Don't delete anything?! How long before I get a reply? [RESOLVED]


This topic is locked

#1 angigonefishin (New Member, 8 posts)
I've been working on this for a week, downloading SpySweeper, Avira, Autoruns, HijackThis, VundoFix.

Avira AntiVir seemed to catch the most after a 4 hour scan. Rebooted, ran HijackThis again; a lot has been deleted by Avira, judging from the first HijackThis scan I ran, which didn't get rid of most, if not all, of it.

One of the problems I'm having, other than not knowing what the [bleep] I'm doing, is: which EXEs do I need for Startup and running processes? I know that a few that are in quarantine, which I looked up, could be infected but are still essential to my running processes.
I did turn off System Restore before downloading and running AntiVir.
OK, here are my logs:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:46 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CamMonitor] "c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe"
O4 - HKLM\..\Run: [HPHUPD05] "c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Sunkist2k] "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [MediaFace Integration] "C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Ceedo AutoDetect] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AutoDetect.exe" /active
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ColdFusion MX 7 Search Server - Verity, Inc. - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8551 bytes

Avira AntiVir log:

AntiVir PersonalEdition Classic
Report file date: Sunday, February 03, 2008 07:08

Scanning for 1089295 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name:

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 19:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 18:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 21:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 18:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 20:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 12:07:32
ANTIVIR2.VDF : 7.0.2.49 1339904 Bytes 1/25/2008 12:07:32
ANTIVIR3.VDF : 7.0.2.82 259072 Bytes 2/1/2008 12:07:32
AVEWIN32.DLL : 7.6.0.62 3240448 Bytes 2/3/2008 12:07:33
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 16:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 13:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 2/3/2008 12:07:33
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 13:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 18:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 13:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 17:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 18:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 18:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 15:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, February 03, 2008 07:08

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'mcvsshld.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'ssu.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'mcuimgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Playlist.exe' - '1' Module(s) have been scanned
Scan process 'AutoDetect .exe' - '1' Module(s) have been scanned
Scan process 'apdproxy .exe' - '1' Module(s) have been scanned
Scan process 'jusched .exe' - '1' Module(s) have been scanned
Scan process 'RxMon .exe' - '1' Module(s) have been scanned
Scan process 'SpySweeperUI .exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx .exe' - '1' Module(s) have been scanned
Scan process 'shwicon2k .exe' - '1' Module(s) have been scanned
Scan process 'AutoDetect.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AutoDetect.exe'
Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
Scan process 'SpySweeperUI.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe'
Scan process 'apdproxy.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe'
Scan process 'ALCXMNTR.EXE' - '1' Module(s) have been scanned
Scan process 'RxMon.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe'
Scan process 'hpqcmon .exe' - '1' Module(s) have been scanned
Scan process 'shwicon2k.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\Program Files\Multimedia Card Reader\shwicon2k.exe'
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe'
Scan process 'ehtray .exe' - '1' Module(s) have been scanned
Scan process 'hpqcmon.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe'
Scan process 'ehtray.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'mcagent.exe' - '1' Module(s) have been scanned
Scan process 'k2server.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'SpySweeper.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'MpfSrv.exe' - '1' Module(s) have been scanned
Scan process 'mcsysmon.exe' - '1' Module(s) have been scanned
Scan process 'Mcshield.exe' - '1' Module(s) have been scanned
Scan process 'RedirSvc.exe' - '1' Module(s) have been scanned
Scan process 'mcpromgr.exe' - '1' Module(s) have been scanned
Scan process 'mcods.exe' - '1' Module(s) have been scanned
Scan process 'McNASvc.exe' - '1' Module(s) have been scanned
Scan process 'mcmscsvc.exe' - '1' Module(s) have been scanned
Scan process 'HWAPI.exe' - '1' Module(s) have been scanned
Scan process 'gearsec.exe' - '1' Module(s) have been scanned
Scan process 'ehsched.exe' - '1' Module(s) have been scanned
Scan process 'k2admin.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

64 processes with 64 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!

Starting to scan the registry.
C:\hp\KBD\KBD.EXE
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47e9b1a3.qua'!
C:\hp\KBD\KBD.EXE
[DETECTION] Is the Trojan horse TR/Vundo.Gen
C:\hp\bin\AUTOTKIT.EXE
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47f9b1ba.qua'!
C:\hp\bin\AUTOTKIT.EXE
[DETECTION] Is the Trojan horse TR/Vundo.Gen
C:\WINDOWS\SMINST\RECGUARD.EXE
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47e8b1af.qua'!
C:\WINDOWS\SMINST\RECGUARD.EXE
[DETECTION] Is the Trojan horse TR/Vundo.Gen
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen

The registry was scanned ( '31' files ).


Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Administrator\Local Settings\Temp\AutoDetect.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Documents and Settings\Administrator\My Documents\My eBooks\BlockingBetter2Dollars.zip
[0] Archive type: ZIP
--> FreeSpeedDrillsEbook_e.hta
[DETECTION] Contains suspicious code HEUR/Exploit.HTML
[INFO] The file was moved to '4814ba34.qua'!
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d7c1c1312323370.bup
[DETECTION] Contains detection pattern of the exploits EXP/Office.Dropper.Gen
[INFO] The file was moved to '47dcbe4c.qua'!
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d822103933c0.bup
[DETECTION] Contains detection pattern of the exploits EXP/Office.Dropper.Gen
[INFO] The file was moved to '47ddbe4e.qua'!
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d822103b6d0.bup
[DETECTION] Contains detection pattern of the exploits EXP/Office.Dropper.Gen
[INFO] The file was moved to '43357d17.qua'!
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
[DETECTION] Is the Trojan horse TR/Dldr.Purity.BV.7
[INFO] The file was moved to '481fc70a.qua'!
C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '480cc7a0.qua'!
C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4819c873.qua'!
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '480dc914.qua'!
C:\Program Files\iTunes\iTunesHelper.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '481acb81.qua'!
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\QuickTime\qttask .exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4819d348.qua'!
C:\Program Files\QuickTime\qttask .exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4819d349.qua'!
C:\Program Files\QuickTime\qttask .exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4819d34a.qua'!
C:\Program Files\QuickTime\qttask .exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '497b433b.qua'!
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '480cd37d.qua'!
C:\Program Files\Sony\SonicStage\SsAAD.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47e6d3ab.qua'!
C:\sj655\HPD873~1 .EXE
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47e9d459.qua'!
C:\VundoFix Backups\ekwqbmci.dll.bad
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was moved to '481cd47b.qua'!
C:\VundoFix Backups\hkcmd.exe.bad
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4808d47d.qua'!
C:\VundoFix Backups\hphmon05.exe.bad
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '480dd482.qua'!
C:\VundoFix Backups\hpsysdrv.exe.bad
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4818d483.qua'!
C:\VundoFix Backups\hpztsb09.exe.bad
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '481fd484.qua'!
C:\VundoFix Backups\mljjh.dll.bad
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '480fd480.qua'!
C:\VundoFix Backups\mljjh.exe.bad
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '480fd481.qua'!
C:\VundoFix Backups\ps2.exe.bad
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47d7d489.qua'!
C:\VundoFix Backups\rmqqhdnp.dll.bad
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was moved to '4816d483.qua'!
C:\WINDOWS\eHome\ehtray.exe.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\dflaqyai.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4811df7f.qua'!
C:\WINDOWS\system32\kdmcd.exe
[WARNING] The file could not be opened!
C:\WINDOWS\system32\LE786.tmp
[DETECTION] Contains detection pattern of the dropper DR/Scapur.K.18
[INFO] The file was moved to '47dcdf7e.qua'!
C:\WINDOWS\system32\RCX43.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47fddfa4.qua'!
C:\WINDOWS\system32\RCX4C.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47fddfa5.qua'!
C:\WINDOWS\system32\RCX5C.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47fddfa6.qua'!
C:\WINDOWS\Temp\RCX3A4.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47fde071.qua'!
C:\WINDOWS\Temp\RCX3A7.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47fde072.qua'!
C:\WINDOWS\Temp\RCX3AD.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47fde074.qua'!
C:\WINDOWS\Temp\RCX3B3.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47fde075.qua'!
C:\WINDOWS\Temp\RCX3B9.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47fde076.qua'!
C:\WINDOWS\Temp\RCX3BC.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47fde077.qua'!
C:\WINDOWS\Temp\RCX3BF.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '469f7008.qua'!
Begin scan in 'D:\' <HP_RECOVERY>


End of the scan: Sunday, February 03, 2008 10:58
Used time: 3:50:01 min

The scan has been done completely.

7987 Scanning directories
556327 Files were scanned
59 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
0 files were deleted
0 files were repaired
40 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
556268 Files not concerned
22445 Archives were scanned
15 Warnings
5 Notes

Previous HijackThis StartupList log of startups, before AntiVir:

StartupList report, 2/2/2008, 12:57:10 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Administrator\My Documents\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AutoDetect.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AutoDetect .exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
C:\Program Files\Multimedia Card Reader\shwicon2k .exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ehTray = C:\WINDOWS\ehome\ehtray.exe
CamMonitor = "c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe"
HPHUPD05 = "c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
KBD = C:\HP\KBD\KBD.EXE
AutoTKit = C:\hp\bin\AUTOTKIT.EXE
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
ATIPTA = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
Sunkist2k = "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
RoxioEngineUtility = "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
RoxioAudioCentral = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
AlcxMonitor = ALCXMNTR.EXE
Adobe Photo Downloader = "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
MediaFace Integration = "C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe"
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
SpySweeper = C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

BackupNotify = c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
Ceedo AutoDetect = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AutoDetect.exe" /active

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Ceedo Repair = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AutoDetect .exe" /repair /drive=
DelayShred = "c:\program files\mcafee\mshr\ShrCL.EXE" /P7 /q C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse5.SH!

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[AutorunsDisabled]
hpsysdrv = c:\windows\system\hpsysdrv.exe
HPHmon05 = C:\WINDOWS\System32\hphmon05.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
PS2 = C:\WINDOWS\system32\ps2.exe

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=C:\WINDOWS\system32\mljjh.exe
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssstars.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

McDefragTask.job
McQcTask.job

--------------------------------------------------

Enumerating Download Program Files:

[WebInstall Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\webinst.dll

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse5.tmp|C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse5.SH!|||

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll

--------------------------------------------------
End of report, 9,151 bytes
Report generated in 0.157 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Edited by angigonefishin, 03 February 2008 - 01:26 PM.

  • 0


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.



Also post a new HijackThis log
  • 0

#3
angigonefishin

angigonefishin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
ComboFix 08-02.03.1 - Administrator 2008-02-03 14:43:59.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.309 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\SSTEM3~1
C:\Documents and Settings\Administrator\Application Data\SSTEM3~1\m?dtc.exe
C:\Documents and Settings\Administrator\My Documents\YSTEM3~1
C:\Documents and Settings\Administrator\My Documents\YSTEM3~1\?ystem32\
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Installr\Cache\01C5F4B5
C:\Program Files\FunWebProducts\Installr\Cache\01C5F60C
C:\Program Files\FunWebProducts\Installr\Cache\01C5F66A
C:\Program Files\FunWebProducts\Installr\Cache\01C5F6C8
C:\Program Files\FunWebProducts\Installr\Cache\01C5F726
C:\Program Files\FunWebProducts\Installr\Cache\files.ini
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\MP3Downloading\bindata.exe
C:\Program Files\MyWay
C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
C:\Program Files\MyWay\myBar\History\search
C:\Program Files\MyWay\myBar\Settings\prevcfg.htm
C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\History\search
C:\Program Files\MyWebSearch\bar\Settings\prevcfg.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat.bak
C:\Program Files\MyWebSearch\bar\Settings\settings.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.htm.bak
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive10.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrModule\QdrModule12.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\hjjlm.ini
C:\WINDOWS\system32\hjjlm.ini2
C:\WINDOWS\system32\kdmcd.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\pndhqqmr.ini
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://meoryprof.info
.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-03 14:40 . 2008-02-03 14:41 <DIR> d-------- C:\ComboFix[1]
2008-02-03 07:03 . 2008-02-03 07:03 <DIR> d-------- C:\Program Files\Avira
2008-02-03 07:03 . 2008-02-03 07:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-29 20:52 . 2008-01-29 20:52 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-29 16:23 . 2008-01-29 16:23 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-29 16:23 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-01-29 16:23 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-29 16:23 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-01-29 16:23 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-01-29 16:22 . 2008-01-29 16:22 <DIR> d-------- C:\Program Files\Webroot
2008-01-29 16:22 . 2008-01-29 16:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-01-29 16:22 . 2008-01-29 16:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-01-29 16:22 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2008-01-27 19:22 . 2008-02-03 09:47 <DIR> d-------- C:\VundoFix Backups
2008-01-27 19:10 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-27 19:08 . 2008-01-27 19:08 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-26 12:10 . 2008-01-28 05:41 114,688 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-01-26 12:09 . 2008-01-28 05:41 483,328 --a------ C:\WINDOWS\system32\hphmon05 .exe
2008-01-26 12:09 . 2008-01-28 05:40 52,736 --a------ C:\WINDOWS\system\hpsysdrv .exe
2008-01-26 12:09 . 2008-01-28 05:42 180 --a------ C:\WINDOWS\system\hpsysdrv .DAT
2008-01-26 08:11 . 2008-01-26 08:11 0 --a------ C:\WINDOWS\system32\MI71.tmp
2008-01-26 08:06 . 2008-01-26 08:06 270,698 --a------ C:\WINDOWS\system32\L1964.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 19:48 --------- d-----w C:\Program Files\MP3Downloading
2008-02-03 16:25 --------- d-----w C:\Program Files\Multimedia Card Reader
2008-02-03 14:42 --------- d-----w C:\Program Files\QuickTime
2008-02-03 14:09 --------- d-----w C:\Program Files\iTunes
2008-01-28 00:09 --------- d-----w C:\Program Files\Java
2008-01-27 23:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-27 22:10 --------- d-----w C:\Program Files\Free Offers from Freeze.com
2008-01-27 21:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Roxio
2008-01-27 21:22 --------- d-----w C:\Program Files\eBay
2008-01-27 21:17 --------- d-----w C:\Program Files\Viewpoint
2008-01-27 21:17 --------- d-----w C:\Program Files\The Weather Channel FW
2008-01-27 21:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-27 21:11 --------- d-----w C:\Program Files\Yahoo!
2008-01-27 21:10 --------- d-----w C:\Program Files\Google
2008-01-27 21:05 --------- d-----w C:\Program Files\MSN Messenger
2008-01-18 10:46 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2007-12-31 16:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-12-29 20:46 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-29 20:19 --------- d-----w C:\Program Files\McAfee
2007-12-27 16:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\EbkReader
2007-12-23 15:14 --------- d-----w C:\Program Files\activePDF
2007-12-21 02:30 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-12-15 17:42 --------- d-----w C:\Program Files\InterActual
2005-04-19 22:08 56 -csh--r C:\WINDOWS\system32\B7E458F76E.sys
.
<pre>
----a-w			61,440 2008-02-02 21:01:16  C:\hp\KBD\KBD .EXE
----a-w			57,344 2008-02-02 21:01:29  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
----a-w		   335,872 2008-02-02 21:01:24  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w			65,536 2008-02-02 21:01:24  C:\Program Files\Common Files\Roxio Shared\System\EngUtil .exe
----a-w			53,248 2008-02-02 21:01:30  C:\Program Files\Fellowes\MediaFACE 4.2\SetHook .exe
----a-w			68,856 2008-01-27 20:58:40  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w			90,112 2008-02-02 21:01:15  C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe
----a-w			49,152 2008-02-02 21:01:15  C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05 .exe
----a-w			49,152 2008-01-28 10:41:22  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w		   256,576 2008-01-30 00:04:04  C:\Program Files\iTunes\iTunesHelper .exe
----a-w		   144,784 2008-02-02 21:01:32  C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
----a-w		 4,276,224 2008-01-30 00:04:30  C:\Program Files\MP3Downloading\bindata .exe
----a-w		 4,886,528 2008-01-27 20:58:39  C:\Program Files\MSN Messenger\MsnMsgr .Exe
----a-w		   139,264 2008-02-02 21:01:22  C:\Program Files\Multimedia Card Reader\shwicon2k .exe
----a-w		   319,488 2008-02-02 21:01:26  C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
----a-w		   868,352 2008-01-30 00:03:57  C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
----a-w			81,920 2008-01-30 00:03:59  C:\Program Files\Sony\SonicStage\SsAAD .exe
----a-w		 5,367,608 2008-02-02 21:01:45  C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
----a-w			50,176 2008-02-02 21:01:15  C:\WINDOWS\eHome\ehtray .exe
----a-w		   212,992 2008-02-02 21:01:21  C:\WINDOWS\SMINST\RECGUARD .EXE
----a-w			52,736 2008-01-28 10:40:58  C:\WINDOWS\system\hpsysdrv .exe
----a-w		   114,688 2008-01-28 10:41:10  C:\WINDOWS\system32\hkcmd .exe
----a-w		   483,328 2008-01-28 10:41:06  C:\WINDOWS\system32\hphmon05 .exe
----a-w		   188,416 2008-01-28 10:41:21  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-04 02:56 50176]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [ ]
"HPHUPD05"="c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [ ]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [ ]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [ ]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [ ]
"MediaFace Integration"="C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [ ]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-03 07:07 249896]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= mljjh.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f8b212c9]
--a------ 2004-08-04 02:56 33280 C:\WINDOWS\system32\rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Update 4200C]
C:\sj655\HPD873~3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\mljjh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

S2 ColdFusion MX 7 Search Server;ColdFusion MX 7 Search Server;"C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" []
S3 EvcapMaui;Emuzed EvcapMaui Device;C:\WINDOWS\system32\DRIVERS\EvcapMau.sys [2003-08-28 13:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04012be7-ac14-11dc-8db3-000ea61bb381}]
\Shell\AutoRun\command - N:\Autorun.exe /run
\Shell\Shell00\Command - N:\Autorun.exe /run
\Shell\Shell01\Command - N:\Autorun.exe /action
\Shell\Shell02\Command - N:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{761d8286-444a-11d8-8b6a-806d6172696f}]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-12-15 06:05:56 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-01-01 06:00:02 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 14:50:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
.
**************************************************************************
.
Completion time: 2008-02-03 14:54:24 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-02-03 19:54:22
  • 0

#4
angigonefishin

angigonefishin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:58:41 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CamMonitor] "c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe"
O4 - HKLM\..\Run: [HPHUPD05] "c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Sunkist2k] "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [MediaFace Integration] "C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ColdFusion MX 7 Search Server - Verity, Inc. - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6900 bytes
  • 0

#5
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\mljjh.exe
N:\Autorun.exe
D:\Info.exe

Folder::
C:\sj655

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f8b212c9]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Update 4200C]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04012be7-ac14-11dc-8db3-000ea61bb381}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{761d8286-444a-11d8-8b6a-806d6172696f}]

RenV::
----a-w 61,440 2008-02-02 21:01:16 C:\hp\KBD\KBD .EXE
----a-w 57,344 2008-02-02 21:01:29 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
----a-w 335,872 2008-02-02 21:01:24 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w 65,536 2008-02-02 21:01:24 C:\Program Files\Common Files\Roxio Shared\System\EngUtil .exe
----a-w 53,248 2008-02-02 21:01:30 C:\Program Files\Fellowes\MediaFACE 4.2\SetHook .exe
----a-w 68,856 2008-01-27 20:58:40 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w 90,112 2008-02-02 21:01:15 C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe
----a-w 49,152 2008-02-02 21:01:15 C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05 .exe
----a-w 49,152 2008-01-28 10:41:22 C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w 256,576 2008-01-30 00:04:04 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 144,784 2008-02-02 21:01:32 C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
----a-w 4,276,224 2008-01-30 00:04:30 C:\Program Files\MP3Downloading\bindata .exe
----a-w 4,886,528 2008-01-27 20:58:39 C:\Program Files\MSN Messenger\MsnMsgr .Exe
----a-w 139,264 2008-02-02 21:01:22 C:\Program Files\Multimedia Card Reader\shwicon2k .exe
----a-w 319,488 2008-02-02 21:01:26 C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
----a-w 868,352 2008-01-30 00:03:57 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
----a-w 81,920 2008-01-30 00:03:59 C:\Program Files\Sony\SonicStage\SsAAD .exe
----a-w 5,367,608 2008-02-02 21:01:45 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
----a-w 50,176 2008-02-02 21:01:15 C:\WINDOWS\eHome\ehtray .exe
----a-w 212,992 2008-02-02 21:01:21 C:\WINDOWS\SMINST\RECGUARD .EXE
----a-w 52,736 2008-01-28 10:40:58 C:\WINDOWS\system\hpsysdrv .exe
----a-w 114,688 2008-01-28 10:41:10 C:\WINDOWS\system32\hkcmd .exe
----a-w 483,328 2008-01-28 10:41:06 C:\WINDOWS\system32\hphmon05 .exe
----a-w 188,416 2008-01-28 10:41:21 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.




Also post a new HijackThis log
  • 0
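As an added example, not code from this thread or from ComboFix, Autoruns or HijackThis, here is a small Python triage script that reads Autoruns-style report lines like the ones posted earlier in the thread and flags the kinds of indicator a helper looks for before writing a CFScript: a space inserted before a file extension (the entries the RenV:: section renames back), an executable launched from a Temp directory (worth a second look rather than automatically bad), and a legacy Windows NT load/run value that is set at all. The sample report below is constructed from the report format on this page; placeholder_loader.exe is a placeholder name and not a file from the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample in the Autoruns text-report style seen in the thread.
# placeholder_loader.exe is a placeholder; the other names are stock entries
# that also appear in the posted reports and are included as benign controls.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ehTray = C:\WINDOWS\ehome\ehtray.exe
KBD = C:\HP\KBD\KBD.EXE
HotKeysCmds = C:\WINDOWS\System32\hkcmd .exe

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Ceedo AutoDetect = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AutoDetect.exe" /active

Load/Run keys from Registry:

HKCU\..\Windows NT\CurrentVersion\Windows: load=C:\WINDOWS\system32\placeholder_loader.exe
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
"""

# "Name = value" lines from the Run-key sections.
ENTRY_RE = re.compile(r'^(?P<name>[^=]+?)\s*=\s*(?P<value>.+)$')
# "HKxx\..\Windows NT\CurrentVersion\Windows: load=..." lines from the Load/Run section.
LOADRUN_RE = re.compile(r'^(?P<key>HK\w+\\.*?):\s*(?P<kind>load|run)=(?P<value>.*)$')
# A space (or more) right before the extension, e.g. "hkcmd .exe".
SPACED_EXT_RE = re.compile(r'\s+\.(exe|dll|scr|com|dat)$', re.IGNORECASE)
# Image lives under a per-user Temp directory (8.3 or long form).
TEMP_DIR_RE = re.compile(r'\\(LOCALS~1\\Temp|Local Settings\\Temp|Temp)\\', re.IGNORECASE)


@dataclass
class Finding:
    name: str
    path: str
    reason: str


def image_path(value):
    """Strip surrounding quotes and trailing command-line switches from a Run value."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(' /')[0].strip()


def triage(report_text):
    """Return the list of entries worth a closer look, in report order."""
    findings = []
    for raw in report_text.splitlines():
        line = raw.strip()
        m = LOADRUN_RE.match(line)
        if m:
            # Autoruns prints "*Registry value not found*" when the value is absent;
            # any real path here is unusual enough to report.
            if not m.group('value').startswith('*'):
                findings.append(Finding(m.group('kind'), m.group('value'),
                                        'legacy Windows NT load/run value is set'))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        path = image_path(m.group('value'))
        if SPACED_EXT_RE.search(path):
            findings.append(Finding(m.group('name'), path, 'space before file extension'))
        if TEMP_DIR_RE.search(path):
            findings.append(Finding(m.group('name'), path, 'runs from a Temp directory'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_REPORT):
        print(f'{f.reason}: [{f.name}] {f.path}')
```

Run against the constructed report it reports the spaced hkcmd entry, the Temp-directory launcher, and the set load value; the stock ehTray and KBD entries pass. Matching on these patterns is only a first pass: a flagged entry still needs the file checked (publisher, hashes, install date) before it goes into a fix script.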

#6
angigonefishin

angigonefishin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
ComboFix 08-02.03.1 - Administrator 2008-02-03 15:15:19.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.327 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

FILE
C:\WINDOWS\system32\mljjh.exe
D:\Info.exe
N:\Autorun.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\sj655
C:\sj655\AUTORUN.INF
C:\sj655\CFGMGR32.DLL
C:\sj655\checkhw.exe
C:\sj655\dibapi.dll
C:\sj655\English\_INST32I.EX_
C:\sj655\English\_ISDEL.EXE
C:\sj655\English\_setup.dll
C:\sj655\English\_setup.lib
C:\sj655\English\~hpsj.z
C:\sj655\English\Data.dxr
C:\sj655\English\HPSCANJT.CNT
C:\sj655\English\HPSCANJT.HLP
C:\sj655\English\Ideas.exe
C:\sj655\English\readme.doc
C:\sj655\English\setup.exe
C:\sj655\English\setup.ini
C:\sj655\English\SETUP.INS
C:\sj655\English\setup.pkg
C:\sj655\English\teaser.eng
C:\sj655\English\Xtras\FILEIO.X32
C:\sj655\English\Xtras\INETURL.X32
C:\sj655\English\Xtras\NETFILE.X32
C:\sj655\English\Xtras\NETLINGO.X32
C:\sj655\hp4200c.inf
C:\sj655\HP4200C.SYS
C:\sj655\hpad32.dll
C:\sj655\hplampc.exe
C:\sj655\hpsctrlc.cpl
C:\sj655\hpsjvset.dll
C:\sj655\instusft.exe
C:\sj655\mfc42.dll
C:\sj655\msvcirt.dll
C:\sj655\msvcrt.dll
C:\sj655\preview\prevengl.cab
C:\sj655\preview\previntl.cab
C:\sj655\setup.exe
C:\sj655\setup.ini
C:\sj655\updatloc.dll
C:\sj655\usbsoft.exe
D:\Info.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-03 14:40 . 2008-02-03 14:41 <DIR> d-------- C:\ComboFix[1]
2008-02-03 07:03 . 2008-02-03 07:03 <DIR> d-------- C:\Program Files\Avira
2008-02-03 07:03 . 2008-02-03 07:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-29 20:52 . 2008-01-29 20:52 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-29 16:23 . 2008-01-29 16:23 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-29 16:23 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-01-29 16:23 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-29 16:23 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-01-29 16:23 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-01-29 16:22 . 2008-01-29 16:22 <DIR> d-------- C:\Program Files\Webroot
2008-01-29 16:22 . 2008-01-29 16:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-01-29 16:22 . 2008-01-29 16:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-01-29 16:22 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2008-01-27 19:22 . 2008-02-03 09:47 <DIR> d-------- C:\VundoFix Backups
2008-01-27 19:10 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-27 19:08 . 2008-01-27 19:08 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-26 12:10 . 2008-01-28 05:41 114,688 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-26 12:09 . 2008-01-28 05:41 483,328 --a------ C:\WINDOWS\system32\hphmon05.exe
2008-01-26 12:09 . 2008-01-28 05:40 52,736 --a------ C:\WINDOWS\system\hpsysdrv.exe
2008-01-26 12:09 . 2008-01-28 05:42 180 --a------ C:\WINDOWS\system\hpsysdrv .DAT
2008-01-26 08:11 . 2008-01-26 08:11 0 --a------ C:\WINDOWS\system32\MI71.tmp
2008-01-26 08:06 . 2008-01-26 08:06 270,698 --a------ C:\WINDOWS\system32\L1964.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 20:15 --------- d-----w C:\Program Files\Multimedia Card Reader
2008-02-03 20:15 --------- d-----w C:\Program Files\MSN Messenger
2008-02-03 20:15 --------- d-----w C:\Program Files\MP3Downloading
2008-02-03 20:15 --------- d-----w C:\Program Files\iTunes
2008-02-03 14:42 --------- d-----w C:\Program Files\QuickTime
2008-01-28 00:09 --------- d-----w C:\Program Files\Java
2008-01-27 23:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-27 22:10 --------- d-----w C:\Program Files\Free Offers from Freeze.com
2008-01-27 21:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Roxio
2008-01-27 21:22 --------- d-----w C:\Program Files\eBay
2008-01-27 21:17 --------- d-----w C:\Program Files\Viewpoint
2008-01-27 21:17 --------- d-----w C:\Program Files\The Weather Channel FW
2008-01-27 21:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-27 21:11 --------- d-----w C:\Program Files\Yahoo!
2008-01-27 21:10 --------- d-----w C:\Program Files\Google
2008-01-18 10:46 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2007-12-31 16:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-12-29 20:46 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-29 20:19 --------- d-----w C:\Program Files\McAfee
2007-12-27 16:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\EbkReader
2007-12-23 15:14 --------- d-----w C:\Program Files\activePDF
2007-12-21 02:30 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-12-15 17:42 --------- d-----w C:\Program Files\InterActual
2005-04-19 22:08 56 -csh--r C:\WINDOWS\system32\B7E458F76E.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2008-02-02 16:01 50176]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2008-02-02 16:01 90112]
"HPHUPD05"="c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2008-02-02 16:01 49152]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-02-02 16:01 335872]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2008-02-02 16:01 139264]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2008-02-02 16:01 65536]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2008-02-02 16:01 319488]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2008-02-02 16:01 57344]
"MediaFace Integration"="C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe" [2008-02-02 16:01 53248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2008-02-02 16:01 144784]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-02-02 16:01 5367608]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-03 07:07 249896]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-29 19:04 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2008-01-29 19:03 868352 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2008-01-29 19:03 81920 C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

S2 ColdFusion MX 7 Search Server;ColdFusion MX 7 Search Server;"C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" []
S3 EvcapMaui;Emuzed EvcapMaui Device;C:\WINDOWS\system32\DRIVERS\EvcapMau.sys [2003-08-28 13:32]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-15 06:05:56 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-01-01 06:00:02 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 15:17:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
.
**************************************************************************
.
Completion time: 2008-02-03 15:21:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-03 20:20:57
ComboFix2.txt 2008-02-03 19:54:25
  • 0

#7
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Looks good

Do this

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


Then post a new HijackThis log and tell me how your PC is running
  • 0

#8
angigonefishin

angigonefishin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks..........

Is it OK for me to leave Safe Mode? It won't let me install otherwise.
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
You don't need to run that step in Safe Mode

It should be done from Normal Mode
  • 0

#10
angigonefishin

angigonefishin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/03/2008 at 04:52 PM

Application Version : 3.9.1008

Core Rules Database Version : 3394
Trace Rules Database Version: 1386

Scan type : Complete Scan
Total Scan Time : 01:01:44

Memory items scanned : 486
Memory threats detected : 0
Registry items scanned : 7535
Registry threats detected : 10
File items scanned : 50986
File threats detected : 17

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{82EA1A55-9CBC-404b-9D0C-E8BFB7EAAE9B}
HKCR\CLSID\{82EA1A55-9CBC-404B-9D0C-E8BFB7EAAE9B}
HKCR\CLSID\{82EA1A55-9CBC-404B-9D0C-E8BFB7EAAE9B}
HKCR\CLSID\{82EA1A55-9CBC-404B-9D0C-E8BFB7EAAE9B}#AppID
HKCR\CLSID\{82EA1A55-9CBC-404B-9D0C-E8BFB7EAAE9B}\InprocServer32
HKCR\CLSID\{82EA1A55-9CBC-404B-9D0C-E8BFB7EAAE9B}\InprocServer32#ThreadingModel
HKCR\CLSID\{82EA1A55-9CBC-404B-9D0C-E8BFB7EAAE9B}\ProgID
HKCR\CLSID\{82EA1A55-9CBC-404B-9D0C-E8BFB7EAAE9B}\TypeLib
HKCR\CLSID\{82EA1A55-9CBC-404B-9D0C-E8BFB7EAAE9B}\VersionIndependentProgID
C:\PROGRAM FILES\QDRDRIVE\QDRDRIVE10.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@roiservice[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt

Adware.AdSponsor/ISM
HKU\S-1-5-21-1032657129-3354846755-1890825710-500\Software\QdrModule
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\QDRDRIVE\QDRDRIVE10.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\QDRMODULE\QDRMODULE12.EXE.VIR

Adware.ClickSpring
C:\QooBox\Quarantine\C\Documents and Settings\Administrator\Application Data\SSTEM3~1\MDTCEX~1.VIR

Adware.MyWay
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL.VIR

Trojan.Downloader-Gen/DDC
C:\VUNDOFIX BACKUPS\GNQJPTTJ.EXE.BAD
  • 0

#11
angigonefishin

angigonefishin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:06:25 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CamMonitor] "c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe"
O4 - HKLM\..\Run: [HPHUPD05] "c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Sunkist2k] "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [MediaFace Integration] "C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ColdFusion MX 7 Search Server - Verity, Inc. - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8767 bytes
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

You have two anti-viruses, AntiVir and McAfee, so you need to remove one of these


1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



You can delete the tools that we used



You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here:
http://www.adobe.com.../readstep2.html



Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0
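The three HijackThis lines picked out above are the classic triage targets: entries whose target no longer exists ("(no file)", "(file missing)") and a Run-key value that names a bare executable. The following is an added example, not code from this thread, from Geeks to Go or from HijackThis: a small Python parser for the O2/O4/O9/O23 line format that flags those cases for review. The sample log is constructed from lines quoted in this thread, and the bare-image-name rule is my own heuristic, not a HijackThis feature.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
"""

ORPHAN_MARKERS = ("(no file)", "(file missing)")
LINE_RE = re.compile(r"^([ORFN]\d+) - (.*)$")          # "O4 - <body>"
O4_NAMED_RE = re.compile(r"\[([^\]]+)\] (.*)$")        # "[value name] command"
FIRST_TOKEN_RE = re.compile(r'^"([^"]+)"|^(\S+)')      # image path before switches


@dataclass
class Entry:
    kind: str                    # HijackThis section, e.g. "O4"
    name: str                    # BHO/button/service name or Run-key value name
    target: str                  # what the entry points at (path, URL or marker)
    raw: str
    flags: list = field(default_factory=list)


def parse_line(line):
    """Parse one HijackThis log line into an Entry, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group(1), m.group(2)
    if kind == "O4":
        named = O4_NAMED_RE.search(body)
        if named:                            # registry Run form: [name] command
            name, target = named.group(1), named.group(2)
        else:                                # startup-folder form: x.lnk = target
            name, _, target = body.split(": ", 1)[-1].partition(" = ")
    else:                                    # "Type: name - CLSID - target"
        parts = body.split(" - ")
        name, target = parts[0].split(": ", 1)[-1], parts[-1]
    return Entry(kind, name, target, line.strip())


def triage(entry):
    """Attach review flags; an empty list means nothing stood out."""
    if any(mk in entry.target for mk in ORPHAN_MARKERS):
        entry.flags.append("orphan: target file no longer exists")
    if entry.kind == "O4":
        first = FIRST_TOKEN_RE.match(entry.target)
        image = (first.group(1) or first.group(2)) if first else entry.target
        # Heuristic (mine): a Run value with no directory is resolved through the
        # search path, so the registry entry alone does not fix which binary runs.
        if "\\" not in image and not image.startswith("("):
            entry.flags.append("bare image name: resolved via the search path, review manually")
    return entry


def triage_log(text):
    """Return the Entries from a HijackThis log that carry at least one flag."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and triage(entry).flags:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.kind} {e.name!r}: {'; '.join(e.flags)}")
```

A flag is a prompt to look, not a fix list: the helper above chose to fix only three of the four entries this script flags from the same log.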

#13
angigonefishin

angigonefishin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Must have read 100 posts about how ComboFix didn't work, so do this...
So far so good,
McAfee is catching a few changes trying to occur. That's how it got in in the first place: I allowed it to download through McAfee as NTDVM.EXE; I thought it was a Windows Update download.

Antivir works really well, but I believe if I had deleted everything it wanted me to, I would have ruined my system.

Thanks again,
I'll post back if anything occurs.
  • 0

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0