Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan/malware [RESOLVED]


  • This topic is locked This topic is locked

#1
sooners0102

sooners0102

    Member

  • Member
  • PipPip
  • 18 posts
I'm in the process of trying to clean up a computer. I've followed all the steps in the Malware Cleaning Guide but still have slow speeds and lock ups on the pc.

Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:59 PM, on 8/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 964\memcard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\dlcjcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [dlcjmon.exe] "C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 964\memcard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZCxdm801MEUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1219103135328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1219106765468
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai...l/installer.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9461 bytes
  • 0

Advertisements


#2
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi sooners0102

welcome to geekstogo :)

sorry to keep you waiting.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


andrewuk
  • 0

#3
sooners0102

sooners0102

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Hi andrewuk

Thanks for the help :)


Here are the two reports of ComboFix and HijackThis.


---------------
HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:22:04 PM, on 8/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell Photo AIO Printer 964\memcard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dlcjcoms.exe
C:\Program Files\TuneUp Utilities 2008\RegistryCleaner.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [dlcjmon.exe] "C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 964\memcard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZCxdm801MEUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1219103135328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1219106765468
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai...l/installer.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8142 bytes

--------------------------
ComboFix


ComboFix 08-08-21.02 - Lori 2008-08-23 15:15:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.207 [GMT -5:00]
Running from: C:\Documents and Settings\Lori\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lori\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Brendon\Application Data\FunWebProducts
C:\Documents and Settings\Brendon\Application Data\FunWebProducts\Data\Brendon\avatar.dat
C:\Documents and Settings\Brendon\Application Data\macromedia\Flash Player\#SharedObjects\83XUJ4FX\interclick.com
C:\Documents and Settings\Brendon\Application Data\macromedia\Flash Player\#SharedObjects\83XUJ4FX\interclick.com\ud.sol
C:\Documents and Settings\Brendon\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Brendon\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Lori\Application Data\macromedia\Flash Player\#SharedObjects\J5FRZDWE\interclick.com
C:\Documents and Settings\Lori\Application Data\macromedia\Flash Player\#SharedObjects\J5FRZDWE\interclick.com\ud.sol
C:\Documents and Settings\Lori\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Lori\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Taylor\Application Data\FunWebProducts
C:\Documents and Settings\Taylor\Application Data\FunWebProducts\Data\Taylor\avatar.dat
C:\Documents and Settings\Taylor\Application Data\FunWebProducts\Data\Taylor\register.dat
C:\Documents and Settings\Taylor\Application Data\macromedia\Flash Player\#SharedObjects\A8K8UVAH\interclick.com
C:\Documents and Settings\Taylor\Application Data\macromedia\Flash Player\#SharedObjects\A8K8UVAH\interclick.com\ud.sol
C:\Documents and Settings\Taylor\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Taylor\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\bszip.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

