Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Limited Network, Nasty Pop ups [RESOLVED]


  • This topic is locked This topic is locked

#1
slicedice2k

slicedice2k

    Member

  • Member
  • PipPip
  • 13 posts
So, I've got something nasty, just can't figure out how to remove it. I ran Mcaffee, Sybot S & D, and tried to figure it out using HiJack myself. If someone could look over my log, that would be awesome. My internet is basically not existent and it seems whatever adware / spyware I have is screwing with my network settings. When I put my computer into safe mode, I can visit any site perfectly. When I run in regular vista, I get pop ups and I can only visit some websites. Heres my log from HiJack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:30:44 PM, on 5/19/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Windows\mrofinu1535.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Windows\Explorer.EXE
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\Taskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\McAfee\MSC\mcshell.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Alcohol Toolbar Helper - {8126A4A5-BFD3-46FE-BBDF-BFB5CF78E489} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Alcohol Toolbar - {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\opnlKCRl.dll,#1
O4 - HKLM\..\Run: [runner1] C:\Windows\mrofinu1535.exe 61A847B5BBF7281337983D466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\NICKB-~1\AppData\Local\Temp\tuvTnOhH.dll,c
O4 - HKCU\..\Run: [6c695b49] rundll32.exe "C:\Users\NICKB-~1\AppData\Local\Temp\kihptgsy.dll",b
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\NICKB-~1\AppData\Local\Temp\ssqqQGaA.dll,#1
O4 - HKCU\..\Run: [BM6f5a68d5] Rundll32.exe "C:\Users\NICKB-~1\AppData\Local\Temp\iwdmgsru.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell....r/SysProExe.CAB
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: dlbc_device - - C:\Windows\system32\dlbccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 13096 bytes

I really appreciate any help. Thanks!
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#3
slicedice2k

slicedice2k

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
I'll do that as soon as I get home which wont be till later. Your post says to use the XP recovery, should I still download that if I'm running Vista? Thanks
  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Leave that and just run ComboFix
  • 0

#5
slicedice2k

slicedice2k

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
So here is the log from combofix. Not sure, but my computer seems to be running better already, as my internet does not seem slowed down and the moment and I haven't got any pop ups since restart.

ComboFix 08-05-20.5 - Nick B-W 2008-05-21 3:36:42.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1175 [GMT -7:00]
Running from: C:\Users\Nick B-W\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-20 03:07 . 2008-05-20 03:07 129 --a------ C:\Windows\System32\MRT.INI
2008-05-19 19:04 . 2008-05-19 19:04 2,560 --a------ C:\Windows\System32\bitcometres.dll
2008-05-19 18:25 . 2008-05-19 18:25 <DIR> d-------- C:\Windows\Sun
2008-05-19 18:12 . 2008-05-19 18:12 <DIR> d-------- C:\Users\Nick B-W\AppData\Roaming\McAfee
2008-05-19 13:35 . 2008-05-19 15:14 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-19 13:35 . 2008-05-19 13:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-19 13:26 . 2008-05-19 13:26 <DIR> d-------- C:\Users\Nick B-W\AppData\Roaming\PC Tools
2008-05-19 13:26 . 2008-05-19 16:17 <DIR> d-a------ C:\Users\All Users\TEMP
2008-05-19 13:26 . 2008-05-19 16:24 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-19 02:40 . 2008-05-19 02:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-18 16:51 . 2008-05-18 16:51 <DIR> d-------- C:\Program Files\Uniblue
2008-05-17 16:10 . 2008-05-17 16:10 <DIR> d-------- C:\Users\Nick B-W\AppData\Roaming\Petroglyph
2008-05-15 19:11 . 2008-05-15 19:11 <DIR> d-------- C:\Program Files\LucasArts
2008-05-15 19:03 . 2008-02-12 14:45 48 --a------ C:\Windows\System32\readme.bat
2008-05-15 18:44 . 2008-05-15 18:44 <DIR> d-------- C:\Program Files\Alcohol Toolbar
2008-05-15 18:44 . 2008-05-15 18:44 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-05-15 18:44 . 2008-05-15 18:44 229,057 --a------ C:\Windows\Alcohol_Toolbar_Uninstaller_7556.exe
2008-05-08 14:17 . 2008-05-08 14:17 <DIR> d-------- C:\Program Files\iTunes
2008-05-08 14:17 . 2008-05-08 14:17 <DIR> d-------- C:\Program Files\iPod
2008-05-08 14:15 . 2008-05-08 14:15 <DIR> d-------- C:\Program Files\QuickTime
2008-05-08 14:10 . 2008-05-08 14:10 <DIR> d-------- C:\Program Files\Apple Software Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 02:10 --------- d-----w C:\Program Files\BitComet
2008-05-19 23:22 --------- d-----w C:\Program Files\BAE
2008-05-19 22:23 --------- d-----w C:\Program Files\McAfee
2008-05-17 07:39 131,484 ----a-w C:\Users\Nick B-W\AppData\Roaming\nvModes.dat
2008-05-16 02:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-14 10:03 --------- d-----w C:\Program Files\Windows Mail
2008-04-09 10:11 944,184 ----a-w C:\Windows\System32\winload.exe
2008-04-09 10:11 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-04-09 10:11 620,088 ----a-w C:\Windows\System32\ci.dll
2008-04-09 10:11 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-04-09 10:11 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-04-09 10:11 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-04-09 10:11 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-04-09 10:11 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-04-09 10:11 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-04-09 10:08 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-04-09 10:08 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-04-09 10:06 83,968 ----a-w C:\Windows\System32\dnsrslvr.dll
2008-04-09 10:06 24,576 ----a-w C:\Windows\System32\dnscacheugc.exe
2008-04-09 10:04 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-04-09 10:04 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-04-09 10:04 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-04-09 10:04 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-03-27 05:44 --------- d-----w C:\Program Files\HP
2007-12-10 01:49 3,228 ----a-w C:\Users\Nick B-W\AppData\Roaming\wklnhst.dat
2007-09-05 02:16 174 --sha-w C:\Program Files\desktop.ini
2007-09-28 01:25 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-09-28 01:25 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-09-28 01:25 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( [email protected]_ 3.15.38.11 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-21 10:13:49 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-05-21 10:15:41 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-05-21 10:07:25 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-05-21 10:36:45 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-05-21 10:05:44 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-21 10:16:35 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-05-21 10:05:44 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-21 10:16:35 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-21 10:05:44 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-05-21 10:16:35 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 05:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-29 19:07 1006264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 17:35 857648]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-24 22:17 405504]
"VolPanel"="C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2006-11-27 07:14 180224]
"UpdReg"="C:\Windows\UpdReg.EXE" [2000-05-10 23:00 90112]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-04-16 14:10 184320]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-03-16 03:20 17920]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52 49152]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 12:43 228088]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-08-23 23:45 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"MRT"="C:\Windows\system32\MRT.exe" [2008-05-09 14:35 16863864]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 20:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-03 15:55:50 703280]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-08-29 11:33:50 50688]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe [2007-07-20 16:13:26 1180952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FA8BE6D5-40E0-48B8-B317-18A4A590918A}"= C:\Users\NICKB-~1\AppData\Local\Temp\uRlJDULc.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{84813924-8B72-4021-B906-9121F63B9DFB}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{5C7E8769-8CE6-4688-B51F-217F7E10D3AC}"= TCP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{EB697D8C-25AF-4A3D-81F8-3FD04AA83EF4}"= C:\Program Files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{13B435CA-1F79-478C-94BB-9157CF541528}"= C:\Program Files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{44670002-9906-4D27-8AC1-23B082326346}"= C:\Program Files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{F3F80003-C496-43BE-8A72-348E88EE9CF4}"= C:\Program Files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{DD4B5A8D-F193-4E77-A941-AA0C998055F7}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{C60B5DD8-AB3C-46B9-B9BD-584A92B70349}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{BE02DCD0-B2DF-4607-919C-363623FDBC9A}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{69ADC3BF-8B25-4C53-8F22-568E1936F673}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3940ED6E-BED5-4FF3-B7F2-337948053766}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{97FB86F5-401F-4E71-9A9E-EA8BA419CEFD}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{782993F5-A57C-427F-95FF-DBFEB0EF0526}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{19E0C898-7D32-4C4D-8999-1B558A7E6C6F}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{59B418ED-E3F3-4691-852C-C7943D0B46C1}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{D20C3389-03B6-4E09-956A-D0625044615C}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F0C9C679-C0F9-4780-B013-9539997D8B42}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{80DD7D33-C8BF-401D-9B72-34F03F85935B}"= UDP:C:\Windows\System32\dlbccoms.exe:Photo Printer 720 Server
"{C83922C3-077F-459F-ACF9-5538211ED969}"= TCP:C:\Windows\System32\dlbccoms.exe:Photo Printer 720 Server
"{D2E71FC4-7B5D-4F7B-A3AF-9BFE27C61B23}"= UDP:C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{4B904A07-156E-4F96-91D5-61D74076BE45}"= TCP:C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{E7430773-AB5B-4C8E-B27B-8D29DABCE107}"= UDP:C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{18C0786C-B62C-4BC6-A817-83499D5EFDB1}"= TCP:C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{414C0BF5-064C-4DEA-9CA1-50DC73405DDA}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{4969A61F-A5D7-47E8-ACC2-2A8817E8F4AD}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{B411EACA-4C6B-430A-9563-A41BE514DD4F}"= UDP:9119:BitComet 9119 TCP
"{048ED9C9-C3C2-42C0-8CA3-0E595D0AD4EE}"= TCP:9119:BitComet 9119 UDP
"{98770E8A-C847-42FF-A1E0-7F9B81956B9D}"= UDP:C:\Program Files\LucasArts\Star Wars Empire at War\GameData\sweaw.exe:Star Wars: Empire at War
"{5256D53E-D3D6-464D-8E5D-B78079C9D284}"= TCP:C:\Program Files\LucasArts\Star Wars Empire at War\GameData\sweaw.exe:Star Wars: Empire at War

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 dlbc_device;dlbc_device;C:\Windows\system32\dlbccoms.exe [2007-03-01 16:52]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 17:39]
S3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2006-11-06 18:37]
S3 btwavdt;Bluetooth AVDT Service;C:\Windows\system32\drivers\btwavdt.sys [2006-11-06 16:13]
S3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2006-11-06 16:13]
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 00:36]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{169ed2f4-66f4-11dc-b357-001c26f533e0}]
\shell\AutoRun\command - F:\blank.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 07:59:59 C:\Windows\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-05-01 07:59:59 C:\Windows\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 03:38:31
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-21 3:39:59
ComboFix-quarantined-files.txt 2008-05-21 10:39:21
ComboFix2.txt 2008-05-21 10:16:16

Pre-Run: 65,287,241,728 bytes free
Post-Run: 65,256,423,424 bytes free

193 --- E O F --- 2008-05-21 10:09:46

Thanks again!
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\Windows\System32\readme.bat

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.




1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
F:\blank.exe

Folder::

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FA8BE6D5-40E0-48B8-B317-18A4A590918A}"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{169ed2f4-66f4-11dc-b357-001c26f533e0}]

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Also post a new HijackThis log
  • 0

#7
slicedice2k

slicedice2k

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Heres VirusTotal Log:

AhnLab-V3 2008.5.20.0 2008.05.21 -
AntiVir 7.8.0.19 2008.05.21 -
Authentium 5.1.0.4 2008.05.21 -
Avast 4.8.1195.0 2008.05.21 -
AVG 7.5.0.516 2008.05.21 -
BitDefender 7.2 2008.05.21 -
CAT-QuickHeal 9.50 2008.05.19 -
ClamAV 0.92.1 2008.05.21 -
DrWeb 4.44.0.09170 2008.05.21 -
eSafe 7.0.15.0 2008.05.20 -
eTrust-Vet 31.4.5808 2008.05.21 -
Ewido 4.0 2008.05.21 Trojan.Agent
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.21 -
Fortinet 3.14.0.0 2008.05.21 -
GData 2.0.7306.1023 2008.05.21 -
Ikarus T3.1.1.26.0 2008.05.21 -
Kaspersky 7.0.0.125 2008.05.21 -
McAfee 5299 2008.05.20 -
Microsoft 1.3520 2008.05.21 -
NOD32v2 3116 2008.05.21 probably a variant of Win32/Agent
Norman 5.80.02 2008.05.20 -
Panda 9.0.0.4 2008.05.21 -
Prevx1 V2 2008.05.21 Malicious Software
Rising 20.45.12.00 2008.05.20 -
Sophos 4.29.0 2008.05.21 -
Sunbelt 3.0.1123.1 2008.05.17 BAT.Agent.B (v)
Symantec 10 2008.05.21 Trojan Horse
TheHacker 6.2.92.314 2008.05.20 -
VBA32 3.12.6.6 2008.05.20 -
VirusBuster 4.3.26:9 2008.05.20 -
Webwasher-Gateway 6.6.2 2008.05.21 -
Additional information
File size: 48 bytes
MD5...: e46306598c5f687b8afe6a7f5d153792
SHA1..: 5f69c070e6cc0256c4634d26a09ae4bcea2a9052
SHA256: b2dc5a2e489b8b2e706516487c3900405807c662ac453a0a1eef2e893c5e1c54
SHA512: 2de4bb248a540bae11c377a802dd799d312b505ce4de277cc4e3f87a0a1d8945
858a11c38e9b8cc2c14cab3e37b2aa6e1dfc0282965e97a8438f0b33731ee5e3
PEiD..: -
PEInfo: -
Prevx info: http://info.prevx.co...E6A7F005D153792

