Trojan help: Trojan-Spy.Win32.KeyLogger.aa, Trojan-Spy.Win32.KeyLogger

#1 tsukihoshi (Member, 15 posts)

Hi, I just joined this community! Thanks for maintaining such a service for people like me. Usually I'm really careful with what I download, but the other day, I stupidly downloaded an unknown exe file. What possessed me, I don't know, but since then I've been infected with a really annoying trojan.

First it changes my wallpaper into a spyware warning. I have screencapped an image of that wallpaper here. (Note that this is an image and not an actual window.) I change my wallpaper back, but every so often, it will revert back. When it changes, an error warning pops up. Clicking OK changes my wallpaper.

At random moments, Windows Security Alert popups come up with one of the following warnings:

Trojan-Clicker.Win32.Tiny.h
Trojan-Spy.Win32.KeyLogger.aa
Trojan-Spy.Win32.GreenScreen
Trojan-Spy.HTML.Bankfraud.dq
Trojan-Downloader.Win32.Agent.bq

When I click on the Enable Protection button, it takes me to a website for SmartSoft to buy PC Antispy and PC Clean Pro.

I see many other people have the same problem as I do, but I dare not use the same instructions.

Please also note that I am using Windows Vista. I will post the Hijack This log in the following post.

Any help at all will be greatly appreciated! Thanks!

Regards,
Karen
#2 tsukihoshi (Topic Starter, Member, 15 posts)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:50, on 2008-08-15
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Fingerprint Reader Suite\psqltray.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineScheduler.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\WinRoll\winroll.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\ProgramData\webui\lazgnyps.exe
C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineTrayIcon.exe
C:\ProgramData\jspklkxi\lmtglqti.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\RealVNC\VNC4\vncviewer.exe
C:\ProgramData\shcfg\vopitefe.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.6972\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Fingerprint Reader Suite\launcher.exe" /startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [lphcvjaj0e3cg] C:\Windows\system32\lphcvjaj0e3cg.exe
O4 - HKCU\..\Run: [Dell DataSafe Scheduler] "C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineScheduler.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WinRoll] C:\Program Files\WinRoll\winroll.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [webui] C:\ProgramData\webui\lazgnyps.exe
O4 - HKCU\..\Run: [e2elq6MvVK] C:\ProgramData\jspklkxi\lmtglqti.exe
O4 - HKCU\..\Run: [chkapp] C:\ProgramData\chkapp\nefujuro.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....NPUplden-ca.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 13308 bytes
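As an added example (not code from the thread, from HijackThis or from ComboFix), the script below parses the O4 Run lines of a HijackThis log in the format just posted, flags every auto-start whose executable lives in a user-writable data directory, and cross-references each hit with the directory creation times from the ComboFix "Files Created" listing posted later in the thread, on the assumption that several directories appearing under C:\ProgramData in the same minute were dropped together. The location rule, the same-minute grouping and the sample lines (constructed from the posts) are this example's own; note that the entry dropped straight into system32 is one a location-only rule does not catch.

```python
"""Triage helper for the kind of logs posted in this thread (added example,
not part of the thread, of HijackThis or of ComboFix).

Assumptions of this example: an auto-start executable living under a
user-writable data directory deserves a look, and several directories
created under C:\\ProgramData in the same minute were probably dropped
together. The sample lines are constructed from the formats in the posts.
"""
import re
from collections import defaultdict

# O4 auto-start lines in HijackThis format (constructed sample).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [lphcvjaj0e3cg] C:\Windows\system32\lphcvjaj0e3cg.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [webui] C:\ProgramData\webui\lazgnyps.exe
O4 - HKCU\..\Run: [e2elq6MvVK] C:\ProgramData\jspklkxi\lmtglqti.exe
O4 - HKCU\..\Run: [chkapp] C:\ProgramData\chkapp\nefujuro.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
"""

# "Files Created" lines in ComboFix format (constructed sample).
COMBOFIX_SAMPLE = r"""
2008-08-15 23:42 . 2008-08-15 23:42 <DIR> d-------- C:\ProgramData\shcfg
2008-08-15 23:42 . 2008-08-15 23:42 <DIR> d-------- C:\ProgramData\chkapp
2008-08-15 23:36 . 2008-08-15 23:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-15 23:23 . 2008-07-30 20:07 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-08-15 01:21 . 2008-08-15 01:21 <DIR> d-------- C:\ProgramData\webui
2008-08-15 01:21 . 2008-08-15 01:21 <DIR> d-------- C:\ProgramData\jspklkxi
2008-08-15 01:21 . 2008-08-15 01:21 <DIR> d-------- C:\ProgramData\dscmsgweb
2008-08-09 03:47 . 2008-08-09 03:47 <DIR> d-------- C:\Program Files\Bonjour
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# First token of the command line, quoted or not, ending in an executable extension.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|scr|bat|cmd))\b"?', re.IGNORECASE)
# "<created> . <modified> <size or <DIR>> <attributes> <path>"
CREATED_RE = re.compile(
    r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ (?P<size><DIR>|[\d,]+) \S+ (?P<path>.+)$')

# A standard user can write here; auto-starts from these locations are unusual
# for installed system software and deserve a look (compared case-insensitively).
USER_WRITABLE_PREFIXES = ('c:\\programdata\\', 'c:\\users\\')


def parse_autostarts(log):
    """Yield (hive, value_name, executable_path) for each O4 Run entry in the log."""
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = EXE_RE.match(m.group('cmd'))
        if exe:
            yield m.group('hive'), m.group('name'), exe.group('path')


def parse_created_dirs(log):
    """Map each directory in ComboFix's 'Files Created' listing to its creation minute."""
    created = {}
    for line in log.splitlines():
        m = CREATED_RE.match(line.strip())
        if m and m.group('size') == '<DIR>':
            created[m.group('path').lower()] = m.group('created')
    return created


def triage(hjt_log, combofix_log):
    """Return one finding per auto-start in a user-writable directory, with the
    directory's creation minute and the other directories created in that minute."""
    created = parse_created_dirs(combofix_log)
    by_minute = defaultdict(list)
    for path, minute in created.items():
        by_minute[minute].append(path)
    findings = []
    for hive, name, exe in parse_autostarts(hjt_log):
        low = exe.lower()
        if not low.startswith(USER_WRITABLE_PREFIXES):
            continue  # Program Files, Windows and %VAR% paths need a reputation check instead
        parent = low.rsplit('\\', 1)[0]
        minute = created.get(parent)
        siblings = sorted(p for p in by_minute.get(minute, []) if p != parent)
        findings.append({'hive': hive, 'name': name, 'exe': exe,
                         'dir_created': minute, 'dropped_with': siblings})
    return findings


if __name__ == '__main__':
    for f in triage(HJT_SAMPLE, COMBOFIX_SAMPLE):
        print(f"{f['hive']} [{f['name']}] {f['exe']}  dir created {f['dir_created']}"
              f"  together with {f['dropped_with'] or 'nothing else'}")
```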

#3 tsukihoshi (Topic Starter, Member, 15 posts)

And if this helps:

Malwarebytes' Anti-Malware 1.24
Database version: 1056
Windows 6.0.6001 Service Pack 1

23:29:56 2008-08-15
mbam-log-8-15-2008 (23-29-56).txt

Scan type: Quick Scan
Objects scanned: 38458
Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 20
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 SpySentinel (Retired Staff, R.I.P., 5,152 posts)

Hey Karen,

Welcome to Geeks to Go! My name is SpySentinel and I will be helping you fix your computer problem.

Take note that I'm still in training, and my posts will have to be checked by an expert. This may cause delays in between my responses; I ask for your patience. Please stick with me until we get your computer cleaned up.

I'm currently analyzing your log now, and I'll post back with a fix ASAP. Thanks for your patience.

#5 SpySentinel (Retired Staff, R.I.P., 5,152 posts)

Please visit this web page for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#6 tsukihoshi (Topic Starter, Member, 15 posts)

Hi SpySentinel,

I'm confused about the Windows XP Recovery Console. As I have stated before, I am using Windows Vista. I have a Windows Vista CD that came with my Dell laptop but it's specifically tailored to Dell's specifications. What should I do?

Regards,
Karen

#7 SpySentinel (Retired Staff, R.I.P., 5,152 posts)

OK, just run ComboFix for now.

#8 tsukihoshi (Topic Starter, Member, 15 posts)

ComboFix 08-08-21.02 - Karen 2008-08-21 21:52:53.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1860 [GMT -4:00]
Running from: C:\Users\Karen\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\actskn43.ocx
C:\Windows\system32\Memman.vxd
C:\Windows\system32\skinboxer43.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-22 to 2008-08-22 )))))))))))))))))))))))))))))))
.

2008-08-19 21:57 . 2008-08-19 22:17 2,425 --a------ C:\Windows\diagwrn.xml
2008-08-19 21:57 . 2008-08-19 22:17 1,905 --a------ C:\Windows\diagerr.xml
2008-08-19 20:36 . 2008-08-19 20:36 <DIR> d-------- C:\Users\All Users\webmsginfo
2008-08-19 20:36 . 2008-08-19 20:36 <DIR> d-------- C:\ProgramData\webmsginfo
2008-08-17 05:37 . 2008-08-17 05:37 <DIR> d-------- C:\Users\All Users\WebCom
2008-08-17 05:37 . 2008-08-17 05:37 <DIR> d-------- C:\Users\All Users\HlpCmdSh
2008-08-17 05:37 . 2008-08-17 05:37 <DIR> d-------- C:\ProgramData\WebCom
2008-08-17 05:37 . 2008-08-17 05:37 <DIR> d-------- C:\ProgramData\HlpCmdSh
2008-08-15 23:47 . 2008-08-15 23:47 <DIR> d-------- C:\Users\All Users\DVD Shrink
2008-08-15 23:47 . 2008-08-15 23:47 <DIR> d-------- C:\ProgramData\DVD Shrink
2008-08-15 23:47 . 2008-08-15 23:47 <DIR> d-------- C:\Program Files\DVD Shrink
2008-08-15 23:42 . 2008-08-15 23:42 <DIR> d-------- C:\Users\All Users\shcfg
2008-08-15 23:42 . 2008-08-15 23:42 <DIR> d-------- C:\Users\All Users\chkapp
2008-08-15 23:42 . 2008-08-15 23:42 <DIR> d-------- C:\ProgramData\shcfg
2008-08-15 23:42 . 2008-08-15 23:42 <DIR> d-------- C:\ProgramData\chkapp
2008-08-15 23:36 . 2008-08-15 23:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-15 23:23 . 2008-08-15 23:23 <DIR> d-------- C:\Users\Karen\AppData\Roaming\Malwarebytes
2008-08-15 23:23 . 2008-08-15 23:23 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-08-15 23:23 . 2008-08-15 23:23 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-08-15 23:23 . 2008-08-15 23:23 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-15 23:23 . 2008-07-30 20:07 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-08-15 23:23 . 2008-07-30 20:07 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-08-15 23:22 . 2008-08-15 23:22 <DIR> d-------- C:\Users\Karen\AppData\Roaming\Download Manager
2008-08-15 21:27 . 2008-08-15 21:27 5,790 --a------ C:\Windows\System32\tmp.reg
2008-08-15 21:26 . 2007-09-06 00:22 289,144 --a------ C:\Windows\System32\VCCLSID.exe
2008-08-15 21:26 . 2006-04-27 17:49 288,417 --a------ C:\Windows\System32\SrchSTS.exe
2008-08-15 21:26 . 2008-05-29 09:35 86,528 --a------ C:\Windows\System32\VACFix.exe
2008-08-15 21:26 . 2008-05-18 21:40 82,944 --a------ C:\Windows\System32\IEDFix.exe
2008-08-15 21:26 . 2008-08-14 21:52 82,432 --a------ C:\Windows\System32\IEDFix.C.exe
2008-08-15 21:26 . 2008-08-09 15:37 82,432 --a------ C:\Windows\System32\404Fix.exe
2008-08-15 21:26 . 2004-07-31 18:50 51,200 --a------ C:\Windows\System32\dumphive.exe
2008-08-15 21:26 . 2007-10-04 00:36 25,600 --a------ C:\Windows\System32\WS2Fix.exe
2008-08-15 02:54 . 2008-08-15 02:59 <DIR> d-------- C:\Users\All Users\NVIDIA
2008-08-15 02:54 . 2008-08-15 02:59 <DIR> d-------- C:\ProgramData\NVIDIA
2008-08-15 01:21 . 2008-08-15 01:21 <DIR> d-------- C:\Users\All Users\webui
2008-08-15 01:21 . 2008-08-15 01:21 <DIR> d-------- C:\Users\All Users\jspklkxi
2008-08-15 01:21 . 2008-08-15 01:21 <DIR> d-------- C:\Users\All Users\dscmsgweb
2008-08-15 01:21 . 2008-08-15 01:21 <DIR> d-------- C:\ProgramData\webui
2008-08-15 01:21 . 2008-08-15 01:21 <DIR> d-------- C:\ProgramData\jspklkxi
2008-08-15 01:21 . 2008-08-15 01:21 <DIR> d-------- C:\ProgramData\dscmsgweb
2008-08-15 00:58 . 2008-08-15 00:58 <DIR> d-------- C:\Windows\nvtmpinst
2008-08-15 00:56 . 2008-08-15 00:56 <DIR> d-------- C:\Program Files\Megaupload Downloader
2008-08-14 22:51 . 2008-08-19 21:39 <DIR> d-------- C:\Users\All Users\Google Updater
2008-08-14 22:51 . 2008-08-19 21:39 <DIR> d-------- C:\ProgramData\Google Updater
2008-08-13 23:11 . 2008-07-15 21:32 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-13 19:59 . 2008-06-18 23:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-13 19:58 . 2008-04-18 01:48 269,312 --a------ C:\Windows\System32\es.dll
2008-08-13 19:57 . 2008-06-26 21:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-13 19:57 . 2008-06-27 00:15 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-13 19:49 . 2008-04-10 01:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
2008-08-09 03:47 . 2008-08-09 03:47 <DIR> d-------- C:\Program Files\Bonjour
2008-08-08 23:57 . 2008-08-08 23:57 <DIR> d-------- C:\Program Files\PowerISO
2008-08-04 18:36 . 2008-08-04 18:36 <DIR> d-------- C:\Program Files\TagRename
2008-07-22 22:04 . 2008-07-22 23:01 <DIR> d-------- C:\Users\Karen\Photos

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-22 01:57 --------- d-----w C:\Users\Karen\AppData\Roaming\DMCache
2008-08-16 03:10 --------- d-----w C:\Users\Karen\AppData\Roaming\Winamp
2008-08-16 03:10 --------- d-----w C:\ProgramData\FLEXnet
2008-08-16 01:25 --------- d-----w C:\Users\Karen\AppData\Roaming\IDM
2008-08-15 02:53 --------- d-----w C:\Program Files\Google
2008-08-14 07:05 --------- d-----w C:\Program Files\Windows Mail
2008-08-09 07:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-06 01:19 --------- d-----w C:\ProgramData\Roxio
2008-07-31 00:39 --------- d-----w C:\Users\Karen\AppData\Roaming\dvdcss
2008-07-27 01:38 27,335 ----a-w C:\Users\Karen\AppData\Roaming\nvModes.dat
2008-07-25 23:33 --------- d-----w C:\Program Files\Internet Download Manager
2008-07-23 02:55 --------- d-----w C:\Program Files\Free Download Manager
2008-07-22 03:08 --------- d-----w C:\Program Files\Winamp
2008-07-14 23:38 --------- d-----w C:\ProgramData\WindowsSearch
2008-07-13 04:20 --------- d-----w C:\Program Files\CAPCOM
2008-07-10 02:02 --------- d-----w C:\Program Files\SiteAdvisor
2008-07-08 02:46 --------- d-----w C:\Program Files\DVD Identifier
2008-07-07 05:44 --------- d-----w C:\Program Files\McAfee
2008-07-07 01:43 --------- d-----w C:\Users\Karen\AppData\Roaming\SiteAdvisor
2008-07-07 00:31 --------- d-----w C:\ProgramData\SiteAdvisor
2008-07-07 00:31 --------- d-----w C:\ProgramData\McAfee
2008-07-07 00:30 --------- d-----w C:\Program Files\McAfee.com
2008-07-07 00:30 --------- d-----w C:\Program Files\Common Files\McAfee
2008-07-06 20:19 --------- d-----w C:\Program Files\SiteAdvisor(55)
2008-07-05 07:26 --------- d-----w C:\Users\Karen\AppData\Roaming\Thinstall
2008-06-27 05:11 --------- d-----w C:\ProgramData\ACD Systems
2008-06-27 05:11 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-06-27 05:10 --------- d-----w C:\Program Files\ACD Systems
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-05-27 23:24 174 --sha-w C:\Program Files\desktop.ini
2008-03-16 15:07 74 --sh--r C:\Windows\CT4CET.bin
2008-04-01 20:44 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-04-01 20:44 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-04-01 20:44 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-17 00:13 721408 --a------ C:\Program Files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-17 00:13 721408 --a------ C:\Program Files\Fingerprint Reader Suite\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell DataSafe Scheduler"="C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineScheduler.exe" [2007-12-02 17:30 308464]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-10-09 19:56 202544]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 03:33 125952]
"WinRoll"="C:\Program Files\WinRoll\winroll.exe" [2004-04-06 12:00 15360]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-07-06 21:00 2594224]
"webui"="C:\ProgramData\webui\lazgnyps.exe" [2008-08-15 01:21 77824]
"e2elq6MvVK"="C:\ProgramData\jspklkxi\lmtglqti.exe" [2008-08-15 01:21 57344]
"chkapp"="C:\ProgramData\chkapp\nefujuro.exe" [2008-08-15 23:42 90112]
"HlpCmdSh"="C:\ProgramData\HlpCmdSh\hczwvupc.exe" [2008-08-17 05:37 90112]
"lphcvjaj0e3cg"="C:\Windows\system32\lphcvjaj0e3cg.exe" [BU]
"genactdb"="C:\ProgramData\genactdb\tsjirgfy.exe" [2008-08-21 21:58 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2007-05-25 02:03 17920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-10 03:00 857648]
"OEM02Mon.exe"="C:\Windows\OEM02Mon.exe" [2007-12-03 01:58 36864]
"VolPanel"="C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2006-11-27 10:14 180224]
"UpdReg"="C:\Windows\UpdReg.EXE" [2000-05-11 02:00 90112]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 17:43 118784]
"PSQLLauncher"="C:\Program Files\Fingerprint Reader Suite\launcher.exe" [2007-04-16 23:50 49168]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-16 11:20 1838592]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 19:57 16384]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-11-01 16:39 189736]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-07-09 17:33 36352]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-10-09 19:56 202544]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 17:57 36640]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-10-04 21:24 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-10-04 21:24 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-10-04 21:24 81920]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-10-04 21:24 86016]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe [2007-07-20 19:13:26 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-17 00:04 86528 C:\Windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"= C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{F86430DE-CF8F-4BCB-BD80-5EB812AB449A}"= C:\Program Files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{A3956BCC-9895-4B4B-8E74-036D94C0036D}"= C:\Program Files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{31043A6D-AF7E-4416-9F64-872ABE578709}"= C:\Program Files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{3F27E2D6-D258-4C52-982C-3489E84321A9}"= C:\Program Files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{2DD59FD8-2A7D-49BC-89C5-E6B0AB90EE07}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{D5190660-187A-4C71-865A-7E53CDDABDAB}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{C29B27A2-DB63-4438-AC0D-3B2A5930A34A}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{A6C3E698-ADED-4D90-A42F-BE90C578317D}C:\\program files\\keyholetv\\keyholetv.exe"= UDP:C:\program files\keyholetv\keyholetv.exe:KeyHole TV Main Application
"UDP Query User{9949E4C4-8286-4FD9-829B-9B80BB870C70}C:\\program files\\keyholetv\\keyholetv.exe"= TCP:C:\program files\keyholetv\keyholetv.exe:KeyHole TV Main Application
"TCP Query User{9C6D6266-F1EA-44D7-B67F-009DFB6CCCDB}C:\\users\\karen\\desktop\\hfs.exe"= UDP:C:\users\karen\desktop\hfs.exe:hfs.exe
"UDP Query User{3E383C3A-56CB-4E02-B332-A327EA68C804}C:\\users\\karen\\desktop\\hfs.exe"= TCP:C:\users\karen\desktop\hfs.exe:hfs.exe
"TCP Query User{D0A7B4B8-AD22-4877-8984-FD750EFF762E}C:\\program files\\keyholetv\\keyholetv.exe"= UDP:C:\program files\keyholetv\keyholetv.exe:KeyHole TV Main Application
"UDP Query User{9386816D-AD72-4364-AACC-8DDACB37B312}C:\\program files\\keyholetv\\keyholetv.exe"= TCP:C:\program files\keyholetv\keyholetv.exe:KeyHole TV Main Application
"TCP Query User{11BEA281-33B2-4C72-BCEB-B92530D22AD4}C:\\program files\\flashfxp\\flashfxp.exe"= UDP:C:\program files\flashfxp\flashfxp.exe:FlashFXP
"UDP Query User{5C56AA88-85DD-4819-BCAF-AF66E6CAEBE5}C:\\program files\\flashfxp\\flashfxp.exe"= TCP:C:\program files\flashfxp\flashfxp.exe:FlashFXP
"{2AF6D983-395E-457B-8F7C-B6112B196372}"= Profile=Private|Profile=Public|C:\Program Files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\System\\winnet32.exe"= C:\Program Files\Common Files\System\winnet32.exe:*:Enabled:Windows Update
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"= C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3

R2 AESTFilters;Andrea ST Filters Service;C:\Windows\system32\aestsrv.exe [2008-01-01 23:44]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-05-24 08:35]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\Windows\system32\DRIVERS\OEM02Dev.sys [2007-12-03 01:58]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\Windows\system32\DRIVERS\OEM02Vfx.sys [2007-12-03 01:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bc24e7a-f368-11dc-8426-806e6f6e6963}]
\shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-15 C:\Windows\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-01 C:\Windows\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-06-09 C:\Windows\Tasks\Uniblue SpyEraser.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe [2008-01-08 09:14]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-lphcvjaj0e3cg - C:\Windows\system32\lphcvjaj0e3cg.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\Karen\AppData\Roaming\Mozilla\Firefox\Profiles\lm7icenz.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://go.microsoft.com/fwlink/?LinkId=69157
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 21:57:28
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\SiteAdvisor\6261\saHook.dll
-> C:\Program Files\WinRoll\winroll.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Fingerprint Reader Suite\upeksvr.exe
C:\Windows\System32\wlanext.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Windows\System32\CTSVCCDA.EXE
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\System32\stacsv.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Windows\System32\conime.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Fingerprint Reader Suite\psqltray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineTrayIcon.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\ProgramData\srvmonapl\dobgbibk.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-08-21 22:06:33 - machine was rebooted [Karen]
ComboFix-quarantined-files.txt 2008-08-22 02:06:08
ComboFix2.txt 2008-08-16 02:08:43

Pre-Run: 131,607,736,320 bytes free
Post-Run: 131,650,453,504 bytes free

273 --- E O F --- 2008-08-21 02:42:14

#9 SpySentinel (Retired Staff)
You are doing well.


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Folder::
C:\Users\All Users\WebCom
C:\ProgramData\WebCom
C:\Users\All Users\shcfg
C:\Users\All Users\chkapp
C:\Users\All Users\dscmsgweb
C:\Users\All Users\jspklkxi
C:\Users\All Users\webui
C:\ProgramData\webui
C:\ProgramData\jspklkxi
C:\ProgramData\dscmsgweb

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinRoll"=-
"webui"=-
"e2elq6MvVK"=-
"chkapp"=-
"lphcvjaj0e3cg"=-
"genactdb"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bc24e7a-f368-11dc-8426-806e6f6e6963}]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#10 tsukihoshi (Topic Starter)
Here is the new ComboFix log after applying the CFScript. The only issue is that I forgot to disable anti-virus programs this time and a virus warning popped up during the scan... I think it was called ELICAR or something like that. Does that affect the scan results? Should I undo it and redo it?


ComboFix 08-08-21.02 - Karen 2008-08-23 0:43:01.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1615 [GMT -4:00]
Running from: C:\Users\Karen\Desktop\ComboFix.exe
Command switches used :: C:\Users\Karen\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\dscmsgweb
C:\ProgramData\dscmsgweb\dkxsdgzy.exe
C:\ProgramData\jspklkxi
C:\ProgramData\jspklkxi\lmtglqti.exe
C:\ProgramData\WebCom
C:\ProgramData\WebCom\folwjebw.exe
C:\ProgramData\webui
C:\ProgramData\webui\lazgnyps.exe
C:\Users\All Users\chkapp
C:\Users\All Users\chkapp\nefujuro.exe
C:\Users\All Users\dscmsgweb\dkxsdgzy.exe
C:\Users\All Users\jspklkxi\lmtglqti.exe
C:\Users\All Users\shcfg
C:\Users\All Users\shcfg\vopitefe.exe
C:\Users\All Users\WebCom\folwjebw.exe
C:\Users\All Users\webui\lazgnyps.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

2008-08-21 22:28 . 2008-08-21 22:28 <DIR> d-------- C:\Users\All Users\strui
2008-08-21 22:28 . 2008-08-21 22:28 <DIR> d-------- C:\Users\All Users\AdmMntCmd
2008-08-21 22:28 . 2008-08-21 22:28 <DIR> d-------- C:\ProgramData\strui
2008-08-21 22:28 . 2008-08-21 22:28 <DIR> d-------- C:\ProgramData\AdmMntCmd
2008-08-21 21:58 . 2008-08-21 21:58 <DIR> d-------- C:\Users\All Users\srvmonapl
2008-08-21 21:58 . 2008-08-21 21:58 <DIR> d-------- C:\Users\All Users\genactdb
2008-08-21 21:58 . 2008-08-21 21:58 <DIR> d-------- C:\ProgramData\srvmonapl
2008-08-21 21:58 . 2008-08-21 21:58 <DIR> d-------- C:\ProgramData\genactdb
2008-08-19 21:57 . 2008-08-19 22:17 2,425 --a------ C:\Windows\diagwrn.xml
2008-08-19 21:57 . 2008-08-19 22:17 1,905 --a------ C:\Windows\diagerr.xml
2008-08-19 20:36 . 2008-08-19 20:36 <DIR> d-------- C:\Users\All Users\webmsginfo
2008-08-19 20:36 . 2008-08-19 20:36 <DIR> d-------- C:\ProgramData\webmsginfo
2008-08-17 05:37 . 2008-08-17 05:37 <DIR> d-------- C:\Users\All Users\HlpCmdSh
2008-08-17 05:37 . 2008-08-17 05:37 <DIR> d-------- C:\ProgramData\HlpCmdSh
2008-08-15 23:47 . 2008-08-15 23:47 <DIR> d-------- C:\Users\All Users\DVD Shrink
2008-08-15 23:47 . 2008-08-15 23:47 <DIR> d-------- C:\ProgramData\DVD Shrink
2008-08-15 23:47 . 2008-08-15 23:47 <DIR> d-------- C:\Program Files\DVD Shrink
2008-08-15 23:36 . 2008-08-15 23:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-15 23:23 . 2008-08-15 23:23 <DIR> d-------- C:\Users\Karen\AppData\Roaming\Malwarebytes
2008-08-15 23:23 . 2008-08-15 23:23 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-08-15 23:23 . 2008-08-15 23:23 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-08-15 23:23 . 2008-08-15 23:23 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-15 23:23 . 2008-07-30 20:07 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-08-15 23:23 . 2008-07-30 20:07 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-08-15 23:22 . 2008-08-15 23:22 <DIR> d-------- C:\Users\Karen\AppData\Roaming\Download Manager
2008-08-15 21:27 . 2008-08-15 21:27 5,790 --a------ C:\Windows\System32\tmp.reg
2008-08-15 21:26 . 2007-09-06 00:22 289,144 --a------ C:\Windows\System32\VCCLSID.exe
2008-08-15 21:26 . 2006-04-27 17:49 288,417 --a------ C:\Windows\System32\SrchSTS.exe
2008-08-15 21:26 . 2008-05-29 09:35 86,528 --a------ C:\Windows\System32\VACFix.exe
2008-08-15 21:26 . 2008-05-18 21:40 82,944 --a------ C:\Windows\System32\IEDFix.exe
2008-08-15 21:26 . 2008-08-14 21:52 82,432 --a------ C:\Windows\System32\IEDFix.C.exe
2008-08-15 21:26 . 2008-08-09 15:37 82,432 --a------ C:\Windows\System32\404Fix.exe
2008-08-15 21:26 . 2004-07-31 18:50 51,200 --a------ C:\Windows\System32\dumphive.exe
2008-08-15 21:26 . 2007-10-04 00:36 25,600 --a------ C:\Windows\System32\WS2Fix.exe
2008-08-15 02:54 . 2008-08-15 02:59 <DIR> d-------- C:\Users\All Users\NVIDIA
2008-08-15 02:54 . 2008-08-15 02:59 <DIR> d-------- C:\ProgramData\NVIDIA
2008-08-15 00:58 . 2008-08-15 00:58 <DIR> d-------- C:\Windows\nvtmpinst
2008-08-15 00:56 . 2008-08-15 00:56 <DIR> d-------- C:\Program Files\Megaupload Downloader
2008-08-14 22:51 . 2008-08-21 22:05 <DIR> d-------- C:\Users\All Users\Google Updater
2008-08-14 22:51 . 2008-08-21 22:05 <DIR> d-------- C:\ProgramData\Google Updater
2008-08-13 23:11 . 2008-07-15 21:32 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-13 19:59 . 2008-06-18 23:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-13 19:58 . 2008-04-18 01:48 269,312 --a------ C:\Windows\System32\es.dll
2008-08-13 19:57 . 2008-06-26 21:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-13 19:57 . 2008-06-27 00:15 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-13 19:49 . 2008-04-10 01:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
2008-08-09 03:47 . 2008-08-09 03:47 <DIR> d-------- C:\Program Files\Bonjour
2008-08-08 23:57 . 2008-08-08 23:57 <DIR> d-------- C:\Program Files\PowerISO
2008-08-04 18:36 . 2008-08-04 18:36 <DIR> d-------- C:\Program Files\TagRename

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 04:45 --------- d-----w C:\Users\Karen\AppData\Roaming\DMCache
2008-08-22 02:51 --------- d-----w C:\Program Files\Winamp
2008-08-16 03:10 --------- d-----w C:\Users\Karen\AppData\Roaming\Winamp
2008-08-16 03:10 --------- d-----w C:\ProgramData\FLEXnet
2008-08-16 01:25 --------- d-----w C:\Users\Karen\AppData\Roaming\IDM
2008-08-15 02:53 --------- d-----w C:\Program Files\Google
2008-08-14 07:05 --------- d-----w C:\Program Files\Windows Mail
2008-08-09 07:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-06 01:19 --------- d-----w C:\ProgramData\Roxio
2008-07-31 00:39 --------- d-----w C:\Users\Karen\AppData\Roaming\dvdcss
2008-07-27 01:38 27,335 ----a-w C:\Users\Karen\AppData\Roaming\nvModes.dat
2008-07-25 23:33 --------- d-----w C:\Program Files\Internet Download Manager
2008-07-23 02:55 --------- d-----w C:\Program Files\Free Download Manager
2008-07-14 23:38 --------- d-----w C:\ProgramData\WindowsSearch
2008-07-13 04:49 107,888 ----a-w C:\Windows\System32\CmdLineExt.dll
2008-07-13 04:20 --------- d-----w C:\Program Files\CAPCOM
2008-07-10 02:02 --------- d-----w C:\Program Files\SiteAdvisor
2008-07-08 02:46 --------- d-----w C:\Program Files\DVD Identifier
2008-07-07 05:44 --------- d-----w C:\Program Files\McAfee
2008-07-07 01:43 --------- d-----w C:\Users\Karen\AppData\Roaming\SiteAdvisor
2008-07-07 00:31 --------- d-----w C:\ProgramData\SiteAdvisor
2008-07-07 00:31 --------- d-----w C:\ProgramData\McAfee
2008-07-07 00:30 --------- d-----w C:\Program Files\McAfee.com
2008-07-07 00:30 --------- d-----w C:\Program Files\Common Files\McAfee
2008-07-06 20:19 --------- d-----w C:\Program Files\SiteAdvisor(55)
2008-07-05 07:26 --------- d-----w C:\Users\Karen\AppData\Roaming\Thinstall
2008-06-27 05:11 --------- d-----w C:\ProgramData\ACD Systems
2008-06-27 05:11 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-06-27 05:10 --------- d-----w C:\Program Files\ACD Systems
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-05-27 23:24 174 --sha-w C:\Program Files\desktop.ini
2008-05-27 21:55 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-05-27 21:55 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-05-27 05:21 1,582,592 ----a-w C:\Windows\System32\tquery.dll
2008-05-27 05:21 1,418,240 ----a-w C:\Windows\System32\mssrch.dll
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\SearchFilterHost.exe
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\mssitlb.dll
2008-05-27 05:17 754,176 ----a-w C:\Windows\System32\propsys.dll
2008-05-27 05:17 60,416 ----a-w C:\Windows\System32\msscntrs.dll
2008-05-27 05:17 6,103,040 ----a-w C:\Windows\System32\chtbrkr.dll
2008-05-27 05:17 34,816 ----a-w C:\Windows\System32\msscb.dll
2008-05-27 05:17 32,768 ----a-w C:\Windows\System32\mssprxy.dll
2008-05-27 05:17 313,344 ----a-w C:\Windows\System32\thawbrkr.dll
2008-05-27 05:17 301,568 ----a-w C:\Windows\System32\srchadmin.dll
2008-05-27 05:17 194,560 ----a-w C:\Windows\System32\offfilt.dll
2008-05-27 05:17 143,872 ----a-w C:\Windows\System32\korwbrkr.dll
2008-05-27 05:17 11,776 ----a-w C:\Windows\System32\msshooks.dll
2008-05-27 05:17 1,671,680 ----a-w C:\Windows\System32\chsbrkr.dll
2008-05-27 04:59 18,904 ----a-w C:\Windows\System32\StructuredQuerySchemaTrivial.bin
2008-05-27 04:59 106,605 ----a-w C:\Windows\System32\StructuredQuerySchema.bin
2008-03-16 15:07 74 --sh--r C:\Windows\CT4CET.bin
2008-04-01 20:44 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-04-01 20:44 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-04-01 20:44 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-21_22.05.07.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-22 01:56:27 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-22 02:42:11 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-22 01:56:27 81,920 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-22 02:42:11 81,920 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-22 01:56:27 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-08-22 02:42:11 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-08-20 03:16:32 105,852 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-08-22 02:04:03 105,852 ----a-w C:\Windows\System32\perfc009.dat
- 2008-08-20 03:16:32 600,378 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-08-22 02:04:03 600,378 ----a-w C:\Windows\System32\perfh009.dat
- 2008-08-22 01:32:09 253,112 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2008-08-23 04:38:12 253,490 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-17 00:13 721408 --a------ C:\Program Files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-17 00:13 721408 --a------ C:\Program Files\Fingerprint Reader Suite\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell DataSafe Scheduler"="C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineScheduler.exe" [2007-12-02 17:30 308464]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-10-09 19:56 202544]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 03:33 125952]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-07-06 21:00 2594224]
"HlpCmdSh"="C:\ProgramData\HlpCmdSh\hczwvupc.exe" [2008-08-17 05:37 90112]
"strui"="C:\ProgramData\strui\zsrspwvu.exe" [2008-08-21 22:28 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2007-05-25 02:03 17920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-10 03:00 857648]
"OEM02Mon.exe"="C:\Windows\OEM02Mon.exe" [2007-12-03 01:58 36864]
"VolPanel"="C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2006-11-27 10:14 180224]
"UpdReg"="C:\Windows\UpdReg.EXE" [2000-05-11 02:00 90112]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 17:43 118784]
"PSQLLauncher"="C:\Program Files\Fingerprint Reader Suite\launcher.exe" [2007-04-16 23:50 49168]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-16 11:20 1838592]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 19:57 16384]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-11-01 16:39 189736]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-08-03 19:02 36352]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-10-09 19:56 202544]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 17:57 36640]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-10-04 21:24 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-10-04 21:24 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-10-04 21:24 81920]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-10-04 21:24 86016]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe [2007-07-20 19:13:26 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-17 00:04 86528 C:\Windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"= C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{F86430DE-CF8F-4BCB-BD80-5EB812AB449A}"= C:\Program Files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{A3956BCC-9895-4B4B-8E74-036D94C0036D}"= C:\Program Files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{31043A6D-AF7E-4416-9F64-872ABE578709}"= C:\Program Files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{3F27E2D6-D258-4C52-982C-3489E84321A9}"= C:\Program Files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{2DD59FD8-2A7D-49BC-89C5-E6B0AB90EE07}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{D5190660-187A-4C71-865A-7E53CDDABDAB}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{C29B27A2-DB63-4438-AC0D-3B2A5930A34A}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{A6C3E698-ADED-4D90-A42F-BE90C578317D}C:\\program files\\keyholetv\\keyholetv.exe"= UDP:C:\program files\keyholetv\keyholetv.exe:KeyHole TV Main Application
"UDP Query User{9949E4C4-8286-4FD9-829B-9B80BB870C70}C:\\program files\\keyholetv\\keyholetv.exe"= TCP:C:\program files\keyholetv\keyholetv.exe:KeyHole TV Main Application
"TCP Query User{9C6D6266-F1EA-44D7-B67F-009DFB6CCCDB}C:\\users\\karen\\desktop\\hfs.exe"= UDP:C:\users\karen\desktop\hfs.exe:hfs.exe
"UDP Query User{3E383C3A-56CB-4E02-B332-A327EA68C804}C:\\users\\karen\\desktop\\hfs.exe"= TCP:C:\users\karen\desktop\hfs.exe:hfs.exe
"TCP Query User{D0A7B4B8-AD22-4877-8984-FD750EFF762E}C:\\program files\\keyholetv\\keyholetv.exe"= UDP:C:\program files\keyholetv\keyholetv.exe:KeyHole TV Main Application
"UDP Query User{9386816D-AD72-4364-AACC-8DDACB37B312}C:\\program files\\keyholetv\\keyholetv.exe"= TCP:C:\program files\keyholetv\keyholetv.exe:KeyHole TV Main Application
"TCP Query User{11BEA281-33B2-4C72-BCEB-B92530D22AD4}C:\\program files\\flashfxp\\flashfxp.exe"= UDP:C:\program files\flashfxp\flashfxp.exe:FlashFXP
"UDP Query User{5C56AA88-85DD-4819-BCAF-AF66E6CAEBE5}C:\\program files\\flashfxp\\flashfxp.exe"= TCP:C:\program files\flashfxp\flashfxp.exe:FlashFXP
"{2AF6D983-395E-457B-8F7C-B6112B196372}"= Profile=Private|Profile=Public|C:\Program Files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\System\\winnet32.exe"= C:\Program Files\Common Files\System\winnet32.exe:*:Enabled:Windows Update
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"= C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3

R2 AESTFilters;Andrea ST Filters Service;C:\Windows\system32\aestsrv.exe [2008-01-01 23:44]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-05-24 08:35]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\Windows\system32\DRIVERS\OEM02Dev.sys [2007-12-03 01:58]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\Windows\system32\DRIVERS\OEM02Vfx.sys [2007-12-03 01:59]
.
Contents of the 'Scheduled Tasks' folder

2008-08-15 C:\Windows\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-01 C:\Windows\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-06-09 C:\Windows\Tasks\Uniblue SpyEraser.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe [2008-01-08 09:14]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 00:45:59
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-23 0:47:55
ComboFix-quarantined-files.txt 2008-08-23 04:47:21
ComboFix2.txt 2008-08-22 02:06:34
ComboFix3.txt 2008-08-16 02:08:43

Pre-Run: 132,121,874,432 bytes free
Post-Run: 132,108,488,704 bytes free

267 --- E O F --- 2008-08-21 02:42:14
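The two ComboFix logs in this thread and the CFScript SpySentinel posted above share one pattern: autostart values under HKCU\...\Run pointing at eight-letter executables in freshly created folders directly under C:\ProgramData (which C:\Users\All Users mirrors on Vista), every Windows Firewall profile set to EnableFirewall = 0, and a mountpoints2 AutoRun handler for E:\setup.exe. The Python below is an added example, not part of the thread and not ComboFix's code: it parses a "Reg Loading Points" listing, flags those entries, diffs two runs to catch anything that came back between scans, and drafts a CFScript in the same Folder::/Registry:: form as the post above. The sample logs are constructed, abridged copies of the two logs in this thread; the name heuristics (eight lowercase letters under ProgramData, a long digit-bearing lowercase name in system32) are assumptions fitted to these logs, not a general signature.

```python
# Added example for this thread (not ComboFix's own code). The CFScript layout copies the
# script SpySentinel posted above; the random-name heuristics are assumptions fitted to these logs.
import re
from collections import namedtuple

Finding = namedtuple("Finding", "key name path reason folder")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
TRAILING_NOTE_RE = re.compile(r"\s*\[[^\]]*\]$")                  # ComboFix's "[date size]" / "[BU]" suffix
RANDOM_EXE_RE = re.compile(r"^[a-z]{8}\.exe$")                     # lmtglqti.exe, hczwvupc.exe, zsrspwvu.exe
GENERATED_SYS32_RE = re.compile(r"^(?=.*\d)[a-z0-9]{12,}\.exe$")  # lphcvjaj0e3cg.exe
DATA_ROOTS = ("c:\\programdata", "c:\\users\\all users")          # All Users is a junction to ProgramData on Vista

# Constructed samples, abridged from the two ComboFix logs in this thread (before and after the CFScript run).
LOG_BEFORE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"e2elq6MvVK"="C:\ProgramData\jspklkxi\lmtglqti.exe" [2008-08-15 01:21 57344]
"chkapp"="C:\ProgramData\chkapp\nefujuro.exe" [2008-08-15 23:42 90112]
"HlpCmdSh"="C:\ProgramData\HlpCmdSh\hczwvupc.exe" [2008-08-17 05:37 90112]
"lphcvjaj0e3cg"="C:\Windows\system32\lphcvjaj0e3cg.exe" [BU]
"genactdb"="C:\ProgramData\genactdb\tsjirgfy.exe" [2008-08-21 21:58 86016]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bc24e7a-f368-11dc-8426-806e6f6e6963}]
\shell\AutoRun\command - E:\setup.exe
"""
LOG_AFTER = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-07-06 21:00 2594224]
"HlpCmdSh"="C:\ProgramData\HlpCmdSh\hczwvupc.exe" [2008-08-17 05:37 90112]
"strui"="C:\ProgramData\strui\zsrspwvu.exe" [2008-08-21 22:28 86016]
"""

def parse_reg_sections(text):
    """Return {key: {value_name: data}} from ComboFix's REGEDIT-style listing."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = m.group("key")
            sections.setdefault(current, {})
        elif current and line.startswith('"'):
            name, _, rest = line[1:].partition('"')
            data = rest.lstrip().lstrip("=").strip()
            sections[current][name] = TRAILING_NOTE_RE.sub("", data).strip().strip('"')
        elif current and line.startswith("\\shell\\") and " - " in line:
            verb, _, target = line.partition(" - ")  # mountpoints2: \shell\AutoRun\command - E:\setup.exe
            sections[current][verb] = target.strip()
    return sections

def suspicious_reason(path):
    """Return (reason, folder for the CFScript) for a Run target, or None if it looks benign."""
    parent, _, fname = path.lower().rpartition("\\")
    for root in DATA_ROOTS:  # 8-letter exe in a folder sitting directly under ProgramData / All Users
        if parent.startswith(root + "\\") and "\\" not in parent[len(root) + 1:] and RANDOM_EXE_RE.match(fname):
            return "random 8-letter exe directly under " + root, path.rpartition("\\")[0]
    if parent == "c:\\windows\\system32" and GENERATED_SYS32_RE.match(fname):
        return "machine-generated name in system32", None  # never put a system folder under Folder::
    return None

def triage(text):
    """Flag suspicious Run entries, disabled firewall profiles and removable-drive AutoRun handlers."""
    findings = {"run": [], "firewall_off": [], "autorun": []}
    for key, values in parse_reg_sections(text).items():
        kl = key.lower()
        if kl.endswith("\\currentversion\\run"):
            for name, data in values.items():
                if hit := suspicious_reason(data):
                    findings["run"].append(Finding(key, name, data, *hit))
        elif "firewallpolicy" in kl and values.get("EnableFirewall", "").startswith("0"):
            findings["firewall_off"].append(key.rsplit("\\", 1)[1])
        elif "mountpoints2" in kl:
            findings["autorun"].extend((key, verb, target) for verb, target in values.items())
    return findings

def new_run_findings(before_text, after_text):
    """Suspicious Run entries in the later log that the earlier one lacked: the re-infection check."""
    seen = {(f.key, f.name) for f in triage(before_text)["run"]}
    return [f for f in triage(after_text)["run"] if (f.key, f.name) not in seen]

def build_cfscript(findings):
    """Draft a CFScript in the thread's format; a human reviews it before dropping it onto ComboFix."""
    folders, registry = [], {}
    for f in findings["run"]:
        if f.folder and f.folder not in folders:
            folders.append(f.folder)
        registry.setdefault(f.key, []).append(f.name)
    lines = ["Folder::", *folders, "", "Registry::"]
    for key, names in registry.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    lines.extend(f"[-{key}]" for key in dict.fromkeys(k for k, _, _ in findings["autorun"]))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for f in triage(LOG_BEFORE)["run"]:
        print(f"{f.name:16} {f.path}  <- {f.reason}")
    print("new since previous run:", [f.name for f in new_run_findings(LOG_BEFORE, LOG_AFTER)])
    print(build_cfscript(triage(LOG_BEFORE)))
```

Run against the two logs above, triage flags the five HKCU Run entries of the first log but puts only the four ProgramData folders under Folder::, leaving system32 alone. new_run_findings reports strui, whose folder was created at 22:28 on 2008-08-21, after the first ComboFix run had completed at 22:06, and HlpCmdSh still shows in the second log because the posted script did not list it. The heuristics are a triage aid, not a verdict: entries they do not cover, such as the winnet32.exe firewall exception under Common Files\System that is labelled "Windows Update", still need a manual look, and a drafted CFScript is reviewed line by line before it goes anywhere near ComboFix.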



#11 tsukihoshi (Topic Starter)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:46 AM, on 23/08/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineScheduler.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\WinRoll\winroll.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Fingerprint Reader Suite\psqltray.exe
C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineTrayIcon.exe
C:\Windows\ehome\ehmsas.exe
C:\ProgramData\HlpCmdSh\hczwvupc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Winamp\winampa.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\notepad.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.6972\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Fingerprint Reader Suite\launcher.exe" /startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKCU\..\Run: [Dell DataSafe Scheduler] "C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineScheduler.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [HlpCmdSh] C:\ProgramData\HlpCmdSh\hczwvupc.exe
O4 - HKCU\..\Run: [strui] C:\ProgramData\strui\zsrspwvu.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....NPUplden-ca.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 12193 bytes
#12 SpySentinel (R.I.P.; Retired Staff, 5,152 posts)

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKCU\..\Run: [strui] C:\ProgramData\strui\zsrspwvu.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot.



1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Folder::
C:\ProgramData\strui



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Also please post a new CF log.
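The instructions above boil down to two decisions a helper makes by reading the HijackThis log: which O4 autostart entries are the infection (here, both point at C:\ProgramData\<random folder>\<random name>.exe) and which folders to hand to ComboFix through a CFScript with a `Folder::` directive. The script below is an added example, not SpySentinel's or the thread's own code: it parses O4 lines, applies that heuristic (path directly under ProgramData, executable stem of eight lowercase letters; thresholds are assumptions chosen to match this log) and emits the CFScript text. The sample lines are constructed from the log posted above; the output is a starting point for a human review, not something to feed to ComboFix unread.

```python
"""Triage HijackThis O4 autostart entries and build a ComboFix CFScript.

Added example for this thread, not part of the original posts or of any tool.
Assumptions: the `Folder::` directive as shown in the post above, and a
random-name heuristic (eight lowercase letters, parent folder directly under
C:\ProgramData) picked to match the two entries the helper removed.
"""
import re
from pathlib import PureWindowsPath

# HijackThis prints autostart lines as: O4 - HKCU\..\Run: [Name] <command line>
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$'
)
RANDOM_NAME = re.compile(r'^[a-z]{8}$')  # heuristic threshold (assumption)

# Constructed sample modelled on the log above: three legitimate entries, two from the infection.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [HlpCmdSh] C:\ProgramData\HlpCmdSh\hczwvupc.exe
O4 - HKCU\..\Run: [strui] C:\ProgramData\strui\zsrspwvu.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
"""


def extract_target(cmd: str) -> str:
    """Return the executable a Run-key command line launches.

    Quoted paths end at the closing quote; unquoted ones end at the first
    '.exe' token, which also handles 'RUNDLL32.EXE <dll>,<entry>' lines.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(?i)(.+?\.exe)(\s|$)', cmd)
    return m.group(1) if m else cmd.split()[0]


def parse_o4(log_text: str) -> list:
    """Parse every O4 line into a dict with hive, name, command and target."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append({'hive': m['hive'], 'name': m['name'],
                            'cmd': m['cmd'], 'target': extract_target(m['cmd'])})
    return entries


def is_suspicious(target: str) -> bool:
    """Heuristic: <drive>\\ProgramData\\<folder>\\<8 lowercase letters>.exe."""
    p = PureWindowsPath(target)
    parts = [s.lower() for s in p.parts]  # e.g. ['c:\\', 'programdata', 'strui', 'zsrspwvu.exe']
    if len(parts) != 4 or parts[1] != 'programdata':
        return False
    return bool(RANDOM_NAME.match(p.stem.lower()))


def flag_entries(log_text: str) -> list:
    """Return only the O4 entries the heuristic considers malicious."""
    return [e for e in parse_o4(log_text) if is_suspicious(e['target'])]


def build_cfscript(flagged: list) -> str:
    """Emit CFScript text deleting each flagged executable's parent folder."""
    folders = sorted({str(PureWindowsPath(e['target']).parent) for e in flagged})
    return 'Folder::\n' + '\n'.join(folders) + '\n'


if __name__ == '__main__':
    hits = flag_entries(SAMPLE_LOG)
    for e in hits:
        print(f"{e['hive']} Run [{e['name']}] -> {e['target']}")
    print(build_cfscript(hits))
```

The HijackThis "Fix Checked" step still has to remove the Run value itself; the CFScript only removes the folder on disk, which is why the post does both. A heuristic this narrow misses a dropper that picks a different parent folder or name length, so treat a clean result as "nothing matched", not "nothing there".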
#13 tsukihoshi (Topic Starter, 15 posts)

ComboFix 08-08-23.03 - Karen 2008-08-24 20:25:11.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1624 [GMT -4:00]
Running from: C:\Users\Karen\Desktop\ComboFix.exe
Command switches used :: C:\Users\Karen\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\strui
C:\ProgramData\strui\zsrspwvu.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.

2008-08-21 22:28 . 2008-08-21 22:28 <DIR> d-------- C:\Users\All Users\AdmMntCmd
2008-08-21 22:28 . 2008-08-21 22:28 <DIR> d-------- C:\ProgramData\AdmMntCmd
2008-08-21 21:58 . 2008-08-21 21:58 <DIR> d-------- C:\Users\All Users\srvmonapl
2008-08-21 21:58 . 2008-08-21 21:58 <DIR> d-------- C:\Users\All Users\genactdb
2008-08-21 21:58 . 2008-08-21 21:58 <DIR> d-------- C:\ProgramData\srvmonapl
2008-08-21 21:58 . 2008-08-21 21:58 <DIR> d-------- C:\ProgramData\genactdb
2008-08-19 21:57 . 2008-08-19 22:17 2,425 --a------ C:\Windows\diagwrn.xml
2008-08-19 21:57 . 2008-08-19 22:17 1,905 --a------ C:\Windows\diagerr.xml
2008-08-19 20:36 . 2008-08-19 20:36 <DIR> d-------- C:\Users\All Users\webmsginfo
2008-08-19 20:36 . 2008-08-19 20:36 <DIR> d-------- C:\ProgramData\webmsginfo
2008-08-17 05:37 . 2008-08-24 18:35 <DIR> d-------- C:\Users\All Users\HlpCmdSh
2008-08-17 05:37 . 2008-08-24 18:35 <DIR> d-------- C:\ProgramData\HlpCmdSh
2008-08-15 23:47 . 2008-08-15 23:47 <DIR> d-------- C:\Users\All Users\DVD Shrink
2008-08-15 23:47 . 2008-08-15 23:47 <DIR> d-------- C:\ProgramData\DVD Shrink
2008-08-15 23:47 . 2008-08-15 23:47 <DIR> d-------- C:\Program Files\DVD Shrink
2008-08-15 23:36 . 2008-08-15 23:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-15 23:23 . 2008-08-15 23:23 <DIR> d-------- C:\Users\Karen\AppData\Roaming\Malwarebytes
2008-08-15 23:23 . 2008-08-15 23:23 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-08-15 23:23 . 2008-08-15 23:23 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-08-15 23:23 . 2008-08-15 23:23 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-15 23:23 . 2008-07-30 20:07 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-08-15 23:23 . 2008-07-30 20:07 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-08-15 23:22 . 2008-08-15 23:22 <DIR> d-------- C:\Users\Karen\AppData\Roaming\Download Manager
2008-08-15 21:27 . 2008-08-15 21:27 5,790 --a------ C:\Windows\System32\tmp.reg
2008-08-15 21:26 . 2007-09-06 00:22 289,144 --a------ C:\Windows\System32\VCCLSID.exe
2008-08-15 21:26 . 2006-04-27 17:49 288,417 --a------ C:\Windows\System32\SrchSTS.exe
2008-08-15 21:26 . 2008-05-29 09:35 86,528 --a------ C:\Windows\System32\VACFix.exe
2008-08-15 21:26 . 2008-05-18 21:40 82,944 --a------ C:\Windows\System32\IEDFix.exe
2008-08-15 21:26 . 2008-08-14 21:52 82,432 --a------ C:\Windows\System32\IEDFix.C.exe
2008-08-15 21:26 . 2008-08-09 15:37 82,432 --a------ C:\Windows\System32\404Fix.exe
2008-08-15 21:26 . 2004-07-31 18:50 51,200 --a------ C:\Windows\System32\dumphive.exe
2008-08-15 21:26 . 2007-10-04 00:36 25,600 --a------ C:\Windows\System32\WS2Fix.exe
2008-08-15 02:54 . 2008-08-15 02:59 <DIR> d-------- C:\Users\All Users\NVIDIA
2008-08-15 02:54 . 2008-08-15 02:59 <DIR> d-------- C:\ProgramData\NVIDIA
2008-08-15 00:58 . 2008-08-15 00:58 <DIR> d-------- C:\Windows\nvtmpinst
2008-08-15 00:56 . 2008-08-15 00:56 <DIR> d-------- C:\Program Files\Megaupload Downloader
2008-08-14 22:51 . 2008-08-21 22:05 <DIR> d-------- C:\Users\All Users\Google Updater
2008-08-14 22:51 . 2008-08-21 22:05 <DIR> d-------- C:\ProgramData\Google Updater
2008-08-13 23:11 . 2008-07-15 21:32 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-13 19:59 . 2008-06-18 23:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-13 19:58 . 2008-04-18 01:48 269,312 --a------ C:\Windows\System32\es.dll
2008-08-13 19:57 . 2008-06-26 21:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-13 19:57 . 2008-06-27 00:15 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-13 19:49 . 2008-04-10 01:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
2008-08-09 03:47 . 2008-08-09 03:47 <DIR> d-------- C:\Program Files\Bonjour
2008-08-08 23:57 . 2008-08-08 23:57 <DIR> d-------- C:\Program Files\PowerISO
2008-08-04 18:36 . 2008-08-04 18:36 <DIR> d-------- C:\Program Files\TagRename

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-25 00:27 --------- d-----w C:\Users\Karen\AppData\Roaming\DMCache
2008-08-24 05:46 --------- d-----w C:\ProgramData\Roxio
2008-08-24 04:51 --------- d-----w C:\Users\Karen\AppData\Roaming\dvdcss
2008-08-22 02:51 --------- d-----w C:\Program Files\Winamp
2008-08-16 03:10 --------- d-----w C:\Users\Karen\AppData\Roaming\Winamp
2008-08-16 03:10 --------- d-----w C:\ProgramData\FLEXnet
2008-08-16 01:25 --------- d-----w C:\Users\Karen\AppData\Roaming\IDM
2008-08-15 02:53 --------- d-----w C:\Program Files\Google
2008-08-14 07:05 --------- d-----w C:\Program Files\Windows Mail
2008-08-09 07:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-27 01:38 27,335 ----a-w C:\Users\Karen\AppData\Roaming\nvModes.dat
2008-07-25 23:33 --------- d-----w C:\Program Files\Internet Download Manager
2008-07-23 02:55 --------- d-----w C:\Program Files\Free Download Manager
2008-07-14 23:38 --------- d-----w C:\ProgramData\WindowsSearch
2008-07-13 04:49 107,888 ----a-w C:\Windows\System32\CmdLineExt.dll
2008-07-13 04:20 --------- d-----w C:\Program Files\CAPCOM
2008-07-10 02:02 --------- d-----w C:\Program Files\SiteAdvisor
2008-07-08 02:46 --------- d-----w C:\Program Files\DVD Identifier
2008-07-07 05:44 --------- d-----w C:\Program Files\McAfee
2008-07-07 01:43 --------- d-----w C:\Users\Karen\AppData\Roaming\SiteAdvisor
2008-07-07 00:31 --------- d-----w C:\ProgramData\SiteAdvisor
2008-07-07 00:31 --------- d-----w C:\ProgramData\McAfee
2008-07-07 00:30 --------- d-----w C:\Program Files\McAfee.com
2008-07-07 00:30 --------- d-----w C:\Program Files\Common Files\McAfee
2008-07-06 20:19 --------- d-----w C:\Program Files\SiteAdvisor(55)
2008-07-05 07:26 --------- d-----w C:\Users\Karen\AppData\Roaming\Thinstall
2008-06-27 05:11 --------- d-----w C:\ProgramData\ACD Systems
2008-06-27 05:11 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-06-27 05:10 --------- d-----w C:\Program Files\ACD Systems
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-05-27 23:24 174 --sha-w C:\Program Files\desktop.ini
2008-05-27 21:55 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-05-27 21:55 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-05-27 05:21 1,582,592 ----a-w C:\Windows\System32\tquery.dll
2008-05-27 05:21 1,418,240 ----a-w C:\Windows\System32\mssrch.dll
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\SearchFilterHost.exe
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\mssitlb.dll
2008-05-27 05:17 754,176 ----a-w C:\Windows\System32\propsys.dll
2008-05-27 05:17 60,416 ----a-w C:\Windows\System32\msscntrs.dll
2008-05-27 05:17 6,103,040 ----a-w C:\Windows\System32\chtbrkr.dll
2008-05-27 05:17 34,816 ----a-w C:\Windows\System32\msscb.dll
2008-05-27 05:17 32,768 ----a-w C:\Windows\System32\mssprxy.dll
2008-05-27 05:17 313,344 ----a-w C:\Windows\System32\thawbrkr.dll
2008-05-27 05:17 301,568 ----a-w C:\Windows\System32\srchadmin.dll
2008-05-27 05:17 194,560 ----a-w C:\Windows\System32\offfilt.dll
2008-05-27 05:17 143,872 ----a-w C:\Windows\System32\korwbrkr.dll
2008-05-27 05:17 11,776 ----a-w C:\Windows\System32\msshooks.dll
2008-05-27 05:17 1,671,680 ----a-w C:\Windows\System32\chsbrkr.dll
2008-05-27 04:59 18,904 ----a-w C:\Windows\System32\StructuredQuerySchemaTrivial.bin
2008-05-27 04:59 106,605 ----a-w C:\Windows\System32\StructuredQuerySchema.bin
2008-03-16 15:07 74 --sh--r C:\Windows\CT4CET.bin
2008-04-01 20:44 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-04-01 20:44 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-04-01 20:44 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-21_22.05.07.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-19 16:57:15 346,688 ----a-w C:\Windows\SoftwareDistribution\Download\Install\mpas-d.exe
- 2008-08-22 01:56:27 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-24 22:40:25 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-22 01:56:27 81,920 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-24 22:40:25 81,920 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-22 01:56:27 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-08-24 22:40:25 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-08-22 01:52:49 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-08-25 00:25:01 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
- 2008-08-20 03:16:32 105,852 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-08-23 05:54:01 105,852 ----a-w C:\Windows\System32\perfc009.dat
- 2008-08-20 03:16:32 600,378 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-08-23 05:54:01 600,378 ----a-w C:\Windows\System32\perfh009.dat
- 2008-08-22 01:32:09 253,112 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2008-08-24 22:35:12 254,326 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-17 00:13 721408 --a------ C:\Program Files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-17 00:13 721408 --a------ C:\Program Files\Fingerprint Reader Suite\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell DataSafe Scheduler"="C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineScheduler.exe" [2007-12-02 17:30 308464]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-10-09 19:56 202544]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 03:33 125952]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-07-06 21:00 2594224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2007-05-25 02:03 17920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-10 03:00 857648]
"OEM02Mon.exe"="C:\Windows\OEM02Mon.exe" [2007-12-03 01:58 36864]
"VolPanel"="C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2006-11-27 10:14 180224]
"UpdReg"="C:\Windows\UpdReg.EXE" [2000-05-11 02:00 90112]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 17:43 118784]
"PSQLLauncher"="C:\Program Files\Fingerprint Reader Suite\launcher.exe" [2007-04-16 23:50 49168]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-16 11:20 1838592]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 19:57 16384]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-11-01 16:39 189736]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-08-03 19:02 36352]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-10-09 19:56 202544]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 17:57 36640]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-10-04 21:24 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-10-04 21:24 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-10-04 21:24 81920]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-10-04 21:24 86016]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe [2007-07-20 19:13:26 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-17 00:04 86528 C:\Windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"= C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{F86430DE-CF8F-4BCB-BD80-5EB812AB449A}"= C:\Program Files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{A3956BCC-9895-4B4B-8E74-036D94C0036D}"= C:\Program Files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{31043A6D-AF7E-4416-9F64-872ABE578709}"= C:\Program Files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{3F27E2D6-D258-4C52-982C-3489E84321A9}"= C:\Program Files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{2DD59FD8-2A7D-49BC-89C5-E6B0AB90EE07}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{D5190660-187A-4C71-865A-7E53CDDABDAB}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{C29B27A2-DB63-4438-AC0D-3B2A5930A34A}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{A6C3E698-ADED-4D90-A42F-BE90C578317D}C:\\program files\\keyholetv\\keyholetv.exe"= UDP:C:\program files\keyholetv\keyholetv.exe:KeyHole TV Main Application
"UDP Query User{9949E4C4-8286-4FD9-829B-9B80BB870C70}C:\\program files\\keyholetv\\keyholetv.exe"= TCP:C:\program files\keyholetv\keyholetv.exe:KeyHole TV Main Application
"TCP Query User{9C6D6266-F1EA-44D7-B67F-009DFB6CCCDB}C:\\users\\karen\\desktop\\hfs.exe"= UDP:C:\users\karen\desktop\hfs.exe:hfs.exe
"UDP Query User{3E383C3A-56CB-4E02-B332-A327EA68C804}C:\\users\\karen\\desktop\\hfs.exe"= TCP:C:\users\karen\desktop\hfs.exe:hfs.exe
"TCP Query User{D0A7B4B8-AD22-4877-8984-FD750EFF762E}C:\\program files\\keyholetv\\keyholetv.exe"= UDP:C:\program files\keyholetv\keyholetv.exe:KeyHole TV Main Application
"UDP Query User{9386816D-AD72-4364-AACC-8DDACB37B312}C:\\program files\\keyholetv\\keyholetv.exe"= TCP:C:\program files\keyholetv\keyholetv.exe:KeyHole TV Main Application
"TCP Query User{11BEA281-33B2-4C72-BCEB-B92530D22AD4}C:\\program files\\flashfxp\\flashfxp.exe"= UDP:C:\program files\flashfxp\flashfxp.exe:FlashFXP
"UDP Query User{5C56AA88-85DD-4819-BCAF-AF66E6CAEBE5}C:\\program files\\flashfxp\\flashfxp.exe"= TCP:C:\program files\flashfxp\flashfxp.exe:FlashFXP
"{2AF6D983-395E-457B-8F7C-B6112B196372}"= Profile=Private|Profile=Public|C:\Program Files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\System\\winnet32.exe"= C:\Program Files\Common Files\System\winnet32.exe:*:Enabled:Windows Update
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"= C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3

R2 AESTFilters;Andrea ST Filters Service;C:\Windows\system32\aestsrv.exe [2008-01-01 23:44]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-05-24 08:35]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\Windows\system32\DRIVERS\OEM02Dev.sys [2007-12-03 01:58]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\Windows\system32\DRIVERS\OEM02Vfx.sys [2007-12-03 01:59]
.
Contents of the 'Scheduled Tasks' folder

2008-08-15 C:\Windows\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-01 C:\Windows\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-06-09 C:\Windows\Tasks\Uniblue SpyEraser.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe [2008-01-08 09:14]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-HlpCmdSh - C:\ProgramData\HlpCmdSh\hczwvupc.exe



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-24 20:27:07
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-24 20:28:54
ComboFix-quarantined-files.txt 2008-08-25 00:28:28
ComboFix2.txt 2008-08-23 04:47:56
ComboFix3.txt 2008-08-22 02:06:34
ComboFix4.txt 2008-08-16 02:08:43

Pre-Run: 116,877,295,616 bytes free
Post-Run: 116,844,965,888 bytes free

255 --- E O F --- 2008-08-23 06:24:05
#14 tsukihoshi (Topic Starter, 15 posts)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:19 PM, on 24/08/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineScheduler.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\WinRoll\winroll.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Fingerprint Reader Suite\psqltray.exe
C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineTrayIcon.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\system32\conime.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.6972\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Fingerprint Reader Suite\launcher.exe" /startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKCU\..\Run: [Dell DataSafe Scheduler] "C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineScheduler.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....NPUplden-ca.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 11951 bytes
#15
tsukihoshi (Topic Starter)
And here is the Kaspersky log. Just a note that I use VNC to access my desktop computer from my laptop, so it was I who installed it in the first place and not some virus. However, if there is a problem with it, then I don't mind removing it.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, August 25, 2008
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, August 25, 2008 01:16:13
Records in database: 1141788
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 146498
Threat name: 6
Infected objects: 18
Suspicious objects: 0
Duration of the scan: 01:19:23


File name / Threat name / Threats count
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\ProgramData\AdmMntCmd\vyvmfyju.exe Infected: Trojan.Win32.Monder.gen 1
C:\ProgramData\srvmonapl\dobgbibk.exe Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\ProgramData\jspklkxi\lmtglqti.exe.vir Infected: Trojan-Downloader.Win32.Agent.abtc 1
C:\Users\All Users\AdmMntCmd\vyvmfyju.exe Infected: Trojan.Win32.Monder.gen 1
C:\Users\All Users\srvmonapl\dobgbibk.exe Infected: Trojan.Win32.Monder.gen 1
C:\Users\Karen\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0268c854\Report.cab Infected: Trojan-Downloader.Win32.Zlob.vpo 1
C:\Users\Karen\AppData\Roaming\IDM\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Users\Karen\AppData\Roaming\Uniblue\SpyEraser\Quarantine\Worm (General Components)_17_08_2008_05_12_09.asq15724 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Users\Karen\AppData\Roaming\Uniblue\SpyEraser\Quarantine\Worm (General Components)_17_08_2008_05_12_09.asq26500 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Users\Karen\Desktop\hfs.exe Infected: not-a-virus:Server-FTP.Win32.SFH.d 1
C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Users\Karen\Documents\Downloads\Programs\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Users\Karen\Programs\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4

The selected area was scanned.