2008-08-21 19:11 . 2008-08-21 19:11 <DIR> d-------- C:\Documents and Settings\Taylor\Application Data\TuneUp Software
2008-08-21 16:50 . 2008-08-21 18:05 <DIR> d-------- C:\Program Files\a-squared Free
2008-08-21 16:27 . 2008-08-21 16:27 <DIR> d-------- C:\Program Files\Astonsoft
2008-08-21 16:27 . 2008-08-21 16:42 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\DeepBurner
2008-08-21 14:55 . 2008-08-21 16:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-20 00:31 . 2008-08-21 19:13 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-20 00:28 . 2005-04-15 20:58 1,071,088 --a------ C:\WINDOWS\system32\is-6M9KD.tmp
2008-08-20 00:28 . 2008-08-20 00:28 680,960 --a------ C:\WINDOWS\is-GK5GF.exe
2008-08-20 00:28 . 2008-08-20 00:28 10,453 --a------ C:\WINDOWS\is-GK5GF.msg
2008-08-20 00:28 . 2008-08-20 00:28 354 --a------ C:\WINDOWS\is-GK5GF.lst
2008-08-19 23:53 . 2008-08-19 23:53 <DIR> d-------- C:\Documents and Settings\Brendon\Application Data\GlarySoft
2008-08-19 23:36 . 2008-08-19 23:36 <DIR> d-------- C:\Documents and Settings\Brendon\Application Data\TuneUp Software
2008-08-19 22:37 . 2008-08-19 22:37 <DIR> d-------- C:\Program Files\Panda Security
2008-08-19 22:37 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-19 21:10 . 2008-08-21 19:13 <DIR> d-------- C:\Program Files\SpywareGuard
2008-08-19 21:08 . 2008-08-21 19:13 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-19 20:55 . 2008-08-19 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-08-18 23:18 . 2008-08-18 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-08-18 23:15 . 2008-08-18 23:15 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-08-18 23:10 . 2008-08-18 23:10 <DIR> d-------- C:\ATI
2008-08-18 22:55 . 2008-08-18 22:55 <DIR> d-------- C:\Program Files\iTunes
2008-08-18 22:55 . 2008-08-18 22:55 <DIR> d-------- C:\Program Files\iPod
2008-08-18 22:54 . 2008-08-18 22:54 <DIR> d-------- C:\Program Files\QuickTime
2008-08-18 22:54 . 2008-08-18 22:54 <DIR> d-------- C:\Program Files\Bonjour
2008-08-18 22:52 . 2008-08-18 22:52 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-18 22:49 . 2008-08-18 22:49 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-08-18 22:43 . 2008-08-18 22:43 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-08-18 22:41 . 2008-08-18 22:42 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-18 22:25 . 2008-08-18 22:25 361,600 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-08-18 19:57 . 2008-05-01 09:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-18 19:56 . 2008-04-11 14:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-18 19:27 . 2008-08-18 19:27 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-18 19:27 . 2008-08-18 19:27 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-18 19:27 . 2008-08-18 19:27 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-18 19:27 . 2008-08-18 19:27 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-18 19:24 . 2008-08-18 19:27 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-18 19:13 . 2008-04-13 19:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2008-08-18 19:12 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-08-18 19:08 . 2008-08-18 19:08 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\TuneUp Software
2008-08-18 19:08 . 2008-08-18 19:08 355,584 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-08-18 19:08 . 2008-05-29 09:28 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-08-18 19:07 . 2008-08-18 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-08-18 19:06 . 2008-08-18 19:07 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-08-18 18:56 . 2008-08-18 18:56 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\GlarySoft
2008-08-18 17:41 . 2008-08-18 17:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 17:41 . 2008-08-18 17:41 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-18 17:41 . 2008-08-18 17:41 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\Malwarebytes
2008-08-18 17:41 . 2008-08-18 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 17:41 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 17:41 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-18 17:18 . 2008-08-18 17:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-18 13:15 . 2008-08-18 13:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-18 13:14 . 2008-08-21 16:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-18 12:44 . 2008-08-18 21:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-18 12:27 . 2008-08-18 12:27 <DIR> d--hs---- C:\found.000
2008-08-18 12:10 . 2008-08-18 12:10 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\VSRevoGroup
2008-08-18 12:09 . 2008-08-18 12:09 <DIR> d-------- C:\Program Files\VS Revo Group
2008-08-18 11:54 . 2008-04-13 19:11 21,504 --a------ C:\WINDOWS\system32\hidserv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 23:18 --------- d-----w C:\Program Files\Jasc Software Inc
2008-08-21 23:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-08-21 21:16 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-08-19 04:13 --------- d-----w C:\Program Files\ATI Technologies
2008-08-19 04:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-19 03:48 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-19 03:25 361,600 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-08-19 03:25 361,600 ----a-w C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-08-19 02:32 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-08-19 01:00 --------- d-----w C:\Program Files\Microsoft Works
2008-08-18 22:39 --------- d-----w C:\Program Files\Dell
2008-08-18 22:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-08-18 21:37 --------- d-----w C:\Documents and Settings\Lori\Application Data\Walgreens
2008-08-18 17:07 --------- d-----w C:\Program Files\Dl_cats
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-07-04 03:06 253,952 ----a-w C:\WINDOWS\system32\atiok3x2(2).dll
2008-07-01 19:05 --------- d-----w C:\Documents and Settings\Lori\Application Data\SiteAdvisor
2008-06-24 23:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 15:57 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-24 02:19 --------- d-----w C:\Documents and Settings\Lori\Application Data\Apple Computer
2008-06-23 23:16 --------- d-----w C:\Program Files\McAfee
2008-06-23 22:47 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-23 21:35 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-04-29 22:39 722,176 ----a-w C:\Documents and Settings\Lori\gotomypc_428.exe
.

------- Sigcheck -------

2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 05:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 05:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-10 06:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 14:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-12 21:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-08-18 22:25 361600 d24ea301e2b36c4e975fd216ca85d8e7 C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-08-18 22:25 361600 d24ea301e2b36c4e975fd216ca85d8e7 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 08:56 139264]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 22:05 344064]
"dlcjmon.exe"="C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe" [2005-08-12 15:47 430080]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 964\memcard.exe" [2005-08-10 09:12 286720]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 01:20 339968 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\Lori\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-11-16 20:39:08 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-13 19:12]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-18 19:08]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ce638aa-dce2-11dc-81fb-00038a000015}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL http://www.mgae.com/...654266100086331

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-23 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]

2008-04-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-05-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\89v6uetj.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/

FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 15:17:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-23 15:20:17
ComboFix-quarantined-files.txt 2008-08-23 20:19:34

Pre-Run: 54,518,644,736 bytes free
Post-Run: 54,579,015,680 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

239 --- E O F --- 2008-08-21 19:54:40
  • 0

#4
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
in this post we will remove the malware i can see and do a couple of scans to see what else slipped onto your machine. i also want to scan a suspicious looking file and update your java.

firstly, i can see that you are running McAffee and a2-squared. running two antivirus programs does slow down your machine, conflict with each other and indeed provides less not more protection. therefore, assuming your McAffee is uptodate, could you remove or disable the a2-squared protection program.


====STEP 1====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


====STEP 2====
Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
C:\WINDOWS\is-GK5GF.exe

Click on the submit button

Please post the results of the scan in your next reply.

If Jotti is busy, try the same atVirustotal



====STEP 3====
Please download ATF Cleaner by Atribune.

Caution: This program is for Windows 2000, XP and Vista only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



====STEP 4====
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\ativpsrm.bin

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ce638aa-dce2-11dc-81fb-00038a000015}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


====STEP 5====
Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts. A log will appear (JavaRa.log), please post the contents of this log on the forum.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

====STEP 6====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
====STEP 7====
Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
In your next reply could i see:
1. confirmation on whether or not you removed a2-squared
2. the combofix log
3. the jotti log
4. the SUPERantispyware log
5. the kaspersky log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#5
sooners0102

sooners0102

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
a2-squared was removed.

Logs
----------------------
Combofix:

ComboFix 08-08-21.02 - Lori 2008-08-23 16:33:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.267 [GMT -5:00]
Running from: C:\Documents and Settings\Lori\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lori\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\ativpsrm.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ativpsrm.bin

.
((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

2008-08-21 19:11 . 2008-08-21 19:11 <DIR> d-------- C:\Documents and Settings\Taylor\Application Data\TuneUp Software
2008-08-21 16:27 . 2008-08-21 16:27 <DIR> d-------- C:\Program Files\Astonsoft
2008-08-21 16:27 . 2008-08-21 16:42 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\DeepBurner
2008-08-21 14:55 . 2008-08-21 16:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-20 00:31 . 2008-08-21 19:13 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-20 00:28 . 2005-04-15 20:58 1,071,088 --a------ C:\WINDOWS\system32\is-6M9KD.tmp
2008-08-20 00:28 . 2008-08-20 00:28 680,960 --a------ C:\WINDOWS\is-GK5GF.exe
2008-08-20 00:28 . 2008-08-20 00:28 10,453 --a------ C:\WINDOWS\is-GK5GF.msg
2008-08-20 00:28 . 2008-08-20 00:28 354 --a------ C:\WINDOWS\is-GK5GF.lst
2008-08-19 23:53 . 2008-08-19 23:53 <DIR> d-------- C:\Documents and Settings\Brendon\Application Data\GlarySoft
2008-08-19 23:36 . 2008-08-19 23:36 <DIR> d-------- C:\Documents and Settings\Brendon\Application Data\TuneUp Software
2008-08-19 22:37 . 2008-08-19 22:37 <DIR> d-------- C:\Program Files\Panda Security
2008-08-19 22:37 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-19 21:10 . 2008-08-21 19:13 <DIR> d-------- C:\Program Files\SpywareGuard
2008-08-19 21:08 . 2008-08-21 19:13 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-19 20:55 . 2008-08-19 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-08-18 23:18 . 2008-08-18 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-08-18 23:10 . 2008-08-18 23:10 <DIR> d-------- C:\ATI
2008-08-18 22:55 . 2008-08-18 22:55 <DIR> d-------- C:\Program Files\iTunes
2008-08-18 22:55 . 2008-08-18 22:55 <DIR> d-------- C:\Program Files\iPod
2008-08-18 22:54 . 2008-08-18 22:54 <DIR> d-------- C:\Program Files\QuickTime
2008-08-18 22:54 . 2008-08-18 22:54 <DIR> d-------- C:\Program Files\Bonjour
2008-08-18 22:52 . 2008-08-18 22:52 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-18 22:49 . 2008-08-18 22:49 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-08-18 22:43 . 2008-08-18 22:43 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-08-18 22:41 . 2008-08-18 22:42 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-18 22:25 . 2008-08-18 22:25 361,600 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-08-18 19:57 . 2008-05-01 09:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-18 19:56 . 2008-04-11 14:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-18 19:27 . 2008-08-18 19:27 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-18 19:27 . 2008-08-18 19:27 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-18 19:27 . 2008-08-18 19:27 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-18 19:27 . 2008-08-18 19:27 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-18 19:24 . 2008-08-18 19:27 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-18 19:13 . 2008-04-13 19:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2008-08-18 19:12 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-08-18 19:08 . 2008-08-18 19:08 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\TuneUp Software
2008-08-18 19:08 . 2008-08-18 19:08 355,584 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-08-18 19:08 . 2008-05-29 09:28 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-08-18 19:07 . 2008-08-18 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-08-18 19:06 . 2008-08-18 19:07 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-08-18 18:56 . 2008-08-18 18:56 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\GlarySoft
2008-08-18 17:41 . 2008-08-18 17:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 17:41 . 2008-08-18 17:41 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-18 17:41 . 2008-08-18 17:41 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\Malwarebytes
2008-08-18 17:41 . 2008-08-18 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 17:41 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 17:41 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-18 17:18 . 2008-08-18 17:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-18 13:15 . 2008-08-18 13:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-18 13:14 . 2008-08-21 16:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-18 12:44 . 2008-08-18 21:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-18 12:27 . 2008-08-18 12:27 <DIR> d--hs---- C:\found.000
2008-08-18 12:10 . 2008-08-18 12:10 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\VSRevoGroup
2008-08-18 12:09 . 2008-08-18 12:09 <DIR> d-------- C:\Program Files\VS Revo Group
2008-08-18 11:54 . 2008-04-13 19:11 21,504 --a------ C:\WINDOWS\system32\hidserv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 23:18 --------- d-----w C:\Program Files\Jasc Software Inc
2008-08-21 23:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-08-21 21:16 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-08-19 04:13 --------- d-----w C:\Program Files\ATI Technologies
2008-08-19 04:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-19 03:48 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-19 03:25 361,600 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-08-19 03:25 361,600 ----a-w C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-08-19 02:32 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-08-19 01:00 --------- d-----w C:\Program Files\Microsoft Works
2008-08-18 22:39 --------- d-----w C:\Program Files\Dell
2008-08-18 22:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-08-18 21:37 --------- d-----w C:\Documents and Settings\Lori\Application Data\Walgreens
2008-08-18 17:07 --------- d-----w C:\Program Files\Dl_cats
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-07-04 03:06 253,952 ----a-w C:\WINDOWS\system32\atiok3x2(2).dll
2008-07-01 19:05 --------- d-----w C:\Documents and Settings\Lori\Application Data\SiteAdvisor
2008-06-24 23:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 15:57 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-24 02:19 --------- d-----w C:\Documents and Settings\Lori\Application Data\Apple Computer
2008-06-23 23:16 --------- d-----w C:\Program Files\McAfee
2008-06-23 22:47 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-23 21:35 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-04-29 22:39 722,176 ----a-w C:\Documents and Settings\Lori\gotomypc_428.exe
.

