Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Adware.vundo, Spyware.virtumondo, Trj/Proxy.BF [RESOLVED]


  • This topic is locked This topic is locked

#1
Betsyann

Betsyann

    New Member

  • Member
  • Pip
  • 7 posts
Malwarebytes' Anti-Malware 1.12
Database version: 732

Scan type: Quick Scan
Objects scanned: 39316
Time elapsed: 8 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 17
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 4
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\opnklmll.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\wotoierw.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a5b9461f-98db-45a1-8883-b61826227454} (Trojan.Vundo) -> Delete on

reboot.
HKEY_CLASSES_ROOT\CLSID\{a5b9461f-98db-45a1-8883-b61826227454} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{fb422e7b-3d5e-4d9b-84c2-91b6c888cde2} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fb422e7b-3d5e-4d9b-84c2-91b6c888cde2} (Trojan.Vundo) ->

Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvurollk (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\kernelexe (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dot1XCfg (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cc6e464a (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{fb422e7b-3d5e-4d9b-84c2-91b6c888cde2} (Trojan.Vundo) -> Quarantined

and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMcf5d75d6 (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.starsdoor.com (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\opnklmll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\opnklmll -> Delete on reboot.

Folders Infected:
C:\WINDOWS\system32\edcA17 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Dot1XCfg (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\bfmbydnp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pndybmfb.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dxotwyrd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drywtoxd.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnklmll.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\llmlknpo.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\llmlknpo.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wotoierw.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wreiotow.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvurollk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bnshjnwq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\diwnimep.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ilnebmal.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcanmtdq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qmimjvea.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qogaalqr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\scrxtpad.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wqpqtsse.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xnggriwg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xwugqisd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ygwljmti.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ngeyilfe.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Unist1.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Uninst2.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Howard\results.txt (Malware.Trace) -> Quarantined and deleted successfully.


Log from SuperAntiSpyware

SUPERAntiSpyware Scan Log
Generated 05/08/2008 at 09:20 PM

Application Version : 3.6.1000

Core Rules Database Version : 3456
Trace Rules Database Version: 1448

Scan type : Complete Scan
Total Scan Time : 01:25:30

Memory items scanned : 670
Memory threats detected : 0
Registry items scanned : 6354
Registry threats detected : 0
File items scanned : 73550
File threats detected : 1

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP


Log from Panda Active Scan:

;*******************************************************************************
*******************************************************************************

*********************
ANALYSIS: 2008-05-08 23:09:02
PROTECTIONS: 1
MALWARE: 5
SUSPECTS: 0
;*******************************************************************************
*******************************************************************************

*********************
PROTECTIONS
Description Version Active Updated
;===============================================================================
===============================================================================

=====================
McAfee VirusScan Yes Yes
;===============================================================================
===============================================================================

=====================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
===============================================================================

=====================
02935949 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\ddwolwcs.dll
02936725 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\ljebjgyg.dll
02936951 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\bfrfaakv.dll
02936951 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\niiumowp.dll
02937210 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\cdryfctt.dll
02938511 Trj/Proxy.BF Virus/Trojan No 1 Yes No C:\System Volume

Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000065.dll
;===============================================================================
===============================================================================

=====================
SUSPECTS
Sent Location





ew
;===============================================================================
===============================================================================

=====================
;===============================================================================
===============================================================================

=====================
VULNERABILITIES
Id Severity Description





ew
;===============================================================================
===============================================================================

=====================
;===============================================================================
===============================================================================

=====================


Log from Hijack This

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:40 PM, on 5/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Mcafee\MWL\MwlSvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mcafee\MWL\MwlGui.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Harmony Remote\EasyZapperMonitor.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Logitech\Harmony Remote\EasyZapperManagerExe.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\downloads\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: {3aedc904-6eb2-6f4b-8754-531051955ba1} - {1ab55915-0135-4578-b4f6-2be6409cdea3} - C:\WINDOWS\system32\bxfpjrnh.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[email protected]
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [MWLExe] C:\PROGRA~1\Mcafee\MWL\MWLGuiSt.exe
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q c:\DOCUME~1\howard\LOCALS~1\temp\CITRIX~1\GOTOAS~1\514\log1CC.SH!

c:\DOCUME~1\howard\LOCALS~1\temp\CITRIX~1\GOTOAS~1\514.SH! c:\DOCUME~1\howard\LOCALS~1\temp\CITRIX~1\GOTOAS~1.SH! c:\DOCUME~1\howard\LOCALS~1\temp\CITRIX~1.SH!

c:\DOCUME~1\howard\LOCALS~1\temp\Citrix\GOTOAS~1\514\g2a1CD.SH! c:\DOCUME~1\howard\LOCALS~1\temp\Citrix\GOTOAS~1\514.SH!

c:\DOCUME~1\howard\LOCALS~1\temp\Citrix\GOTOAS~1.SH! c:\DOCUME~1\howard\LOCALS~1\temp\Citrix.SH!
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Harmony Monitor.lnk = C:\Program Files\Logitech\Harmony Remote\EasyZapperMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://www.update.mi...b?1208376748453
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop

Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support

Center\bin\sprtsvc.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12421 bytes


Description of problems(s):

The main problem was a continuous message on boot up that stated, "Explorer.EXE - Bad Image. The application or DSS C:\windows\system32\wvurollk.dll is not a valid windows image. Please check against your installation disk." This message would also appear if we tried to execute an application. On the internet we would get redirected to undesired sights. I have worked with McAfee for a about a week and a half anthey alsways gave me the same 'DOS' scan program to run. This never solved my problem and the last McAfee tech said that it was a system problem and I should contact Dell. I was conviced that it was a virus since I was being redirected to unwanted websites. I have followed your instructions and the virus scans have discovered many infected files. The free based Panda Online scan found 5 infectins but would only remove 1 oof them. I am no longer getting the "Explorer.EXE - Bad Image" message, but I'm still infected because when I downloaded the "Hijack" application I was redirected to another website. I tried to download the Service Pack SP1a but microsoft would only install the Service Pack 3 when I clicked on the SP1a link. After reboot, I received a message saying that "wmiprvse.exe wanted access" I couldn't figure out if this was legit or not and therefore didn't allow access. I tried to call Microsoft about this but didn't find any help. I didn't want to get back on the internet to
look up the information. I tried my best to follow all the Malware Cleaning Guide and I think I did it all correctly. Thank-you for your help.


Log from Uninstall Manager

3300 Software Uninstall
924PLC32
ABBYY FineReader 6.0 Sprint
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
AOLIcon
Bluetooth Stack for Windows by Toshiba
Broadcom Management Programs
Cisco SSL VPN Client
CleanCache 3.3
Conexant HDA D110 MDC V.92 Modem
Dell Digital Jukebox Driver
Dell Game Console
Dell Media Experience
Dell Photo AIO Printer 924
Dell Support Center
DellSupport
Desktop Maestro 2.0
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
EarthLink setup files
EducateU
ELIcon
Games, Music, & Photos Launcher
Garmin WebUpdater
Get High Speed Internet!
Google Desktop
Google Earth
Google SketchUp 6
Google SketchUp 6
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Intel® PROSet/Wireless Software
Internet Service Offers Launcher
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Learn2 Player (Uninstall Only)
Logitech Desktop Messenger
Logitech Harmony Remote
Malwarebytes' Anti-Malware
McAfee SecurityCenter
mCore
MCU
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2003
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIWA
mLogView
mMHouse
Modem Helper
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
mWlsSafe
mWMI
mZConfig
NetWaiting
NetZeroInstallers
NVIDIA Drivers
Panda ActiveScan 2.0
PowerDVD 5.7
QuickSet
QuickTime
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB941569)
Sonic DLA
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SUPERAntiSpyware Free Edition
Synaptics Pointing Device Driver
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2006
URL Assistant
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WexTech AnswerWorks
WildTangent Web Driver
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WordPerfect Office 12
  • 0

Advertisements


#2
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hello,

Are you currently still having problems? Because I see Malwarebytes' Anti-Malware already removed the malware.


After reboot, I received a message saying that "wmiprvse.exe wanted access" I couldn't figure out if this was legit or not and therefore didn't allow access

Yes, that one is legitimate: http://www.liutiliti...brary/wmiprvse/
  • 0

#3
Betsyann

Betsyann

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thank-you for responding.

1. Yes, I think so. I got redirected on the internet again this morning. So, I decided to run the PandaOnline again and it gave the following:

;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-05-10 08:25:57
PROTECTIONS: 1
MALWARE: 20
SUSPECTS: 0
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
McAfee VirusScan Yes Yes
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Howard\Cookies\[email protected][1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Howard\Cookies\[email protected][1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Howard\Cookies\[email protected][2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Howard\Cookies\[email protected][2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Howard\Cookies\[email protected][1].txt
00160284 Cookie/Findwhat TrackingCookie No 0 Yes No C:\Documents and Settings\Howard\Cookies\[email protected][1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Howard\Cookies\[email protected][2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Howard\Cookies\[email protected][2].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Howard\Cookies\[email protected][2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Howard\Cookies\[email protected][1].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Howard\Cookies\[email protected][1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Howard\Cookies\[email protected][2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Howard\Cookies\[email protected][1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Howard\Cookies\[email protected][2].txt
02935949 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\ddwolwcs.dll
02936725 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\ljebjgyg.dll
02936951 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\niiumowp.dll
02936951 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\bfrfaakv.dll
02937210 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\cdryfctt.dll
02940782 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000420.dll
02940782 Spyware/Virtumonde Spyware No 1 Yes No C:\VundoFix Backups\vgluqoqu.dll.bad
02940899 Spyware/Virtumonde Spyware Yes 2 Yes No C:\WINDOWS\SYSTEM32\BXFPJRNH.DLL
02940899 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\makekqgo.dll
;===============================================================================
=================================================================================
===================

2. I then ran VundoFix program and it found and deleted the following:

jjehkymw
tihoxuq
vgluqoqu
vyjgdvcu
yeluttku


Should I start the process all over again? How will I know if my system is clean?

Thanks so much.
  • 0

#4
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#5
Betsyann

Betsyann

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks. I ran the programs and I have copied the logs below. Please note that when ComboFix was completed I also received an error message that stated: Generic Host Process for Win32 Services has encountered a problem and needs to close." However, the ComboFix program appeared to have finished.

ComboFix Log is as follows:

ComboFix 08-05-11.1 - Howard 2008-05-11 19:46:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1422 [GMT -5:00]
Running from: C:\Documents and Settings\Howard\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Howard\Desktop\WinXP_EN_PRO_BF.EXE
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aagrjkbl.ini
C:\WINDOWS\system32\bfrfaakv.dll
C:\WINDOWS\system32\bxfpjrnh.dll
C:\WINDOWS\system32\cdryfctt.dll
C:\WINDOWS\system32\ddwolwcs.dll
C:\WINDOWS\system32\gqbtfmxc.ini
C:\WINDOWS\system32\jlorqaui.ini
C:\WINDOWS\system32\ljebjgyg.dll
C:\WINDOWS\system32\makekqgo.dll
C:\WINDOWS\system32\mwqudldb.dll
C:\WINDOWS\system32\niiumowp.dll
C:\WINDOWS\system32\oaymhlom.dll
C:\WINDOWS\system32\oktgdkys.dll
C:\WINDOWS\system32\opnklmll.dll
C:\WINDOWS\system32\rjtvljyl.ini
C:\WINDOWS\system32\rosetwqt.ini
C:\WINDOWS\system32\rtlouobm.ini
C:\WINDOWS\system32\skjnrhaq.ini
C:\WINDOWS\system32\vhrudfug.ini
C:\WINDOWS\system32\xmrogbys.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NWSAPAGENT
-------\Service_NwSapAgent


((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-09 22:58 . 2008-05-09 23:31 <DIR> d-------- C:\VundoFix Backups
2008-05-09 22:55 . 2008-05-09 22:55 <DIR> d-------- C:\Program Files\Sun
2008-05-09 22:55 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-09 22:38 . 2008-05-09 22:38 <DIR> d-------- C:\Documents and Settings\Mary\Application Data\McAfee
2008-05-08 21:38 . 2008-05-08 21:44 <DIR> d-------- C:\Program Files\Panda Security
2008-05-08 19:49 . 2008-05-08 21:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-08 19:49 . 2008-05-08 19:49 <DIR> d-------- C:\Documents and Settings\Howard\Application Data\SUPERAntiSpyware.com
2008-05-08 19:49 . 2008-05-08 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-08 19:47 . 2008-05-08 19:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-08 19:30 . 2008-05-08 19:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-08 19:30 . 2008-05-08 19:30 <DIR> d-------- C:\Documents and Settings\Howard\Application Data\Malwarebytes
2008-05-08 19:30 . 2008-05-08 19:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-08 19:30 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-08 19:30 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-08 19:29 . 2008-05-08 19:29 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-08 18:56 . 2008-05-09 22:58 <DIR> d-------- C:\downloads
2008-05-08 11:18 . 2008-05-08 11:18 2,112 --a------ C:\WINDOWS\system32\ywtuvead.exe
2008-05-06 21:16 . 2008-05-06 21:16 2,112 --a------ C:\WINDOWS\system32\pranynnf.exe
2008-05-06 20:42 . 2008-05-06 20:42 47,123,920 --a------ C:\sdat5289.exe
2008-05-06 20:14 . 2008-05-06 20:30 354 ---hs---- C:\WINDOWS\system32\jiesegyq.ini
2008-04-30 14:05 . 2008-04-30 14:32 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-04-28 08:23 . 2008-04-28 08:23 <DIR> d-------- C:\Documents and Settings\Mary\Application Data\SiteAdvisor
2008-04-27 19:01 . 2007-01-02 18:16 86,848 --a------ C:\WINDOWS\system32\drivers\WscNetDr.sys
2008-04-27 18:53 . 2008-05-09 23:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-04-27 18:53 . 2008-05-11 19:49 6,645 --a------ C:\WINDOWS\system32\Config.MPF
2008-04-27 18:52 . 2008-04-30 13:58 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-04-27 18:52 . 2008-05-02 17:12 <DIR> d-------- C:\Documents and Settings\Howard\Application Data\SiteAdvisor
2008-04-27 18:50 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-04-27 18:47 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-04-27 18:46 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-04-27 18:46 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-04-27 18:46 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-04-27 18:46 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-04-27 18:46 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-04-27 18:44 . 2008-04-27 18:45 <DIR> d-------- C:\Program Files\McAfee.com
2008-04-27 18:44 . 2008-05-08 18:24 <DIR> d-------- C:\Program Files\McAfee
2008-04-27 18:44 . 2008-04-27 18:46 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-25 20:49 . 2008-04-30 12:37 <DIR> d-------- C:\Documents and Settings\Howard\Application Data\McAfee
2008-04-25 20:42 . 2008-05-11 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-25 20:27 . 2008-04-30 12:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-25 20:25 . 2008-04-30 10:36 <DIR> d-------- C:\McAfee Install
2008-04-25 00:00 . 2008-05-06 20:46 <DIR> d-------- C:\SDAT
2008-04-24 23:58 . 2008-04-24 23:58 45,433,378 --a------ C:\sdat5281.exe
2008-04-24 22:25 . 2008-04-24 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-04-24 22:18 . 2008-04-24 22:18 61,224 --a------ C:\Documents and Settings\Howard\GoToAssistDownloadHelper.exe
2008-04-24 09:12 . 2008-04-24 09:13 <DIR> d-------- C:\Program Files\RegClean
2008-04-24 08:44 . 2008-04-24 08:48 <DIR> d-------- C:\Program Files\XoftSpySE
2008-04-24 08:27 . 2008-04-24 08:28 <DIR> d-------- C:\Documents and Settings\Howard\Application Data\ErrorSmart
2008-04-23 15:20 . 2008-04-23 15:20 <DIR> d-------- C:\WINDOWS\system32\en
2008-04-23 15:20 . 2008-04-23 15:20 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-19 17:54 . 2008-04-19 17:54 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-04-19 17:54 . 2008-04-19 17:54 <DIR> d-------- C:\WINDOWS\l2schemas
2008-04-19 17:50 . 2008-04-19 17:50 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-19 17:24 . 2008-05-08 19:05 109,752 --a------ C:\WINDOWS\BMcf5d75d6.xml
2008-04-18 09:25 . 2008-04-27 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-17 13:00 . 2008-04-17 13:00 <DIR> d-------- C:\Documents and Settings\Howard\Application Data\Desktop Mechanic
2008-04-17 12:51 . 2008-04-30 14:26 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-17 12:50 . 2008-04-30 14:26 <DIR> d-------- C:\Program Files\Desktop Maestro
2008-04-17 12:37 . 2008-03-20 15:05 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-04-17 12:14 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-17 12:14 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-16 15:09 . 2008-04-17 18:43 62,663 ---hs---- C:\WINDOWS\system32\tuevpodo.ini
2008-04-15 14:58 . 2008-04-16 15:03 29,173 ---hs---- C:\WINDOWS\system32\iiwymfnb.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 00:10 --------- d-----w C:\Program Files\Dl_cats
2008-05-10 03:55 --------- d-----w C:\Program Files\Java
2008-04-30 19:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-27 17:32 --------- d-----w C:\Program Files\Shop'NCook 3.4
2008-03-20 20:07 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-03-20 20:07 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-03-20 20:07 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-03-20 20:07 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-03-20 20:05 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-03-20 14:51 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-03-20 14:42 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-03-20 14:42 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-03-20 14:42 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-03-20 14:42 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-03-20 14:41 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-03-20 14:41 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-03-20 14:41 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-03-20 14:41 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-03-20 14:41 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-03-20 14:40 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-03-20 14:39 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-03-20 14:39 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-03-20 14:39 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-03-20 14:38 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-03-20 14:38 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-03-20 14:38 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-03-20 14:37 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-03-20 14:37 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-03-20 14:37 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-03-20 14:36 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-03-20 14:36 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-03-20 14:21 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-03-20 14:21 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-03-20 14:21 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-03-20 14:18 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-03-20 14:18 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-03-20 14:18 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-03-20 14:18 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-03-20 14:18 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-03-20 14:18 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-03-20 14:18 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-03-20 14:17 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-03-20 14:17 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-03-20 14:17 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-03-20 14:17 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-03-20 14:17 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-03-20 14:17 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-03-20 14:16 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-03-20 14:16 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-03-20 14:16 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-03-20 14:16 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-03-20 14:15 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-03-20 14:14 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-03-20 14:13 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-03-20 14:13 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-03-20 14:13 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-03-20 14:13 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-03-20 14:11 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-03-20 14:11 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-03-20 14:11 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-03-20 14:11 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-03-20 14:11 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-03-20 14:10 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-03-20 14:10 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-03-20 14:10 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-03-20 14:10 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-03-20 14:10 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-03-20 14:10 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
2008-03-20 14:10 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys
2008-03-20 14:09 61,696 ----a-w C:\WINDOWS\system32\drivers\ohci1394.sys
2008-03-20 14:09 59,520 ----a-w C:\WINDOWS\system32\drivers\usbhub.sys
2008-03-20 14:09 53,376 ----a-w C:\WINDOWS\system32\drivers\1394bus.sys
2008-03-20 14:09 32,128 ----a-w C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-20 14:09 30,208 ----a-w C:\WINDOWS\system32\drivers\usbehci.sys
2008-03-20 14:09 25,728 ----a-w C:\WINDOWS\system32\drivers\usbcamd2.sys
2008-03-20 14:09 25,600 ----a-w C:\WINDOWS\system32\drivers\usbcamd.sys
2008-03-20 14:09 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-03-20 14:09 20,608 ----a-w C:\WINDOWS\system32\drivers\usbuhci.sys
2008-03-20 14:09 15,872 ----a-w C:\WINDOWS\system32\drivers\usbintel.sys
2008-03-20 14:09 143,872 ----a-w C:\WINDOWS\system32\drivers\usbport.sys
2008-03-20 14:09 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-03-20 14:07 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-03-20 14:07 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-20 14:07 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-03-20 14:06 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-03-20 14:06 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-03-20 14:05 15,104 ----a-w C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-20 14:04 8,576 ----a-w C:\WINDOWS\system32\drivers\i2omgmt.sys
2008-03-20 14:04 18,560 ----a-w C:\WINDOWS\system32\drivers\i2omp.sys
2008-03-20 14:02 80,128 ----a-w C:\WINDOWS\system32\drivers\parport.sys
2008-03-20 14:02 7,552 ----a-w C:\WINDOWS\system32\drivers\mskssrv.sys
2008-03-20 14:02 5,376 ----a-w C:\WINDOWS\system32\drivers\mspclock.sys
2008-03-20 14:02 42,368 ----a-w C:\WINDOWS\system32\drivers\mountmgr.sys
2008-03-20 14:02 4,992 ----a-w C:\WINDOWS\system32\drivers\mspqm.sys
2008-03-20 14:02 4,352 ----a-w C:\WINDOWS\system32\drivers\swenum.sys
2008-03-20 14:02 384,768 ----a-w C:\WINDOWS\system32\drivers\update.sys
2008-03-20 14:02 27,392 ----a-w C:\WINDOWS\system32\drivers\fdc.sys
2008-03-20 14:02 24,576 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-03-20 14:02 23,040 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
2008-03-20 14:02 20,480 ----a-w C:\WINDOWS\system32\drivers\flpydisk.sys
2006-07-10 17:36 88 --sh--r C:\WINDOWS\system32\22663F16EE.sys
2006-10-14 06:29 56 --sh--r C:\WINDOWS\system32\8D9E8CEEC2.sys
2006-07-22 21:48 56 --sh--r C:\WINDOWS\system32\EE163F6622.sys
2006-11-16 14:23 8,246 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 02:24 20480]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-03-20 15:06 1695232]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-26 18:03 67128]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-03-20 15:06 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-07 16:33 68856]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-21 05:03 7557120]
"nwiz"="nwiz.exe" [2006-03-21 05:03 1519616 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2006-03-21 05:03 73728 C:\WINDOWS\system32\nvhotkey.dll]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 13:48 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 14:35 397312 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 14:58 1032192]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 20:29 49152]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 01:02 86016]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-06-14 00:58 169472]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-14 00:48 98304]
"DLCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-13 17:50 73728]
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-20 19:40 430080]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 17:32 823296]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 17:30 974848]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 06:33 122941]
"RegistryMechanic"="" []
"DesktopMechanic"="" []
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 16:57 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"MWLExe"="C:\PROGRA~1\Mcafee\MWL\MWLGuiSt.exe" [2007-07-28 09:32 206184]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 17:46:00 1724416]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-14 00:43:30 24576]
Harmony Monitor.lnk - C:\Program Files\Logitech\Harmony Remote\EasyZapperMonitor.exe [2004-01-20 11:47:34 81920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dlcccoms.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlccPSWX.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\McAfee\\MWL\\MwlSvc.exe"=

R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;C:\WINDOWS\system32\DRIVERS\CSVirtA.sys [2007-01-15 08:33]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-09 09:52:37 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart.Howard+Runs ErrorSmart to optimize your registry.
"2008-04-27 23:45:47 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-05-01 06:00:05 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 20:06:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Cisco Systems\SSL VPN Client\Agent.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Logitech\Harmony Remote\EasyZapperManagerExe.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
.
**************************************************************************
.
Completion time: 2008-05-11 20:13:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-12 01:13:04

Pre-Run: 76,805,828,608 bytes free
Post-Run: 76,734,496,768 bytes free

WinXP_EN_PRO_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

346 --- E O F --- 2008-05-10 20:20:06

Hijackthis_log_after_comboFix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:30 PM, on 5/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Harmony Remote\EasyZapperMonitor.exe
C:\Program Files\Logitech\Harmony Remote\EasyZapperManagerExe.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\downloads\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[email protected]
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [MWLExe] C:\PROGRA~1\Mcafee\MWL\MWLGuiSt.exe
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Harmony Monitor.lnk = C:\Program Files\Logitech\Harmony Remote\EasyZapperMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1208376748453
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12269 bytes

Thank-you.
  • 0

#6
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Please uninstall RegClean via software > add and remove programs if still present.

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\BMcf5d75d6.xml
C:\WINDOWS\system32\ywtuvead.exe
C:\WINDOWS\system32\pranynnf.exe
C:\WINDOWS\system32\jiesegyq.ini
C:\WINDOWS\system32\tuevpodo.ini
C:\WINDOWS\system32\iiwymfnb.ini
Folder::
C:\Program Files\RegClean
C:\Documents and Settings\Howard\Application Data\ErrorSmart
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"=-
"DesktopMechanic"=-


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

Edited by miekiemoes, 12 May 2008 - 12:20 AM.

  • 0

#7
Betsyann

Betsyann

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
FYI - I rebooted after running ComboFix and received the following message: "End Program 494D195AOEFE4E50ADBCB20A1123EEDA". A rather weird program name???

Here's the ComboFix Log:

ComboFix 08-05-11.1 - Howard 2008-05-12 18:23:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1505 [GMT -5:00]
Running from: C:\Documents and Settings\Howard\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Howard\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMcf5d75d6.xml
C:\WINDOWS\system32\iiwymfnb.ini
C:\WINDOWS\system32\jiesegyq.ini
C:\WINDOWS\system32\pranynnf.exe
C:\WINDOWS\system32\tuevpodo.ini
C:\WINDOWS\system32\ywtuvead.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Howard\Application Data\ErrorSmart
C:\Documents and Settings\Howard\Application Data\ErrorSmart\Log\2008 Apr 24 - 08_27_45 AM_765.log
C:\Documents and Settings\Howard\Application Data\ErrorSmart\Registry Backups\2008-04-24_08-28-37.reg
C:\WINDOWS\BMcf5d75d6.xml
C:\WINDOWS\system32\iiwymfnb.ini
C:\WINDOWS\system32\jiesegyq.ini
C:\WINDOWS\system32\pranynnf.exe
C:\WINDOWS\system32\tuevpodo.ini
C:\WINDOWS\system32\ywtuvead.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-09 22:58 . 2008-05-09 23:31 <DIR> d-------- C:\VundoFix Backups
2008-05-09 22:55 . 2008-05-09 22:55 <DIR> d-------- C:\Program Files\Sun
2008-05-09 22:55 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-09 22:38 . 2008-05-09 22:38 <DIR> d-------- C:\Documents and Settings\Mary\Application Data\McAfee
2008-05-08 21:38 . 2008-05-08 21:44 <DIR> d-------- C:\Program Files\Panda Security
2008-05-08 19:49 . 2008-05-12 17:44 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-08 19:49 . 2008-05-08 19:49 <DIR> d-------- C:\Documents and Settings\Howard\Application Data\SUPERAntiSpyware.com
2008-05-08 19:49 . 2008-05-08 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-08 19:47 . 2008-05-08 19:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-08 19:30 . 2008-05-08 19:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-08 19:30 . 2008-05-08 19:30 <DIR> d-------- C:\Documents and Settings\Howard\Application Data\Malwarebytes
2008-05-08 19:30 . 2008-05-08 19:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-08 19:30 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-08 19:30 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-08 19:29 . 2008-05-08 19:29 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-08 18:56 . 2008-05-12 17:56 <DIR> d-------- C:\downloads
2008-05-06 20:42 . 2008-05-06 20:42 47,123,920 --a------ C:\sdat5289.exe
2008-04-30 14:05 . 2008-04-30 14:32 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-04-28 08:23 . 2008-04-28 08:23 <DIR> d-------- C:\Documents and Settings\Mary\Application Data\SiteAdvisor
2008-04-27 19:01 . 2007-01-02 18:16 86,848 --a------ C:\WINDOWS\system32\drivers\WscNetDr.sys
2008-04-27 18:53 . 2008-05-09 23:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-04-27 18:53 . 2008-05-12 18:22 6,775 --a------ C:\WINDOWS\system32\Config.MPF
2008-04-27 18:52 . 2008-04-30 13:58 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-04-27 18:52 . 2008-05-02 17:12 <DIR> d-------- C:\Documents and Settings\Howard\Application Data\SiteAdvisor
2008-04-27 18:50 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-04-27 18:47 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-04-27 18:46 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-04-27 18:46 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-04-27 18:46 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-04-27 18:46 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-04-27 18:46 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-04-27 18:44 . 2008-04-27 18:45 <DIR> d-------- C:\Program Files\McAfee.com
2008-04-27 18:44 . 2008-05-08 18:24 <DIR> d-------- C:\Program Files\McAfee
2008-04-27 18:44 . 2008-04-27 18:46 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-25 20:49 . 2008-04-30 12:37 <DIR> d-------- C:\Documents and Settings\Howard\Application Data\McAfee
2008-04-25 20:42 . 2008-05-11 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-25 20:27 . 2008-04-30 12:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-25 20:25 . 2008-04-30 10:36 <DIR> d-------- C:\McAfee Install
2008-04-25 00:00 . 2008-05-06 20:46 <DIR> d-------- C:\SDAT
2008-04-24 23:58 . 2008-04-24 23:58 45,433,378 --a------ C:\sdat5281.exe
2008-04-24 22:25 . 2008-04-24 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-04-24 22:18 . 2008-04-24 22:18 61,224 --a------ C:\Documents and Settings\Howard\GoToAssistDownloadHelper.exe
2008-04-24 08:44 . 2008-04-24 08:48 <DIR> d-------- C:\Program Files\XoftSpySE
2008-04-23 15:20 . 2008-04-23 15:20 <DIR> d-------- C:\WINDOWS\system32\en
2008-04-23 15:20 . 2008-04-23 15:20 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-19 17:54 . 2008-04-19 17:54 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-04-19 17:54 . 2008-04-19 17:54 <DIR> d-------- C:\WINDOWS\l2schemas
2008-04-19 17:50 . 2008-04-19 17:50 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-18 09:25 . 2008-04-27 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-17 13:00 . 2008-04-17 13:00 <DIR> d-------- C:\Documents and Settings\Howard\Application Data\Desktop Mechanic
2008-04-17 12:51 . 2008-04-30 14:26 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-17 12:50 . 2008-04-30 14:26 <DIR> d-------- C:\Program Files\Desktop Maestro
2008-04-17 12:37 . 2008-03-20 15:05 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-04-17 12:14 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-17 12:14 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 22:53 --------- d-----w C:\Program Files\Dl_cats
2008-05-10 03:55 --------- d-----w C:\Program Files\Java
2008-04-30 19:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-27 17:32 --------- d-----w C:\Program Files\Shop'NCook 3.4
2008-03-21 06:36 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-03-21 06:36 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-03-21 06:36 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-03-20 20:19 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-03-20 20:10 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-03-20 20:06 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-03-20 20:05 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
2008-03-20 20:04 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-03-20 20:02 285,696 ----a-w C:\WINDOWS\system32\atmfd.dll
2008-03-20 20:02 16,896 ----a-w C:\WINDOWS\system32\cfgmgr32.dll
2008-03-20 14:51 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-03-20 14:51 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-20 14:47 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-03-20 14:42 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-03-20 14:42 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-03-20 14:42 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-03-20 14:42 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-03-20 14:41 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-03-20 14:41 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-03-20 14:41 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-03-20 14:41 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-03-20 14:41 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-03-20 14:40 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-03-20 14:39 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-03-20 14:39 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-03-20 14:39 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-03-20 14:38 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-03-20 14:38 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-03-20 14:38 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-03-20 14:37 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-03-20 14:37 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-03-20 14:37 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-03-20 14:36 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-03-20 14:36 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-03-20 14:21 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-03-20 14:21 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-03-20 14:21 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-03-20 14:18 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-03-20 14:18 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-03-20 14:18 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-03-20 14:18 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-03-20 14:18 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-03-20 14:18 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-03-20 14:18 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-03-20 14:17 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-03-20 14:17 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-03-20 14:17 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-03-20 14:17 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-03-20 14:17 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-03-20 14:17 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-03-20 14:16 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-03-20 14:16 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-03-20 14:16 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-03-20 14:16 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-03-20 14:15 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-03-20 14:14 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-03-20 14:13 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-03-20 14:13 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-03-20 14:13 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-03-20 14:13 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-03-20 14:11 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-03-20 14:11 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-03-20 14:11 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-03-20 14:11 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-03-20 14:11 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-03-20 14:10 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-03-20 14:10 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-03-20 14:10 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-03-20 14:10 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-03-20 14:10 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-03-20 14:10 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
2008-03-20 14:10 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys
2008-03-20 14:09 61,696 ----a-w C:\WINDOWS\system32\drivers\ohci1394.sys
2008-03-20 14:09 59,520 ----a-w C:\WINDOWS\system32\drivers\usbhub.sys
2008-03-20 14:09 53,376 ----a-w C:\WINDOWS\system32\drivers\1394bus.sys
2008-03-20 14:09 32,128 ----a-w C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-20 14:09 30,208 ----a-w C:\WINDOWS\system32\drivers\usbehci.sys
2008-03-20 14:09 25,728 ----a-w C:\WINDOWS\system32\drivers\usbcamd2.sys
2008-03-20 14:09 25,600 ----a-w C:\WINDOWS\system32\drivers\usbcamd.sys
2008-03-20 14:09 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-03-20 14:09 20,608 ----a-w C:\WINDOWS\system32\drivers\usbuhci.sys
2008-03-20 14:09 15,872 ----a-w C:\WINDOWS\system32\drivers\usbintel.sys
2008-03-20 14:09 143,872 ----a-w C:\WINDOWS\system32\drivers\usbport.sys
2008-03-20 14:09 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-03-20 14:07 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-03-20 14:07 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-20 14:07 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-03-20 14:06 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-03-20 14:06 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-03-20 14:05 15,104 ----a-w C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-20 14:04 8,576 ----a-w C:\WINDOWS\system32\drivers\i2omgmt.sys
2008-03-20 14:04 18,560 ----a-w C:\WINDOWS\system32\drivers\i2omp.sys
2008-03-20 14:02 80,128 ----a-w C:\WINDOWS\system32\drivers\parport.sys
2008-03-20 14:02 7,552 ----a-w C:\WINDOWS\system32\drivers\mskssrv.sys
2008-03-20 14:02 5,376 ----a-w C:\WINDOWS\system32\drivers\mspclock.sys
2008-03-20 14:02 42,368 ----a-w C:\WINDOWS\system32\drivers\mountmgr.sys
2006-07-10 17:36 88 --sh--r C:\WINDOWS\system32\22663F16EE.sys
2006-10-14 06:29 56 --sh--r C:\WINDOWS\system32\8D9E8CEEC2.sys
2006-07-22 21:48 56 --sh--r C:\WINDOWS\system32\EE163F6622.sys
2006-11-16 14:23 8,246 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_20.12.49.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-12 00:50:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-12 16:24:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-12 00:02:24 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-12 22:48:29 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-12 00:02:24 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-12 22:48:29 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 02:24 20480]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-03-20 15:06 1695232]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-26 18:03 67128]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-03-20 15:06 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-07 16:33 68856]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-12 17:44 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-21 05:03 7557120]
"nwiz"="nwiz.exe" [2006-03-21 05:03 1519616 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2006-03-21 05:03 73728 C:\WINDOWS\system32\nvhotkey.dll]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 13:48 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 14:35 397312 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 14:58 1032192]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 20:29 49152]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 01:02 86016]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-06-14 00:58 169472]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-14 00:48 98304]
"DLCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-13 17:50 73728]
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-20 19:40 430080]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 17:32 823296]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 17:30 974848]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 06:33 122941]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 16:57 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"MWLExe"="C:\PROGRA~1\Mcafee\MWL\MWLGuiSt.exe" [2007-07-28 09:32 206184]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 17:46:00 1724416]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-14 00:43:30 24576]
Harmony Monitor.lnk - C:\Program Files\Logitech\Harmony Remote\EasyZapperMonitor.exe [2004-01-20 11:47:34 81920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-12 17:44 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dlcccoms.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlccPSWX.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\McAfee\\MWL\\MwlSvc.exe"=

R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;C:\WINDOWS\system32\DRIVERS\CSVirtA.sys [2007-01-15 08:33]

*Newly Created Service* - CATCHME
*Newly Created Service* - SASDIFSV
.
Contents of the 'Scheduled Tasks' folder
"2008-05-09 09:52:37 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart.Howard+Runs ErrorSmart to optimize your registry.
"2008-04-27 23:45:47 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-05-01 06:00:05 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 18:26:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-12 18:27:35
ComboFix-quarantined-files.txt 2008-05-12 23:27:31
ComboFix2.txt 2008-05-12 01:13:11

Pre-Run: 76,763,336,704 bytes free
Post-Run: 76,742,238,208 bytes free

293 --- E O F --- 2008-05-10 20:20:06


Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:36 PM, on 5/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Harmony Remote\EasyZapperMonitor.exe
C:\Program Files\Logitech\Harmony Remote\EasyZapperManagerExe.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Mcafee\MWL\MwlSvc.exe
C:\Program Files\Mcafee\MWL\MwlGui.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\downloads\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[email protected]
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [MWLExe] C:\PROGRA~1\Mcafee\MWL\MWLGuiSt.exe
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Harmony Monitor.lnk = C:\Program Files\Logitech\Harmony Remote\EasyZapperMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1208376748453
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12493 bytes


thanks - mary
  • 0

#8
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
  • 0

#9
Betsyann

Betsyann

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi,

I think all is well. I can get on the internet and the Google search is once again working and I don't have any more pop-ups during boot-up like I did when I first submitted my problems.

How will I know that my computer is clean? Also, I now have SuperAntiSpy (free edition) on my computer. Should I delete it since I also have McAfee Total Protection? Although, I don't think McAfee protected me very well; and they weren't able to disinfect my computer.

I'm so pleased with your help. You were very straight forward, gave clear instructions and obviously you have earned your "expert" stripes.

thank-you,
Mary

Edited by Betsyann, 13 May 2008 - 04:42 AM.

  • 0

#10
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Well the logs don't show any signs of malware anymore, so you should be OK here. There *may be some leftovers present that logs won't show, but let your SuperAntispyware deal with it. The main infection is gone anyway and whatever that is leftover won't reload it anyway again. And to be honest, I don't think any leftovers will be present anyway.

If you're not satisfied with McAfee - and in case you didn't purchase it, then it may indeed be better to install another Antivirus.
Look in my signature below for the ones I recommend.

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
  • 0

#11
Betsyann

Betsyann

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi again,

I'm reading through all your advice and taking it to heart. I really did think that we were doing all that we could to be protected but realize now that there's a lot more for that we need to do. Thank you.

I couldn't find a way to uninstall Internet Explorer. Should I just disable it or do you know of a way to get rid of it?
  • 0

#12
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Why should you uninstall Internet Explorer? IE is still needed, to get Windows updates, to open sites that won't open in another browser etc etc... :)
Just use another browser (Firefox for example) and set it as your default browser.
  • 0

#13
Betsyann

Betsyann

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Miekiemoes,

Okay, I'll keep IE installed but I'll use another browser. Thank-you so much for all your help. This was truly a great experience and the first time I've been part of this forum. I still have questions but they don't have to do with Malware removal so I'll search for information and I may eventually post a new topic. It's so nice to find someone who is not only willing to help but is truly an expert. We can mark this as resolved. Thanks again. :)
  • 0

#14
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
You're most welcome :)
  • 0

#15
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP