Multiple malware problems [RESOLVED]



#1 mbh511 (New Member, 7 posts)

Hi,

I have an older Dell Dimension 4600 with Windows XP SP2. I have McAfee Security Center 8.0 with VirusScan 12.0, Personal Firewall 9.0 and Site Advisor 2.6. My problems started about 2 weeks ago when we somehow became infected with the w32/Trats virus, and then multiple malware, including Winfixer, Adware, dropper.agent.dgo, and vundo (from what I can tell). McAfee seems to have finally contained the w32/Trats virus, but we are still having bad problems with the malware.

I have followed the instructions in the "You must read this..." post, and I am pasting the logs below. I could not do the HijackThis uninstall list -- every time I did this part, the program closed when I clicked the "Save" button.

I hope all this gibberish means something to one of you!!! If you need me to type in the HijackThis Uninstall list, I can certainly do it. I would greatly appreciate some help before I throw this computer out the window!!!

Thanks,
Melissa

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:28:20 AM 1/29/2008

+ Scan result:



C:\Documents and Settings\Jason\Local Settings\Temp\RCX95.tmp -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000120.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000132.exe -> Dropper.Agent.dgo : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000135.exe -> Dropper.Agent.dgo : Cleaned.
C:\WINDOWS\SYSTEM32\vtutr.exe -> Dropper.Agent.dgo : Cleaned.


::Report end
------------------------------------------------------------------------------------------------------------------------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/29/2008 at 10:29 AM

Application Version : 3.9.1008

Core Rules Database Version : 3390
Trace Rules Database Version: 1383

Scan type : Complete Scan
Total Scan Time : 03:19:31

Memory items scanned : 392
Memory threats detected : 3
Registry items scanned : 8187
Registry threats detected : 22
File items scanned : 139818
File threats detected : 28

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\VTUTR.DLL
C:\WINDOWS\SYSTEM32\VTUTR.DLL
HKLM\Software\Classes\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{FEA78137-9104-4BAF-A88C-75ADDFC0B1D4}
HKCR\CLSID\{FEA78137-9104-4BAF-A88C-75ADDFC0B1D4}
HKCR\CLSID\{FEA78137-9104-4BAF-A88C-75ADDFC0B1D4}\InprocServer32
HKCR\CLSID\{FEA78137-9104-4BAF-A88C-75ADDFC0B1D4}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FEA78137-9104-4BAF-A88C-75ADDFC0B1D4}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}

Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\NMMJQQKU.DLL
C:\WINDOWS\SYSTEM32\NMMJQQKU.DLL
HKLM\Software\Classes\CLSID\{572976b1-ddc4-4fda-945e-b1c8ce405051}
HKCR\CLSID\{572976B1-DDC4-4FDA-945E-B1C8CE405051}
HKCR\CLSID\{572976B1-DDC4-4FDA-945E-B1C8CE405051}\InprocServer32
HKCR\CLSID\{572976B1-DDC4-4FDA-945E-B1C8CE405051}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\HSREXFLO.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{572976b1-ddc4-4fda-945e-b1c8ce405051}

Trojan.Vundo/Variant-Installer/A
C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
[SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0001132.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0001140.EXE
C:\WINDOWS\Prefetch\SUPERANTISPYWARE.EXE-28713C90.pf

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\WSQIMIZV.DLL

Adware.Unknown Origin
C:\PROGRAM FILES\COMMON FILES\UUUQ\UUUQD\CLASS-BARREL

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP
C:\WINDOWS\SYSTEM32\RTUTV.INI2

------------------------------------------------------------------------------------------------------------------------------------------
ActiveScan log

Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vtutr.dll
Adware:Adware/Startpage.ACY Not disinfected C:\Program Files\support.com\adelphia\scripts\IEconfig.vbs
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\dkmkdknx.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\iefkrcxb.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\kvorkwjh.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\mdwnenlj.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\vaedmpim.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\vtutr.exe
------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:56 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\2F2B2F323334363.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee.com\Agent\mcagent .exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [3F3B3F42434446414] 2F2B2F323334363.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uuuq] C:\PROGRA~1\COMMON~1\uuuq\uuuqm.exe
O4 - HKCU\..\Run: [6082ac77] rundll32.exe "C:\WINDOWS\system32\qrmlqpnx.dll",b
O4 - Global Startup: Image Transfer.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file:///F:/CDVIEWER/CdViewer.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8162 bytes
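As an added triage aid (my own code, not part of this thread and not from HijackThis, ComboFix or any of the scanners named here), the script below parses HijackThis O3/O4 lines and flags the patterns that stand out in the log above: a Run value name and file name made of hex digits, a bare file name with no directory, a space before the extension, an eight-letter random DLL loaded through rundll32, and a toolbar with neither a name nor a file. The input lines are copied from the first post; the heuristics and flag names are assumptions of mine and only rank entries for review.

```python
import re

# Input: O3/O4 lines copied verbatim from the HijackThis log in the first post.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [3F3B3F42434446414] 2F2B2F323334363.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uuuq] C:\PROGRA~1\COMMON~1\uuuq\uuuqm.exe
O4 - HKCU\..\Run: [6082ac77] rundll32.exe "C:\WINDOWS\system32\qrmlqpnx.dll",b
"""

# HijackThis v2 line shapes for toolbars (O3) and Run-key autostarts (O4).
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.+?) - \{(?P<clsid>[^}]*)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")

# Heuristics chosen from what this log shows (my assumptions, not HijackThis rules).
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8,}$")                    # e.g. 3F3B3F42434446414
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")                   # e.g. qrmlqpnx.dll
SPACE_BEFORE_EXT_RE = re.compile(r"\s\.[A-Za-z0-9]{1,4}$")   # e.g. "qttask .exe"


def first_token(cmd):
    """Split a Run-value command line into (program, remaining arguments),
    honouring a double-quoted first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return (parts[0] if parts else ""), (parts[1] if len(parts) > 1 else "")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def check_image(path):
    """Heuristics on one executable or DLL path."""
    flags = []
    name = basename(path)
    if SPACE_BEFORE_EXT_RE.search(name):
        flags.append("space_before_ext")        # "qttask .exe" beside the real qttask.exe
    stem = name.rsplit(".", 1)[0].strip()
    if HEX_RE.match(stem):
        flags.append("hex_name")
    elif RANDOM_STEM_RE.match(stem):
        flags.append("random_name")
    if "\\" not in path and "/" not in path:
        flags.append("relative_path")           # bare name, resolved through the PATH search
    return flags


def check_run_entry(name, cmd):
    flags = []
    if HEX_RE.match(name):
        flags.append("hex_value_name")
    program, rest = first_token(cmd)
    if basename(program).lower() == "rundll32.exe" and rest:
        # rundll32.exe "<dll>",<export>: judge the DLL, not the standard loader.
        dll, _ = first_token(rest)
        flags.append("rundll32_loader")
        flags.extend(check_image(dll.split(",", 1)[0]))
    else:
        flags.extend(check_image(program))
    return flags


def check_toolbar(name, path):
    flags = []
    if name.strip() == "(no name)":
        flags.append("no_name")
    if path.strip() == "(no file)":
        flags.append("no_file")                 # orphaned CLSID, harmless but worth clearing
    return flags


def triage(log_text):
    """Return one finding per recognised O3/O4 line; unknown lines are skipped."""
    findings = []
    for lineno, line in enumerate(log_text.strip().splitlines(), 1):
        m = O4_RE.match(line)
        if m:
            findings.append({"line": lineno, "kind": "O4", "name": m["name"],
                             "flags": check_run_entry(m["name"], m["cmd"])})
            continue
        m = O3_RE.match(line)
        if m:
            findings.append({"line": lineno, "kind": "O3", "name": m["name"],
                             "flags": check_toolbar(m["name"], m["path"])})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        marker = "REVIEW" if f["flags"] else "ok    "
        print(f"{marker} line {f['line']:>2} {f['kind']} [{f['name']}] {', '.join(f['flags'])}")
```

The uuuq entry, which the SUPERAntiSpyware scan above also reported, is not caught by these heuristics, which is the point: they shortlist entries for a human reviewer, they do not replace one.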
#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

Hello mbh511

Welcome to G2Go. :)
================
Please download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#3 mbh511 (Topic Starter)

Thank you Kahdah for your quick reply. I did as you asked; here are the 2 logs. I will say that so far my system seems fixed/greatly improved!!! :)


ComboFix 08-02.03.1 - Jason 2008-02-02 19:29:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.134 [GMT -5:00]
Running from: C:\Documents and Settings\Jason\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\vtutr.dll
C:\WINDOWS\system32\xapqsizc.dll
C:\Program Files\inetget2
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\mcroso~1.net
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aszcnhlw.dllbox
C:\WINDOWS\SYSTEM32\dbhrpbbr.ini
C:\WINDOWS\SYSTEM32\dehtjivp.ini
C:\WINDOWS\system32\dkmkdknx.dll
C:\WINDOWS\SYSTEM32\fopfxpfm.ini
C:\WINDOWS\system32\gekntoto.dll
C:\WINDOWS\system32\gzqkcqwd.dllbox
C:\WINDOWS\system32\hodkgypx.dllbox
C:\WINDOWS\system32\icnmpovt.dll
C:\WINDOWS\system32\iefkrcxb.dll
C:\WINDOWS\system32\kcmctxqv.dll
C:\WINDOWS\SYSTEM32\kgitdctx.ini
C:\WINDOWS\system32\kvorkwjh.dll
C:\WINDOWS\system32\lebehjej.dll
C:\WINDOWS\system32\mdwnenlj.dll
C:\WINDOWS\SYSTEM32\ototnkeg.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ppatch~1
C:\WINDOWS\system32\pvijthed.dll
C:\WINDOWS\system32\qfaymaga.dll
C:\WINDOWS\SYSTEM32\rtutv.ini
C:\WINDOWS\SYSTEM32\rtutv.ini2
C:\WINDOWS\SYSTEM32\ucghfwpv.ini
C:\WINDOWS\SYSTEM32\ukqqjmmn.ini
C:\WINDOWS\system32\vaedmpim.dll
C:\WINDOWS\system32\vtutr.dll
C:\WINDOWS\system32\vtutr.exe
C:\WINDOWS\system32\whlpqcgr.dllbox
C:\WINDOWS\system32\wsqimizv.dllbox
C:\WINDOWS\system32\xapqsizc.dll
C:\WINDOWS\system32\xapqsizc.dllbox
C:\WINDOWS\SYSTEM32\xnpqlmrq.ini
C:\WINDOWS\ymante~1

.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-01-29 18:11 . 2008-01-29 20:37 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-01-29 18:11 . 2008-01-29 18:28 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-01-29 18:11 . 2008-01-29 18:28 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-01-29 18:11 . 2008-01-29 18:28 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-01-27 10:06 . 2008-01-27 10:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-23 19:58 . 2008-01-23 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 05:53 . 2008-01-23 05:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\nGpxx01
2008-01-23 05:53 . 2008-01-23 05:53 <DIR> d-------- C:\Temp\cXzz9
2008-01-22 21:09 . 2008-01-22 21:09 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\Grisoft
2008-01-22 21:08 . 2008-01-22 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-22 21:08 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-01-22 18:29 . 2008-01-22 18:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-22 18:28 . 2008-01-29 20:16 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-22 18:28 . 2008-01-22 18:28 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\SUPERAntiSpyware.com
2008-01-22 03:59 . 2008-01-22 03:59 <DIR> d-------- C:\WINDOWS\SYSTEM32\DDD9DDE0E1E2E4D
2008-01-22 03:59 . 2007-12-14 07:40 120,832 --a------ C:\WINDOWS\SYSTEM32\2F2B2F323334363.exe
2008-01-22 00:14 . 2008-01-22 00:14 <DIR> d-------- C:\WINDOWS\uuuq
2008-01-22 00:14 . 2008-01-22 18:08 <DIR> d-------- C:\Program Files\Common Files\uuuq
2008-01-21 09:30 . 2008-01-22 04:07 646 --ahs---- C:\WINDOWS\SYSTEM32\uotqlwmw.ini
2008-01-19 10:23 . 2008-01-27 13:00 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon .exe
2008-01-19 10:22 . 2008-01-22 20:37 94,208 --a------ C:\WINDOWS\SM1BG .EXE
2008-01-19 10:22 . 2008-01-22 20:37 90,112 --a------ C:\WINDOWS\UpdReg .EXE
2008-01-19 10:21 . 2008-01-22 20:37 28,672 --a------ C:\WINDOWS\SYSTEM32\DSentry .exe
2008-01-17 21:28 . 2008-01-17 21:28 <DIR> d-------- C:\Ripped Movie

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
----a-w			50,688 2008-01-23 01:37:29  C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
----a-w		   151,600 2008-01-23 01:37:25  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		   155,648 2008-01-23 01:37:25  C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w		   135,264 2008-01-23 01:37:31  C:\Program Files\Creative\SBLive\Diagnostics\diagent .exe
----a-w		   204,800 2008-01-23 01:37:32  C:\Program Files\Dell\Media Experience\PCMService .exe
----a-w		   460,784 2008-01-19 18:24:09  C:\Program Files\DellSupport\DSAgnt .exe
----a-w		   221,184 2008-01-23 01:37:22  C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w		   582,992 2008-02-02 15:41:19  C:\Program Files\McAfee.com\Agent\mcagent .exe
----a-w		   282,624 2008-01-23 03:17:51  C:\Program Files\QuickTime\qttask		 .exe
----a-w		   282,624 2008-01-23 01:32:20  C:\Program Files\QuickTime\qttask		.exe
----a-w		   282,624 2008-01-22 04:48:36  C:\Program Files\QuickTime\qttask	   .exe
----a-w		   282,624 2008-01-22 04:48:37  C:\Program Files\QuickTime\qttask	  .exe
----a-w		   282,624 2008-01-21 04:14:47  C:\Program Files\QuickTime\qttask	 .exe
----a-w		   282,624 2008-01-19 18:40:08  C:\Program Files\QuickTime\qttask	.exe
----a-w		   282,624 2008-01-19 20:34:40  C:\Program Files\QuickTime\qttask   .exe
----a-w		   282,624 2008-01-19 20:34:42  C:\Program Files\QuickTime\qttask  .exe
----a-w		   282,624 2008-01-19 20:34:43  C:\Program Files\QuickTime\qttask .exe
----a-w			49,152 2008-01-23 01:37:25  C:\Program Files\ScanSoft\OmniPageSE\opware32 .exe
----a-w			36,904 2008-01-23 01:37:28  C:\Program Files\SiteAdvisor\6253\SiteAdv .exe
----a-w		 1,318,912 2008-01-29 11:58:09  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w		   102,400 2008-01-23 01:37:30  C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr .exe
----a-w			94,208 2008-01-23 01:37:29  C:\WINDOWS\SM1BG .EXE
----a-w			90,112 2008-01-23 01:37:29  C:\WINDOWS\UpdReg .EXE
----a-w			15,360 2008-01-27 18:00:09  C:\WINDOWS\SYSTEM32\ctfmon .exe
----a-w			28,672 2008-01-23 01:37:25  C:\WINDOWS\SYSTEM32\DSentry .exe
----a-w		   114,744 2008-01-23 01:37:22  C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
"uuuq"="C:\PROGRA~1\COMMON~1\uuuq\uuuqm.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [ ]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [ ]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [ ]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [ ]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [ ]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [ ]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [ ]
"3F3B3F42434446414"="2F2B2F323334363.exe" [2007-12-14 07:40 120832 C:\WINDOWS\SYSTEM32\2F2B2F323334363.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2005-04-15 08:46:40 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\aszcnhlw]
aszcnhlw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 2007-11-07 10:32 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gzqkcqwd]
gzqkcqwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hodkgypx]
hodkgypx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\whlpqcgr]
whlpqcgr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wsqimizv]
wsqimizv.dll


S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 21:41]
S3 TibClass;OLYMPUS MAUSB-4W Class Driver;C:\WINDOWS\system32\DRIVERS\TibClass.sys [2001-03-14 14:33]
S3 TibUsb;OLYMPUS MAUSB-4W USB Driver;C:\WINDOWS\system32\DRIVERS\TibUsb.sys [2001-03-14 14:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ece20e64-1acf-11dc-89bf-00194747b9f7}]
\Shell\AutoRun\command - H:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 06:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-02-01 06:00:47 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 19:46:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcvsshld.exe
.
**************************************************************************
.
Completion time: 2008-02-02 19:54:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-03 00:54:00
.
2008-01-09 08:03:53 --- E O F ---

----------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:04 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\2F2B2F323334363.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [3F3B3F42434446414] 2F2B2F323334363.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uuuq] C:\PROGRA~1\COMMON~1\uuuq\uuuqm.exe
O4 - Global Startup: Image Transfer.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file:///F:/CDVIEWER/CdViewer.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: aszcnhlw - aszcnhlw.dll (file missing)
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O20 - Winlogon Notify: gzqkcqwd - gzqkcqwd.dll (file missing)
O20 - Winlogon Notify: hodkgypx - hodkgypx.dll (file missing)
O20 - Winlogon Notify: whlpqcgr - whlpqcgr.dll (file missing)
O20 - Winlogon Notify: wsqimizv - wsqimizv.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8784 bytes
  • 0

#4
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Still have a bit to go.
The type of infection that you have is called a patch infection.
It overwrites legit files and makes the legitimate files malware.
This run with Combofix should clear up all of the overwritten files back to their normal state.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SYSTEM32\2F2B2F323334363.exe
C:\WINDOWS\SYSTEM32\uotqlwmw.ini
Folder::
C:\WINDOWS\SYSTEM32\nGpxx01
C:\Temp\cXzz9
C:\WINDOWS\SYSTEM32\DDD9DDE0E1E2E4D
C:\WINDOWS\uuuq
C:\Program Files\Common Files\uuuq
C:\Program Files\Viewpoint
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uuuq"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViewMgr"=-
"3F3B3F42434446414"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\aszcnhlw]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hodkgypx]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\whlpqcgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wsqimizv]
RenV::
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent .exe
C:\Program Files\Dell\Media Experience\PCMService .exe
C:\Program Files\DellSupport\DSAgnt .exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
C:\Program Files\McAfee.com\Agent\mcagent .exe
C:\Program Files\QuickTime\qttask		 .exe
C:\Program Files\QuickTime\qttask		.exe
C:\Program Files\QuickTime\qttask	   .exe
C:\Program Files\QuickTime\qttask	  .exe
C:\Program Files\QuickTime\qttask	 .exe
C:\Program Files\QuickTime\qttask	.exe
C:\Program Files\QuickTime\qttask   .exe
C:\Program Files\QuickTime\qttask  .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\ScanSoft\OmniPageSE\opware32 .exe
C:\Program Files\SiteAdvisor\6253\SiteAdv .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr .exe
C:\WINDOWS\SM1BG .EXE
C:\WINDOWS\UpdReg .EXE
C:\WINDOWS\SYSTEM32\ctfmon .exe
C:\WINDOWS\SYSTEM32\DSentry .exe
C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0
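A small triage script, added here as an editor's example and not part of the thread, ComboFix or HijackThis, that flags the kinds of entries kahdah's CFScript targets when run over HijackThis O4/O20 lines: Run values whose executable has whitespace before its extension (the renamed legitimate copies the RenV:: list restores), bare hex-looking file names, and Winlogon Notify entries whose DLL is missing. The sample lines are constructed to mirror entries in the log above; the heuristics are assumptions for illustration, not HijackThis rules.

```python
"""Heuristic triage of HijackThis O4 (Run key) and O20 (Winlogon Notify) lines.
Every hit is a lead for a human to check, not a verdict, and nothing is removed."""
import re
from dataclasses import dataclass

# Line shapes as HijackThis 2.0.2 prints them (assumed from the log in this thread).
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
SPACE_BEFORE_EXT = re.compile(r"\s\.[A-Za-z0-9]+$")   # e.g. "qttask .exe"
HEX_NAME = re.compile(r"[0-9A-F]{12,}", re.IGNORECASE)  # e.g. 2F2B2F323334363

# Constructed sample, modelled on entries from the HijackThis log posted above.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [3F3B3F42434446414] 2F2B2F323334363.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: aszcnhlw - aszcnhlw.dll (file missing)
"""


@dataclass
class Finding:
    kind: str       # "O4" or "O20"
    name: str       # Run value name or Winlogon Notify subkey
    target: str     # executable or DLL the entry points at
    reasons: tuple  # why it was flagged


def executable_from_command(cmd: str) -> str:
    """Pull the program path out of a Run value, keeping any internal spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def check_run_entry(name: str, exe: str) -> tuple:
    """Heuristics (assumed) for a Run value pointing at exe."""
    reasons = []
    stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if SPACE_BEFORE_EXT.search(exe):
        reasons.append("whitespace before extension: likely the renamed legitimate copy (compare the RenV:: list)")
    if "\\" not in exe:
        reasons.append("bare filename, resolved by PATH search rather than a fixed location")
    if HEX_NAME.fullmatch(stem) or HEX_NAME.fullmatch(name):
        reasons.append("hex-looking random name on the value or the file")
    return tuple(reasons)


def check_notify_entry(target: str) -> tuple:
    """Heuristics (assumed) for a Winlogon Notify DLL reference."""
    reasons = []
    if "(file missing)" in target:
        reasons.append("DLL not on disk: orphaned Winlogon Notify entry")
    dll = target.replace("(file missing)", "").strip()
    if "\\" not in dll:
        reasons.append("bare DLL name with no fixed directory")
    return tuple(reasons)


def triage_hijackthis(log_text: str) -> list:
    """Return a Finding for every O4/O20 line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if (m := O4_RE.match(line)):
            exe = executable_from_command(m.group("cmd"))
            reasons = check_run_entry(m.group("name"), exe)
            if reasons:
                findings.append(Finding("O4", m.group("name"), exe, reasons))
        elif (m := O20_RE.match(line)):
            reasons = check_notify_entry(m.group("target"))
            if reasons:
                findings.append(Finding("O20", m.group("name"), m.group("target"), reasons))
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"{f.kind} [{f.name}] {f.target}")
        for r in f.reasons:
            print("   -", r)
```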

#5
mbh511

mbh511

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
OK, here it is...

ComboFix 08-02.03.1 - Jason 2008-02-02 21:20:29.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.218 [GMT -5:00]
Running from: C:\Documents and Settings\Jason\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jason\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\SYSTEM32\2F2B2F323334363.exe
C:\WINDOWS\SYSTEM32\uotqlwmw.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\uuuq
C:\Program Files\Common Files\uuuq\uuuqa.lck
C:\Program Files\Common Files\uuuq\uuuqh
C:\Program Files\Common Files\uuuq\uuuql.lck
C:\Program Files\Common Files\uuuq\uuuqm.lck
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Experience Technology\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\AxMetaStream_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ComponentMgr_0305001C.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ComponentRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLArt.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\BlueStreak.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\DataTracking.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\GifReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\LensFlares.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Mts2Reader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ObjectMovie.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ServiceComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VectorView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMgr.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPExtras.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ZoomView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\DownLoadHist.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MTSDownloadSites.txt
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.xpt
C:\Program Files\Viewpoint\Viewpoint Manager\NotifyData\header.gif
C:\Program Files\Viewpoint\Viewpoint Manager\NotifyData\no.gif
C:\Program Files\Viewpoint\Viewpoint Manager\NotifyData\options.ini
C:\Program Files\Viewpoint\Viewpoint Manager\NotifyData\updates.html
C:\Program Files\Viewpoint\Viewpoint Manager\NotifyData\yes.gif
C:\Program Files\Viewpoint\Viewpoint Manager\Read_Me.txt
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCP.cpl
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe
C:\Temp\cXzz9
C:\WINDOWS\SYSTEM32\2F2B2F323334363.exe
C:\WINDOWS\SYSTEM32\DDD9DDE0E1E2E4D
C:\WINDOWS\SYSTEM32\DDD9DDE0E1E2E4D\262226292A2B2D2
C:\WINDOWS\SYSTEM32\nGpxx01
C:\WINDOWS\SYSTEM32\uotqlwmw.ini
C:\WINDOWS\uuuq
C:\WINDOWS\uuuq\uuuq.dat
C:\WINDOWS\uuuq\wu

.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-01-29 18:11 . 2008-01-29 20:37 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-01-29 18:11 . 2008-01-29 18:28 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-01-29 18:11 . 2008-01-29 18:28 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-01-29 18:11 . 2008-01-29 18:28 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-01-27 10:06 . 2008-01-27 10:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-23 19:58 . 2008-01-23 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-22 21:09 . 2008-01-22 21:09 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\Grisoft
2008-01-22 21:08 . 2008-01-22 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-22 21:08 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-01-22 18:29 . 2008-01-22 18:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-22 18:28 . 2008-02-02 21:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-22 18:28 . 2008-01-22 18:28 <DIR> d-------- C:\Documents and Settings\Jason\Application Data\SUPERAntiSpyware.com
2008-01-19 10:23 . 2008-01-27 13:00 15,360 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe
2008-01-19 10:23 . 2008-01-27 13:00 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon.exe
2008-01-19 10:22 . 2008-01-22 20:37 94,208 --a------ C:\WINDOWS\SM1BG.EXE
2008-01-19 10:22 . 2008-01-22 20:37 90,112 --a------ C:\WINDOWS\UpdReg.EXE
2008-01-19 10:21 . 2008-01-22 20:37 28,672 --a------ C:\WINDOWS\SYSTEM32\DSentry.exe
2008-01-17 21:28 . 2008-01-17 21:28 <DIR> d-------- C:\Ripped Movie

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 02:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-03 02:27 --------- d-----w C:\Program Files\McAfee
2008-02-03 02:20 --------- d-----w C:\Program Files\QuickTime
2008-02-03 02:20 --------- d-----w C:\Program Files\DellSupport
2008-02-03 02:15 --------- d-----w C:\Documents and Settings\Jason\Application Data\SiteAdvisor
2008-02-03 00:10 --------- d-----w C:\Documents and Settings\Jason\Application Data\RipIt4Me
2008-02-03 00:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-26 15:53 --------- d-----w C:\Documents and Settings\Jason\Application Data\AdobeUM
2008-01-24 00:58 --------- d-----w C:\Program Files\Lavasoft
2008-01-24 00:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-02 01:03 --------- d-----w C:\Documents and Settings\Jason\Application Data\U3
2007-12-30 15:59 --------- d-----w C:\Documents and Settings\Jason\Application Data\Canon
2007-12-20 22:52 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-16 23:16 --------- d-----w C:\Program Files\Palm
2007-12-16 23:05 --------- d-----w C:\Program Files\Common Files\Skyscape
2007-12-16 23:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-16 23:02 --------- d-----w C:\Program Files\Common Files\Epocrates
2007-11-07 15:31 60,968 ----a-w C:\Documents and Settings\Jason\GoToAssistDownloadHelper.exe
2006-01-26 02:32 18,698 -c--a-w C:\Program Files\PalmEKG.prc
2006-01-19 01:07 56,699,392 -c--a-w C:\Program Files\Palm.msi
2006-01-19 01:06 3,584 -c--a-w C:\Program Files\1033.MST
2004-04-12 02:08 1,760,378 -c--a-w C:\Program Files\aaw6.exe
2004-03-12 03:22 19,585,304 -c--a-w C:\Program Files\GalleryRemote.1.3.1.Win32.VM.exe
2004-03-12 03:18 2,956,909 -c--a-w C:\Program Files\PIXresizer.zip
2004-03-12 03:17 7,979,601 -c--a-w C:\Program Files\gallery_remote-0.3-win32-VM.exe
2004-01-31 02:55 4,155,667 -c--a-w C:\Program Files\jezzball.exe
2004-01-30 23:30 1,311,021 -c--a-w C:\Program Files\RefugeGangImaging.exe
2003-08-27 19:19 36,963 -c--a-r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2008-01-19 13:24 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-27 13:00 15360]
"uuuq"="C:\PROGRA~1\COMMON~1\uuuq\uuuqm.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2008-01-22 20:37 221184]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-01-22 20:37 155648]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2008-01-22 20:37 204800]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2008-01-22 20:37 135264]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-22 20:37 151600]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2008-01-22 20:37 49152]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2008-01-22 20:37 50688]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [ ]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2008-01-22 20:37 36904]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2008-02-02 10:41 582992]
"3F3B3F42434446414"="2F2B2F323334363.exe" []
"combofix"="C:\ComboFix\kmd.exe" [2004-08-04 02:56 388608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2005-04-15 08:46:40 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\aszcnhlw]
aszcnhlw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 2007-11-07 10:32 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gzqkcqwd]
gzqkcqwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hodkgypx]
hodkgypx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\whlpqcgr]
whlpqcgr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wsqimizv]
wsqimizv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=C:\WINDOWS\pss\DataViz Inc Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jason^Start Menu^Programs^Startup^Palm Registration.lnk]
path=C:\Documents and Settings\Jason\Start Menu\Programs\Startup\Palm Registration.lnk
backup=C:\WINDOWS\pss\Palm Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jason^Start Menu^Programs^Startup^Skyscape smARTupdate.lnk]
path=C:\Documents and Settings\Jason\Start Menu\Programs\Startup\Skyscape smARTupdate.lnk
backup=C:\WINDOWS\pss\Skyscape smARTupdate.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-01-27 13:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a--c--- 2005-08-02 14:33 159832 C:\Program Files\Common Files\AOL\1134697008\ee\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2006-10-30 09:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a--c--- 2003-12-03 05:40 53248 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobipocket Web Companion]
--a--c--- 2005-01-05 11:13 1601536 C:\PROGRA~1\COMMON~1\MOBIPO~1\webcomp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2004-04-13 17:36 1470464 C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 21:41]
S3 TibClass;OLYMPUS MAUSB-4W Class Driver;C:\WINDOWS\system32\DRIVERS\TibClass.sys [2001-03-14 14:33]
S3 TibUsb;OLYMPUS MAUSB-4W USB Driver;C:\WINDOWS\system32\DRIVERS\TibUsb.sys [2001-03-14 14:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ece20e64-1acf-11dc-89bf-00194747b9f7}]
\Shell\AutoRun\command - H:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 06:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-02-01 06:00:47 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 21:38:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2008-02-02 21:46:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-03 02:46:22
ComboFix2.txt 2008-02-03 00:54:05
.
2008-01-09 08:03:53 --- E O F ---

----------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:07 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Image Transfer.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file:///F:/CDVIEWER/CdViewer.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O20 - Winlogon Notify: gzqkcqwd - gzqkcqwd.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8791 bytes
  • 0

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#7
mbh511

mbh511

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Kaspersky is scanning now. It looks like it will take several hours, so I will probably post the log in the morning. Thanks again for taking the time to help me. :)

Melissa
  • 0

#8
mbh511

mbh511

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Sunday, February 03, 2008 7:44:30 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/02/2008
Kaspersky Anti-Virus database records: 546149


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 120273
Number of viruses found 6
Number of infected objects 27
Number of suspicious objects 0
Duration of the scan process 02:01:38

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\logout.edb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{41B54C5A-074B-4CE8-95E4-53F84EB8EB26}.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{54FC511A-8076-4627-968D-622156ACF271}.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{A4E6A665-BC51-4339-96D3-7C9353811F21}.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\Jason\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped

C:\Documents and Settings\Jason\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped

C:\Documents and Settings\Jason\Application Data\GTek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped

C:\Documents and Settings\Jason\Application Data\GTek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped

C:\Documents and Settings\Jason\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Jason\Local Settings\Application Data\ApplicationHistory\TransferAgent.exe.91f03f4d.ini.inuse Object is locked skipped

C:\Documents and Settings\Jason\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Jason\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Jason\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Jason\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\Jason\Local Settings\History\History.IE5\MSHist012008020220080203\index.dat Object is locked skipped

C:\Documents and Settings\Jason\Local Settings\Temp\~DF897F.tmp Object is locked skipped

C:\Documents and Settings\Jason\Local Settings\Temp\~DFC273.tmp Object is locked skipped

C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Jason\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Jason\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\2F2B2F323334363.exe.vir Infected: Trojan-Downloader.Win32.VB.chy skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dkmkdknx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\icnmpovt.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.auj skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\iefkrcxb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kcmctxqv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kvorkwjh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mdwnenlj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pvijthed.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gip skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vaedmpim.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xapqsizc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\QooBox\Quarantine\catchme2008-02-02_194603.98.zip/vtutr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped

C:\QooBox\Quarantine\catchme2008-02-02_194603.98.zip/xapqsizc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\QooBox\Quarantine\catchme2008-02-02_194603.98.zip ZIP: infected - 2 skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP10\A0002451.exe Infected: Trojan-Downloader.Win32.VB.chy skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP10\change.log Object is locked skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0001171.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0001172.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP9\A0002296.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP9\A0002298.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.auj skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP9\A0002299.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP9\A0002300.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP9\A0002301.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP9\A0002303.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP9\A0002304.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gip skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP9\A0002306.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP9\A0002318.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP9\A0002319.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP9\A0002323.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{79493043-8C71-4741-B632-6FF23C55C8D2}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\mcafee_A9jTSWPXhsLM5Ps Object is locked skipped

C:\WINDOWS\Temp\mcafee_rWlwf4EXuPQXpd1 Object is locked skipped

C:\WINDOWS\Temp\mcmsc_Cczqh5Nu1SA6AMy Object is locked skipped

C:\WINDOWS\Temp\mcmsc_ko0wv3qFXPPbEXd Object is locked skipped

C:\WINDOWS\Temp\mcmsc_M68jdnggHmFoK0l Object is locked skipped

C:\WINDOWS\Temp\mcmsc_OofTDDf8LskYQ9v Object is locked skipped

C:\WINDOWS\Temp\mcmsc_RdgE2jrx4cTtxIh Object is locked skipped

C:\WINDOWS\WIADEBUG.LOG Object is locked skipped

C:\WINDOWS\WIASERVC.LOG Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0

#9
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Looks good, a few more steps to go and you are on your way. :)
==========================================
Please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fixthis.reg on your Desktop.
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gzqkcqwd]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hodkgypx]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\whlpqcgr]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wsqimizv]
Now double-click fixthis.reg.
A window will come up asking if you want to let it merge with the registry.
Click yes.

You can delete this after it merges with the registry.
================================
After that, time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


    The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Clean System Restore points.

Also delete anything that we used that is left over (except for Hijackthis.)
===================================
Post back with a final Hijackthis log and let me know how things are running.
  • 0
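Why the Kaspersky report posted above could be called good: every "Infected:" line sits under C:\QooBox\Quarantine (ComboFix's quarantine folder) or under a System Restore point, and everything else is an in-use system file that was merely skipped as locked. The classifier below is an added example written for this thread, not Kaspersky's or the forum's code; it assumes the line format shown in the report and uses a constructed sample built from a few of the posted lines.

```python
"""Classify a Kaspersky Online Scanner report: are any hits still live?

Added example, not from the original thread or from Kaspersky. It reads the
'Infected Object Name  Virus Name  Last Action' lines in the posted format
and separates locked/skipped files from real detections, then asks whether
any detection lies outside quarantine and System Restore.
"""
import re
from collections import Counter

# Sample report constructed for this example from a few of the posted lines.
SAMPLE_REPORT = """\
C:\\Documents and Settings\\Jason\\NTUSER.DAT Object is locked skipped
C:\\QooBox\\Quarantine\\C\\WINDOWS\\SYSTEM32\\dkmkdknx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\\QooBox\\Quarantine\\catchme2008-02-02_194603.98.zip/vtutr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
C:\\QooBox\\Quarantine\\catchme2008-02-02_194603.98.zip ZIP: infected - 2 skipped
C:\\System Volume Information\\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\\RP4\\A0001171.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\\WINDOWS\\SYSTEM32\\CONFIG\\SAM Object is locked skipped
"""

# Three line shapes appear in the report: a detection, a locked (in-use) file,
# and an archive summary whose members are listed on their own lines.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?:ZIP|RAR|CAB): infected - \d+ skipped$")

def location_of(path):
    """'quarantine' and 'restore' are already neutralised; 'live' is not."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:                     # ComboFix quarantine
        return "quarantine"
    if "\\system volume information\\_restore" in p:      # System Restore point
        return "restore"
    return "live"

def classify_report(text):
    """Return locked count, infected counts per location, detection-name
    counter and the list of live (path, detection) pairs."""
    result = {"locked": 0, "by_location": Counter(), "detections": Counter(), "live": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if LOCKED_RE.match(line):
            result["locked"] += 1        # in-use file, not a detection
            continue
        if CONTAINER_RE.match(line):
            continue                     # archive total; members counted separately
        m = INFECTED_RE.match(line)
        if not m:
            continue                     # header or unrecognised line
        loc = location_of(m["path"])
        result["by_location"][loc] += 1
        result["detections"][m["name"]] += 1
        if loc == "live":
            result["live"].append((m["path"], m["name"]))
    return result

def verdict(report):
    """True when nothing active remains: every detection is quarantined or in
    a restore point, which 'Combofix /u' clears when it cleans restore points."""
    return not report["live"]

if __name__ == "__main__":
    r = classify_report(SAMPLE_REPORT)
    print("locked (skipped):", r["locked"])
    print("infected by location:", dict(r["by_location"]))
    print("live hits:", r["live"])
    print("clean verdict:", verdict(r))
```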

#10
mbh511

mbh511

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Things look good, internet is fast with no pop-ups, etc, computer has none of those weird error messages. Question before I post the hijackthis log -- as part of this whole process, I now have AVG anti-spyware, Super antispyware, Ad-Aware and Hijack this on my computer. Which, if any, should I leave on? Will they interfere with McAfee? And is it worth paying for the full version or is the free version enough??

Also, what if I discover next week or down the road that there is still a problem? Do I reply to this post or start another, and direct it to your attention??

Thank you so much for your expert help and precious time. I am amazed that my computer could be saved!! :) Melissa

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:27 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - Global Startup: Image Transfer.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file:///F:/CDVIEWER/CdViewer.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9097 bytes
  • 0

#11
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Have Hijackthis fix these 2 entries below:

O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Then close Hijackthis.
===============
After that your log is clean. :)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here
=========================
I personally don't like McAfee but that is my opinion.
As long as you have an up-to-date antivirus then you are good to go.
As far as the other programs, you can now uninstall AVG Anti-Spyware, SUPERAntiSpyware and HijackThis.
If you get tired of McAfee and want to switch, there are good (if not better) antivirus programs that are free as well.
Avast
or
AVG free

Both of these are very good at detecting and preventing things like this from happening.

If you would like a real-time antispyware I suggest Windows Defender; it is also free and will help with spyware detections and removals.

If you should have any other problems down the road you can start another thread.
If you want you can pm me or let someone else help either way it is up to you.

Safe surfing. :)
  • 0
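The two leftover entries above illustrate a general pattern a log reviewer looks for: an O3 toolbar CLSID with no file behind it, and an O6 Internet Explorer policy key in HKCU that a default install does not have. As an added example (not part of this thread and not HijackThis itself), the Python below parses HijackThis-style lines and flags those two patterns, plus O23 services listed with "Unknown owner" as entries worth confirming against installed software. The sample lines are constructed from the kinds of entries shown in this thread; the rules are heuristics for a reviewer, not a verdict of malware.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on HijackThis output (not the thread's full log).
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O3"
    line: str      # the original log line
    reason: str    # why a reviewer should look at it


# Every HijackThis line starts with a section code followed by " - ".
SECTION_RE = re.compile(r"^(O\d+) - (.*)$")
# O3: Toolbar: <name> - <CLSID> - <file or "(no file)">
O3_RE = re.compile(r"^Toolbar: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")
# O23: Service: <display name> - <owner/vendor> - <binary path>
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def parse_hjt(text):
    """Return (section, body, full_line) tuples for each recognised log line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), line))
    return entries


def review(text):
    """Apply reviewer heuristics and return the entries worth a closer look."""
    findings = []
    for section, body, line in parse_hjt(text):
        if section == "O3":
            m = O3_RE.match(body)
            if m and m.group("file") == "(no file)":
                findings.append(Finding(section, line,
                    "toolbar CLSID registered but no backing file: orphaned entry, safe to fix"))
        elif section == "O6":
            # A policy key under HKCU for Internet Explorer is not present on a
            # default install; it is often left behind by unwanted software.
            findings.append(Finding(section, line,
                "Internet Explorer policy key present in HKCU; not present on a default install"))
        elif section == "O23":
            m = O23_RE.match(body)
            if m and m.group("owner") == "Unknown owner":
                findings.append(Finding(section, line,
                    "service binary carries no vendor information; confirm the path belongs to software you installed"))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a saved HijackThis log by reading the file into `review()` instead of `SAMPLE_LOG`; each flagged line is printed with the reason, and anything not matching the three rules is left out so the reviewer sees only the entries that need a decision.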

#12
mbh511

mbh511

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I can't thank you enough and will be making a donation to the site. One last question--if I have Windows Defender, will it interfere with McAfee?

Thanks again and have a great rest of the weekend,
Melissa
  • 0

#13
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Nope, it will not interfere as long as that is all that you have. Uninstall the rest of the antispyware programs and you will be good to go.

You are welcome :) and enjoy your weekend as well.


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

#14
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
