multiple infections hard to remove


This topic is locked

#1 gassmann (New Member, 7 posts)
I have had multiple infections on my PC and have been trying to remove them for 3 days solid. I have run many different programs to find and remove them, but I still don't think they are all gone. I am having a major slowdown of my system, and my McAfee pops up that I have an infection, but it cannot clean it. I have followed the required steps, plus done an Ad-Aware and Spybot scan. Below you will find my logs. Please help me, as I NEED my PC daily. Thank you!

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:35:17 AM 2/11/2007

+ Scan result:

Nothing found.

::Report end


SUPERAntiSpyware Scan Log
Generated 02/11/2007 at 04:51 PM

Application Version : 3.5.1016

Core Rules Database Version : 3182
Trace Rules Database Version: 1192

Scan type : Complete Scan
Total Scan Time : 01:39:52

Memory items scanned : 447
Memory threats detected : 0
Registry items scanned : 8030
Registry threats detected : 3
File items scanned : 114550
File threats detected : 27

Adware.Vundo Variant
HKCR\CLSID\{68D5CF1D-EC5C-4BDD-A9EF-F0E517565D50}
HKCR\CLSID\{68D5CF1D-EC5C-4BDD-A9EF-F0E517565D50}\InprocServer32
HKCR\CLSID\{68D5CF1D-EC5C-4BDD-A9EF-F0E517565D50}\InprocServer32#ThreadingModel

Adware.VSToolbar
C:\Program Files\VSAdd-in

Trojan.Downloader-Gen/LIB
C:\VUNDOFIX BACKUPS\AFEPBCKP.DLL.BAD
C:\VUNDOFIX BACKUPS\BDCVCWWF.DLL.BAD

Trojan.Downloader-WBRock
C:\VUNDOFIX BACKUPS\AWTRRST.DLL.BAD
C:\VUNDOFIX BACKUPS\AWTTUVU.DLL.BAD
C:\VUNDOFIX BACKUPS\CBXVSQR.DLL.BAD
C:\VUNDOFIX BACKUPS\EFCAAXV.DLL.BAD
C:\VUNDOFIX BACKUPS\FCCBYYV.DLL.BAD
C:\VUNDOFIX BACKUPS\FCCYAXY.DLL.BAD
C:\VUNDOFIX BACKUPS\GEBYABY.DLL.BAD
C:\VUNDOFIX BACKUPS\GEBYVUU.DLL.BAD
C:\VUNDOFIX BACKUPS\IIFCBBB.DLL.BAD
C:\VUNDOFIX BACKUPS\IIFDAYV.DLL.BAD
C:\VUNDOFIX BACKUPS\IIFFFDC.DLL.BAD
C:\VUNDOFIX BACKUPS\JKKLKHF.DLL.BAD
C:\VUNDOFIX BACKUPS\LJJIGHE.DLL.BAD
C:\VUNDOFIX BACKUPS\MLJJKKI.DLL.BAD
C:\VUNDOFIX BACKUPS\OPNKIGG.DLL.BAD
C:\VUNDOFIX BACKUPS\OPNMLKL.DLL.BAD
C:\VUNDOFIX BACKUPS\RQRRQQN.DLL.BAD
C:\VUNDOFIX BACKUPS\SSQRSRO.DLL.BAD
C:\VUNDOFIX BACKUPS\TUVVURR.DLL.BAD
C:\VUNDOFIX BACKUPS\VTUSQOO.DLL.BAD
C:\VUNDOFIX BACKUPS\WVUROLJ.DLL.BAD
C:\VUNDOFIX BACKUPS\XXYXXWU.DLL.BAD

Trojan.Downloader-SpyTool
C:\WINDOWS\SYSTEM32\ECIDTRNW.DLL

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\MLLMM.DLL

PANDA:

Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Lisa Gassmann\My Documents\scanning stuff\VirtumundoBeGone.exe[²ƒÇ]
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\VundoFix Backups\idypshlg.exe.bad
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\VundoFix Backups\jwfbirry.exe.bad
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\SYSTEM32\cssbmmkf.exe
Virus:Trj/Downloader.MQN Disinfected C:\WINDOWS\SYSTEM32\rundll32.exe.tmp

Logfile of HijackThis v1.99.1
Scan saved at 8:58:14 PM, on 2/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\dlcqcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\PhoneTray\PhoneTray.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Lisa Gassmann\My Documents\scanning stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lisascandles.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;127.0.0.1
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [DLCQCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll,[email protected]
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows] rundll32.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\RunServices: [Windows] rundll32.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] c:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9602.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.m...ted/mvt/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlcq_device - - C:\WINDOWS\system32\dlcqcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PhoneTray - Unknown owner - C:\Program Files\PhoneTray\PhoneTray.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Thank you! Thank you! Thank you! ... in advance!

Lisa

#2 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hello and welcome to Geeks To Go

Some malware has the ability to hide when interrogated by HijackThis; I believe this may be true in your case. Please right click on hijackthis.exe and rename it to crusty.exe

Now please rescan with the newly named file and post the log into this thread by using the ADD REPLY button on the bottom right of this post, and I'll have a fresh look.

From now on, you will have to use crusty.exe to produce a HJT log.

Please ensure that you post logs created in normal mode only.

#3 gassmann (Topic Starter, New Member, 7 posts)
I did the rename, but the log still says hijackthis. It doesn't look any different to me, but maybe you'll see something I don't. Thanks!!!

Lisa

Logfile of HijackThis v1.99.1
Scan saved at 7:58:22 AM, on 2/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\dlcqcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\PhoneTray\PhoneTray.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Lisa Gassmann\My Documents\scanning stuff\crusty.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lisascandles.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;127.0.0.1
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [DLCQCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll,[email protected]
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows] rundll32.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\RunServices: [Windows] rundll32.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] c:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9602.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.m...ted/mvt/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlcq_device - - C:\WINDOWS\system32\dlcqcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PhoneTray - Unknown owner - C:\Program Files\PhoneTray\PhoneTray.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

#4 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hello Lisa and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

ALL staff here at Geeks To Go are volunteers, please bear that in mind if I don’t answer your post quickly; I give what time I can.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple-identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual's settings, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! (Click the Options drop down near the upper right of the topic. Select Print this topic.)

It looks as though renaming HJT did not produce the O2 BHOs I was hoping for; never mind. Please delete one of the .exe suffixes from crusty.exe.exe, as it will likely be picked up as a virus by an AV programme, since double suffixes are a sign of a virus.

Please disable Spyware Doctor. From within Spyware Doctor, click the OnGuard button on the left side. Uncheck Activate OnGuard.

Please disable SUPERantispyware real-time scanning as it will hinder our attempts to change anything.

Please uninstall Incredimail as their privacy policy allows them to bundle third party software to you without your further permission, following your acceptance of their terms and conditions.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

CCleaner
combofix.exe

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, check the default settings in the left-hand pane, ensure you uncheck Old Prefetch Data found under the Windows tab, and under the heading of Applications, Utilities uncheck AVG Anti-Spyware, then click Analyze > Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues, then Scan for Issues, then Fix Selected Issues.


Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log. Please post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

I am a little concerned about the Panda scan result. Most of it is benign, but two files need attention. Firstly, please delete this file:

C:\WINDOWS\SYSTEM32\cssbmmkf.exe

This next one is too close to call, as it appears to be legitimate except for the final suffix:

C:\WINDOWS\SYSTEM32\rundll32.exe.tmp

It has been disinfected, but I think you still have a Trojan with a similar name on your system, and I want to make sure I get it right.

Please do a search of your PC for this file: rundll32.exe

Please ensure that you scan all files and folders, and that you scan hidden files too.

Please paste the results into your reply.

Post back a fresh HijackThis log (from normal mode) plus the ComboFix log, and search of rundll32.exe result, and I will take another look.
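As an added triage example for this post (not code from the thread, from HijackThis or from ComboFix), the following Python script picks the O4 startup entries out of a HijackThis log like the ones above and flags the patterns the helper is asking about: a bare rundll32.exe with no path and nothing to load, the legacy RunServices key, and file names carrying an extra suffix after .exe (rundll32.exe.tmp, crusty.exe.exe). The sample lines are copied from the logs posted in this thread; the rule names and the flagging logic are my own, and a flag means "worth a look", not "malicious".

```python
"""Triage of HijackThis O4 (startup) entries.

Added example for this thread; not code from HijackThis, ComboFix or the
Geeks to Go helpers. Legitimate entries can trip a rule too (the Creative
P17Helper line below also relies on a bare rundll32 name), so each flag is
a prompt to check the file, not a verdict.
"""
import re
from dataclasses import dataclass, field

# Reason labels attached to each flagged entry.
BARE_NAME = "bare executable name, resolved through the search path"
RUNDLL32_NO_ARGS = "rundll32 invoked with no DLL to load"
DOUBLE_EXT = "extra suffix after .exe"
LEGACY_KEY = "legacy RunServices key"

# Shape of an O4 line:  O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<command>.*)$"
)

# Sample lines copied from the HijackThis logs posted in this thread.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [!AVG Anti-Spyware] "
    r'"C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized',
    r"O4 - HKLM\..\Run: [Windows] rundll32.exe",
    r"O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper",
    r"O4 - HKLM\..\RunServices: [Windows] rundll32.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]


@dataclass
class Finding:
    name: str
    command: str
    reasons: list = field(default_factory=list)


def split_command(command: str):
    """Split a Run value into (executable, arguments), honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end > 0:
            return command[1:end], command[end + 1:].strip()
        return command[1:], ""
    parts = command.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def suspicious_filename(filename: str) -> bool:
    """True when something follows .exe, e.g. rundll32.exe.tmp or crusty.exe.exe."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and "exe" in parts[1:-1]


def analyse_o4(lines):
    """Return a Finding for every O4 entry that trips at least one rule."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 line; other HJT sections are ignored here
        exe, args = split_command(m.group("command"))
        basename = exe.rsplit("\\", 1)[-1]
        reasons = []
        if "\\" not in exe:
            # No directory: Windows finds the file via the search path, so a
            # same-named copy dropped elsewhere could be the one that runs.
            reasons.append(BARE_NAME)
        if basename.lower() in ("rundll32", "rundll32.exe") and not args:
            # rundll32 needs a DLL,entrypoint argument to do anything useful.
            reasons.append(RUNDLL32_NO_ARGS)
        if suspicious_filename(basename):
            reasons.append(DOUBLE_EXT)
        if m.group("key").lower() == "runservices":
            reasons.append(LEGACY_KEY)
        if reasons:
            findings.append(Finding(m.group("name"), m.group("command"), reasons))
    return findings


if __name__ == "__main__":
    for f in analyse_o4(SAMPLE_LINES):
        print(f"[{f.name}] {f.command}")
        for r in f.reasons:
            print("    -", r)
```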

#5 gassmann (Topic Starter, New Member, 7 posts)
In my search for rundll32 I found the following:

rundll32 in C:\I386
RUNDLL32.EXE-3D2B6136.PF IN C:\WINDOWS\Prefetch
RUNDLL32.EXE-405E817D.PF IN C:\WINDOWS\Prefetch
RUNDLL32.EXE-5EDFBB4F.PF IN C:\WINDOWS\Prefetch
rundll32 in C:\WINDOWS\SYSTEM32
rundll32 in C:\Program Files\MUSICMATCH\Musicmatch Jukebox

COMBOFIX LOG:
"Lisa Gassmann" - 07-02-12 10:36:39 Service Pack 2
ComboFix 07-02-11 - Running from: "C:\Documents and Settings\Lisa Gassmann\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bszip.dll


((((((((((((((((((((((((((((((( Files Created from 2007-01-12 to 2007-02-12 ))))))))))))))))))))))))))))))))))


2007-02-11 17:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-02-11 15:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-02-11 15:06 <DIR> d-------- C:\DOCUME~1\LISAGA~1\Application Data\SUPERAntiSpyware.com
2007-02-11 15:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SUPERAntiSpyware.com
2007-02-11 15:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-02-10 22:49 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-02-10 22:49 <DIR> d-------- C:\Program Files\AVG Anti-Spyware 7.5
2007-02-10 22:11 999,245 --ahs---- C:\WINDOWS\SYSTEM32\hjjlm.bak2
2007-02-10 20:00 990,117 --ahs---- C:\WINDOWS\SYSTEM32\hjjlm.bak1
2007-02-10 15:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\ParetoLogic Anti-Spyware
2007-02-10 12:37 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-02-10 12:24 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-02-10 12:04 <DIR> d-------- C:\DOCUME~1\LISAGA~1\.housecall6.6
2007-02-10 01:48 <DIR> d-------- C:\Program Files\CCleaner
2007-02-10 01:45 <DIR> d-------- C:\Program Files\MSConfig CleanUp
2007-02-10 01:12 <DIR> d-------- C:\Program Files\Windows Defender
2007-02-10 00:09 28,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CO_Mon.sys
2007-02-10 00:09 <DIR> d-------- C:\DOCUME~1\LISAGA~1\Application Data\WholeSecurity
2007-02-09 23:41 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\Application Data\TEMP
2007-02-09 22:22 51,072 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikhlayer.sys
2007-02-09 22:22 30,592 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikhfile.sys
2007-02-09 22:21 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-02-09 22:21 <DIR> d-------- C:\DOCUME~1\LISAGA~1\Application Data\PC Tools
2007-02-09 21:51 <DIR> d-------- C:\Program Files\Western Digital Technologies
2007-02-09 03:53 <DIR> d-------- C:\DOCUME~1\LISAGA~1\Application Data\ImgBurn
2007-02-09 00:56 <DIR> d-------- C:\DOCUME~1\LISAGA~1\Application Data\DVD Flick
2007-02-09 00:54 <DIR> d-------- C:\Program Files\DVD Flick
2007-02-08 20:21 0 --a------ C:\WINDOWS\SYSTEM32\sysupdate.exe
2007-02-08 17:59 5,306 --a------ C:\WINDOWS\SYSTEM32\systemupdate.exe
2007-02-08 17:14 87,608 --a------ C:\DOCUME~1\LISAGA~1\Application Data\ezpinst.exe
2007-02-08 17:14 47,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pcouffin.sys
2007-02-08 17:14 47,360 --a------ C:\DOCUME~1\LISAGA~1\Application Data\pcouffin.sys
2007-02-08 17:14 <DIR> d-------- C:\DOCUME~1\LISAGA~1\Application Data\Vso
2007-02-08 16:51 <DIR> d-------- C:\Program Files\MagicISO
2007-02-04 22:51 <DIR> d-------- C:\Program Files\Free iPod Video Converter
2007-02-04 22:45 <DIR> d-------- C:\Program Files\intelliScore Polyphonic WAV to MIDI Converter Demo
2007-02-04 17:51 <DIR> d-------- C:\DOCUME~1\LISAGA~1\Application Data\RipIt4Me
2007-01-29 18:15 <DIR> d-------- C:\DOCUME~1\LISAGA~1\Application Data\InstallShield
2007-01-26 22:48 94,263 --a------ C:\WINDOWS\DLA.EXE
2007-01-26 22:48 89,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\DRVMCDB.SYS
2007-01-26 22:48 61,500 --a------ C:\WINDOWS\SYSTEM32\DLAAPI_W.DLL
2007-01-26 22:48 5,660 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\DLACDBHM.SYS
2007-01-26 22:48 40,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\DRVNDDM.SYS
2007-01-26 22:48 22,684 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\DLARTL_N.SYS
2007-01-26 22:42 <DIR> d-------- C:\WINDOWS\SYSTEM32\dla
2007-01-26 22:34 <DIR> d-------- C:\Intel
2007-01-26 19:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe
2007-01-23 21:46 40,960 --a------ C:\WINDOWS\SYSTEM32\dlcqvs.dll
2007-01-23 21:46 344,064 --a------ C:\WINDOWS\SYSTEM32\dlcqcoin.dll
2007-01-23 21:45 991,232 --a------ C:\WINDOWS\SYSTEM32\dlcqusb1.dll
2007-01-23 21:45 983,121 --a------ C:\WINDOWS\SYSTEM32\dlcqgf.dll
2007-01-23 21:45 94,208 --a------ C:\WINDOWS\SYSTEM32\dlcqpplc.dll
2007-01-23 21:45 86,016 --a------ C:\WINDOWS\SYSTEM32\dlcqcub.dll
2007-01-23 21:45 77,824 --a------ C:\WINDOWS\SYSTEM32\DLCQcfg.dll
2007-01-23 21:45 73,728 --a------ C:\WINDOWS\SYSTEM32\dlcqcu.dll
2007-01-23 21:45 696,320 --a------ C:\WINDOWS\SYSTEM32\dlcqhbn3.dll
2007-01-23 21:45 692,224 --a------ C:\WINDOWS\SYSTEM32\dlcqdrs.dll
2007-01-23 21:45 684,032 --a------ C:\WINDOWS\SYSTEM32\dlcqcomc.dll
2007-01-23 21:45 65,536 --a------ C:\WINDOWS\SYSTEM32\dlcqcaps.dll
2007-01-23 21:45 643,072 --a------ C:\WINDOWS\SYSTEM32\dlcqpmui.dll
2007-01-23 21:45 61,440 --a------ C:\WINDOWS\SYSTEM32\dlcqcnv4.dll
2007-01-23 21:45 585,728 --a------ C:\WINDOWS\SYSTEM32\dlcqlmpm.dll
2007-01-23 21:45 537,480 --a------ C:\WINDOWS\SYSTEM32\dlcqcoms.exe
2007-01-23 21:45 454,656 --a------ C:\WINDOWS\SYSTEM32\dlcqutil.dll
2007-01-23 21:45 421,888 --a------ C:\WINDOWS\SYSTEM32\dlcqcomm.dll
2007-01-23 21:45 413,696 --a------ C:\WINDOWS\SYSTEM32\dlcqinpa.dll
2007-01-23 21:45 397,312 --a------ C:\WINDOWS\SYSTEM32\dlcqiesc.dll
2007-01-23 21:45 385,928 --a------ C:\WINDOWS\SYSTEM32\dlcqih.exe
2007-01-23 21:45 381,832 --a------ C:\WINDOWS\SYSTEM32\dlcqcfg.exe
2007-01-23 21:45 36,864 --a------ C:\WINDOWS\SYSTEM32\dlcqcur.dll
2007-01-23 21:45 323,584 --a------ C:\WINDOWS\SYSTEM32\DLCQhcp.dll
2007-01-23 21:45 274,432 --a------ C:\WINDOWS\SYSTEM32\DLCQinst.dll
2007-01-23 21:45 188,416 --a------ C:\WINDOWS\SYSTEM32\dlcqgrd.dll
2007-01-23 21:45 176,128 --a------ C:\WINDOWS\SYSTEM32\dlcqinsb.dll
2007-01-23 21:45 176,128 --a------ C:\WINDOWS\SYSTEM32\dlcqins.dll
2007-01-23 21:45 163,840 --a------ C:\WINDOWS\SYSTEM32\dlcqprox.dll
2007-01-23 21:45 139,264 --a------ C:\WINDOWS\SYSTEM32\dlcqjswr.dll
2007-01-23 21:45 106,496 --a------ C:\WINDOWS\SYSTEM32\dlcqinsr.dll
2007-01-23 21:45 1,224,704 --a------ C:\WINDOWS\SYSTEM32\dlcqserv.dll
2007-01-23 21:45 <DIR> d-------- C:\Program Files\Dell Photo AIO Printer 966
2007-01-23 21:13 <DIR> d-------- C:\DOCUME~1\LISAGA~1\Application Data\Corel
2007-01-23 21:10 <DIR> d-------- C:\Program Files\Corel
2007-01-23 21:10 <DIR> d-------- C:\Program Files\Common Files\Corel
2007-01-23 20:38 <DIR> d-------- C:\Program Files\DellConnect
2007-01-23 20:24 <DIR> d--hs---- C:\WINDOWS\CSC
2007-01-23 14:20 <DIR> d-------- C:\DOCUME~1\LISAGA~1\Application Data\DellFaxCtr
2007-01-23 14:12 <DIR> d-------- C:\Program Files\dl_cats
2007-01-23 14:11 87,040 --a------ C:\WINDOWS\SYSTEM32\wiafbdrv.dll
2007-01-23 14:11 15,104 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbscan.sys
2007-01-23 14:06 <DIR> d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-01-23 14:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\BVRP Software
2007-01-23 14:03 98,345 --a------ C:\WINDOWS\SYSTEM32\IMHOST32.DLL
2007-01-23 14:03 40,960 --a------ C:\WINDOWS\SYSTEM32\DLPRMON.DLL
2007-01-23 14:03 339,968 --a------ C:\WINDOWS\SYSTEM32\IMGMAN32.DLL
2007-01-23 14:03 32,768 --a------ C:\WINDOWS\SYSTEM32\DLPMONUI.DLL
2007-01-23 14:02 <DIR> d-------- C:\Program Files\Dell PC Fax
2007-01-23 14:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\DellFaxCtr
2007-01-22 18:23 <DIR> d-------- C:\DOCUME~1\LISAGA~1\Application Data\WinRAR
2007-01-22 18:09 765,952 --a------ C:\WINDOWS\SYSTEM32\xvidcore.dll
2007-01-22 18:09 180,224 --a------ C:\WINDOWS\SYSTEM32\xvidvfw.dll
2007-01-22 18:09 <DIR> d-------- C:\Program Files\Xvid
2007-01-15 19:47 <DIR> d-------- C:\Program Files\uTorrent


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-11 17:57 -------- d-------- C:\Program Files\phonetray
2007-02-09 22:15 -------- d-------- C:\Program Files\spywareblaster
2007-02-08 23:38 33 --a------ C:\DOCUME~1\LISAGA~1\Application Data\pcouffin.log
2007-02-08 23:38 1144 --a------ C:\DOCUME~1\LISAGA~1\Application Data\pcouffin.inf
2007-02-08 23:38 1074 --a------ C:\DOCUME~1\LISAGA~1\Application Data\pcouffin.cat
2007-02-08 17:46 -------- d-------- C:\Program Files\turbotax
2007-02-08 17:42 -------- d--h----- C:\Program Files\installshield installation information
2007-02-08 15:54 -------- d-------- C:\DOCUME~1\LISAGA~1\Application Data\ahead
2007-02-05 14:24 -------- d-------- C:\Program Files\yahoo!
2007-02-05 14:24 -------- d-------- C:\Program Files\Common Files\scanner
2007-02-05 14:22 -------- d-------- C:\Program Files\Common Files\adobe
2007-02-05 14:21 -------- d-------- C:\Program Files\evideoshare
2007-02-04 17:39 -------- d-------- C:\Program Files\dvdfab
2007-01-31 17:41 -------- d-------- C:\Program Files\quicktime
2007-01-31 17:40 -------- d-------- C:\Program Files\apple software update
2007-01-31 17:09 -------- d-------- C:\Program Files\bodog poker
2007-01-29 18:23 -------- d-------- C:\Program Files\quicken
2007-01-26 22:48 -------- d-------- C:\Program Files\sonic
2007-01-26 19:16 -------- d-------- C:\DOCUME~1\LISAGA~1\Application Data\adobeum
2007-01-23 21:45 -------- d-------- C:\Program Files\dell
2007-01-19 17:07 -------- d-------- C:\DOCUME~1\LISAGA~1\Application Data\adobe
2007-01-07 00:37 -------- d-------- C:\Program Files\webshots
2007-01-07 00:37 -------- d-------- C:\DOCUME~1\LISAGA~1\Application Data\webshots
2007-01-06 13:31 -------- d-------- C:\Program Files\Common Files\answerworks 4.0
2007-01-03 20:43 -------- d-------- C:\Program Files\kodak picture cd
2006-12-07 00:40 2362184 --a------ C:\WINDOWS\SYSTEM32\wmvcore.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSKAGENTEXE"="c:\\PROGRA~1\\mcafee\\SPAMKI~1\\mskagent.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"CTSysVol"="C:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\Surround Mixer\\CTSysVol.exe /r"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
"MSKAGENTEXE"="C:\\PROGRA~1\\mcafee\\SPAMKI~1\\mskagent.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"DLCQCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\DLCQtime.dll,[email protected]"
"!AVG Anti-Spyware"="\"C:\\Program Files\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Windows"="rundll32.exe"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
"P17Helper"="Rundll32 P17.dll,P17Helper"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Windows"="rundll32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=dword:00000002
"ose"=dword:00000003
"NetSvc"=dword:00000003
"MDM"=dword:00000002


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BFACBC52-B6D2-4F84-A486-37A921169F28}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Ad-Aware.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (GASSMANN-Lisa Gassmann).job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Spybot - Search & Destroy.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

cmd.exe [9944]

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCQCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


scan completed successfully
hidden processes: 1
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-12 10:46:58


HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 1:25:15 PM, on 2/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\dlcqcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\PhoneTray\PhoneTray.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Lisa Gassmann\My Documents\scanning stuff\crusty.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;127.0.0.1
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [DLCQCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll,[email protected]
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows] rundll32.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\RunServices: [Windows] rundll32.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] c:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9602.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.m...ted/mvt/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlcq_device - - C:\WINDOWS\system32\dlcqcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PhoneTray - Unknown owner - C:\Program Files\PhoneTray\PhoneTray.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Also, CCleaner wanted to know if I wanted to keep a backup of what it cleaned. I didn't know, so I said yes. Should I delete it or keep it?

Thanks so much!

Lisa
  • 0

#6
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Lisa

I see you have chosen not to uninstall Incredimail; that is your choice. At least I have made you aware that it is a possible source of malware. My recommendation is to uninstall it.

Also, CCleaner wanted to know if I wanted to keep a backup of what it cleaned. I didn't know, so I said yes. Should I delete it or keep it?

It really is up to you; I don't personally as I trust it implicitly, but I have used it three times a day for the last two years.

We have some bad files to delete and a couple of complete folders too. I will make some HJT adjustments to the malware and also remove from start-up the antimalware programmes that you have too many of.

Go to Start > Run and type or copy & paste this into the Run box:

sc delete SDhelper

Hit ENTER

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

O4 - HKLM\..\Run: [Windows] rundll32.exe
O4 - HKLM\..\RunServices: [Windows] rundll32.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe


Click on Fix Checked when finished and exit HijackThis.

Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel (if present): (click Start > Settings > Control Panel)

Incredimail

Please notify me of any other programmes that you don't recognise in that list in your next response.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these folders (if present) using Windows Explorer:

C:\Program Files\Enigma Software Group\
C:\Program Files\bodog poker\

Please delete these files (if present) using Windows Explorer:

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\rundll32.exe
C:\WINDOWS\SYSTEM32\hjjlm.bak2
C:\WINDOWS\SYSTEM32\hjjlm.bak1

Close Windows Explorer and Reboot normally

Cont/.................

Edited by Crustyoldbloke, 12 February 2007 - 03:57 PM.

  • 0

#7
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Gremlins are not allowing me to post the full version.................................

Finally, this is more of a precaution than anything else: there was a hidden file with far too many ????? for my liking. I'd like to check that it is not a rootkit.

Please download: AVG Anti-Rootkit Beta and save it to your desktop.

Double click the file to install it. Accept the licence and follow the prompts to install and reboot. After rebooting, you should see the icon for AVG Anti-Rootkit Beta on your desktop. Double click it to open the programme. You will see a window with 3 buttons at the bottom of it. Click Search For Rootkits and the programme will start a scan. You will see the progress bar moving from left to right, but it may appear that the programme is frozen and not doing anything; this is normal, please be patient. When the scan is complete, a small window will open alerting you to the result. If anything was found, click Save Result To File and post that in your reply.

If nothing was found, please click the Perform in-depth Search saving anything found to file as before.

Post back a fresh HijackThis log, from normal mode, and I will take another look.
  • 0
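The two [Windows] rundll32.exe lines queued for "Fix checked" above, and the entry full of ????? that catchme printed, are worth recognising on sight. As an added example that is not part of this thread, here is a small Python scanner that parses HijackThis O4 lines and flags those patterns from a defender's side: a bare rundll32 with no DLL to load, a rundll32.exe copy living outside the Windows directory, the Win9x-era RunServices key, and non-printable or ????? runs in a command line. The sample log lines are constructed and modelled on Lisa's log; the [Updater] and [Jukebox] entries, the reason-code names and the DLCQtime.dll export name are invented for the demo.

```python
import re
from typing import Dict, List, Tuple

# One HijackThis O4 line looks like:  O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)

# Reason codes reported per flagged entry (names invented for this demo).
BARE_RUNDLL32 = "bare-rundll32"                # rundll32 started with no DLL,entry to load
FOREIGN_RUNDLL32 = "rundll32-outside-windows"  # a rundll32.exe copy outside %WINDIR%
LEGACY_KEY = "legacy-runservices"              # Win9x-only key; NT-based Windows ignores it
GARBAGE_CHARS = "garbage-chars"                # non-printable characters or ????? runs

WINDOWS_DIRS = ("\\windows\\", "\\winnt\\")

# Constructed sample modelled on the log posted in this thread.  The first two
# lines and P17Helper/ctfmon are benign vendor entries (the DLCQtime export name
# is a placeholder), [Windows] in Run and RunServices are the two entries queued
# for "Fix checked", and [Updater]/[Jukebox] are invented to exercise the other rules.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [DLCQCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll,RunDllEntry
O4 - HKLM\..\Run: [Windows] rundll32.exe
O4 - HKLM\..\RunServices: [Windows] rundll32.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Updater] rundll32 C:\WINDOWS\system32\abcd.dll,Init??????????????
O4 - HKLM\..\Run: [Jukebox] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\rundll32.exe
O23 - Service: PhoneTray - Unknown owner - C:\Program Files\PhoneTray\PhoneTray.exe
"""


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run-key command into (executable, arguments).

    HijackThis prints paths unquoted even when they contain spaces, so without
    quotes the executable is taken to end at the first '.exe' token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ""
    m = re.match(r"(.*?\.exe)(?:\s+|$)", cmd, re.IGNORECASE)
    if m:
        return m.group(1), cmd[m.end():].strip()
    parts = cmd.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def flag_reasons(key: str, cmd: str) -> List[str]:
    """Return the reason codes that apply to one autostart entry (empty = looks normal)."""
    exe, args = split_command(cmd)
    base = exe.rsplit("\\", 1)[-1].lower()
    is_rundll = base in ("rundll32", "rundll32.exe")
    reasons: List[str] = []
    if is_rundll and not args:
        # The genuine rundll32 does nothing without a DLL,entry argument, so a
        # bare entry is only useful to whoever placed a different rundll32.exe.
        reasons.append(BARE_RUNDLL32)
    if is_rundll and "\\" in exe and not any(d in exe.lower() for d in WINDOWS_DIRS):
        reasons.append(FOREIGN_RUNDLL32)
    if key.lower() == "runservices":
        reasons.append(LEGACY_KEY)
    if re.search(r"\?{5,}", cmd) or any(ord(c) < 32 or ord(c) > 126 for c in cmd):
        reasons.append(GARBAGE_CHARS)
    return reasons


def scan_o4_lines(log_text: str) -> List[Dict[str, object]]:
    """Parse every O4 line in a HijackThis log; return flagged entries in log order."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # R0/R1/O2/O23 ... lines are out of scope for this scanner
        reasons = flag_reasons(m["key"], m["cmd"])
        if reasons:
            findings.append({"hive": m["hive"], "key": m["key"], "name": m["name"],
                             "cmd": m["cmd"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_o4_lines(SAMPLE_LOG):
        print(f"{f['hive']}\\..\\{f['key']}: [{f['name']}] {f['cmd']}")
        print("    " + ", ".join(f["reasons"]))
```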

#8
gassmann

gassmann

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Okay, got all the things off the HijackThis log except "O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe" as it wasn't there anymore!

In the Add/Remove Programs list, these are the things I don't recognize:
confidence online for web applications
mIRC
MSXML 4.0 SP2
My Way Search Assistant

I deleted the bodog poker because you said to, but my husband is not going to be happy when he finds out I did. Is it really that bad? Cuz he's gonna want it back when I tell him it's gone.


The following files were nowhere to be found:
C:\WINDOWS\SYSTEM32\hjjlm.bak2
C:\WINDOWS\SYSTEM32\hjjlm.bak1


And the AVG found nothing in either search!

Is my pc healed?

Thanks again!

Lisa

Logfile of HijackThis v1.99.1
Scan saved at 5:56:33 PM, on 2/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\dlcqcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PhoneTray\PhoneTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Documents and Settings\Lisa Gassmann\My Documents\scanning stuff\crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lisascandles.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;127.0.0.1
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [DLCQCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll,[email protected]
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] c:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9602.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.m...ted/mvt/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlcq_device - - C:\WINDOWS\system32\dlcqcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PhoneTray - Unknown owner - C:\Program Files\PhoneTray\PhoneTray.exe
  • 0

#9
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello Lisa

Oops, Bodog is known as an entry point for malware; it had to go. If you get more malware, blame it on him!

Please uninstall: My Way Search Assistant

I view it as spyware although Dell actually install it.

I sincerely hope everything is OK

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy ALL THE TEXT contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\SYSTEM32\hjjlm.bak2
C:\WINDOWS\SYSTEM32\hjjlm.bak1

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Now, start The Avenger programme by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • Upon reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy & paste the content of c:\avenger.txt into your reply by using Add Reply

I don't need to see another HJT log
  • 0

#10
gassmann

gassmann

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
There was no avenger.txt file created, but this is what it said (I wrote it down just in case).

The system cannot find the file specified.
Could not find C:\avenger\*.reg
1 file(s) copied
zip warning: C:/backup.zip not found or empty
adding: avenger/avenger.txt (188 bytes security) (deflated 67%)
adding: avenger/backup.reg (188 bytes security) (stored 0%)
adding: avenger/hjjlm.bak1 (124 bytes security) (deflated 71%)
adding: avenger/hjjlm.bak2 (124 bytes security) (deflated 70%)

Then I got a pop up window that said:
There is no disk in the drive. Please insert a disk into drive.
and gave me three buttons to choose from: cancel, try again, continue

Then it froze and I had to restart it because it wouldn't do anything.


anything else?

Also, this Spyware Doctor I have... what are your feelings on it? It takes forever to load, so I'm wondering if it's worth keeping or not.

Thanks once again!

Lisa

Edited by gassmann, 12 February 2007 - 11:46 PM.

  • 0

#11
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Lisa

The Avenger error looks like it has been blocked by your AV. Please try it again, but just before you run it, disable your McAfee AV programme. It will enable itself when Avenger reboots.

I am not keen on Spyware Doctor as I think it exaggerates the importance of things it finds. We have people coming here thinking that they are beyond repair due to its findings, but really the stuff it finds is unimportant. I believe the best two antimalware programmes to be Webroot's Spy Sweeper and AVG 7.5 Anti-Spyware.
  • 0

#12
gassmann

gassmann

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Okay, finally I'm back. Sorry about the delay, I've been really busy for the last couple of days. Now I have time to work on this again.

Here is the log from avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mjjilafs

*******************

Script file located at: \??\C:\Documents and Settings\acqakurn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\SYSTEM32\hjjlm.bak2 not found!
Deletion of file C:\WINDOWS\SYSTEM32\hjjlm.bak2 failed!

Could not process line:
C:\WINDOWS\SYSTEM32\hjjlm.bak2
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\hjjlm.bak1 not found!
Deletion of file C:\WINDOWS\SYSTEM32\hjjlm.bak1 failed!

Could not process line:
C:\WINDOWS\SYSTEM32\hjjlm.bak1
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

Thanks for your patience!

Lisa

#13 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hello again Lisa

Avenger reports the files are gone, and I have high confidence in that tool.

Congratulations! Your new log is clean. Just a little bit more to do to prevent further infection.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn OFF System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check *Turn off System Restore*.
  • Click Apply, and then click OK.
2. Reboot.

3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.
I recommend going to the following link and update as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

MVPS Hosts file: This replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.

SiteAdvisor: Download this plug-in for your browser and it will alert you of a known bad site for FREE.

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
WINDOWS DEFENDER - With daily updates and scans, this programme offers good security against malware.
AD-AWARE PERSONAL – A fine free malware detector and removal programme
SPYBOT S&D – Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS FREE EDITION - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one (Windows XP has a built-in firewall).

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one antispyware programme for “on demand” scanning, having two or more antivirus systems is not recommended as they may well cause conflicts and slowness.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep your Windows, antispyware and antivirus updated.

It just remains for me to wish you happy safe surfing; I hope you found my advice helpful.
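The hosts-file advice in the post above (point every known ad host at 127.0.0.1 so the machine never connects to it) cuts both ways: the same file can be used to blackhole an antivirus update site or to send a hostname to an attacker's address instead of the real one. The following is an added example, not code from the post, from Geeks to Go, or from the MVPS hosts project. It parses a hosts file the way the resolver reads it (comments, tabs, several names per entry, case-insensitive names, first match wins), answers what a name would resolve to, and audits the entries: sinkhole entries are normal, anything else is reported. The SAMPLE_HOSTS text and the PROTECTED_HOSTS list are constructed for the example; the `.test` hostnames are placeholders, not real sites.

```python
"""Parse and audit a Windows-style hosts file.

Added example for this thread; not part of the original post or of the
MVPS hosts file. SAMPLE_HOSTS and PROTECTED_HOSTS are constructed here for
illustration, and the .test hostnames are placeholders.
"""
import ipaddress

# Constructed sample in the layout the MVPS file uses. The last two entries
# are the two shapes a hosts-file hijack takes, added so the audit has
# something to flag; they are not from any real file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# MVPS-style sinkhole entries: the ad host resolves to the local machine
127.0.0.1       ads.adserver.test
0.0.0.0         tracker.adserver.test  # some lists use 0.0.0.0 instead
127.0.0.1       update.av-vendor.test
203.0.113.7     www.bank.test secure.bank.test
"""

# Addresses that mean "blackhole this name": the MVPS convention and its
# common variants.
SINKHOLE_ADDRESSES = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}

# Assumed list of hosts this machine must always be able to reach (update
# servers). Sinkholing one of these is an indicator of tampering, not of
# ad blocking.
PROTECTED_HOSTS = {"update.av-vendor.test", "windowsupdate.test"}


def parse_hosts(text):
    """Return [(line_no, ip, hostname), ...], one tuple per name per entry.

    Blank lines and '#' comments (whole-line and trailing) are skipped, as
    is any line whose first field is not an IP address; the resolver ignores
    such lines too, so raising on them would hide the rest of the file.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((line_no, ip, host.lower()))
    return entries


def resolve(entries, hostname):
    """Model the hosts-file lookup: case-insensitive, first matching entry wins.

    Returns the address as a string, or None when no entry matches and the
    lookup would fall through to DNS.
    """
    wanted = hostname.lower()
    for _, ip, host in entries:
        if host == wanted:
            return str(ip)
    return None


def audit(entries, protected_hosts=PROTECTED_HOSTS):
    """Report every entry that is not a plain ad-site sinkhole.

    ('redirect', ...)            name sent to a non-loopback address: traffic
                                 for that name goes where the entry says, not
                                 to the real site.
    ('protected_sinkholed', ...) a must-reach host has been blackholed.
    The 'localhost' entry and ordinary sinkholes produce no finding.
    """
    findings = []
    for line_no, ip, host in entries:
        if host == "localhost":
            continue
        if ip not in SINKHOLE_ADDRESSES:
            findings.append(("redirect", line_no, host, str(ip)))
        elif host in protected_hosts:
            findings.append(("protected_sinkholed", line_no, host, str(ip)))
    return findings


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    print("ads.adserver.test ->", resolve(parsed, "ads.adserver.test"))
    print("www.unlisted.test ->", resolve(parsed, "www.unlisted.test"))
    for finding in audit(parsed):
        print(*finding)
```

To run this against a real machine instead of the constructed sample, read `%SystemRoot%\system32\drivers\etc\hosts` into `parse_hosts`; the two finding kinds are the ones worth reviewing by hand after a cleanup, since a legitimate ad-blocking list consists only of sinkhole entries.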

#14 gassmann (Topic Starter, New Member, 7 posts)
Thank you sooooo much! I have followed your instructions and hope to never have to ask for help again. You're an angel. My problems are all solved to the best of my knowledge. You may close this topic. Thanks again.

#15 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
You are welcome to the help.

I will leave this thread open for a few days in case of misfortune.