------- Sigcheck -------

2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 05:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 05:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-10 06:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 14:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-12 21:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-08-18 22:25 361600 d24ea301e2b36c4e975fd216ca85d8e7 C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-08-18 22:25 361600 d24ea301e2b36c4e975fd216ca85d8e7 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 08:56 139264]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 22:05 344064]
"dlcjmon.exe"="C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe" [2005-08-12 15:47 430080]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 964\memcard.exe" [2005-08-10 09:12 286720]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 01:20 339968 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\Lori\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-11-16 20:39:08 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-13 19:12]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-18 19:08]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-23 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]

2008-04-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-05-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 16:35:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-23 16:37:43
ComboFix-quarantined-files.txt 2008-08-23 21:37:18
ComboFix2.txt 2008-08-23 20:20:18

Pre-Run: 54,601,424,896 bytes free
Post-Run: 54,586,007,552 bytes free

197 --- E O F --- 2008-08-21 19:54:40





--------------------

Jotti log:

File: is-GK5GF.exe
Status: OK
MD5: 428df97465967e0998cbfd34e1da5ee7
Packers detected: -



Scan taken on 23 Aug 2008 21:25:53 (GMT)

Scanner results

A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

-------------

SUPERAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/23/2008 at 05:28 PM

Application Version : 4.20.1046

Core Rules Database Version : 3545
Trace Rules Database Version: 1534

Scan type : Complete Scan
Total Scan Time : 00:24:02

Memory items scanned : 445
Memory threats detected : 0
Registry items scanned : 6439
Registry threats detected : 0
File items scanned : 24480
File threats detected : 0


--------------

Kaspersky log:

KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, August 23, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, August 23, 2008 13:54:09
Records in database: 1133192
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 76666
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:28:58

No malware has been detected. The scan area is clean.

The selected area was scanned.
  • 0

#6
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
how is your machine running now?
  • 0

#7
sooners0102

sooners0102

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
So far everything seems to be running well. Thanks for all the help.

But I am getting an error when going to these forums:

Line 2
Char: 1083
Error: Object required
Code: 0
URL: http://www.geekstogo...re-t208709.html
  • 0

#8
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

Line 2
Char: 1083
Error: Object required
Code: 0
URL: http://www.geekstogo...re-t208709.html

hmm, any idea what this is related to? Java? IE? Firefox?
  • 0

#9
sooners0102

sooners0102

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
I get this error with internet explorer, with firefox the site has no graphics only text.
  • 0

#10
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
lets sort out the firefox first, sounds like you need to clear your cache:

To clear the cache, go to Tools > Options
Go to Advanced category, and then click on the Network tab.
Under Cache, click the Clear Now button.
Click OK.

If you are having problems with the way Firefox displays the pages on some sites, try hitting Ctrl and F5 at the same time. This should refresh the page to the correct state.


for the IE issue, try clearing the cache for IE.

let me know how that all goes.
  • 0

#11
sooners0102

sooners0102

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
That worked for firefox still getting the error pop up with IE.
  • 0

#12
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Interesting, when i turn on my "Script Debugging" i get that notification also. looks like it is an issue with this site and not your machine. personally, i would turn that off.

In Internet Explorer goto on Tools >>> Internet Options >>> Advanced tab

then either hit Restore Advanced Settings

or, if you have been adjusting your internet explorer settings and just want to target this issue then

Remove the check mark from the Display a notification about every script error option.


let me know how that goes
  • 0

#13
sooners0102

sooners0102

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Thanks the site loads normally for me now.
  • 0

#14
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi sooners0102

congratulations, your logs are clean and another fix is in the can :)

in this post we will clear away the fix tools (this is so that should you ever be re-infected, you will download updated versions and it will also remove the quarantined Malware from your computer), reset your restore points (there will be infections lurking in there) and i will leave you with some ideas on how to enhance the protection of your machine against future infection.

====STEP 1====
Follow these steps to uninstall Combofix and it will reset your system restore points
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image

====IDEAS TO SPEED UP YOUR MACHINE====
this page http://users.telenet...owcomputer.html gives some good ideas on how to improve the efficiency of your machine and has one or two useful links to help your further.


====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein


andrewuk
  • 0

#15
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP