Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Blue Screen and iftuyszv.exe [RESOLVED]


  • This topic is locked This topic is locked

#1
WarrenH

WarrenH

    Member

  • Member
  • PipPip
  • 51 posts
Hello,

I had just finished loading NHL 08 yesterday on to my computer and went to update the patch files. When I did so, I got slammed with Trojans and other things. My desktop has turned to a blue screen with an add for anti-spyware. My computer says the administrator (which is me) has disabled my task manager. So I can't shutdown any programs with the old control-alt-delete. I have iftuyszv.exe running and can't get rid of it or shut it off. I have windows XP with service pack 2. I have ran McAfee virus scan and antispyware. Got rid of some stuff but not iftuyszv. I googled the program on the internet and found several forums. I jumped the gun and followed intructions from Trusted Helper to SteveTep on this forum and downloaded and ran Combofix. It briefly returned my wallpaper but then froze up when finishing. When I restarted, the blue screen was back, my task manager was still disabled and iftuyszv was still running. Any help you can provide me would be greatly appreciated. I'm not a techie so this way beyond my knowledge.


Here's my Hackthis file


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:20 PM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\iftuyszv.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: IE - {D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E} - C:\Program Files\eSoftware\studio.dll
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Update Page Content - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\refreshpage.htm
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: McAfee Application Installer Cleanup (0000001213475303) (0000001213475303mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\000000~1.EXE (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\system32\IomegaAccess.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe

--
End of file - 11640 bytes




And here's the Combofix file




C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\SYSTEM32\000070.exe
C:\WINDOWS\SYSTEM32\000080.exe
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-15 18:31 . 2008-06-15 18:37 2,022 --a------ C:\WINDOWS\default.htm
2008-06-15 15:45 . 2008-06-15 15:45 <DIR> d-------- C:\Program Files\Easy SpyRemover
2008-06-15 14:57 . 2008-06-15 14:57 <DIR> d-------- C:\Program Files\Uniblue
2008-06-14 20:03 . 2008-06-14 20:03 31,488 --a------ C:\WINDOWS\explore.exe
2008-06-14 20:03 . 2008-06-14 20:03 27,904 --a------ C:\WINDOWS\clrssn.exe
2008-06-14 20:03 . 2008-06-14 20:03 27,392 --a------ C:\WINDOWS\explorer32.exe
2008-06-14 20:03 . 2008-06-14 20:03 24,320 --a------ C:\WINDOWS\qttasks.exe
2008-06-14 19:48 . 2008-06-14 19:48 90,073 --a------ C:\WINDOWS\SYSTEM32\iftuyszv.exe
2008-06-14 19:48 . 2008-06-14 19:48 43,520 --a------ C:\WINDOWS\SYSTEM32\clbdll.dll
2008-06-14 19:48 . 2008-06-14 19:48 10,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\clbdriver.sys
2008-06-14 19:48 . 2004-08-04 03:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-06-10 15:54 . 2008-04-14 04:01 272,128 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2008-06-10 15:54 . 2008-04-14 04:01 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-08 09:50 . 2008-06-14 19:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-08 09:50 . 2008-06-08 09:50 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-01 08:33 . 2008-06-01 16:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-01 08:32 . 2008-06-01 16:56 <DIR> d-------- C:\Program Files\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 01:31 31,232 ----a-w C:\WINDOWS\iexplorer.exe
2008-06-16 01:31 18,688 ----a-w C:\WINDOWS\x.exe
2008-06-15 04:47 --------- d-----w C:\Program Files\EA SPORTS
2008-06-15 03:42 --------- d-----w C:\Program Files\McAfee
2008-06-15 03:42 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-08 16:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-04 22:57 --------- d-----w C:\Program Files\LimeWire
2008-04-30 03:24 --------- d-----w C:\Program Files\DivX
2007-01-11 05:32 940,032 ------w C:\Documents and Settings\Warren Hoeft\dbghelp.dll
2007-01-11 05:32 2,392,064 ------w C:\Documents and Settings\Warren Hoeft\LaunchPad.exe
2007-01-11 05:32 11,264 ------w C:\Documents and Settings\Warren Hoeft\lp_plugin.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 39,792 2007-10-11 03:51:55 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

----a-w 110,592 2004-01-07 06:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 57,344 2004-10-12 21:54:30 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 202,544 2007-11-15 17:23:56 C:\Program Files\Dell Support Center\bin\bak\sprtcmd.exe

----a-w 16,384 2007-11-15 17:24:00 C:\Program Files\Dell Support Center\gs_agent\custom\bak\dsca.exe

----a-w 460,784 2007-03-15 18:09:36 C:\Program Files\DellSupport\bak\DSAgnt.exe

----a-w 221,184 2003-09-04 01:12:44 C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe

----a-w 32,768 2000-06-02 18:57:38 C:\Program Files\Iomega\Common\bak\ImgStart.exe

----a-w 36,864 2000-06-13 15:48:58 C:\Program Files\Iomega\DriveIcons\bak\ImgIcon.exe

----a-w 132,496 2007-09-25 08:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 110,592 2005-12-01 13:01:00 C:\Program Files\McAfee\McAfee QuickClean\bak\Plguni.exe
----a-w 110,592 2005-12-01 13:01:00 C:\Program Files\McAfee\McAfee QuickClean\PlgUni.exe

----a-w 152,144 2007-01-18 01:30:24 C:\Program Files\McAfee\MSK\bak\MskAgent.exe
----a-w 152,144 2007-01-17 23:30:24 C:\Program Files\McAfee\MSK\mskagent.exe

----a-w 8,192 2006-09-18 21:46:30 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe

----a-w 110,592 2006-09-18 21:46:30 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe

----a-w 98,304 2005-04-06 05:38:51 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 26,112 2005-04-06 05:38:31 C:\Program Files\Real\RealPlayer\bak\RealPlay.exe

----a-w 36,904 2007-01-17 19:24:46 C:\Program Files\SiteAdvisor\6253\bak\SiteAdv.exe

----a-w 1,544,192 2002-04-25 01:37:43 C:\Program Files\support.com\bin\bak\tgcmd.exe

----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\SYSTEM32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\SYSTEM32\ctfmon.exe

----a-w 127,035 2004-12-06 06:05:00 C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E}]
2008-03-10 14:02 282636 --a------ C:\Program Files\eSoftware\studio.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2008-05-05 12:22 1923352]
"McAfee QuickClean Imonitor"="C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe" [2005-12-01 06:01 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-11 15:10 4583424]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" [ ]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 16:30 152144]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [ ]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [ ]
"McRegWiz"="C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe" [2004-07-29 12:55 139264]
"Easy SpyRemover"="C:\Program Files\Easy SpyRemover\EasySpyRemover.exe" [2007-11-09 17:54 3516088]
"combofix"="C:\WINDOWS\system32\CF12133.exe" [2004-08-04 03:00 388608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe [2006-04-09 13:54:57 43520]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-09 13:49:12 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"= C:\Program Files\McAfee\McAfee AntiSpyware\MssShell.dll [2004-11-15 01:00 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe,C:\\WINDOWS\\system32\\iftuyszv.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yvu9"= C:\WINDOWS\system32\iyvu9_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\EA SPORTS\\Madden NFL 08\\Updater.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
S2 0000001213475303mcinstcleanup;McAfee Application Installer Cleanup (0000001213475303);C:\WINDOWS\TEMP\000000~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f47fbd05-aac1-11d9-8867-806d6172696f}]
\Shell\AutoRun\command - D:\Madden04.exe

*Newly Created Service* - 0000001213475303MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder
"2008-06-15 03:42:27 C:\WINDOWS\Tasks\McAfee AntiSpyware.job"
- C:\PROGRA~1\McAfee\MCAFEE~3\McSpy.ex
- C:\PROGRA~1\McAfee\MCAFEE~3
"2008-06-15 08:10:21 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-02-08 04:04:05 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 18:37:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\default.htm 2022 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\WINDOWS\SYSTEM32\iftuyszv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\PROGRA~1\McAfee\MPS\mpsevh.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-06-15 18:41:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-16 01:41:35

Post-Run: 27,476,418,560 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

292 --- E O F --- 2008-06-11 03:10:50
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
What other forums have you posted at ?

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.




1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\default.htm
C:\WINDOWS\explore.exe
C:\WINDOWS\clrssn.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\SYSTEM32\iftuyszv.exe
C:\WINDOWS\SYSTEM32\clbdll.dll
C:\WINDOWS\SYSTEM32\DRIVERS\clbdriver.sys
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\x.exe
D:\Madden04.exe

Folder::
C:\Program Files\Easy SpyRemover

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f47fbd05-aac1-11d9-8867-806d6172696f}]

Rootkit::
C:\WINDOWS\default.htm

AWF::
C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe
C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe
C:\Program Files\Dell Support Center\bin\bak\sprtcmd.exe
C:\Program Files\Dell Support Center\gs_agent\custom\bak\dsca.exe
C:\Program Files\DellSupport\bak\DSAgnt.exe
C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe
C:\Program Files\Iomega\Common\bak\ImgStart.exe
C:\Program Files\Iomega\DriveIcons\bak\ImgIcon.exe
C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
C:\Program Files\McAfee\McAfee QuickClean\bak\Plguni.exe
C:\Program Files\McAfee\MSK\bak\MskAgent.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Real\RealPlayer\bak\RealPlay.exe
C:\Program Files\SiteAdvisor\6253\bak\SiteAdv.exe
C:\Program Files\support.com\bin\bak\tgcmd.exe
C:\WINDOWS\SYSTEM32\bak\ctfmon.exe
C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall





Also post a new HijackThis log
  • 0

#3
WarrenH

WarrenH

    Member

  • Topic Starter
  • Member
  • PipPip
  • 51 posts
Thank you Rorschach112. Did as you said. How am I looking now? Is this thing cleaned out?


SDfix file


SDFix: Version 1.193
Run by Warren Hoeft on Mon 06/16/2008 at 08:00 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :

Killing PID 824 'iftuyszv.exe'

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\WINDOWS\x.exe - Deleted
C:\WINDOWS\y.exe - Deleted
C:\WINDOWS\accesss.exe - Deleted
C:\WINDOWS\astctl32.ocx - Deleted
C:\WINDOWS\avpcc.dll - Deleted
C:\WINDOWS\clrssn.exe - Deleted
C:\WINDOWS\cpan.dll - Deleted
C:\WINDOWS\ctfmon32.exe - Deleted
C:\WINDOWS\ctrlpan.dll - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\directx32.exe - Deleted
C:\WINDOWS\dnsrelay.dll - Deleted
C:\WINDOWS\editpad.exe - Deleted
C:\WINDOWS\explore.exe - Deleted
C:\WINDOWS\explorer32.exe - Deleted
C:\WINDOWS\funniest.exe - Deleted
C:\WINDOWS\funny.exe - Deleted
C:\WINDOWS\gfmnaaa.dll - Deleted
C:\WINDOWS\helpcvs.exe - Deleted
C:\WINDOWS\iedll.exe - Deleted
C:\WINDOWS\iexplorer.exe - Deleted
C:\WINDOWS\inetinf.exe - Deleted
C:\WINDOWS\internet.exe - Deleted
C:\WINDOWS\loader.exe - Deleted
C:\WINDOWS\msconfd.dll - Deleted
C:\WINDOWS\msspi.dll - Deleted
C:\WINDOWS\mssys.exe - Deleted
C:\WINDOWS\msupdate.exe - Deleted
C:\WINDOWS\mswsc10.dll - Deleted
C:\WINDOWS\mswsc20.dll - Deleted
C:\WINDOWS\mtwirl32.dll - Deleted
C:\WINDOWS\notepad32.exe - Deleted
C:\WINDOWS\olehelp.exe - Deleted
C:\WINDOWS\qttasks.exe - Deleted
C:\WINDOWS\quicken.exe - Deleted
C:\WINDOWS\rundll16.exe - Deleted
C:\WINDOWS\rundll32.vbe - Deleted
C:\WINDOWS\searchword.dll - Deleted
C:\WINDOWS\sistem.exe - Deleted
C:\WINDOWS\svchost32.exe - Deleted
C:\WINDOWS\svcinit.exe - Deleted
C:\WINDOWS\systeem.exe - Deleted
C:\WINDOWS\systemcritical.exe - Deleted
C:\WINDOWS\system32\iftuyszv.exe - Deleted
C:\WINDOWS\time.exe - Deleted
C:\WINDOWS\users32.exe - Deleted
C:\WINDOWS\waol.exe - Deleted
C:\WINDOWS\win32e.exe - Deleted
C:\WINDOWS\win64.exe - Deleted
C:\WINDOWS\winajbm.dll - Deleted
C:\WINDOWS\window.exe - Deleted
C:\WINDOWS\winmgnt.exe - Deleted
C:\WINDOWS\xplugin.dll - Deleted
C:\WINDOWS\xxxvideo.hta - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 08:10:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"="C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe:*:Enabled:Star Wars: Empire at War"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\EA SPORTS\\Madden NFL 08\\Updater.exe"="C:\\Program Files\\EA SPORTS\\Madden NFL 08\\Updater.exe:*:Enabled:Updater"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AMERIC~1.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\PX.DLL"
Tue 27 Jul 2004 56,832 A..H. --- "C:\DELL\PXCPYA64.EXE"
Tue 27 Jul 2004 108,544 A..H. --- "C:\DELL\PXCPYI64.EXE"
Tue 17 Aug 2004 389,120 A..H. --- "C:\DELL\PXDRV.DLL"
Sun 1 Aug 2004 20,576 A..H. --- "C:\DELL\PXHELP20.SYS"
Sun 1 Aug 2004 54,976 A..H. --- "C:\DELL\PXHELP64.SYS"
Sun 1 Aug 2004 32,272 A..H. --- "C:\DELL\PXHELPER.SYS"
Sun 1 Aug 2004 26,720 A..H. --- "C:\DELL\PXHLPA64.SYS"
Sun 1 Aug 2004 57,344 A..H. --- "C:\DELL\PXHPINST.EXE"
Sun 1 Aug 2004 53,760 A..H. --- "C:\DELL\PXINSA64.EXE"
Sun 1 Aug 2004 104,960 A..H. --- "C:\DELL\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\PXMAS.DLL"
Tue 27 Jul 2004 57,344 A..H. --- "C:\DELL\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\PXWAVE.DLL"
Wed 19 May 2004 28,672 A..H. --- "C:\DELL\VXBLOCK.DLL"
Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\MEDIAEXE\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\MEDIAEXE\PX.DLL"
Tue 27 Jul 2004 56,832 A..H. --- "C:\DELL\MEDIAEXE\PXCPYA64.EXE"
Tue 27 Jul 2004 108,544 A..H. --- "C:\DELL\MEDIAEXE\PXCPYI64.EXE"
Tue 17 Aug 2004 389,120 A..H. --- "C:\DELL\MEDIAEXE\PXDRV.DLL"
Sun 1 Aug 2004 20,576 A..H. --- "C:\DELL\MEDIAEXE\PXHELP20.SYS"
Sun 1 Aug 2004 54,976 A..H. --- "C:\DELL\MEDIAEXE\PXHELP64.SYS"
Sun 1 Aug 2004 32,272 A..H. --- "C:\DELL\MEDIAEXE\PXHELPER.SYS"
Sun 1 Aug 2004 26,720 A..H. --- "C:\DELL\MEDIAEXE\PXHLPA64.SYS"
Sun 1 Aug 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXHPINST.EXE"
Sun 1 Aug 2004 53,760 A..H. --- "C:\DELL\MEDIAEXE\PXINSA64.EXE"
Sun 1 Aug 2004 104,960 A..H. --- "C:\DELL\MEDIAEXE\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\MEDIAEXE\PXMAS.DLL"
Tue 27 Jul 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\MEDIAEXE\PXWAVE.DLL"
Wed 19 May 2004 28,672 A..H. --- "C:\DELL\MEDIAEXE\VXBLOCK.DLL"
Mon 16 Oct 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 10 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT11.tmp"
Fri 13 Apr 2007 8 A..H. --- "C:\Documents and Settings\Warren Hoeft\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Fri 13 Apr 2007 8 A..H. --- "C:\Documents and Settings\Warren Hoeft\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Fri 13 Apr 2007 8 A..H. --- "C:\Documents and Settings\Warren Hoeft\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Fri 13 Apr 2007 8 A..H. --- "C:\Documents and Settings\Warren Hoeft\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!



The New Combo Fix File


ComboFix 08-06-15.4 - Warren Hoeft 2008-06-16 9:15:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.674 [GMT -7:00]
Running from: C:\Documents and Settings\Warren Hoeft\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Warren Hoeft\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\clrssn.exe
C:\WINDOWS\default.htm
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\SYSTEM32\clbdll.dll
C:\WINDOWS\SYSTEM32\DRIVERS\clbdriver.sys
C:\WINDOWS\SYSTEM32\iftuyszv.exe
C:\WINDOWS\x.exe
D:\Madden04.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Easy SpyRemover
C:\Program Files\Easy SpyRemover\action.dbf
C:\Program Files\Easy SpyRemover\blockprocess.dll
C:\Program Files\Easy SpyRemover\cookie.dbf
C:\Program Files\Easy SpyRemover\Easy SpyRemover Help.chm
C:\Program Files\Easy SpyRemover\Easy SpyRemover.log
C:\Program Files\Easy SpyRemover\EasySpyRemover.exe
C:\Program Files\Easy SpyRemover\EasySpyRemover.exe.manifest
C:\Program Files\Easy SpyRemover\EasySpyRemover.url
C:\Program Files\Easy SpyRemover\file copy 2.avi
C:\Program Files\Easy SpyRemover\file copy to web.avi
C:\Program Files\Easy SpyRemover\knowspyware.dbf
C:\Program Files\Easy SpyRemover\settings.ini
C:\Program Files\Easy SpyRemover\unins000.dat
C:\Program Files\Easy SpyRemover\unins000.exe
C:\WINDOWS\default.htm
C:\WINDOWS\SYSTEM32\clbdll.dll
C:\WINDOWS\SYSTEM32\DRIVERS\clbdriver.sys

.
((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-16 07:54 . 2008-06-16 07:54 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-16 07:44 . 2008-06-16 07:44 <DIR> d-------- C:\SDFix
2008-06-15 20:29 . 2008-06-15 20:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-15 14:57 . 2008-06-15 14:57 <DIR> d-------- C:\Program Files\Uniblue
2008-06-14 19:48 . 2004-08-04 03:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-06-10 15:54 . 2008-04-14 04:01 272,128 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2008-06-10 15:54 . 2008-04-14 04:01 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-08 09:50 . 2008-06-14 19:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-08 09:50 . 2008-06-08 09:50 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-01 08:33 . 2008-06-01 16:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-01 08:32 . 2008-06-01 16:56 <DIR> d-------- C:\Program Files\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 16:17 --------- d-----w C:\Program Files\QuickTime
2008-06-16 16:15 --------- d-----w C:\Program Files\DellSupport
2008-06-15 04:47 --------- d-----w C:\Program Files\EA SPORTS
2008-06-15 03:42 --------- d-----w C:\Program Files\McAfee
2008-06-15 03:42 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-08 16:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-04 22:57 --------- d-----w C:\Program Files\LimeWire
2008-04-30 03:24 --------- d-----w C:\Program Files\DivX
2007-01-11 05:32 940,032 ------w C:\Documents and Settings\Warren Hoeft\dbghelp.dll
2007-01-11 05:32 2,392,064 ------w C:\Documents and Settings\Warren Hoeft\LaunchPad.exe
2007-01-11 05:32 11,264 ------w C:\Documents and Settings\Warren Hoeft\lp_plugin.exe
.

((((((((((((((((((((((((((((( [email protected]_18.41.15.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-16 01:36:13 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-16 16:17:13 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-16 10:15:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-16 14:54:52 5,419,008 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-06-16 14:54:52 176,128 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-16 10:15:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-16 14:54:39 5,419,008 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-06-16 14:54:39 176,128 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2004-12-06 06:05:00 127,035 ----a-w C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E}]
2008-03-10 14:02 282636 --a------ C:\Program Files\eSoftware\studio.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2008-05-05 12:22 1923352]
"McAfee QuickClean Imonitor"="C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe" [2005-12-01 06:01 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-11 15:10 4583424]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 18:30 152144]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-09-18 14:46 110592]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"McRegWiz"="C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe" [2004-07-29 12:55 139264]
"Easy SpyRemover"="C:\Program Files\Easy SpyRemover\EasySpyRemover.exe" [ ]
"combofix"="C:\WINDOWS\system32\CF23034.exe" [2004-08-04 03:00 388608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe [2006-04-09 13:54:57 43520]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-09 13:49:12 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"= C:\Program Files\McAfee\McAfee AntiSpyware\MssShell.dll [2004-11-15 01:00 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yvu9"= C:\WINDOWS\system32\iyvu9_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\EA SPORTS\\Madden NFL 08\\Updater.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
S2 0015171213626283mcinstcleanup;McAfee Application Installer Cleanup (0015171213626283);C:\WINDOWS\TEMP\001517~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []

.
Contents of the 'Scheduled Tasks' folder
"2008-06-15 03:42:27 C:\WINDOWS\Tasks\McAfee AntiSpyware.job"
- C:\PROGRA~1\McAfee\MCAFEE~3\McSpy.ex
- C:\PROGRA~1\McAfee\MCAFEE~3
"2008-06-15 08:10:21 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-02-08 04:04:05 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 09:18:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\PROGRA~1\McAfee\MPS\mpsevh.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\WINDOWS\SYSTEM32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-06-16 9:23:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-16 16:23:50

Pre-Run: 27,422,728,192 bytes free
Post-Run: 27,405,697,024 bytes free

173 --- E O F --- 2008-06-11 03:10:50



And the new Hijack file


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:57 AM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: IE - {D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E} - C:\Program Files\eSoftware\studio.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Update Page Content - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\refreshpage.htm
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: McAfee Application Installer Cleanup (0015171213626283) (0015171213626283mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\001517~1.EXE (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\system32\IomegaAccess.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe

--
End of file - 9829 bytes
  • 0

#4
WarrenH

WarrenH

    Member

  • Topic Starter
  • Member
  • PipPip
  • 51 posts
Oh, sorry, forgot to answer your question. I joined bleepingcomputer and the whatthetech, but I only posted here because I started to follow the instructions for SteveTep here.
  • 0

#5
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Make sure you don't post at those forums or else you will be wasting another helpers time

Nearly done here actually


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#6
WarrenH

WarrenH

    Member

  • Topic Starter
  • Member
  • PipPip
  • 51 posts
Thanks for getting back to me. Okay, ran the Kaspersky Scan. Here's the results. What's next?


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, June 16, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, June 16, 2008 20:33:01
Records in database: 874421
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 133621
Threat name: 8
Infected objects: 12
Suspicious objects: 0
Duration of the scan: 01:28:40


File name / Threat name / Threats count
C:\Program Files\eSoftware\studio.dll/C:\Program Files\eSoftware\studio.dll Infected: not-a-virus:AdWare.Win32.SurfSide.bj 1
C:\Documents and Settings\Warren Hoeft\Application Data\Sun\Java\Deployment\cache\6.0\26\66e2f9da-47e35aea Infected: Trojan-Downloader.Java.OpenConnection.ap 1
C:\Documents and Settings\Warren Hoeft\Application Data\Sun\Java\Deployment\cache\6.0\54\342ff276-5c83583f Infected: Trojan-Downloader.Java.OpenConnection.ap 1
C:\Documents and Settings\Warren Hoeft\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-526002f4-55d58c93.zip Infected: Trojan-Downloader.Java.OpenConnection.ap 1
C:\Documents and Settings\Warren Hoeft\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-1f442ed4-5e8be89c.zip Infected: Trojan-Downloader.Java.OpenConnection.ap 1
C:\Documents and Settings\Warren Hoeft\Shared\cats in the craddle.wm Infected: Trojan-Downloader.WMA.Wimad.m 1
C:\Program Files\eSoftware\studio.dll Infected: not-a-virus:AdWare.Win32.SurfSide.bj 1
C:\QooBox\Quarantine\C\Program Files\Starware337\Setup.exe.vir Infected: not-a-virus:AdWare.Win32.Comet.ba 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\000070.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.gb 1
C:\QooBox\Quarantine\catchme2008-06-15_183456.10.zip Infected: Rootkit.Win32.Clbd.ce 1
C:\QooBox\Quarantine\catchme2008-06-15_183456.10.zip Infected: not-a-virus:AdWare.Win32.PurityScan.gp 1
C:\SDFix\SDFix\backups\backups.zip Infected: not-virus:Hoax.Win32.Renos.daw 1

The selected area was scanned.
  • 0

#7
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\Program Files\eSoftware\studio.dll
    purity 
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Also tell me how your PC is running
  • 0

#8
WarrenH

WarrenH

    Member

  • Topic Starter
  • Member
  • PipPip
  • 51 posts
My computer seems to be running fine. I haven't run any programs except internet explorer and the stuff you've directed me to though. I've been afraid I might corrupt other files if I started doing stuff before cleaning out the system. What's next? Is it cured?

Log file from OTMoveIt2


Explorer killed successfully
C:\Program Files\eSoftware\studio.dll unregistered successfully.
C:\Program Files\eSoftware\studio.dll moved successfully.
< purity >
< EmptyTemp >
File delete failed. C:\WINDOWS\temp\mcafee_2OgMqCMmVx6GAhz scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_55cwJnP3EJGO6jV scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_dwsOx549PPH0fSv scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_pIr56MSOlKiWva9 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_Q9g7ck8fgApFTI3 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_T86llHdetSmp8jQ scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_XTaur3jurkPEGTP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_7rexNlcD6tu2asu scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_IQ9sIbXj6H3uZ5H scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_T9xjv5fc9b1b18T scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_y3981BPmQdb2DQ6 scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06162008_162221

Files moved on Reboot...
File C:\WINDOWS\temp\mcafee_2OgMqCMmVx6GAhz not found!
File C:\WINDOWS\temp\mcmsc_55cwJnP3EJGO6jV not found!
File C:\WINDOWS\temp\mcmsc_dwsOx549PPH0fSv not found!
File C:\WINDOWS\temp\mcmsc_pIr56MSOlKiWva9 not found!
File C:\WINDOWS\temp\mcmsc_Q9g7ck8fgApFTI3 not found!
File C:\WINDOWS\temp\mcmsc_T86llHdetSmp8jQ not found!
File C:\WINDOWS\temp\mcmsc_XTaur3jurkPEGTP not found!
File C:\WINDOWS\temp\sqlite_7rexNlcD6tu2asu not found!
File C:\WINDOWS\temp\sqlite_IQ9sIbXj6H3uZ5H not found!
C:\WINDOWS\temp\sqlite_T9xjv5fc9b1b18T moved successfully.
C:\WINDOWS\temp\sqlite_y3981BPmQdb2DQ6 moved successfully.
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image



  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
  • Click Yes to beging the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here




Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#10
WarrenH

WarrenH

    Member

  • Topic Starter
  • Member
  • PipPip
  • 51 posts
Removed Combofix and OTMoveIt2. Updated Java. Installed Java ™ 6 update 6 and deleted all Java Runtime Environment programs. Still have Java ™ 6 Update 2 and Update 3. Should I delete these? The java icon next to my clock is trying to lure me into loading Update 5. Do I need this? Downloaded SpywareBlaster and Adaware. Interested in MVPS Hosts file but I had a hard time understanding the tutorial. How difficult is it to operate and maintain? And if I leg in updating will it crash my system? Oh and reset my Internet Explorer settings and updated Windows. These are about the limit of the changes I'm willing to make.

Your help has been very much appreciated. I've been so relieved I haven't had to wipe the whole thing.
  • 0

#11
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts

Still have Java ™ 6 Update 2 and Update 3. Should I delete these

Yes and update to the latest version

Interested in MVPS Hosts file but I had a hard time understanding the tutorial. How difficult is it to operate and maintain?

Just run the MVPS bat file

Anything else ?
  • 0

#12
WarrenH

WarrenH

    Member

  • Topic Starter
  • Member
  • PipPip
  • 51 posts
No that's it. Thank you so much. I am forever indebted to you.
  • 0

#13
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP