WINDOWS\system32\SET1F2.tmp
    2008-08-23 19:07 . 2008-04-14 05:42 34,816 --a------ C:\WINDOWS\system32\SET1E7.tmp
    2008-08-23 19:05 . 2008-04-14 05:42 727,040 --a------ C:\WINDOWS\system32\SET19D.tmp
    2008-08-23 19:03 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\002681_.tmp
    2008-08-23 19:02 . 2007-08-10 20:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-08-23 19:00 . 2003-03-31 13:00 200,192 --a------ C:\WINDOWS\system32\termsrv.dll
    2008-08-23 18:59 . 2008-08-23 18:59 <DIR> d-------- C:\WINDOWS\EHome
    2008-08-23 18:57 . 2008-08-23 18:57 62,168 --a------ C:\WINDOWS\system32\om.exe
    2008-08-23 18:55 . 2008-08-23 19:17 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-08-23 18:02 . 2008-08-23 18:11 <DIR> d-------- C:\ada7d5935165ca62ae5054965a9b
    2008-08-23 18:01 . 2008-08-24 08:32 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
    2008-08-23 17:35 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
    2008-08-23 17:35 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
    2008-08-23 17:35 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
    2008-08-23 17:35 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
    2008-08-23 17:35 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
    2008-08-23 17:33 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
    2008-08-23 17:33 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
    2008-08-23 17:33 . 2004-08-03 14:03 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
    2008-08-23 17:33 . 2004-08-03 14:01 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
    2008-08-23 17:33 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
    2008-08-23 17:10 . 2008-08-23 17:10 80,090 --a------ C:\Documents and Settings\Owner\Application Data\SMBIOSSP.exe
    2008-08-23 16:41 . 2008-08-23 16:41 <DIR> d-------- C:\WINDOWS\VirtualEar
    2008-08-23 16:41 . 2008-08-23 16:41 <DIR> d-------- C:\Program Files\Analog Devices
    2008-08-23 16:41 . 2001-10-04 14:50 991,232 --a------ C:\WINDOWS\system32\virtear.dll
    2008-08-23 16:41 . 2004-11-19 10:00 126,976 --a------ C:\WINDOWS\system32\DSndUp.exe
    2008-08-23 16:41 . 2001-08-17 22:37 117,248 --a------ C:\WINDOWS\system32\ksproxy.ax
    2008-08-23 16:41 . 2003-08-19 18:36 65,536 --a------ C:\WINDOWS\system32\Audio3d.dll
    2008-08-23 16:40 . 2008-08-23 17:24 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
    2008-08-23 16:40 . 2008-08-23 17:24 <DIR> d-------- C:\Program Files\Common Files\InstallShield
    2008-08-23 16:40 . 2008-08-23 16:40 <DIR> d-------- C:\dell
    2008-08-23 16:40 . 2001-09-19 12:47 765,952 --a------ C:\WINDOWS\system\crlds3d.dll
    2008-08-23 16:40 . 2004-09-17 09:02 732,928 --a------ C:\WINDOWS\system32\drivers\senfilt.sys
    2008-08-23 16:40 . 2004-09-23 07:55 311,296 --a------ C:\WINDOWS\system32\Edcrypt.dll
    2008-08-23 16:40 . 2005-01-27 15:31 260,352 --a------ C:\WINDOWS\system32\drivers\smwdm.sys
    2008-08-23 16:40 . 2002-04-17 14:05 155,648 --a------ C:\WINDOWS\system32\CleanUp.exe
    2008-08-23 16:40 . 2004-10-05 16:10 23,040 --a------ C:\WINDOWS\system32\PostProc.dll
    2008-08-23 14:43 . 2008-08-23 16:10 <DIR> d-------- C:\Westwood
    2008-08-20 22:58 . 2008-08-20 22:58 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
    2008-08-20 22:21 . 2008-08-20 22:22 310,272 --ah----- C:\WINDOWS\system32\rocg.exe
    2008-08-20 22:20 . 2008-08-20 22:21 156,435 --a------ C:\WINDOWS\system32\wmsoft83883.exe
    2008-08-20 22:20 . 2008-08-20 22:22 69,632 --ah----- C:\WINDOWS\system32\oggf.exe
    2008-08-20 22:19 . 2008-08-20 22:19 123 --a------ C:\WINDOWS\system32\xjzz.bat
    2008-08-20 22:18 . 2008-08-20 22:20 189,990 --a------ C:\WINDOWS\system32\wmsoft15827.exe
    2008-08-20 22:18 . 2008-08-20 22:21 69,632 --ah----- C:\WINDOWS\system32\lbzgc.exe
    2008-08-20 22:18 . 2008-08-20 22:19 69,632 --ah----- C:\WINDOWS\system32\ihztgzx.exe
    2008-08-20 22:18 . 2008-08-20 22:20 79 --a------ C:\WINDOWS\system32\i
    2008-08-20 22:15 . 2008-08-20 22:22 91,136 --ah----- C:\WINDOWS\system32\gdhpwh.exe
    2008-08-20 22:15 . 2008-08-20 22:23 84,784 --ah----- C:\WINDOWS\system32\cnbtup.exe
    2008-08-20 22:15 . 2008-08-20 22:20 79,360 --ah----- C:\WINDOWS\system32\kypaacbm.exe
    2008-08-20 22:06 . 2001-08-17 14:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
    2008-08-20 22:04 . 2008-08-20 21:12 <DIR> dr------- C:\Documents and Settings\All Users\Documents
    2008-08-20 22:03 . 2008-08-23 19:55 <DIR> d-------- C:\WINDOWS\system32\CatRoot
    2008-08-20 22:03 . 2008-08-23 20:11 <DIR> d--h----- C:\Documents and Settings\Default User
    2008-08-20 22:03 . 2008-08-20 21:14 <DIR> d-------- C:\Documents and Settings\All Users
    2008-08-20 22:03 . 2008-08-24 08:00 <DIR> d-------- C:\Documents and Settings
    2008-08-20 22:03 . 2008-08-23 19:03 708,306 --a------ C:\WINDOWS\setupapi.old
    2008-08-20 22:03 . 2008-08-23 20:08 288 --a------ C:\WINDOWS\system32\$winnt$.inf

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-20 20:48 --------- d-----w C:\Program Files\Intel
    2008-08-20 20:22 --------- d-----w C:\Program Files\Huawei technologies
    2008-08-20 20:15 --------- d-----w C:\Program Files\microsoft frontpage
    .

    ------- Sigcheck -------

    2003-03-31 13:00 1080832 f05ba4bbdde5e3cf325a4e09a8a1c28a C:\WINDOWS\explorer.exe
    2003-03-31 13:00 1015296 87b0ac2233890a5d3579ab8e0756a9f7 C:\WINDOWS\system32\dllcache\explorer.exe

    2003-03-31 13:00 24576 f2a4273126f893e194c6ed1d53d12130 C:\WINDOWS\system32\ctfmon.exe
    2003-03-31 13:00 24576 f5d830590ff93cc58fd1485a4487cfd3 C:\WINDOWS\system32\dllcache\ctfmon.exe

    2003-03-31 13:00 62464 c48a7b5654dc2a8423b73beb7b2903e5 C:\WINDOWS\system32\spoolsv.exe
    2003-03-31 13:00 62464 99c8ef7c973b109674fc0added0a8f8f C:\WINDOWS\system32\dllcache\spoolsv.exe

    2007-07-30 19:19 53080 5042abb5ddccf2c9afc51b690901a59f C:\WINDOWS\SoftwareDistribution\SelfUpdate\wuauclt.exe
    2004-08-03 14:02 113944 5d393d3dc324e334753824dc63fc80d6 C:\WINDOWS\system32\wuauclt.exe
    2003-03-31 13:00 151040 f0de86134e6e0e67843c80e4d57db7f2 C:\WINDOWS\system32\dllcache\wuauclt.exe

    2003-03-31 13:00 33280 54ec872c8d6f646cadae760d709f4451 C:\WINDOWS\system32\userinit.exe
    2003-03-31 13:00 98816 7f902588889d1513ea11f26d8b1550f8 C:\WINDOWS\system32\dllcache\userinit.exe
    .
    ((((((((((((((((((((((((((((( snapshot@2008-08-24_ 8.30.37.90 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2005-10-20 19:02:28 178,176 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    + 2005-10-20 19:02:28 210,944 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    - 2008-08-24 07:28:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-08-24 07:42:39 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-08-24 07:28:42 81,920 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-08-24 07:42:39 81,920 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-08-24 07:28:42 278,528 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-08-24 07:42:39 278,528 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "C:\WINDOWS\System32\igfxtray.exe" [2005-10-19 08:59 200704]
    "HotKeysCmds "= "C:\WINDOWS\System32\hkcmd.exe" [2005-10-19 08:59 139264]
    "SoundMAXPnP "= "C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1581056]
    "Windows DLL Loader "= "C:\WINDOWS\System32\qbtu.exe" [2008-08-24 07:49 79360]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "NoDispScrSavPage "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lgoablw]
    [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\racsexe]
    2008-08-24 07:39 21504 C:\WINDOWS\system32\racsexe.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli scecli

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\Common Files\\System\\MSASP32.exe "=

    .
    .
    ------- Supplementary Scan -------
    .
    R0 -: HKLM-Main,Window Title =
    R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://hotmail.com/
    O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    O17 -: HKLM\CCS\Interface\{993E6DCB-96FE-4828-A4F8-D1E5BA087EF7}: NameServer = 4.2.2.3 4.2.2.4
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-24 08:43:09
    Windows 5.1.2600 Service Pack 1 NTFS

    detected NTDLL code modification:
    ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\racsexe.dll
    .
    Completion time: 2008-08-24 8:45:32 - machine was rebooted [Administrator]
    ComboFix-quarantined-files.txt 2008-08-24 07:45:25

    Pre-Run: 37,405,278,208 bytes free
    Post-Run: 37,354,246,144 bytes free

    250 --- E O F --- 2008-08-23 17:10:33
     
  5. 2008/08/24
    apugh82

    Here's HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 08:48:48, on 8/24/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hotmail.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\System32\qbtu.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1219509294687
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1219509267843
    O17 - HKLM\System\CCS\Services\Tcpip\..\{993E6DCB-96FE-4828-A4F8-D1E5BA087EF7}: NameServer = 4.2.2.3 4.2.2.4
    O20 - Winlogon Notify: lgoablw - C:\WINDOWS\
    O20 - Winlogon Notify: racsexe - C:\WINDOWS\SYSTEM32\racsexe.dll

    --
    End of file - 3017 bytes
     
  6. 2008/08/24
    noahdfear

    Safe mode run was fine. See if you can now get a run in normal mode and post the new log here.
     
  7. 2008/08/24
    apugh82

    My account is not available, just this new one called "Owner", and it doesn't let me do anything. I changed its password so I can now log on to the Owner account, but icons come & go and don't always work.
     
  8. 2008/08/24
    apugh82

    Just tried again, got a desktop with icons this time.
    When I clicked ComboFix, the error message was: Incorrect function.
    When clicking C:, the error message is: not accessible.

    Also it was a bit quick so I missed most of it, but at the beginning of the ComboFix run "group converter" failed.
     
  9. 2008/08/24
    noahdfear

    The Administrator account in XP Home is only available in safe mode. You need to place Combofix on the Owner account's desktop and run it from there.

    If necessary, logon to the Admin account in safe mode and create a new account (with Administrative rights), then use it to run ComboFix, from that account's desktop, in normal mode. We can always go back to clean up the Owner account once the local machine is clean.
     
  10. 2008/08/24
    apugh82

    My account name is Administrator and it's this account I ran ComboFix in safe mode from first.
    I created a new account with Admin rights in safe mode and now have 2 accounts at start-up, but it doesn't work, same error message; but since creating the new account it will let me delete the "Owner" account.
     
  11. 2008/08/24
    noahdfear

    Again, the Administrator account is only available in safe mode. It is required that there be at least 1 other Administrative account on the machine for normal mode operation, which was the Owner account. By creating another, yes, the owner account can now be removed if so desired. Do not consider the Administrator account 'your account'. It is there for Administrative purposes only, when all other accounts fail to have the necessary permissions.

    If ComboFix will not run from the desktop of the new account in normal mode, logon to the new account in safe mode and try running it again.

    If you get any error messages, I'd like for you to post them, exactly as they appear.
     
  12. 2008/08/24
    apugh82

    smax4pnp.exe - Application Error
    failed to initialize properly (0xc000001c). click on OK to terminate the application
    (after logon)

    ComboFix 08-08-23.03 - me 2008-08-24 19:46:54.6 - NTFSx86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.178 [GMT 1:00]
    Running from: C:\Documents and Settings\me\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
    .

    2008-08-24 19:23 . 2008-08-24 19:23 <DIR> d-------- C:\Documents and Settings\me
    2008-08-24 08:00 . 2008-08-24 08:00 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-08-24 07:49 . 2008-08-24 07:49 79,360 --ah----- C:\WINDOWS\system32\qbtu.exe
    2008-08-24 07:39 . 2008-08-24 07:39 21,504 --a------ C:\WINDOWS\system32\racsexe.dll
    2008-08-24 07:38 . 2007-08-08 12:12 101,120 --a------ C:\WINDOWS\system32\drivers\ewusbmdm.sys
    2008-08-24 07:38 . 2007-08-08 12:13 24,448 --a------ C:\WINDOWS\system32\drivers\ewdcsc.sys
    2008-08-23 23:56 . 2008-08-23 23:56 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-23 22:20 . 2008-08-23 22:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
    2008-08-23 22:20 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-23 22:20 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-23 22:19 . 2008-08-23 22:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-23 22:19 . 2008-08-23 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-23 22:19 . 2008-08-23 22:19 44 --a------ C:\WINDOWS\system32\80.tmp
    2008-08-23 22:19 . 2008-08-23 22:19 18 --a------ C:\WINDOWS\system32\82.tmp
    2008-08-23 22:08 . 2008-08-23 22:08 64,903 --a------ C:\WINDOWS\system32\sgeltyamkwdfpih.exe
    2008-08-23 21:54 . 2008-08-23 21:54 95 --a------ C:\WINDOWS\wininit.ini
    2008-08-23 21:34 . 2008-08-23 21:34 145,112 --a------ C:\WINDOWS\system32\70.tmp
    2008-08-23 21:34 . 2008-08-23 21:34 44 --a------ C:\WINDOWS\system32\6F.tmp
    2008-08-23 21:34 . 2008-08-23 21:34 18 --a------ C:\WINDOWS\system32\71.tmp
    2008-08-23 21:09 . 2008-08-23 21:09 145,112 --a------ C:\WINDOWS\system32\66.tmp
    2008-08-23 21:09 . 2008-08-23 21:09 44 --a------ C:\WINDOWS\system32\65.tmp
    2008-08-23 21:09 . 2008-08-23 21:09 18 --a------ C:\WINDOWS\system32\67.tmp
    2008-08-23 20:49 . 2008-08-23 20:49 44 --a------ C:\WINDOWS\system32\55.tmp
    2008-08-23 20:49 . 2008-08-23 20:49 18 --a------ C:\WINDOWS\system32\58.tmp
    2008-08-23 20:48 . 2008-08-23 20:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-08-23 20:48 . 2008-08-23 21:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-23 20:31 . 2004-08-03 14:03 167,704 --a------ C:\WINDOWS\system32\wuaucpl.cpl
    2008-08-23 20:08 . 2003-03-31 13:00 150,016 --a--c--- C:\WINDOWS\system32\dllcache\winzm.ime
    2008-08-23 20:08 . 2003-03-31 13:00 150,016 --a--c--- C:\WINDOWS\system32\dllcache\winsp.ime
    2008-08-23 20:08 . 2003-03-31 13:00 150,016 --a--c--- C:\WINDOWS\system32\dllcache\winpy.ime
    2008-08-23 20:08 . 2003-03-31 13:00 74,752 --a--c--- C:\WINDOWS\system32\dllcache\winar30.ime
    2008-08-23 20:08 . 2003-03-31 13:00 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime
    2008-08-23 20:08 . 2003-03-31 13:00 61,952 --a--c--- C:\WINDOWS\system32\dllcache\winime.ime
    2008-08-23 20:06 . 2003-03-31 13:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-08-23 20:05 . 2001-08-17 22:36 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
    2008-08-23 20:04 . 2003-03-31 13:00 1,007,616 --a--c--- C:\WINDOWS\system32\dllcache\conf.exe
    2008-08-23 20:03 . 2004-08-03 14:07 1,081,112 --a------ C:\WINDOWS\system32\wuaueng.dll
    2008-08-23 19:55 . 2003-03-31 13:00 2,049,999 --a--c--- C:\WINDOWS\system32\dllcache\NT5.CAT
    2008-08-23 19:10 . 2008-04-14 05:42 1,703,936 --a------ C:\WINDOWS\system32\SET2D2.tmp
    2008-08-23 19:09 . 2008-04-14 05:42 584,704 --a------ C:\WINDOWS\system32\SET246.tmp
    2008-08-23 19:08 . 2008-04-14 05:42 8,461,312 --a------ C:\WINDOWS\system32\SET217.tmp
    2008-08-23 19:07 . 2008-04-14 05:42 442,368 --a------ C:\WINDOWS\system32\SET1F1.tmp
    2008-08-23 19:07 . 2008-04-14 05:42 180,800 --a------ C:\WINDOWS\system32\SET1EF.tmp
    2008-08-23 19:07 . 2008-04-14 05:42 171,008 --a------ C:\WINDOWS\system32\SET1EC.tmp
    2008-08-23 19:07 . 2008-04-13 22:56 90,112 --a------ C:\WINDOWS\system32\SET1F0.tmp
    2008-08-23 19:07 . 2008-04-14 05:42 75,264 --a------ C:\WINDOWS\system32\SET1F3.tmp
    2008-08-23 19:07 . 2008-04-14 05:42 71,680 --a------ C:\WINDOWS\system32\SET1E6.tmp
    2008-08-23 19:07 . 2008-04-14 05:42 57,856 --a------ C:\WINDOWS\system32\SET1F2.tmp
    2008-08-23 19:07 . 2008-04-14 05:42 34,816 --a------ C:\WINDOWS\system32\SET1E7.tmp
    2008-08-23 19:05 . 2008-04-14 05:42 727,040 --a------ C:\WINDOWS\system32\SET19D.tmp
    2008-08-23 19:03 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\002681_.tmp
    2008-08-23 19:02 . 2007-08-10 20:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-08-23 19:00 . 2003-03-31 13:00 200,192 --a------ C:\WINDOWS\system32\termsrv.dll
    2008-08-23 18:59 . 2008-08-23 18:59 <DIR> d-------- C:\WINDOWS\EHome
    2008-08-23 18:57 . 2008-08-23 18:57 62,168 --a------ C:\WINDOWS\system32\om.exe
    2008-08-23 18:55 . 2008-08-23 19:17 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-08-23 18:02 . 2008-08-23 18:11 <DIR> d-------- C:\ada7d5935165ca62ae5054965a9b
    2008-08-23 18:01 . 2008-08-24 08:46 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
    2008-08-23 17:35 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
    2008-08-23 17:35 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
    2008-08-23 17:35 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
    2008-08-23 17:35 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
    2008-08-23 17:35 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
    2008-08-23 17:33 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
    2008-08-23 17:33 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
    2008-08-23 17:33 . 2004-08-03 14:03 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
    2008-08-23 17:33 . 2004-08-03 14:01 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
    2008-08-23 17:33 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
    2008-08-23 17:10 . 2008-08-23 17:10 80,090 --a------ C:\Documents and Settings\Owner\Application Data\SMBIOSSP.exe
    2008-08-23 16:41 . 2008-08-23 16:41 <DIR> d-------- C:\WINDOWS\VirtualEar
    2008-08-23 16:41 . 2008-08-23 16:41 <DIR> d-------- C:\Program Files\Analog Devices
    2008-08-23 16:41 . 2001-10-04 14:50 991,232 --a------ C:\WINDOWS\system32\virtear.dll
    2008-08-23 16:41 . 2004-11-19 10:00 126,976 --a------ C:\WINDOWS\system32\DSndUp.exe
    2008-08-23 16:41 . 2001-08-17 22:37 117,248 --a------ C:\WINDOWS\system32\ksproxy.ax
    2008-08-23 16:41 . 2003-08-19 18:36 65,536 --a------ C:\WINDOWS\system32\Audio3d.dll
    2008-08-23 16:40 . 2008-08-23 17:24 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
    2008-08-23 16:40 . 2008-08-23 17:24 <DIR> d-------- C:\Program Files\Common Files\InstallShield
    2008-08-23 16:40 . 2008-08-23 16:40 <DIR> d-------- C:\dell
    2008-08-23 16:40 . 2001-09-19 12:47 765,952 --a------ C:\WINDOWS\system\crlds3d.dll
    2008-08-23 16:40 . 2004-09-17 09:02 732,928 --a------ C:\WINDOWS\system32\drivers\senfilt.sys
    2008-08-23 16:40 . 2004-09-23 07:55 311,296 --a------ C:\WINDOWS\system32\Edcrypt.dll
    2008-08-23 16:40 . 2005-01-27 15:31 260,352 --a------ C:\WINDOWS\system32\drivers\smwdm.sys
    2008-08-23 16:40 . 2002-04-17 14:05 155,648 --a------ C:\WINDOWS\system32\CleanUp.exe
    2008-08-23 16:40 . 2004-10-05 16:10 23,040 --a------ C:\WINDOWS\system32\PostProc.dll
    2008-08-23 14:43 . 2008-08-23 16:10 <DIR> d-------- C:\Westwood
    2008-08-20 22:58 . 2008-08-20 22:58 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
    2008-08-20 22:21 . 2008-08-20 22:22 310,272 --ah----- C:\WINDOWS\system32\rocg.exe
    2008-08-20 22:20 . 2008-08-20 22:21 156,435 --a------ C:\WINDOWS\system32\wmsoft83883.exe
    2008-08-20 22:20 . 2008-08-20 22:22 69,632 --ah----- C:\WINDOWS\system32\oggf.exe
    2008-08-20 22:19 . 2008-08-20 22:19 123 --a------ C:\WINDOWS\system32\xjzz.bat
    2008-08-20 22:18 . 2008-08-20 22:20 189,990 --a------ C:\WINDOWS\system32\wmsoft15827.exe
    2008-08-20 22:18 . 2008-08-20 22:21 69,632 --ah----- C:\WINDOWS\system32\lbzgc.exe
    2008-08-20 22:18 . 2008-08-20 22:19 69,632 --ah----- C:\WINDOWS\system32\ihztgzx.exe
    2008-08-20 22:18 . 2008-08-20 22:20 79 --a------ C:\WINDOWS\system32\i
    2008-08-20 22:15 . 2008-08-20 22:22 91,136 --ah----- C:\WINDOWS\system32\gdhpwh.exe
    2008-08-20 22:15 . 2008-08-20 22:23 84,784 --ah----- C:\WINDOWS\system32\cnbtup.exe
    2008-08-20 22:15 . 2008-08-20 22:20 79,360 --ah----- C:\WINDOWS\system32\kypaacbm.exe
    2008-08-20 22:06 . 2001-08-17 14:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
    2008-08-20 22:04 . 2008-08-20 21:12 <DIR> dr------- C:\Documents and Settings\All Users\Documents
    2008-08-20 22:03 . 2008-08-23 19:55 <DIR> d-------- C:\WINDOWS\system32\CatRoot
    2008-08-20 22:03 . 2008-08-24 08:45 <DIR> d--h----- C:\Documents and Settings\Default User
    2008-08-20 22:03 . 2008-08-20 21:14 <DIR> d-------- C:\Documents and Settings\All Users
    2008-08-20 22:03 . 2008-08-24 19:23 <DIR> d-------- C:\Documents and Settings
    2008-08-20 22:03 . 2008-08-23 19:03 708,306 --a------ C:\WINDOWS\setupapi.old
    2008-08-20 22:03 . 2008-08-23 20:08 288 --a------ C:\WINDOWS\system32\$winnt$.inf

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-20 20:48 --------- d-----w C:\Program Files\Intel
    2008-08-20 20:22 --------- d-----w C:\Program Files\Huawei technologies
    2008-08-20 20:15 --------- d-----w C:\Program Files\microsoft frontpage
    .

    ------- Sigcheck -------

    2003-03-31 13:00 1080832 f05ba4bbdde5e3cf325a4e09a8a1c28a C:\WINDOWS\explorer.exe
    2003-03-31 13:00 1015296 87b0ac2233890a5d3579ab8e0756a9f7 C:\WINDOWS\system32\dllcache\explorer.exe

    2003-03-31 13:00 24576 f2a4273126f893e194c6ed1d53d12130 C:\WINDOWS\system32\ctfmon.exe
    2003-03-31 13:00 24576 f5d830590ff93cc58fd1485a4487cfd3 C:\WINDOWS\system32\dllcache\ctfmon.exe

    2003-03-31 13:00 62464 c48a7b5654dc2a8423b73beb7b2903e5 C:\WINDOWS\system32\spoolsv.exe
    2003-03-31 13:00 62464 99c8ef7c973b109674fc0added0a8f8f C:\WINDOWS\system32\dllcache\spoolsv.exe

    2007-07-30 19:19 53080 5042abb5ddccf2c9afc51b690901a59f C:\WINDOWS\SoftwareDistribution\SelfUpdate\wuauclt.exe
    2004-08-03 14:02 113944 5d393d3dc324e334753824dc63fc80d6 C:\WINDOWS\system32\wuauclt.exe
    2003-03-31 13:00 151040 f0de86134e6e0e67843c80e4d57db7f2 C:\WINDOWS\system32\dllcache\wuauclt.exe

    2003-03-31 13:00 33280 54ec872c8d6f646cadae760d709f4451 C:\WINDOWS\system32\userinit.exe
    2003-03-31 13:00 98816 7f902588889d1513ea11f26d8b1550f8 C:\WINDOWS\system32\dllcache\userinit.exe
    .
    ((((((((((((((((((((((((((((( snapshot@2008-08-24_ 8.30.37.90 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2000-08-31 07:00:00 101,792 ----a-w C:\WINDOWS\fdsv.exe
    + 2000-08-31 07:00:00 396,704 ----a-w C:\WINDOWS\fdsv.exe
    - 2000-08-31 07:00:00 173,568 ----a-w C:\WINDOWS\swreg.exe
    + 2000-08-31 07:00:00 370,176 ----a-w C:\WINDOWS\swreg.exe
    - 2000-08-31 07:00:00 223,744 ----a-w C:\WINDOWS\swxcacls.exe
    + 2000-08-31 07:00:00 354,816 ----a-w C:\WINDOWS\swxcacls.exe
    - 2008-08-24 07:28:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-08-24 18:50:12 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-08-24 07:28:42 81,920 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-08-24 18:50:12 81,920 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-08-24 07:28:42 278,528 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-08-24 18:50:12 278,528 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2003-03-31 12:00:00 15,360 -c--a-w C:\WINDOWS\system32\dllcache\actmovie.exe
    + 2003-03-31 12:00:00 48,128 -c--a-w C:\WINDOWS\system32\dllcache\actmovie.exe
    - 2003-03-31 12:00:00 246,272 -c--a-w C:\WINDOWS\system32\dllcache\agentsvr.exe
    + 2003-03-31 12:00:00 279,552 -c--a-w C:\WINDOWS\system32\dllcache\agentsvr.exe
    - 2003-03-31 12:00:00 102,912 -c--a-w C:\WINDOWS\system32\dllcache\ahui.exe
    + 2003-03-31 12:00:00 136,192 -c--a-w C:\WINDOWS\system32\dllcache\ahui.exe
    - 2003-03-31 12:00:00 53,248 -c--a-w C:\WINDOWS\system32\dllcache\alg.exe
    + 2003-03-31 12:00:00 86,528 -c--a-w C:\WINDOWS\system32\dllcache\alg.exe
    - 2003-03-31 12:00:00 30,720 -c--a-w C:\WINDOWS\system32\dllcache\arp.exe
    + 2003-03-31 12:00:00 63,488 -c--a-w C:\WINDOWS\system32\dllcache\arp.exe
    - 2003-03-31 12:00:00 21,504 -c--a-w C:\WINDOWS\system32\dllcache\atmadm.exe
    + 2003-03-31 12:00:00 54,272 -c--a-w C:\WINDOWS\system32\dllcache\atmadm.exe
    - 2003-03-31 12:00:00 22,528 -c--a-w C:\WINDOWS\system32\dllcache\attrib.exe
    + 2003-03-31 12:00:00 55,808 -c--a-w C:\WINDOWS\system32\dllcache\attrib.exe
    - 2002-05-14 11:08:54 28,727 -c--a-w C:\WINDOWS\system32\dllcache\author.exe
    + 2002-05-14 11:08:54 61,495 -c--a-w C:\WINDOWS\system32\dllcache\author.exe
    - 2000-08-31 07:00:00 79,360 ----a-w C:\WINDOWS\zip.exe
    + 2000-08-31 07:00:00 112,640 ----a-w C:\WINDOWS\zip.exe
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "C:\WINDOWS\System32\igfxtray.exe" [2005-10-19 08:59 200704]
    "HotKeysCmds "= "C:\WINDOWS\System32\hkcmd.exe" [2005-10-19 08:59 139264]
    "SoundMAXPnP "= "C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1581056]
    "Windows DLL Loader "= "C:\WINDOWS\System32\qbtu.exe" [2008-08-24 07:49 79360]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "NoDispScrSavPage "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lgoablw]
    [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\racsexe]
    2008-08-24 07:39 21504 C:\WINDOWS\system32\racsexe.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli scecli

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\Common Files\\System\\MSASP32.exe "=

    .
    .
    ------- Supplementary Scan -------
    .
    R0 -: HKLM-Main,Window Title =
    R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://hotmail.com/
    O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-24 19:50:47
    Windows 5.1.2600 Service Pack 1 NTFS

    detected NTDLL code modification:
    ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\racsexe.dll
    .
    Completion time: 2008-08-24 19:53:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-24 18:53:01
    ComboFix2.txt 2008-08-24 07:45:33

    Pre-Run: 37,191,299,072 bytes free
    Post-Run: 37,145,796,608 bytes free

    219 --- E O F --- 2008-08-23 17:10:33
     
  13. 2008/08/24
    noahdfear

    noahdfear Inactive

    Once again, please disable any real-time protection applications. Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    
    http://www.windowsbbs.com/malware-virus-removal/76246-infected-pc-2-a.html#post412867
    
    Suspect::[22]
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\system32\qbtu.exe
    C:\WINDOWS\system32\racsexe.dll
    C:\WINDOWS\system32\sgeltyamkwdfpih.exe
    C:\WINDOWS\system32\rocg.exe
    C:\WINDOWS\system32\wmsoft83883.exe
    C:\WINDOWS\system32\oggf.exe
    C:\WINDOWS\system32\xjzz.bat
    C:\WINDOWS\system32\wmsoft15827.exe
    C:\WINDOWS\system32\lbzgc.exe
    C:\WINDOWS\system32\ihztgzx.exe
    C:\WINDOWS\system32\i
    C:\WINDOWS\system32\gdhpwh.exe
    C:\WINDOWS\system32\cnbtup.exe
    C:\WINDOWS\system32\kypaacbm.exe
    File::
    C:\WINDOWS\system32\80.tmp
    C:\WINDOWS\system32\82.tmp
    C:\WINDOWS\system32\70.tmp
    C:\WINDOWS\system32\6F.tmp
    C:\WINDOWS\system32\71.tmp
    C:\WINDOWS\system32\66.tmp
    C:\WINDOWS\system32\65.tmp
    C:\WINDOWS\system32\67.tmp
    C:\WINDOWS\system32\55.tmp
    C:\WINDOWS\system32\58.tmp
    C:\WINDOWS\system32\SET2D2.tmp
    C:\WINDOWS\system32\SET246.tmp
    C:\WINDOWS\system32\SET217.tmp
    C:\WINDOWS\system32\SET1F1.tmp
    C:\WINDOWS\system32\SET1EF.tmp
    C:\WINDOWS\system32\SET1EC.tmp
    C:\WINDOWS\system32\SET1F0.tmp
    C:\WINDOWS\system32\SET1F3.tmp
    C:\WINDOWS\system32\SET1E6.tmp
    C:\WINDOWS\system32\SET1F2.tmp
    C:\WINDOWS\system32\SET1E7.tmp
    C:\WINDOWS\system32\SET19D.tmp
    C:\WINDOWS\002681_.tmp
    C:\Program Files\Common Files\System\MSASP32.exe
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lgoablw]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
     "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
     "Notification Packages "=hex(7):73,63,65,63,6c,69,00,00
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "C:\\Program Files\\Common Files\\System\\MSASP32.exe "=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SoundMAXPnP "=-
     "Windows DLL Loader "=-
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Please note that I have instructed CFScript to collect some files for analysis. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. Let me know if this fails to happen please.
    Thanks!
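    As an added illustration (not part of this thread and not ComboFix's own code): the Suspect:: entries above for explorer.exe, ctfmon.exe, spoolsv.exe, wuauclt.exe and userinit.exe come from the Sigcheck section, where each live file's MD5 differs from the copy in dllcache, and the hidden, randomly named .exe files come from the Files Created section. The Python below reproduces both triage steps over lines copied from the log above; the severity labels it assigns are this example's own heuristic.

```python
"""Triage two sections of a ComboFix log (added example, not ComboFix's code).

Sample lines are copied from the log earlier in the thread; the pairing of a
live binary with its %SystemRoot%\\system32\\dllcache copy follows what the
CFScript above does with Sigcheck, and the severity labels are this example's
own heuristic.
"""
import re
from collections import defaultdict

# Constructed sample: Sigcheck lines copied from the ComboFix log above.
SIGCHECK_SAMPLE = """\
2003-03-31 13:00 1080832 f05ba4bbdde5e3cf325a4e09a8a1c28a C:\\WINDOWS\\explorer.exe
2003-03-31 13:00 1015296 87b0ac2233890a5d3579ab8e0756a9f7 C:\\WINDOWS\\system32\\dllcache\\explorer.exe

2003-03-31 13:00 24576 f2a4273126f893e194c6ed1d53d12130 C:\\WINDOWS\\system32\\ctfmon.exe
2003-03-31 13:00 24576 f5d830590ff93cc58fd1485a4487cfd3 C:\\WINDOWS\\system32\\dllcache\\ctfmon.exe
2007-07-30 19:19 53080 5042abb5ddccf2c9afc51b690901a59f C:\\WINDOWS\\SoftwareDistribution\\SelfUpdate\\wuauclt.exe
2004-08-03 14:02 113944 5d393d3dc324e334753824dc63fc80d6 C:\\WINDOWS\\system32\\wuauclt.exe
2003-03-31 13:00 151040 f0de86134e6e0e67843c80e4d57db7f2 C:\\WINDOWS\\system32\\dllcache\\wuauclt.exe
"""

# Constructed sample: "Files Created" lines copied from the same log.
CREATED_SAMPLE = """\
2008-08-24 07:49 . 2008-08-24 07:49 79,360 --ah----- C:\\WINDOWS\\system32\\qbtu.exe
2008-08-24 07:39 . 2008-08-24 07:39 21,504 --a------ C:\\WINDOWS\\system32\\racsexe.dll
2008-08-23 20:48 . 2008-08-23 20:50 <DIR> d-------- C:\\Program Files\\Spybot - Search & Destroy
2008-08-20 22:21 . 2008-08-20 22:22 310,272 --ah----- C:\\WINDOWS\\system32\\rocg.exe
2008-08-20 22:19 . 2008-08-20 22:19 123 --a------ C:\\WINDOWS\\system32\\xjzz.bat
2008-08-20 22:06 . 2001-08-17 14:59 3,072 --a------ C:\\WINDOWS\\system32\\drivers\\audstub.sys
"""

SIGCHECK_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) ([0-9a-f]{32}) (.+)$")
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) (\S{9}) (.+)$")


def parse_sigcheck(text):
    """Group Sigcheck lines by file name as (stamp, size, md5, path) tuples."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            stamp, size, md5, path = m.groups()
            groups[path.rsplit("\\", 1)[-1].lower()].append(
                (stamp, int(size), md5, path))
    return groups


def sigcheck_findings(text):
    """Compare each live copy with its dllcache copy; return {path: verdict}.

    A legitimate update rewrites the timestamp along with the content, so a
    hash mismatch under an unchanged timestamp points at tampering: same size
    means patched in place, another size means code was added or removed.
    A mismatch with a different timestamp may be an update and needs its
    file version checked before it is called bad.
    """
    findings = {}
    for entries in parse_sigcheck(text).values():
        refs = [e for e in entries if "\\dllcache\\" in e[3].lower()]
        if not refs:
            continue  # no reference copy to compare against
        ref_stamp, ref_size, ref_md5, ref_path = refs[0]
        for stamp, size, md5, path in entries:
            if path == ref_path or md5 == ref_md5:
                continue
            if stamp != ref_stamp:
                findings[path] = "replaced"
            elif size == ref_size:
                findings[path] = "modified in place"
            else:
                findings[path] = "size changed, timestamp preserved"
    return findings


def hidden_system32_binaries(text):
    """Return newly created, hidden ('h' in the attribute column) files under system32."""
    hits = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        _created, _modified, size, attrs, path = m.groups()
        if (size != "<DIR>" and "h" in attrs.lower()
                and "\\system32\\" in path.lower()):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for path, verdict in sorted(sigcheck_findings(SIGCHECK_SAMPLE).items()):
        print(f"{verdict:34} {path}")
    for path in hidden_system32_binaries(CREATED_SAMPLE):
        print(f"{'hidden, newly created':34} {path}")
```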
     
  14. 2008/08/24
    apugh82

    apugh82 Inactive Thread Starter

    It's getting on my nerves now. If I chuck it out of my top floor window, would this help?
    I think not, it would just make me feel better.... Anyway,

    this time it should work.

    The first and second times I couldn't get an internet connection.


    Query: will the first log & zip for upload be different from the one I'm going to do now? If so, how should I proceed?
     
  15. 2008/08/24
    noahdfear

    noahdfear Inactive

    If ComboFix ran through to completion the first time, and created the zip file on the desktop, don't run the script again. Instead, go to my submission channel, browse to and select the zip, then click Send File.

    Post the log at C:\ComboFix.txt
     
  16. 2008/08/24
    apugh82

    apugh82 Inactive Thread Starter

    Hi

    ComboFix 08-08-23.03 - Administrator 2008-08-24 20:56:38.8 - NTFSx86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.178 [GMT 1:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\Program Files\Common Files\System\MSASP32.exe
    C:\WINDOWS\002681_.tmp
    C:\WINDOWS\system32\55.tmp
    C:\WINDOWS\system32\58.tmp
    C:\WINDOWS\system32\65.tmp
    C:\WINDOWS\system32\66.tmp
    C:\WINDOWS\system32\67.tmp
    C:\WINDOWS\system32\6F.tmp
    C:\WINDOWS\system32\70.tmp
    C:\WINDOWS\system32\71.tmp
    C:\WINDOWS\system32\80.tmp
    C:\WINDOWS\system32\82.tmp
    C:\WINDOWS\system32\SET19D.tmp
    C:\WINDOWS\system32\SET1E6.tmp
    C:\WINDOWS\system32\SET1E7.tmp
    C:\WINDOWS\system32\SET1EC.tmp
    C:\WINDOWS\system32\SET1EF.tmp
    C:\WINDOWS\system32\SET1F0.tmp
    C:\WINDOWS\system32\SET1F1.tmp
    C:\WINDOWS\system32\SET1F2.tmp
    C:\WINDOWS\system32\SET1F3.tmp
    C:\WINDOWS\system32\SET217.tmp
    C:\WINDOWS\system32\SET246.tmp
    C:\WINDOWS\system32\SET2D2.tmp
    .

    ((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
    .

    2008-08-24 20:47 . 2008-08-24 20:47 88,064 --ah----- C:\WINDOWS\system32\gtqbjgml.exe
    2008-08-24 20:47 . 2008-08-24 20:47 79,360 --ah----- C:\WINDOWS\system32\mykdrafn.exe
    2008-08-24 19:23 . 2008-08-24 19:23 <DIR> d-------- C:\Documents and Settings\me
    2008-08-24 08:00 . 2008-08-24 08:00 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-08-24 07:49 . 2008-08-24 07:49 79,360 --ah----- C:\WINDOWS\system32\qbtu.exe
    2008-08-24 07:39 . 2008-08-24 07:39 21,504 --a------ C:\WINDOWS\system32\racsexe.dll
    2008-08-24 07:38 . 2007-08-08 12:12 101,120 --a------ C:\WINDOWS\system32\drivers\ewusbmdm.sys
    2008-08-24 07:38 . 2007-08-08 12:13 24,448 --a------ C:\WINDOWS\system32\drivers\ewdcsc.sys
    2008-08-23 23:56 . 2008-08-23 23:56 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-23 22:20 . 2008-08-23 22:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
    2008-08-23 22:20 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-23 22:20 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-23 22:19 . 2008-08-23 22:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-23 22:19 . 2008-08-23 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-23 21:54 . 2008-08-23 21:54 95 --a------ C:\WINDOWS\wininit.ini
    2008-08-23 20:48 . 2008-08-23 20:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-08-23 20:48 . 2008-08-23 21:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-23 20:31 . 2004-08-03 14:03 167,704 --a------ C:\WINDOWS\system32\wuaucpl.cpl
    2008-08-23 20:08 . 2003-03-31 13:00 150,016 --a--c--- C:\WINDOWS\system32\dllcache\winzm.ime
    2008-08-23 20:08 . 2003-03-31 13:00 150,016 --a--c--- C:\WINDOWS\system32\dllcache\winsp.ime
    2008-08-23 20:08 . 2003-03-31 13:00 150,016 --a--c--- C:\WINDOWS\system32\dllcache\winpy.ime
    2008-08-23 20:08 . 2003-03-31 13:00 74,752 --a--c--- C:\WINDOWS\system32\dllcache\winar30.ime
    2008-08-23 20:08 . 2003-03-31 13:00 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime
    2008-08-23 20:08 . 2003-03-31 13:00 61,952 --a--c--- C:\WINDOWS\system32\dllcache\winime.ime
    2008-08-23 20:06 . 2003-03-31 13:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-08-23 20:05 . 2001-08-17 22:36 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
    2008-08-23 20:04 . 2003-03-31 13:00 1,007,616 --a--c--- C:\WINDOWS\system32\dllcache\conf.exe
    2008-08-23 20:03 . 2004-08-03 14:07 1,081,112 --a------ C:\WINDOWS\system32\wuaueng.dll
    2008-08-23 19:55 . 2003-03-31 13:00 2,049,999 --a--c--- C:\WINDOWS\system32\dllcache\NT5.CAT
    2008-08-23 19:10 . 2008-04-14 05:42 1,287,168 --a------ C:\WINDOWS\system32\SET29D.tmp
    2008-08-23 19:09 . 2008-04-14 05:42 399,360 --a------ C:\WINDOWS\system32\SET245.tmp
    2008-08-23 19:08 . 2008-04-14 05:42 1,499,136 --a------ C:\WINDOWS\system32\SET218.tmp
    2008-08-23 19:06 . 2008-04-14 05:42 713,216 --a------ C:\WINDOWS\system32\SET1CD.tmp
    2008-08-23 19:05 . 2008-04-14 05:42 666,112 --a------ C:\WINDOWS\system32\SET17B.tmp
    2008-08-23 19:02 . 2007-08-10 20:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-08-23 19:00 . 2003-03-31 13:00 200,192 --a------ C:\WINDOWS\system32\termsrv.dll
    2008-08-23 18:59 . 2008-08-23 18:59 <DIR> d-------- C:\WINDOWS\EHome
    2008-08-23 18:57 . 2008-08-23 18:57 62,168 --a------ C:\WINDOWS\system32\om.exe
    2008-08-23 18:55 . 2008-08-23 19:17 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-08-23 18:02 . 2008-08-23 18:11 <DIR> d-------- C:\ada7d5935165ca62ae5054965a9b
    2008-08-23 18:01 . 2008-08-24 20:45 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
    2008-08-23 17:35 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
    2008-08-23 17:35 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
    2008-08-23 17:35 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
    2008-08-23 17:35 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
    2008-08-23 17:35 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
    2008-08-23 17:33 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
    2008-08-23 17:33 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
    2008-08-23 17:33 . 2004-08-03 14:03 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
    2008-08-23 17:33 . 2004-08-03 14:01 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
    2008-08-23 17:33 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
    2008-08-23 17:10 . 2008-08-23 17:10 80,090 --a------ C:\Documents and Settings\Owner\Application Data\SMBIOSSP.exe
    2008-08-23 16:41 . 2008-08-23 16:41 <DIR> d-------- C:\WINDOWS\VirtualEar
    2008-08-23 16:41 . 2008-08-23 16:41 <DIR> d-------- C:\Program Files\Analog Devices
    2008-08-23 16:41 . 2001-10-04 14:50 991,232 --a------ C:\WINDOWS\system32\virtear.dll
    2008-08-23 16:41 . 2004-11-19 10:00 126,976 --a------ C:\WINDOWS\system32\DSndUp.exe
    2008-08-23 16:41 . 2001-08-17 22:37 117,248 --a------ C:\WINDOWS\system32\ksproxy.ax
    2008-08-23 16:41 . 2003-08-19 18:36 65,536 --a------ C:\WINDOWS\system32\Audio3d.dll
    2008-08-23 16:40 . 2008-08-23 17:24 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
    2008-08-23 16:40 . 2008-08-23 17:24 <DIR> d-------- C:\Program Files\Common Files\InstallShield
    2008-08-23 16:40 . 2008-08-23 16:40 <DIR> d-------- C:\dell
    2008-08-23 16:40 . 2001-09-19 12:47 765,952 --a------ C:\WINDOWS\system\crlds3d.dll
    2008-08-23 16:40 . 2004-09-17 09:02 732,928 --a------ C:\WINDOWS\system32\drivers\senfilt.sys
    2008-08-23 16:40 . 2004-09-23 07:55 311,296 --a------ C:\WINDOWS\system32\Edcrypt.dll
    2008-08-23 16:40 . 2005-01-27 15:31 260,352 --a------ C:\WINDOWS\system32\drivers\smwdm.sys
    2008-08-23 16:40 . 2002-04-17 14:05 155,648 --a------ C:\WINDOWS\system32\CleanUp.exe
    2008-08-23 16:40 . 2004-10-05 16:10 23,040 --a------ C:\WINDOWS\system32\PostProc.dll
    2008-08-23 14:43 . 2008-08-23 16:10 <DIR> d-------- C:\Westwood
    2008-08-20 22:58 . 2008-08-20 22:58 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
    2008-08-20 22:21 . 2008-08-20 22:22 310,272 --ah----- C:\WINDOWS\system32\rocg.exe
    2008-08-20 22:20 . 2008-08-20 22:21 156,435 --a------ C:\WINDOWS\system32\wmsoft83883.exe
    2008-08-20 22:20 . 2008-08-20 22:22 69,632 --ah----- C:\WINDOWS\system32\oggf.exe
    2008-08-20 22:19 . 2008-08-20 22:19 123 --a------ C:\WINDOWS\system32\xjzz.bat
    2008-08-20 22:18 . 2008-08-20 22:20 189,990 --a------ C:\WINDOWS\system32\wmsoft15827.exe
    2008-08-20 22:18 . 2008-08-20 22:21 69,632 --ah----- C:\WINDOWS\system32\lbzgc.exe
    2008-08-20 22:18 . 2008-08-20 22:19 69,632 --ah----- C:\WINDOWS\system32\ihztgzx.exe
    2008-08-20 22:18 . 2008-08-20 22:20 79 --a------ C:\WINDOWS\system32\i
    2008-08-20 22:15 . 2008-08-20 22:22 91,136 --ah----- C:\WINDOWS\system32\gdhpwh.exe
    2008-08-20 22:15 . 2008-08-20 22:23 84,784 --ah----- C:\WINDOWS\system32\cnbtup.exe
    2008-08-20 22:15 . 2008-08-20 22:20 79,360 --ah----- C:\WINDOWS\system32\kypaacbm.exe
    2008-08-20 22:06 . 2001-08-17 14:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
    2008-08-20 22:04 . 2008-08-20 21:12 <DIR> dr------- C:\Documents and Settings\All Users\Documents
    2008-08-20 22:03 . 2008-08-23 19:55 <DIR> d-------- C:\WINDOWS\system32\CatRoot
    2008-08-20 22:03 . 2008-08-24 08:45 <DIR> d--h----- C:\Documents and Settings\Default User
    2008-08-20 22:03 . 2008-08-20 21:14 <DIR> d-------- C:\Documents and Settings\All Users
    2008-08-20 22:03 . 2008-08-24 19:23 <DIR> d-------- C:\Documents and Settings
    2008-08-20 22:03 . 2008-08-23 19:03 708,306 --a------ C:\WINDOWS\setupapi.old
    2008-08-20 22:03 . 2008-08-23 20:08 288 --a------ C:\WINDOWS\system32\$winnt$.inf

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-20 20:48 --------- d-----w C:\Program Files\Intel
    2008-08-20 20:22 --------- d-----w C:\Program Files\Huawei technologies
    2008-08-20 20:15 --------- d-----w C:\Program Files\microsoft frontpage
    .

    ------- Sigcheck -------

    2003-03-31 13:00 1080832 f05ba4bbdde5e3cf325a4e09a8a1c28a C:\WINDOWS\explorer.exe
    2003-03-31 13:00 1015296 87b0ac2233890a5d3579ab8e0756a9f7 C:\WINDOWS\system32\dllcache\explorer.exe

    2003-03-31 13:00 24576 f2a4273126f893e194c6ed1d53d12130 C:\WINDOWS\system32\ctfmon.exe
    2003-03-31 13:00 24576 f5d830590ff93cc58fd1485a4487cfd3 C:\WINDOWS\system32\dllcache\ctfmon.exe

    2003-03-31 13:00 62464 c48a7b5654dc2a8423b73beb7b2903e5 C:\WINDOWS\system32\spoolsv.exe
    2003-03-31 13:00 62464 99c8ef7c973b109674fc0added0a8f8f C:\WINDOWS\system32\dllcache\spoolsv.exe

    2007-07-30 19:19 53080 5042abb5ddccf2c9afc51b690901a59f C:\WINDOWS\SoftwareDistribution\SelfUpdate\wuauclt.exe
    2004-08-03 14:02 113944 5d393d3dc324e334753824dc63fc80d6 C:\WINDOWS\system32\wuauclt.exe
    2003-03-31 13:00 151040 f0de86134e6e0e67843c80e4d57db7f2 C:\WINDOWS\system32\dllcache\wuauclt.exe

    2003-03-31 13:00 33280 54ec872c8d6f646cadae760d709f4451 C:\WINDOWS\system32\userinit.exe
    2003-03-31 13:00 98816 7f902588889d1513ea11f26d8b1550f8 C:\WINDOWS\system32\dllcache\userinit.exe
    .
    ((((((((((((((((((((((((((((( snapshot_2008-08-24_19.52.20.29 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2000-08-31 07:00:00 370,176 ----a-w C:\WINDOWS\swreg.exe
    + 2000-08-31 07:00:00 173,568 ----a-w C:\WINDOWS\swreg.exe
    - 2008-08-24 18:50:12 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-08-24 19:53:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-08-24 18:50:12 81,920 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-08-24 19:53:16 81,920 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-08-24 18:50:12 278,528 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-08-24 19:53:16 278,528 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2003-03-31 12:00:00 279,552 -c--a-w C:\WINDOWS\system32\dllcache\agentsvr.exe
    + 2003-03-31 12:00:00 312,320 -c--a-w C:\WINDOWS\system32\dllcache\agentsvr.exe
    - 2003-03-31 12:00:00 63,488 -c--a-w C:\WINDOWS\system32\dllcache\arp.exe
    + 2003-03-31 12:00:00 96,256 -c--a-w C:\WINDOWS\system32\dllcache\arp.exe
    - 2003-03-31 12:00:00 54,272 -c--a-w C:\WINDOWS\system32\dllcache\atmadm.exe
    + 2003-03-31 12:00:00 87,040 -c--a-w C:\WINDOWS\system32\dllcache\atmadm.exe
    - 2003-03-31 12:00:00 55,808 -c--a-w C:\WINDOWS\system32\dllcache\attrib.exe
    + 2003-03-31 12:00:00 88,576 -c--a-w C:\WINDOWS\system32\dllcache\attrib.exe
    - 2002-05-14 11:08:54 61,495 -c--a-w C:\WINDOWS\system32\dllcache\author.exe
    + 2002-05-14 11:08:54 94,263 -c--a-w C:\WINDOWS\system32\dllcache\author.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "C:\WINDOWS\System32\igfxtray.exe" [2005-10-19 08:59 200704]
    "HotKeysCmds "= "C:\WINDOWS\System32\hkcmd.exe" [2005-10-19 08:59 139264]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "NoDispScrSavPage "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\racsexe]
    2008-08-24 07:39 21504 C:\WINDOWS\system32\racsexe.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll


    *Newly Created Service* - CATCHME
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-24 20:58:19
    Windows 5.1.2600 Service Pack 1 NTFS

    detected NTDLL code modification:
    ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\racsexe.dll
    .
    Completion time: 2008-08-24 20:59:33
    ComboFix-quarantined-files.txt 2008-08-24 19:59:24
    ComboFix2.txt 2008-08-24 19:45:40
    ComboFix3.txt 2008-08-24 18:53:09
    ComboFix4.txt 2008-08-24 07:45:33

    Pre-Run: 37,044,518,912 bytes free
    Post-Run: 37,022,810,112 bytes free

    202 --- E O F --- 2008-08-23 17:10:33
     
  17. 2008/08/24
    apugh82

    apugh82 Inactive Thread Starter

    Joined:
    2008/04/03
    Messages:
    30
    Likes Received:
    0
    hello again


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:47:03, on 8/24/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\wpabaln.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hotmail.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1219509294687
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1219509267843
    O20 - Winlogon Notify: racsexe - C:\WINDOWS\SYSTEM32\racsexe.dll

    --
    End of file - 2763 bytes
     
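A small triage script, added here as an example (not part of this thread, and not HijackThis code), that flags the kinds of entries the helper was looking at in the logs above: an O20 Winlogon Notify package that is not in a (partial, assumed) allowlist of XP defaults, a BHO registered with no name, and a Run entry outside the system directories. The sample lines are constructed to echo the log above; the placeholder CLSID and DLL name in the unnamed-BHO line are invented.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample lines, modelled on the HijackThis entries quoted in this thread.
SAMPLE_LOG = [
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    # constructed placeholder entry: invented CLSID and DLL name
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\placeholder.dll",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe",
    r"O20 - Winlogon Notify: racsexe - C:\WINDOWS\SYSTEM32\racsexe.dll",
]

# Assumption: a partial allowlist of Winlogon Notify DLLs that ship with XP.
# Anything else registered under winlogon\notify deserves a closer look.
KNOWN_NOTIFY_DLLS = {
    "crypt32chain.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
    "senslogn.dll", "termsrv.dll", "wlballoon.dll", "wlnotify.dll",
}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
O2_RE = re.compile(r"^O2 - BHO: (.+?) - \{([0-9A-Fa-f-]+)\} - (.+)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def triage(lines):
    """Return (severity, reason, line) for HijackThis entries worth a second look."""
    findings = []
    for line in lines:
        line = line.strip()
        if m := O20_RE.match(line):
            dll = PureWindowsPath(m.group(2).strip()).name.lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append(("high", f"unknown Winlogon Notify package {dll!r}", line))
        elif m := O2_RE.match(line):
            if m.group(1).strip().lower() == "(no name)":
                findings.append(("medium", "BHO registered without a name", line))
        elif m := O4_RE.match(line):
            exe = m.group(3).strip().strip('"').lower()
            if not exe.startswith(SYSTEM_PREFIXES):
                findings.append(("low", f"Run entry outside system dirs: {exe}", line))
    return findings


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev}] {reason}\n    {line}")
```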
  18. 2008/08/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The files you uploaded are infected with Virut. Virut is an extremely nasty file infector. It attempts to (and generally succeeds) inject code into every exe file on the drive. It has already infected many of your system files. I've yet to see a system successfully cleaned of Virut without causing serious instability or even making the system unbootable. Therefore, my recommendation is to boot from an XP cd, delete the partition, create a new partition, format it and install a fresh operating system. Don't bother trying to save anything and don't attempt a re-install rather than a clean install. It would be a waste of time.
     
  19. 2008/08/24
    apugh82

    apugh82 Inactive Thread Starter

    Joined:
    2008/04/03
    Messages:
    30
    Likes Received:
    0
    Cool, no problem.
     
  20. 2008/08/24
    apugh82

    apugh82 Inactive Thread Starter

    Joined:
    2008/04/03
    Messages:
    30
    Likes Received:
    0
    No, it's back. I did as you said, so is this a fresh infection? Because I've only been to the Dell website.

    My PC is a Dell GX260, intel4.
    When I install XP there are 4 yellow warnings in Device Manager:

    graphics (which it can find itself)
    ethernet
    SMBus controller
    audio

    These are the only things I downloaded.
     
  21. 2008/08/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Are you saying the infection is back after a full format as described above? What makes you think so?

    It would not be unusual to have the warnings in device manager prior to installing drivers.
     