Heres ComboFix:
ComboFix 08-05-20.5 - Nick B-W 2008-05-21 4:27:25.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1023 [GMT -7:00]
Running from: C:\Users\Nick B-W\Desktop\ComboFix.exe
Command switches used :: C:\Users\Nick B-W\Desktop\CFscript.txt
* Created a new restore point
* Resident AV is active


FILE ::
F:\blank.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-20 03:07 . 2008-05-20 03:07 129 --a------ C:\Windows\System32\MRT.INI
2008-05-19 19:04 . 2008-05-19 19:04 2,560 --a------ C:\Windows\System32\bitcometres.dll
2008-05-19 18:25 . 2008-05-19 18:25 <DIR> d-------- C:\Windows\Sun
2008-05-19 18:12 . 2008-05-19 18:12 <DIR> d-------- C:\Users\Nick B-W\AppData\Roaming\McAfee
2008-05-19 13:35 . 2008-05-19 15:14 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-19 13:35 . 2008-05-19 13:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-19 13:26 . 2008-05-19 13:26 <DIR> d-------- C:\Users\Nick B-W\AppData\Roaming\PC Tools
2008-05-19 13:26 . 2008-05-19 16:17 <DIR> d-a------ C:\Users\All Users\TEMP
2008-05-19 13:26 . 2008-05-19 16:24 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-19 02:40 . 2008-05-19 02:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-18 16:51 . 2008-05-18 16:51 <DIR> d-------- C:\Program Files\Uniblue
2008-05-17 16:10 . 2008-05-17 16:10 <DIR> d-------- C:\Users\Nick B-W\AppData\Roaming\Petroglyph
2008-05-15 19:11 . 2008-05-15 19:11 <DIR> d-------- C:\Program Files\LucasArts
2008-05-15 19:03 . 2008-02-12 14:45 48 --a------ C:\Windows\System32\readme.bat
2008-05-15 18:44 . 2008-05-15 18:44 <DIR> d-------- C:\Program Files\Alcohol Toolbar
2008-05-15 18:44 . 2008-05-15 18:44 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-05-15 18:44 . 2008-05-15 18:44 229,057 --a------ C:\Windows\Alcohol_Toolbar_Uninstaller_7556.exe
2008-05-08 14:17 . 2008-05-08 14:17 <DIR> d-------- C:\Program Files\iTunes
2008-05-08 14:17 . 2008-05-08 14:17 <DIR> d-------- C:\Program Files\iPod
2008-05-08 14:15 . 2008-05-08 14:15 <DIR> d-------- C:\Program Files\QuickTime
2008-05-08 14:10 . 2008-05-08 14:10 <DIR> d-------- C:\Program Files\Apple Software Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 02:10 --------- d-----w C:\Program Files\BitComet
2008-05-19 23:22 --------- d-----w C:\Program Files\BAE
2008-05-19 22:23 --------- d-----w C:\Program Files\McAfee
2008-05-17 07:39 131,484 ----a-w C:\Users\Nick B-W\AppData\Roaming\nvModes.dat
2008-05-16 02:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-14 10:03 --------- d-----w C:\Program Files\Windows Mail
2008-04-09 10:11 944,184 ----a-w C:\Windows\System32\winload.exe
2008-04-09 10:11 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-04-09 10:11 620,088 ----a-w C:\Windows\System32\ci.dll
2008-04-09 10:11 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-04-09 10:11 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-04-09 10:11 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-04-09 10:11 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-04-09 10:11 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-04-09 10:11 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-04-09 10:08 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-04-09 10:08 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-04-09 10:06 83,968 ----a-w C:\Windows\System32\dnsrslvr.dll
2008-04-09 10:06 24,576 ----a-w C:\Windows\System32\dnscacheugc.exe
2008-04-09 10:04 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-04-09 10:04 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-04-09 10:04 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-04-09 10:04 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-03-27 05:44 --------- d-----w C:\Program Files\HP
2007-12-10 01:49 3,228 ----a-w C:\Users\Nick B-W\AppData\Roaming\wklnhst.dat
2007-09-05 02:16 174 --sha-w C:\Program Files\desktop.ini
2007-09-28 01:25 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-09-28 01:25 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-09-28 01:25 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( [email protected]_ 3.15.38.11 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-21 10:13:49 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-05-21 11:15:30 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-05-21 10:07:25 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-05-21 11:26:46 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-05-21 10:05:44 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-21 10:16:35 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-05-21 10:05:44 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-21 10:16:35 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-21 10:05:44 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-05-21 10:16:35 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 05:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-29 19:07 1006264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 17:35 857648]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-24 22:17 405504]
"VolPanel"="C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2006-11-27 07:14 180224]
"UpdReg"="C:\Windows\UpdReg.EXE" [2000-05-10 23:00 90112]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-04-16 14:10 184320]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-03-16 03:20 17920]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52 49152]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 12:43 228088]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-08-23 23:45 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"MRT"="C:\Windows\system32\MRT.exe" [2008-05-09 14:35 16863864]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 20:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-03 15:55:50 703280]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-08-29 11:33:50 50688]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe [2007-07-20 16:13:26 1180952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FA8BE6D5-40E0-48B8-B317-18A4A590918A}"= C:\Users\NICKB-~1\AppData\Local\Temp\uRlJDULc.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{84813924-8B72-4021-B906-9121F63B9DFB}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{5C7E8769-8CE6-4688-B51F-217F7E10D3AC}"= TCP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{EB697D8C-25AF-4A3D-81F8-3FD04AA83EF4}"= C:\Program Files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{13B435CA-1F79-478C-94BB-9157CF541528}"= C:\Program Files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{44670002-9906-4D27-8AC1-23B082326346}"= C:\Program Files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{F3F80003-C496-43BE-8A72-348E88EE9CF4}"= C:\Program Files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{DD4B5A8D-F193-4E77-A941-AA0C998055F7}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{C60B5DD8-AB3C-46B9-B9BD-584A92B70349}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{BE02DCD0-B2DF-4607-919C-363623FDBC9A}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{69ADC3BF-8B25-4C53-8F22-568E1936F673}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3940ED6E-BED5-4FF3-B7F2-337948053766}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{97FB86F5-401F-4E71-9A9E-EA8BA419CEFD}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{782993F5-A57C-427F-95FF-DBFEB0EF0526}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{19E0C898-7D32-4C4D-8999-1B558A7E6C6F}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{59B418ED-E3F3-4691-852C-C7943D0B46C1}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{D20C3389-03B6-4E09-956A-D0625044615C}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F0C9C679-C0F9-4780-B013-9539997D8B42}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{80DD7D33-C8BF-401D-9B72-34F03F85935B}"= UDP:C:\Windows\System32\dlbccoms.exe:Photo Printer 720 Server
"{C83922C3-077F-459F-ACF9-5538211ED969}"= TCP:C:\Windows\System32\dlbccoms.exe:Photo Printer 720 Server
"{D2E71FC4-7B5D-4F7B-A3AF-9BFE27C61B23}"= UDP:C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{4B904A07-156E-4F96-91D5-61D74076BE45}"= TCP:C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{E7430773-AB5B-4C8E-B27B-8D29DABCE107}"= UDP:C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{18C0786C-B62C-4BC6-A817-83499D5EFDB1}"= TCP:C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{414C0BF5-064C-4DEA-9CA1-50DC73405DDA}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{4969A61F-A5D7-47E8-ACC2-2A8817E8F4AD}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{B411EACA-4C6B-430A-9563-A41BE514DD4F}"= UDP:9119:BitComet 9119 TCP
"{048ED9C9-C3C2-42C0-8CA3-0E595D0AD4EE}"= TCP:9119:BitComet 9119 UDP
"{98770E8A-C847-42FF-A1E0-7F9B81956B9D}"= UDP:C:\Program Files\LucasArts\Star Wars Empire at War\GameData\sweaw.exe:Star Wars: Empire at War
"{5256D53E-D3D6-464D-8E5D-B78079C9D284}"= TCP:C:\Program Files\LucasArts\Star Wars Empire at War\GameData\sweaw.exe:Star Wars: Empire at War

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 dlbc_device;dlbc_device;C:\Windows\system32\dlbccoms.exe [2007-03-01 16:52]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 17:39]
R3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2006-11-06 18:37]
R3 btwavdt;Bluetooth AVDT Service;C:\Windows\system32\drivers\btwavdt.sys [2006-11-06 16:13]
R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2006-11-06 16:13]
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 00:36]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{169ed2f4-66f4-11dc-b357-001c26f533e0}]
\shell\AutoRun\command - F:\blank.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 07:59:59 C:\Windows\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-05-01 07:59:59 C:\Windows\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 04:29:38
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-21 4:31:05
ComboFix-quarantined-files.txt 2008-05-21 11:30:32
ComboFix2.txt 2008-05-21 10:40:01
ComboFix3.txt 2008-05-21 10:16:16

Pre-Run: 65,033,052,160 bytes free
Post-Run: 65,102,741,504 bytes free

198 --- E O F --- 2008-05-21 10:09:46

Heres HiJackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:32:54 AM, on 5/21/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\System32\rundll32.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Alcohol Toolbar Helper - {8126A4A5-BFD3-46FE-BBDF-BFB5CF78E489} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [MRT] "C:\Windows\system32\MRT.exe" /R
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell....r/SysProExe.CAB
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: dlbc_device - - C:\Windows\system32\dlbccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoToAssist - Unknown owner - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10631 bytes


I got to get some sleep, but I'll follow whatever other directions you have tomorrow morning
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Windows\System32\readme.bat
F:\blank.exe

Folder::

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FA8BE6D5-40E0-48B8-B317-18A4A590918A}"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{169ed2f4-66f4-11dc-b357-001c26f533e0}]

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall





Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
  • 0

#9
slicedice2k

slicedice2k

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
So, I copied and pasted the the CFscript, but it didn't actually get ComboFix to fully run (just prompted windows to grant it permission, which i did, and it never came up with the blue application screen like normal)

Heres the MBAM log:

Malwarebytes' Anti-Malware 1.12
Database version: 722

Scan type: Quick Scan
Objects scanned: 33840
Time elapsed: 5 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Can you run ComboFix again and post the log
  • 0

#11
slicedice2k

slicedice2k

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
ComboFix 08-05-20.5 - Nick B-W 2008-05-21 13:23:12.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1194 [GMT -7:00]
Running from: C:\Users\Nick B-W\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-21 09:31 . 2008-05-21 09:31 <DIR> d-------- C:\Users\Nick B-W\AppData\Roaming\Malwarebytes
2008-05-21 09:27 . 2008-05-21 09:27 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-05-21 09:27 . 2008-05-21 09:27 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-21 09:27 . 2008-05-05 20:46 27,048 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-05-21 09:27 . 2008-05-05 20:46 15,864 --a------ C:\Windows\System32\drivers\mbam.sys
2008-05-20 03:07 . 2008-05-20 03:07 129 --a------ C:\Windows\System32\MRT.INI
2008-05-19 19:04 . 2008-05-19 19:04 2,560 --a------ C:\Windows\System32\bitcometres.dll
2008-05-19 18:25 . 2008-05-19 18:25 <DIR> d-------- C:\Windows\Sun
2008-05-19 18:12 . 2008-05-19 18:12 <DIR> d-------- C:\Users\Nick B-W\AppData\Roaming\McAfee
2008-05-19 13:35 . 2008-05-19 15:14 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-19 13:35 . 2008-05-19 13:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-19 13:26 . 2008-05-19 13:26 <DIR> d-------- C:\Users\Nick B-W\AppData\Roaming\PC Tools
2008-05-19 13:26 . 2008-05-19 16:17 <DIR> d-a------ C:\Users\All Users\TEMP
2008-05-19 13:26 . 2008-05-19 16:24 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-19 02:40 . 2008-05-19 02:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-18 16:51 . 2008-05-18 16:51 <DIR> d-------- C:\Program Files\Uniblue
2008-05-17 16:10 . 2008-05-17 16:10 <DIR> d-------- C:\Users\Nick B-W\AppData\Roaming\Petroglyph
2008-05-15 19:11 . 2008-05-15 19:11 <DIR> d-------- C:\Program Files\LucasArts
2008-05-15 19:03 . 2008-02-12 14:45 48 --a------ C:\Windows\System32\readme.bat
2008-05-15 18:44 . 2008-05-15 18:44 <DIR> d-------- C:\Program Files\Alcohol Toolbar
2008-05-15 18:44 . 2008-05-15 18:44 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-05-15 18:44 . 2008-05-15 18:44 229,057 --a------ C:\Windows\Alcohol_Toolbar_Uninstaller_7556.exe
2008-05-08 14:17 . 2008-05-08 14:17 <DIR> d-------- C:\Program Files\iTunes
2008-05-08 14:17 . 2008-05-08 14:17 <DIR> d-------- C:\Program Files\iPod
2008-05-08 14:15 . 2008-05-08 14:15 <DIR> d-------- C:\Program Files\QuickTime
2008-05-08 14:10 . 2008-05-08 14:10 <DIR> d-------- C:\Program Files\Apple Software Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 20:17 --------- d-----w C:\Program Files\McAfee
2008-05-20 02:10 --------- d-----w C:\Program Files\BitComet
2008-05-19 23:22 --------- d-----w C:\Program Files\BAE
2008-05-17 07:39 131,484 ----a-w C:\Users\Nick B-W\AppData\Roaming\nvModes.dat
2008-05-16 02:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-14 10:03 --------- d-----w C:\Program Files\Windows Mail
2008-04-09 10:11 944,184 ----a-w C:\Windows\System32\winload.exe
2008-04-09 10:11 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-04-09 10:11 620,088 ----a-w C:\Windows\System32\ci.dll
2008-04-09 10:11 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-04-09 10:11 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-04-09 10:11 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-04-09 10:11 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-04-09 10:11 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-04-09 10:11 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-04-09 10:08 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-04-09 10:08 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-04-09 10:06 83,968 ----a-w C:\Windows\System32\dnsrslvr.dll
2008-04-09 10:06 24,576 ----a-w C:\Windows\System32\dnscacheugc.exe
2008-04-09 10:04 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-04-09 10:04 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-04-09 10:04 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-04-09 10:04 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-03-27 05:44 --------- d-----w C:\Program Files\HP
2007-12-10 01:49 3,228 ----a-w C:\Users\Nick B-W\AppData\Roaming\wklnhst.dat
2007-09-05 02:16 174 --sha-w C:\Program Files\desktop.ini
2007-09-28 01:25 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-09-28 01:25 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-09-28 01:25 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( [email protected]_ 3.15.38.11 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-21 10:00:27 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-05-21 20:16:55 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-05-20 09:25:37 2,484 ----a-w C:\Windows\bthservsdp.dat
+ 2008-05-21 20:15:45 2,484 ----a-w C:\Windows\bthservsdp.dat
- 2008-05-21 10:00:28 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-05-21 20:16:56 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-05-21 10:00:28 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-05-21 20:16:56 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-05-21 10:13:49 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-05-21 20:22:19 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-05-21 10:02:57 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-05-21 20:21:49 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-05-21 10:07:25 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-05-21 20:21:58 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-05-21 10:02:50 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-05-21 20:22:24 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-05-21 10:05:44 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-21 20:19:35 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-05-21 10:05:44 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-21 20:19:35 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-21 10:05:44 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-05-21 20:19:35 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-05-21 10:03:00 9,404 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2504436428-3112792286-3194499758-1000_UserData.bin
+ 2008-05-21 20:22:38 9,420 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2504436428-3112792286-3194499758-1000_UserData.bin
- 2008-05-21 10:03:00 81,686 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-21 20:22:35 81,772 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-05-21 10:02:55 50,544 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-05-21 20:22:29 50,760 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 05:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-29 19:07 1006264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 17:35 857648]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-24 22:17 405504]
"VolPanel"="C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2006-11-27 07:14 180224]
"UpdReg"="C:\Windows\UpdReg.EXE" [2000-05-10 23:00 90112]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-04-16 14:10 184320]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-03-16 03:20 17920]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52 49152]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 12:43 228088]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-08-23 23:45 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 20:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-03 15:55:50 703280]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-08-29 11:33:50 50688]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe [2007-07-20 16:13:26 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{84813924-8B72-4021-B906-9121F63B9DFB}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{5C7E8769-8CE6-4688-B51F-217F7E10D3AC}"= TCP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{EB697D8C-25AF-4A3D-81F8-3FD04AA83EF4}"= C:\Program Files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{13B435CA-1F79-478C-94BB-9157CF541528}"= C:\Program Files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{44670002-9906-4D27-8AC1-23B082326346}"= C:\Program Files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{F3F80003-C496-43BE-8A72-348E88EE9CF4}"= C:\Program Files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{DD4B5A8D-F193-4E77-A941-AA0C998055F7}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{C60B5DD8-AB3C-46B9-B9BD-584A92B70349}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{BE02DCD0-B2DF-4607-919C-363623FDBC9A}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{69ADC3BF-8B25-4C53-8F22-568E1936F673}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3940ED6E-BED5-4FF3-B7F2-337948053766}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{97FB86F5-401F-4E71-9A9E-EA8BA419CEFD}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{782993F5-A57C-427F-95FF-DBFEB0EF0526}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{19E0C898-7D32-4C4D-8999-1B558A7E6C6F}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{59B418ED-E3F3-4691-852C-C7943D0B46C1}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{D20C3389-03B6-4E09-956A-D0625044615C}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F0C9C679-C0F9-4780-B013-9539997D8B42}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{80DD7D33-C8BF-401D-9B72-34F03F85935B}"= UDP:C:\Windows\System32\dlbccoms.exe:Photo Printer 720 Server
"{C83922C3-077F-459F-ACF9-5538211ED969}"= TCP:C:\Windows\System32\dlbccoms.exe:Photo Printer 720 Server
"{D2E71FC4-7B5D-4F7B-A3AF-9BFE27C61B23}"= UDP:C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{4B904A07-156E-4F96-91D5-61D74076BE45}"= TCP:C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{E7430773-AB5B-4C8E-B27B-8D29DABCE107}"= UDP:C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{18C0786C-B62C-4BC6-A817-83499D5EFDB1}"= TCP:C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:RoxioUPnPRenderer9
"{414C0BF5-064C-4DEA-9CA1-50DC73405DDA}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{4969A61F-A5D7-47E8-ACC2-2A8817E8F4AD}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{B411EACA-4C6B-430A-9563-A41BE514DD4F}"= UDP:9119:BitComet 9119 TCP
"{048ED9C9-C3C2-42C0-8CA3-0E595D0AD4EE}"= TCP:9119:BitComet 9119 UDP
"{98770E8A-C847-42FF-A1E0-7F9B81956B9D}"= UDP:C:\Program Files\LucasArts\Star Wars Empire at War\GameData\sweaw.exe:Star Wars: Empire at War
"{5256D53E-D3D6-464D-8E5D-B78079C9D284}"= TCP:C:\Program Files\LucasArts\Star Wars Empire at War\GameData\sweaw.exe:Star Wars: Empire at War

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 dlbc_device;dlbc_device;C:\Windows\system32\dlbccoms.exe [2007-03-01 16:52]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 17:39]
R3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2006-11-06 18:37]
R3 btwavdt;Bluetooth AVDT Service;C:\Windows\system32\drivers\btwavdt.sys [2006-11-06 16:13]
R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2006-11-06 16:13]
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 00:36]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 07:59:59 C:\Windows\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-05-01 07:59:59 C:\Windows\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 13:26:08
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-21 13:27:37
ComboFix-quarantined-files.txt 2008-05-21 20:27:05
ComboFix2.txt 2008-05-21 11:31:06
ComboFix3.txt 2008-05-21 10:40:01
ComboFix4.txt 2008-05-21 10:16:16

Pre-Run: 65,865,842,688 bytes free
Post-Run: 65,839,095,808 bytes free

212 --- E O F --- 2008-05-21 10:09:46
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com.../readstep2.html




Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#13
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP