Your System is Infected Spyware removal



#1 laint (New Member, 7 posts)
My desktop has been changed to a green screen with a large warning: YOUR SYSTEM IS INFECTED.

When the computer boots, two RUNDLL errors come up:

Error loading C:\windows\system32\wijutopa.dll
Error loading C:\windows\system32\msmkkrqf.dll

I tried to follow the instructions on a previous post by downloading OTL and trying to run a scan. The program stopped responding and the scan could not be completed.

I also tried to boot the computer in safe mode and it would not boot; it just kept returning to the boot screen until I chose to run normally.

Any help would be appreciated. Thanks.
  • 0


#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello laint

Welcome to G2Go. :)
=====================

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.
================
Download This file. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

  • 0

#3 laint (Topic Starter, New Member, 7 posts)
Thanks for your help

Here is the data in the DDS.txt file; attach.txt is attached to this post.


When I tried to run the scan in the second half of your post, the scan starts and during it the system automatically reboots. Should I continue to try to keep running the scan?



DDS (Ver_09-12-01.01) - NTFSx86
Run by Tim at 14:37:12.25 on Sat 12/19/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.429 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://m.www.yahoo.com/
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: c:\windows\system32\pworr.dll: {c5b24b16-23f2-41ad-f4e4-00abc39c0004} - c:\windows\system32\pworr.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [notepad] rundll32.exe c:\docume~1\networ~1\ntload.dll,[email protected]
uRun: [ygua8e7yhuiesfha876yfauy8fe] c:\docume~1\tim~1.you\locals~1\temp\bz36r.exe
uRun: [jckcuyyj] c:\documents and settings\tim.your-0cdc4f5844\local settings\application data\xgsdnr\iyjpsysguard.exe
uRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\docume~1\tim~1.you\locals~1\temp\system.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [Dzevipataxuhiju] rundll32.exe "c:\windows\ujipahogevopeba.dll",Startup
mRun: [notepad] rundll32.exe c:\windows\system32\notepad.dll,[email protected]
mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe
mRun: [jvkphb] RUNDLL32.EXE c:\windows\system32\msmkkrqf.dll,w
mRun: [guzemejon] Rundll32.exe "c:\windows\system32\wijutopa.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppavi~1.lnk - c:\program files\hewlett-packard\hp pavilion webcam\HPWebcam.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
TCP: {D7F32DF7-1E24-46FC-A5F8-B294C7742EBF} = 193.104.110.38,4.2.2.1,68.87.64.150 68.87.75.198
TCP: {E8BB457B-AD5D-4B10-9C41-7B1C1F339B98} = 193.104.110.38,4.2.2.1
Filter: text/html - {ae43b0ff-83b8-49f6-b445-769b7177e71f} -
AppInit_DLLs: pujadoli.dll
SSODL: jarolejaw - {1d5aeefa-3078-4987-925c-faca5280da9c} - c:\windows\system32\wijutopa.dll
STS: c:\windows\system32\pworr.dll: {c5b24b16-23f2-41ad-f4e4-00abc39c0004} - c:\windows\system32\pworr.dll
STS: tokatiluy: {1d5aeefa-3078-4987-925c-faca5280da9c} - c:\windows\system32\wijutopa.dll
LSA: Notification Packages = scecli LO2pnt.dll hugeloko.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-16 214664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-7-17 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-11-11 144704]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-8-17 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-11-11 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-11-11 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-11-11 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-11-11 40552]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-11-10 34248]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-11-25 11520]

=============== Created Last 30 ================

2009-12-19 19:28:41 524288 ----a-w- C:\dds.scr
2009-12-19 19:02:02 0 d-----w- c:\docume~1\tim~1.you\applic~1\Malwarebytes
2009-12-19 19:00:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 02:30:27 0 d-----w- C:\SDFix
2009-12-13 02:12:51 2854 ----a-w- c:\windows\system32\critical_warning.html
2009-12-12 00:11:05 120 ----a-w- c:\windows\Mjoyuku.dat
2009-12-12 00:11:05 0 ----a-w- c:\windows\Pveduqodi.bin
2009-12-10 23:59:01 0 d-sh--w- c:\documents and settings\tim.your-0cdc4f5844\IECompatCache
2009-12-06 18:24:26 0 d-sh--w- c:\documents and settings\tim.your-0cdc4f5844\PrivacIE
2009-12-06 14:39:54 0 d-sh--w- c:\documents and settings\tim.your-0cdc4f5844\IETldCache
2009-12-06 14:21:58 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-12-06 14:21:20 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-06 14:21:20 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-06 14:21:20 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-12-06 14:21:19 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-06 14:21:19 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-12-06 14:21:19 11069952 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-12-06 02:35:39 294912 ------w- c:\windows\system32\dllcache\msctf.dll
2009-12-05 15:41:26 0 d-----w- c:\program files\MSXML 6.0
2009-12-05 15:39:06 0 d-----w- c:\program files\Shared
2009-12-03 21:07:01 0 d-----w- c:\windows\system32\CatRoot_bak
2009-12-03 20:43:11 6172 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-03 16:17:04 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-12-03 16:17:04 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-12-03 16:16:32 60416 ------w- c:\windows\system32\dllcache\colbact.dll
2009-12-03 16:16:32 35328 ------w- c:\windows\system32\dllcache\sc.exe
2009-12-03 16:16:32 283648 ------w- c:\windows\system32\dllcache\pdh.dll
2009-12-03 16:16:31 473088 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-12-03 16:16:31 399360 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-12-03 16:16:31 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-12-03 16:16:31 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-12-03 16:16:30 616960 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-12-03 16:16:30 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-12-03 16:16:29 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-12-03 16:16:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-12-03 16:15:20 128512 ------w- c:\windows\system32\dllcache\dhtmled.ocx
2009-12-03 16:13:45 202752 ------w- c:\windows\system32\dllcache\rmcast.sys
2009-12-03 16:13:41 453632 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-12-03 16:13:34 333184 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-03 16:13:27 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2009-12-03 16:13:23 683520 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-12-03 16:12:49 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2009-12-03 16:12:44 74240 ------w- c:\windows\system32\dllcache\mscms.dll
2009-12-03 16:11:19 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-12-03 16:11:06 332800 ------w- c:\windows\system32\dllcache\netapi32.dll
2009-12-03 16:08:26 344064 ------w- c:\windows\system32\dllcache\localspl.dll
2009-12-03 16:08:18 91648 ------w- c:\windows\system32\dllcache\mtxoci.dll
2009-12-03 16:08:18 161792 ------w- c:\windows\system32\dllcache\msdtcuiu.dll
2009-12-03 16:08:17 956928 ------w- c:\windows\system32\dllcache\msdtctm.dll
2009-12-03 16:08:17 66560 ------w- c:\windows\system32\dllcache\mtxclu.dll
2009-12-03 16:08:17 58880 ------w- c:\windows\system32\dllcache\msdtclog.dll
2009-12-03 16:08:16 428032 ------w- c:\windows\system32\dllcache\msdtcprx.dll
2009-12-03 16:04:22 1193414 ------w- c:\windows\system32\dllcache\sysmain.sdb
2009-12-03 16:04:21 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-12-03 16:03:23 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-12-03 16:03:02 2185984 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-03 16:03:01 2020864 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-03 16:03:00 2142720 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-03 16:03:00 2062976 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-03 16:00:59 0 d-----w- c:\windows\system32\PreInstall
2009-12-03 16:00:39 8454656 ------w- c:\windows\system32\dllcache\shell32.dll
2009-12-03 15:59:31 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-12-03 01:39:43 0 d-----w- c:\windows\system32\SoftwareDistribution
2009-11-25 19:16:34 0 d-----w- c:\docume~1\alluse~1\applic~1\WD_SmartWareCommon
2009-11-25 19:13:22 0 d-----w- c:\docume~1\tim~1.you\applic~1\Western Digital
2009-11-25 19:13:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Western Digital
2009-11-25 19:13:03 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2009-11-25 19:12:27 0 d-----w- c:\program files\Western Digital
2009-11-25 18:56:48 0 d-----w- c:\docume~1\tim~1.you\applic~1\ZoomBrowser EX
2009-11-25 18:53:49 0 d-----w- c:\docume~1\tim~1.you\applic~1\CameraWindowDC
2009-11-25 18:53:47 0 d-----w- c:\docume~1\tim~1.you\applic~1\CANON INC
2009-11-23 23:24:05 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-23 23:24:04 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-11-23 23:24:04 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2009-11-23 23:24:03 159232 ----a-w- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-11-10 11:03:12 1681 --sha-r- c:\windows\system32\drivers\103C_HP_NTBK_HP Pavilion dv2000 (RG404UA#ABA)_YN_0Pavi_Q2CE6461VZF_E433352003_46_I30B5_SWistron_V62.46_BF.13_T061018_WXP2_L409_M959_J120_7AMD_8Turion 64 X2_91.61_#061117_N14E44311_(RG404UA#ABA)_XMOBILE_CN10_Z_2F.13.MRK
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-10-29 07:45:37 5940736 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 07:45:37 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-10-29 07:45:37 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-10-29 07:45:35 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-10-29 07:45:34 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-10-29 07:45:32 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 06:00:55 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 14:58:48 263552 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:53:29 266752 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54:17 69632 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:54:17 112128 ------w- c:\windows\system32\dllcache\rastls.dll
2009-09-25 05:49:02 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-09-25 05:49:02 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-09-25 05:48:59 55808 ------w- c:\windows\system32\dllcache\extmgr.dll
2009-09-25 05:48:58 151040 ------w- c:\windows\system32\dllcache\cdfview.dll
2009-09-25 05:48:58 1054208 ------w- c:\windows\system32\dllcache\danim.dll
2009-09-25 05:48:57 1024000 ------w- c:\windows\system32\dllcache\browseui.dll
2009-09-13 02:13:05 52736 --sha-w- c:\windows\system32\hugeloko.dll
2009-09-13 02:18:16 11264 --sha-w- c:\windows\system32\huhukuge.dll
2009-09-13 02:18:15 45568 --sha-w- c:\windows\system32\lovojefu.dll
2009-03-21 14:18:57 29696 --sha-w- c:\windows\system32\notepad.dll
2009-09-13 02:13:06 52736 --sha-w- c:\windows\system32\pujadoli.dll
2009-03-21 14:18:57 29696 --sha-w- c:\windows\system32\config\systemprofile\ntload.dll

============= FINISH: 14:37:28.18 ===============

  • 0
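The DDS log above is what the helper reads to decide what is hostile on this machine: the IE proxy forced onto 127.0.0.1:5555, the policies disabling Task Manager and the registry editor, the AppInit_DLLs and SSODL hooks, the extra LSA notification packages, and Run entries launched from the user's temp folder. As an added example (not DDS, ComboFix or anyone's code in this thread), the Python script below parses the "Pseudo HJT Report" section and flags exactly those entry types, then cross-references DLLs that are hooked in more than one autostart location. The sample input is an excerpt of the log posted above; the allowlist of LSA packages and the category names are this example's own assumptions.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for persistence and
lockdown indicators.  Added example for this thread; not part of DDS,
ComboFix or any Geeks to Go tool.
"""
import re
from dataclasses import dataclass

# Excerpt of the DDS log posted above (kept verbatim, not constructed).
SAMPLE_REPORT = r"""
uStart Page = hxxp://m.www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ygua8e7yhuiesfha876yfauy8fe] c:\docume~1\tim~1.you\locals~1\temp\bz36r.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [guzemejon] Rundll32.exe "c:\windows\system32\wijutopa.dll",a
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
AppInit_DLLs: pujadoli.dll
SSODL: jarolejaw - {1d5aeefa-3078-4987-925c-faca5280da9c} - c:\windows\system32\wijutopa.dll
LSA: Notification Packages = scecli LO2pnt.dll hugeloko.dll
"""

# LSA notification packages expected on Windows XP (assumption: scecli on a
# default install, rassfm when RRAS is present).  Anything else is reported.
KNOWN_LSA_PACKAGES = {"scecli", "rassfm"}
LOCKDOWN_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions"}


@dataclass
class Finding:
    category: str
    detail: str
    line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(report: str) -> list[Finding]:
    findings: list[Finding] = []
    dll_refs: dict[str, set[str]] = {}  # dll basename -> autostart locations seen

    def note(path: str, location: str) -> None:
        dll_refs.setdefault(_basename(path), set()).add(location)

    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        # IE proxy on the local machine: rogue "antivirus" products interpose
        # on browser traffic this way to inject warnings and block help sites.
        m = re.match(r"[um]Internet Settings,ProxyServer = (.+)", line)
        if m and re.search(r"127\.0\.0\.1|localhost", m.group(1)):
            findings.append(Finding("local-proxy", m.group(1), line))
            continue
        # Policies that stop the user killing the process or undoing registry changes.
        m = re.match(r"[um]Policies-\w+: (\w+) = 1 ", line)
        if m and m.group(1) in LOCKDOWN_POLICIES:
            findings.append(Finding("lockdown-policy", m.group(1), line))
            continue
        # AppInit_DLLs are loaded into every process that links user32.dll.
        m = re.match(r"AppInit_DLLs: (.+)", line)
        if m:
            findings.append(Finding("appinit-dlls", m.group(1), line))
            note(m.group(1), "AppInit_DLLs")
            continue
        # Shell Service Object Delay Load: DLLs explorer.exe loads at logon.
        m = re.match(r"SSODL: \S+ - \{[^}]+\} - (.+)", line)
        if m:
            findings.append(Finding("ssodl", m.group(1), line))
            note(m.group(1), "SSODL")
            continue
        # LSA notification packages receive every password change in plaintext.
        m = re.match(r"LSA: Notification Packages = (.+)", line)
        if m:
            extra = [p for p in m.group(1).split()
                     if p.lower().removesuffix(".dll") not in KNOWN_LSA_PACKAGES]
            if extra:
                findings.append(Finding("lsa-notification-package", " ".join(extra), line))
            continue
        # Run entries: flag launches from a temp folder, track DLLs run via rundll32.
        m = re.match(r"[um]Run: \[([^\]]+)\] (.+)", line)
        if m:
            name, cmd = m.groups()
            if re.search(r"\\temp\\", cmd, re.IGNORECASE):
                findings.append(Finding("temp-launch", name, line))
            d = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', cmd, re.IGNORECASE)
            if d:
                note(d.group(1), "Run")

    # A DLL registered in several autostart locations survives removal of any
    # single entry, so it is reported once with every location it was seen in.
    for dll, locations in sorted(dll_refs.items()):
        if len(locations) > 1:
            findings.append(Finding("multi-location-dll", dll, ", ".join(sorted(locations))))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.category:24} {f.detail:36} <- {f.line}")
```

Run it as-is and it prints one line per finding for the excerpt; point `triage()` at the full text of a DDS.txt to triage a whole report. It deliberately does not judge names by how random they look; it only reports the registry locations that legitimate software almost never uses and leaves the verdict to the reader.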

#4 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
No, don't worry about the GMER scan for now.

Please do the following:
Download ComboFix from below:

Link

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on KittyFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0

#5 laint (Topic Starter, New Member, 7 posts)
Thanks again for your help. Here is the requested info. Please advise on next steps.

Here is the log file. I also uploaded the combofix.txt file; not sure if they are one and the same.

ComboFix 09-12-18.03 - Tim 12/20/2009 12:44:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.480 [GMT -5:00]
Running from: c:\documents and settings\Tim.YOUR-0CDC4F5844\Desktop\KittyFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tim.YOUR-0CDC4F5844\Start Menu\Programs\StartUp\scandisk.dll
c:\documents and settings\Tim.YOUR-0CDC4F5844\Start Menu\Programs\StartUp\scandisk.lnk
c:\program files\Shared\liB.dll
c:\program files\Shared\lib.sig
c:\recycler\S-1-5-21-2634240986-3808314100-2425551066-1005
c:\recycler\S-1-5-21-2634240986-3808314100-2425551066-1006
c:\windows\Fonts\RandFont.dll
c:\windows\kb913800.exe
c:\windows\system32\critical_warning.html
c:\windows\system32\hugeloko.dll
c:\windows\system32\huhukuge.dll
c:\windows\system32\lovojefu.dll
c:\windows\system32\notepad.dll
c:\windows\system32\pujadoli.dll
c:\windows\system32\pworr.dll
c:\windows\ujipahogevopeba.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-11-20 to 2009-12-20 )))))))))))))))))))))))))))))))
.

2009-12-20 17:52 . 2009-12-20 17:55 -------- d-----w- C:\698def7004e822201cf5
2009-12-19 19:41 . 2009-12-19 19:39 293376 ----a-w- C:\oikyjdxg.exe
2009-12-19 19:28 . 2009-12-19 19:08 524288 ----a-w- C:\dds.scr
2009-12-19 19:02 . 2009-12-19 19:02 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Application Data\Malwarebytes
2009-12-19 19:00 . 2009-12-19 19:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 18:57 . 2009-12-19 18:57 -------- d-----w- c:\program files\ERUNT
2009-12-19 02:30 . 2008-11-06 07:03 -------- d-----w- C:\SDFix
2009-12-19 02:21 . 2009-12-19 02:21 -------- d-sh--w- c:\windows\system32\config\systemprofile\Temporary Internet Files
2009-12-19 02:21 . 2009-12-19 02:21 -------- d-sh--w- c:\windows\system32\config\systemprofile\History
2009-12-14 18:00 . 2009-12-14 18:00 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-12-13 02:14 . 2009-12-13 02:50 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Local Settings\Application Data\xgsdnr
2009-12-12 00:11 . 2009-12-20 17:22 0 ----a-w- c:\windows\Pveduqodi.bin
2009-12-12 00:11 . 2009-12-13 01:50 120 ----a-w- c:\windows\Mjoyuku.dat
2009-12-10 23:59 . 2009-12-10 23:59 -------- d-sh--w- c:\documents and settings\Tim.YOUR-0CDC4F5844\IECompatCache
2009-12-06 18:24 . 2009-12-06 18:24 -------- d-sh--w- c:\documents and settings\Tim.YOUR-0CDC4F5844\PrivacIE
2009-12-06 14:39 . 2009-12-06 14:39 -------- d-sh--w- c:\documents and settings\Tim.YOUR-0CDC4F5844\IETldCache
2009-12-06 14:21 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-12-06 14:21 . 2009-10-29 07:45 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-12-06 14:21 . 2009-10-29 07:45 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-06 14:21 . 2009-10-29 07:45 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-06 14:21 . 2009-10-29 07:45 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-06 14:21 . 2009-10-29 07:45 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-12-06 14:21 . 2009-10-29 07:45 11069952 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-12-06 02:35 . 2008-02-26 11:59 294912 ------w- c:\windows\system32\dllcache\msctf.dll
2009-12-05 15:41 . 2009-12-05 15:41 -------- d-----w- c:\program files\MSXML 6.0
2009-12-05 15:39 . 2009-12-20 17:48 -------- d-----w- c:\program files\Shared
2009-12-03 21:07 . 2009-12-03 21:22 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-12-03 20:58 . 2009-12-03 20:58 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Local Settings\Application Data\Identities
2009-12-03 20:43 . 2009-12-10 23:46 6172 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-03 16:17 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-12-03 16:17 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-12-03 16:16 . 2009-03-06 14:44 283648 ------w- c:\windows\system32\dllcache\pdh.dll
2009-12-03 16:16 . 2009-02-06 16:54 35328 ------w- c:\windows\system32\dllcache\sc.exe
2009-12-03 16:16 . 2005-07-26 04:39 60416 ------w- c:\windows\system32\dllcache\colbact.dll
2009-12-03 16:16 . 2009-02-09 10:20 399360 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-12-03 16:16 . 2009-02-09 10:20 473088 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-12-03 16:16 . 2009-02-06 17:14 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-12-03 16:16 . 2009-02-06 16:39 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-12-03 16:16 . 2009-02-09 10:20 616960 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-12-03 16:16 . 2009-02-09 10:20 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-12-03 16:16 . 2009-02-09 10:20 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-12-03 16:16 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-12-03 16:13 . 2008-05-08 12:28 202752 ------w- c:\windows\system32\dllcache\rmcast.sys
2009-12-03 16:13 . 2008-10-24 11:10 453632 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-12-03 16:13 . 2008-12-11 11:57 333184 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-03 16:13 . 2008-05-01 14:30 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2009-12-03 16:13 . 2008-04-11 18:50 683520 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-12-03 16:12 . 2009-07-31 04:57 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2009-12-03 16:12 . 2008-06-24 16:23 74240 ------w- c:\windows\system32\dllcache\mscms.dll
2009-12-03 16:11 . 2009-07-10 13:42 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-12-03 16:11 . 2008-10-15 16:57 332800 ------w- c:\windows\system32\dllcache\netapi32.dll
2009-12-03 16:08 . 2009-05-07 15:44 344064 ------w- c:\windows\system32\dllcache\localspl.dll
2009-12-03 16:08 . 2008-06-12 14:16 91648 ------w- c:\windows\system32\dllcache\mtxoci.dll
2009-12-03 16:08 . 2008-06-12 14:16 161792 ------w- c:\windows\system32\dllcache\msdtcuiu.dll
2009-12-03 16:08 . 2008-06-12 14:16 956928 ------w- c:\windows\system32\dllcache\msdtctm.dll
2009-12-03 16:08 . 2008-06-12 14:16 66560 ------w- c:\windows\system32\dllcache\mtxclu.dll
2009-12-03 16:08 . 2008-06-12 14:16 58880 ------w- c:\windows\system32\dllcache\msdtclog.dll
2009-12-03 16:08 . 2008-06-12 14:16 428032 ------w- c:\windows\system32\dllcache\msdtcprx.dll
2009-12-03 16:04 . 2008-04-21 10:02 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-12-03 16:03 . 2009-06-10 14:21 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-12-03 16:03 . 2009-08-04 12:51 2185984 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-03 16:03 . 2009-08-04 12:02 2020864 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-03 16:03 . 2009-08-04 12:49 2142720 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-03 16:03 . 2009-08-04 12:02 2062976 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-03 16:00 . 2008-07-03 13:16 8454656 ------w- c:\windows\system32\dllcache\shell32.dll
2009-12-03 15:59 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-11-25 19:16 . 2009-11-25 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\WD_SmartWareCommon
2009-11-25 19:14 . 2009-11-25 19:14 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Local Settings\Application Data\Western_Digital
2009-11-25 19:13 . 2009-11-25 19:13 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Application Data\Western Digital
2009-11-25 19:13 . 2009-11-25 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2009-11-25 19:13 . 2009-11-25 19:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2009-11-25 19:13 . 2009-02-13 17:02 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2009-11-25 19:12 . 2009-11-25 19:12 -------- d-----w- c:\program files\Western Digital
2009-11-25 19:10 . 2009-11-25 19:10 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Local Settings\Application Data\Western Digital
2009-11-25 18:56 . 2009-12-10 03:35 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Application Data\ZoomBrowser EX
2009-11-25 18:53 . 2009-11-25 19:07 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Application Data\CameraWindowDC
2009-11-25 18:53 . 2009-11-25 18:53 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Application Data\CANON INC
2009-11-23 23:24 . 2009-11-23 23:24 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Application Data\Leadertech
2009-11-23 23:24 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-23 23:24 . 2004-08-04 03:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-11-23 23:24 . 2004-08-04 03:58 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2009-11-23 23:24 . 2004-08-04 05:56 159232 ----a-w- c:\windows\system32\ptpusd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-20 16:05 . 2009-11-12 02:56 -------- d-----w- c:\program files\McAfee
2009-11-15 16:29 . 2009-11-15 16:29 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Application Data\AdobeUM
2009-11-12 03:18 . 2009-11-12 03:18 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Application Data\U3
2009-11-12 02:59 . 2007-01-23 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-12 02:56 . 2009-11-12 02:56 -------- d-----w- c:\program files\McAfee.com
2009-11-11 12:45 . 2009-11-11 12:45 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Application Data\McAfee
2009-11-11 02:41 . 2006-11-18 01:40 65664 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-11 02:40 . 2006-11-18 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-11 02:40 . 2006-11-18 02:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-11 02:37 . 2006-11-18 02:39 -------- d-----w- c:\program files\Quicken
2009-11-11 02:30 . 2006-11-18 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-11-11 02:26 . 2006-11-18 02:52 -------- d-----w- c:\program files\HP Rhapsody
2009-11-11 02:25 . 2006-11-18 02:16 -------- d-----w- c:\program files\GemMaster
2009-11-10 17:07 . 2009-11-10 17:07 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Application Data\GTek
2009-11-10 11:05 . 2009-11-10 11:02 142 ----a-w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Local Settings\Application Data\fusioncache.dat
2009-11-10 11:03 . 2006-11-18 02:12 1681 --sha-r- c:\windows\system32\drivers\103C_HP_NTBK_HP Pavilion dv2000 (RG404UA#ABA)_YN_0Pavi_Q2CE6461VZF_E433352003_46_I30B5_SWistron_V62.46_BF.13_T061018_WXP2_L409_M959_J120_7AMD_8Turion 64 X2_91.61_#061117_N14E44311_(RG404UA#ABA)_XMOBILE_CN10_Z_2F.13.MRK
2009-11-10 09:31 . 2006-11-18 02:38 -------- d-----w- c:\program files\Windows Media Connect 2
2009-11-10 09:30 . 2006-11-18 02:39 -------- d-----w- c:\program files\Quickensetup
2009-11-10 09:30 . 2006-11-18 02:19 -------- d-----w- c:\program files\RGB
2009-11-10 09:28 . 2006-11-18 02:22 -------- d-----w- c:\program files\NetWaiting
2009-11-10 09:28 . 2006-11-18 02:36 -------- d-----w- c:\program files\music_now
2009-11-10 09:27 . 2006-11-18 02:38 -------- d-----w- c:\program files\Microsoft Office Trial Wizard
2009-11-10 09:26 . 2006-11-18 01:54 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-11-10 09:19 . 2006-11-18 02:37 -------- d-----w- c:\program files\DivX
2009-11-10 09:19 . 2006-11-18 02:13 -------- d-----w- c:\program files\Encarta Online
2009-11-10 09:19 . 2006-11-18 01:59 -------- d-----w- c:\program files\CONEXANT
2009-11-10 09:18 . 2006-11-18 01:32 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-11-10 09:18 . 2006-11-18 01:32 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-11-10 09:17 . 2006-11-18 02:54 -------- d-----w- c:\program files\Common Files\LightScribe
2009-11-10 09:10 . 2006-11-18 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-11-10 09:10 . 2009-11-10 11:00 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
2009-11-10 09:10 . 2006-11-18 02:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Symantec
2009-10-29 07:45 . 2006-03-16 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-24 22:06 . 2009-10-24 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-21 06:00 . 2006-03-16 04:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2006-03-16 04:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2006-03-16 04:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2006-03-16 04:00 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2006-03-16 04:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2006-03-16 04:00 112128 ----a-w- c:\windows\system32\rastls.dll
2009-03-21 14:18 . 2006-03-16 04:00 29696 --sha-w- c:\windows\system32\config\systemprofile\ntload.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-24 7569408]
"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-12 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-12 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-01-27 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]
"Dzevipataxuhiju"="c:\windows\uvaxuluqiz.dll" [2006-03-16 163840]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-12 249856]

c:\documents and settings\Tim\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - c:\documents and settings\Tim\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2007-9-14 1078]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2007-1-14 102400]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-9-19 960032]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-8-17 2043904]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-8-17 8919040]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli LO2pnt.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcods.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcinfo.exe"=
"c:\\WINDOWS\\ehome\\ehSched.exe"=

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [11/25/2009 2:13 PM 11520]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://m.www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: {D7F32DF7-1E24-46FC-A5F8-B294C7742EBF} = 193.104.110.38,4.2.2.1,68.87.64.150 68.87.75.198
TCP: {E8BB457B-AD5D-4B10-9C41-7B1C1F339B98} = 193.104.110.38,4.2.2.1
.
- - - - ORPHANS REMOVED - - - -

BHO-{45029581-4904-4af7-b019-f5ad2e8bd699} - zekizuma.dll
HKCU-Run-jckcuyyj - c:\documents and settings\Tim.YOUR-0CDC4F5844\Local Settings\Application Data\xgsdnr\iyjpsysguard.exe
HKLM-Run-notepad - c:\windows\system32\notepad.dll
HKLM-Run-jvkphb - c:\windows\system32\msmkkrqf.dll
HKLM-Run-guzemejon - c:\windows\system32\wijutopa.dll
HKLM-Run-luyahibefu - hugeloko.dll
SharedTaskScheduler-{1d5aeefa-3078-4987-925c-faca5280da9c} - c:\windows\system32\wijutopa.dll
SSODL-jarolejaw-{1d5aeefa-3078-4987-925c-faca5280da9c} - c:\windows\system32\wijutopa.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-20 13:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? [email protected][email protected]? [email protected][email protected]

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,2c,f9,66,b8,cc,54,45,a6,ce,a5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,2c,f9,66,b8,cc,54,45,a6,ce,a5,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(984)
c:\windows\LO2pnt.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2100)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\LO2pnt.dll
c:\windows\uvaxuluqiz.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msdtc.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\mqsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\dllhost.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2009-12-20 13:33:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-20 18:33

Pre-Run: 69,734,539,264 bytes free
Post-Run: 70,189,723,648 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - A2BED45ED91ABCEE865E7B4B4D980B1A


  • 0
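The log above carries, in one place, the indicators a responder should pull out of a ComboFix report before touching anything: an extra DLL in the LSA "Notification Packages" list (such a DLL is loaded into lsass.exe at boot and is handed every password change in plaintext), that same DLL showing up in the lsass.exe module list, a Run entry loading a random-named DLL straight from c:\windows, Internet Explorer's proxy pointed at a listener on 127.0.0.1, Security Center monitoring switched off so the user is not warned that McAfee is disabled, the firewall turned off, and an unrecognised DNS resolver on both interfaces. The following is an added example written for this page, not part of the forum thread and not a ComboFix feature: a small Python triage pass that applies those checks to log text. The sample input is excerpted from the log posted above; the rule set, the expected package list and the DNS allow list are my own assumptions, not a vendor baseline.

```python
"""Triage a ComboFix-style log for the tampering and persistence indicators
seen in this thread. Added example; not part of the forum post or of ComboFix.

Rules (all heuristics chosen for this page, not a vendor baseline):
  lsa-notification-package   extra DLLs in LSA "Notification Packages"
  lsass-foreign-dll          DLLs inside lsass.exe that are not under system32
  run-dll-in-windows-root    Run entries loading a DLL straight from c:\windows
  local-proxy                IE proxy pointed at 127.0.0.1 (traffic interception)
  security-center-disabled   Security Center monitoring switched off
  firewall-disabled          Windows Firewall standard profile turned off
  dns-not-allowlisted        interface DNS servers outside the allow list
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Stock LSA notification packages on a standalone XP workstation (assumption;
# domain controllers legitimately add more, e.g. rassfm, kdcsvc).
EXPECTED_NOTIFICATION_PACKAGES = {"scecli"}
# Resolvers the owner recognises. Assumed: the Level3 and Comcast addresses that
# sit next to the unknown one in the log above.
DEFAULT_DNS_ALLOWLIST = frozenset({"4.2.2.1", "68.87.64.150", "68.87.75.198"})

RUN_DLL_RE = re.compile(r'^"([^"]+)"="(c:\\windows\\[^\\"]+\.dll)"', re.IGNORECASE)
DNS_RE = re.compile(r"^TCP: \{[0-9A-Fa-f-]+\} = (.+)$")
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b', re.IGNORECASE)

# Constructed sample: lines excerpted from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-24 7569408]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Dzevipataxuhiju"="c:\windows\uvaxuluqiz.dll" [2006-03-16 163840]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli LO2pnt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

------- Supplementary Scan -------
uInternet Settings,ProxyServer = http=127.0.0.1:5555
TCP: {D7F32DF7-1E24-46FC-A5F8-B294C7742EBF} = 193.104.110.38,4.2.2.1,68.87.64.150 68.87.75.198

- - - - - - - > 'lsass.exe'(984)
c:\windows\LO2pnt.dll
c:\windows\system32\WININET.dll
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def triage(log: str, dns_allowlist: frozenset[str] = DEFAULT_DNS_ALLOWLIST) -> list[Finding]:
    """Walk the log line by line, tracking which registry key / process block we are in."""
    findings: list[Finding] = []
    section = ""       # lower-cased registry key currently open
    in_lsass = False   # inside the lsass.exe part of "DLLs Loaded Under Running Processes"
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if line.startswith("[") or low.startswith("------- supplementary scan"):
            section, in_lsass = (low if line.startswith("[") else ""), False
            continue
        if line.startswith("- - - - - - - >"):
            section, in_lsass = "", "'lsass.exe'" in low
            continue
        if section.endswith("\\control\\lsa]") and low.startswith("notification packages"):
            pkgs = set(line.split()[3:])   # "Notification Packages REG_MULTI_SZ scecli LO2pnt.dll"
            for extra in sorted(pkgs - EXPECTED_NOTIFICATION_PACKAGES):
                findings.append(Finding("lsa-notification-package", extra))
        elif section.endswith("\\currentversion\\run]"):
            m = RUN_DLL_RE.match(line)
            if m:
                findings.append(Finding("run-dll-in-windows-root", f"{m.group(1)} -> {m.group(2)}"))
        elif "\\security center\\monitoring\\" in section and low.startswith('"disablemonitoring"=dword:00000001'):
            findings.append(Finding("security-center-disabled", section))
        elif section.endswith("\\standardprofile]") and FIREWALL_OFF_RE.match(line):
            findings.append(Finding("firewall-disabled", line))
        elif low.startswith("uinternet settings,proxyserver"):
            value = line.split("=", 1)[1].strip()
            if "127.0.0.1:" in value or "localhost:" in value.lower():
                findings.append(Finding("local-proxy", value))
        elif in_lsass and low.startswith("c:\\") and not low.startswith("c:\\windows\\system32\\"):
            findings.append(Finding("lsass-foreign-dll", line))
        else:
            m = DNS_RE.match(line)
            if m:
                for server in re.split(r"[,\s]+", m.group(1).strip()):
                    if server not in dns_allowlist:
                        findings.append(Finding("dns-not-allowlisted", server))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.evidence}")
```

Run against the sample it reports seven findings, one per rule, and stays silent on the legitimate rundll32-style entries (NvCpl.dll, mqrt.dll) because those live under system32. The DNS check is deliberately an allow list rather than a block list: a responder knows which resolvers the ISP hands out, and anything else on an infected box deserves a look.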

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Open notepad and copy/paste the text in the codebox below into it:



http://www.geekstogo.com/forum/Your-System-Infected-Spyware-removal-t262211.html

Collect::
c:\windows\system32\config\systemprofile\ntload.dll
c:\windows\Pveduqodi.bin
c:\windows\Mjoyuku.dat
c:\windows\uvaxuluqiz.dll
c:\windows\LO2pnt.dll

File::
c:\program files\Mozilla Firefox\components\iamfamous.dll
c:\windows\Tasks\engnvvox.job

Folder::
c:\documents and settings\Tim.YOUR-0CDC4F5844\Local Settings\Application Data\xgsdnr

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
===========
Note::
If Combofix fails to upload anything please do the following:
Go to Start > My Computer > C:\
Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.

  • 0
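The Registry:: section of that script writes the LSA "Notification Packages" value back as a REGEDIT4 hex(7) byte list. Before running a script that rewrites an lsass.exe load point, it is worth decoding that byte list to confirm it restores exactly the stock package and nothing else. The following is an added example for this page, not part of the post and not a ComboFix feature: a REG_MULTI_SZ encoder/decoder for the REGEDIT4 form, used to check the script's value and to produce the same form for any other multi-string value. It assumes the REGEDIT4 (ANSI, one byte per character) layout that ComboFix's Registry:: block uses; a "Windows Registry Editor Version 5.00" file stores hex(7) as UTF-16LE instead.

```python
"""Encode and decode REG_MULTI_SZ values in REGEDIT4 hex(7) form.
Added example; not part of the forum post or of ComboFix.

REGEDIT4 stores REG_MULTI_SZ as hex(7): one byte per character, each string
followed by a NUL, and one extra NUL closing the list. (A v5.00 .reg file
uses UTF-16LE for the same type; that case is not handled here.)
"""
from __future__ import annotations

PREFIX = "hex(7):"
# The value from the CFScript posted above.
CFSCRIPT_VALUE = "hex(7):73,63,65,63,6c,69,00,00"
# Stock notification package list on a standalone XP workstation (assumption).
EXPECTED_PACKAGES = ["scecli"]


def decode_hex7(value: str) -> list[str]:
    """'hex(7):73,63,65,63,6c,69,00,00' -> ['scecli']"""
    if not value.lower().startswith(PREFIX):
        raise ValueError("not a REGEDIT4 REG_MULTI_SZ value")
    # .reg files wrap long values with a trailing backslash; drop continuations.
    body = value[len(PREFIX):].replace("\\", "").replace("\n", "").replace(" ", "")
    data = bytes(int(b, 16) for b in body.split(",") if b)
    if not data.endswith(b"\x00\x00"):
        raise ValueError("missing double-NUL list terminator")
    payload = data[:-2]
    return [s.decode("latin-1") for s in payload.split(b"\x00")] if payload else []


def encode_hex7(strings: list[str]) -> str:
    """['scecli'] -> 'hex(7):73,63,65,63,6c,69,00,00'"""
    data = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return PREFIX + ",".join(f"{b:02x}" for b in data)


def restores_stock_packages(value: str) -> bool:
    """True only when the value sets exactly the expected package list."""
    return decode_hex7(value) == EXPECTED_PACKAGES


if __name__ == "__main__":
    print(decode_hex7(CFSCRIPT_VALUE))            # ['scecli']
    print(restores_stock_packages(CFSCRIPT_VALUE))  # True
```

Decoding the script's value yields the single string "scecli", so the fix removes LO2pnt.dll from the list without dropping the package Windows itself needs. The round trip through encode_hex7 is the quick way to write a value like this by hand for another machine rather than counting bytes.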

#7
laint

laint

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks. Please advise on any next steps.


ComboFix 09-12-20.03 - Tim 12/20/2009 20:18:35.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.373 [GMT -5:00]
Running from: c:\documents and settings\Tim.YOUR-0CDC4F5844\Desktop\KittyFix.exe
Command switches used :: c:\documents and settings\Tim.YOUR-0CDC4F5844\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\program files\Mozilla Firefox\components\iamfamous.dll"
"c:\windows\Tasks\engnvvox.job"

file zipped: c:\windows\LO2pnt.dll
file zipped: c:\windows\Mjoyuku.dat
file zipped: c:\windows\Pveduqodi.bin
file zipped: c:\windows\system32\config\systemprofile\ntload.dll
file zipped: c:\windows\uvaxuluqiz.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tim.YOUR-0CDC4F5844\Local Settings\Application Data\xgsdnr
c:\program files\Shared
c:\windows\LO2pnt.dll
c:\windows\Mjoyuku.dat
c:\windows\Pveduqodi.bin
c:\windows\system32\config\systemprofile\ntload.dll
c:\windows\uvaxuluqiz.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.

2009-12-19 19:41 . 2009-12-19 19:39 293376 ----a-w- C:\oikyjdxg.exe
2009-12-19 19:28 . 2009-12-19 19:08 524288 ----a-w- C:\dds.scr
2009-12-19 19:02 . 2009-12-19 19:02 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Application Data\Malwarebytes
2009-12-19 19:00 . 2009-12-19 19:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 18:57 . 2009-12-19 18:57 -------- d-----w- c:\program files\ERUNT
2009-12-19 02:30 . 2008-11-06 07:03 -------- d-----w- C:\SDFix
2009-12-19 02:21 . 2009-12-19 02:21 -------- d-sh--w- c:\windows\system32\config\systemprofile\Temporary Internet Files
2009-12-19 02:21 . 2009-12-19 02:21 -------- d-sh--w- c:\windows\system32\config\systemprofile\History
2009-12-14 18:00 . 2009-12-14 18:00 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-12-10 23:59 . 2009-12-10 23:59 -------- d-sh--w- c:\documents and settings\Tim.YOUR-0CDC4F5844\IECompatCache
2009-12-06 18:24 . 2009-12-06 18:24 -------- d-sh--w- c:\documents and settings\Tim.YOUR-0CDC4F5844\PrivacIE
2009-12-06 14:39 . 2009-12-06 14:39 -------- d-sh--w- c:\documents and settings\Tim.YOUR-0CDC4F5844\IETldCache
2009-12-06 14:21 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-12-06 14:21 . 2009-10-29 07:45 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-12-06 14:21 . 2009-10-29 07:45 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-06 14:21 . 2009-10-29 07:45 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-06 14:21 . 2009-10-29 07:45 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-06 14:21 . 2009-10-29 07:45 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-12-06 14:21 . 2009-10-29 07:45 11069952 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-12-06 02:35 . 2008-02-26 11:59 294912 ------w- c:\windows\system32\dllcache\msctf.dll
2009-12-05 15:41 . 2009-12-05 15:41 -------- d-----w- c:\program files\MSXML 6.0
2009-12-03 21:07 . 2009-12-03 21:22 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-12-03 20:58 . 2009-12-03 20:58 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Local Settings\Application Data\Identities
2009-12-03 20:43 . 2009-12-10 23:46 6172 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-03 16:17 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-12-03 16:17 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-12-03 16:16 . 2009-03-06 14:44 283648 ------w- c:\windows\system32\dllcache\pdh.dll
2009-12-03 16:16 . 2009-02-06 16:54 35328 ------w- c:\windows\system32\dllcache\sc.exe
2009-12-03 16:16 . 2005-07-26 04:39 60416 ------w- c:\windows\system32\dllcache\colbact.dll
2009-12-03 16:16 . 2009-02-09 10:20 399360 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-12-03 16:16 . 2009-02-09 10:20 473088 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-12-03 16:16 . 2009-02-06 17:14 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-12-03 16:16 . 2009-02-06 16:39 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-12-03 16:16 . 2009-02-09 10:20 616960 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-12-03 16:16 . 2009-02-09 10:20 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-12-03 16:16 . 2009-02-09 10:20 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-12-03 16:16 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-12-03 16:13 . 2008-05-08 12:28 202752 ------w- c:\windows\system32\dllcache\rmcast.sys
2009-12-03 16:13 . 2008-10-24 11:10 453632 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-12-03 16:13 . 2008-12-11 11:57 333184 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-03 16:13 . 2008-05-01 14:30 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2009-12-03 16:13 . 2008-04-11 18:50 683520 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-12-03 16:12 . 2009-07-31 04:57 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2009-12-03 16:12 . 2008-06-24 16:23 74240 ------w- c:\windows\system32\dllcache\mscms.dll
2009-12-03 16:11 . 2009-07-10 13:42 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-12-03 16:11 . 2008-10-15 16:57 332800 ------w- c:\windows\system32\dllcache\netapi32.dll
2009-12-03 16:08 . 2009-05-07 15:44 344064 ------w- c:\windows\system32\dllcache\localspl.dll
2009-12-03 16:08 . 2008-06-12 14:16 91648 ------w- c:\windows\system32\dllcache\mtxoci.dll
2009-12-03 16:08 . 2008-06-12 14:16 161792 ------w- c:\windows\system32\dllcache\msdtcuiu.dll
2009-12-03 16:08 . 2008-06-12 14:16 956928 ------w- c:\windows\system32\dllcache\msdtctm.dll
2009-12-03 16:08 . 2008-06-12 14:16 66560 ------w- c:\windows\system32\dllcache\mtxclu.dll
2009-12-03 16:08 . 2008-06-12 14:16 58880 ------w- c:\windows\system32\dllcache\msdtclog.dll
2009-12-03 16:08 . 2008-06-12 14:16 428032 ------w- c:\windows\system32\dllcache\msdtcprx.dll
2009-12-03 16:04 . 2008-04-21 10:02 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-12-03 16:03 . 2009-06-10 14:21 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-12-03 16:03 . 2009-08-04 12:51 2185984 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-03 16:03 . 2009-08-04 12:02 2020864 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-03 16:03 . 2009-08-04 12:49 2142720 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-03 16:03 . 2009-08-04 12:02 2062976 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-03 16:00 . 2008-07-03 13:16 8454656 ------w- c:\windows\system32\dllcache\shell32.dll
2009-12-03 15:59 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-11-25 19:16 . 2009-11-25 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\WD_SmartWareCommon
2009-11-25 19:14 . 2009-11-25 19:14 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Local Settings\Application Data\Western_Digital
2009-11-25 19:13 . 2009-11-25 19:13 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Application Data\Western Digital
2009-11-25 19:13 . 2009-11-25 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2009-11-25 19:13 . 2009-11-25 19:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2009-11-25 19:13 . 2009-02-13 17:02 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2009-11-25 19:12 . 2009-11-25 19:12 -------- d-----w- c:\program files\Western Digital
2009-11-25 19:10 . 2009-11-25 19:10 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Local Settings\Application Data\Western Digital
2009-11-25 18:56 . 2009-12-10 03:35 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Application Data\ZoomBrowser EX
2009-11-25 18:53 . 2009-11-25 19:07 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Application Data\CameraWindowDC
2009-11-25 18:53 . 2009-11-25 18:53 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Application Data\CANON INC
2009-11-23 23:24 . 2009-11-23 23:24 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Application Data\Leadertech
2009-11-23 23:24 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-23 23:24 . 2004-08-04 03:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-11-23 23:24 . 2004-08-04 03:58 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2009-11-23 23:24 . 2004-08-04 05:56 159232 ----a-w- c:\windows\system32\ptpusd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-20 16:05 . 2009-11-12 02:56 -------- d-----w- c:\program files\McAfee
2009-11-15 16:29 . 2009-11-15 16:29 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Application Data\AdobeUM
2009-11-12 03:18 . 2009-11-12 03:18 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Application Data\U3
2009-11-12 02:59 . 2007-01-23 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-12 02:56 . 2009-11-12 02:56 -------- d-----w- c:\program files\McAfee.com
2009-11-11 12:45 . 2009-11-11 12:45 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Application Data\McAfee
2009-11-11 02:41 . 2006-11-18 01:40 65664 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-11 02:40 . 2006-11-18 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-11 02:40 . 2006-11-18 02:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-11 02:37 . 2006-11-18 02:39 -------- d-----w- c:\program files\Quicken
2009-11-11 02:30 . 2006-11-18 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-11-11 02:26 . 2006-11-18 02:52 -------- d-----w- c:\program files\HP Rhapsody
2009-11-11 02:25 . 2006-11-18 02:16 -------- d-----w- c:\program files\GemMaster
2009-11-10 17:07 . 2009-11-10 17:07 -------- d-----w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Application Data\GTek
2009-11-10 11:05 . 2009-11-10 11:02 142 ----a-w- c:\documents and settings\Tim.YOUR-0CDC4F5844\Local Settings\Application Data\fusioncache.dat
2009-11-10 11:03 . 2006-11-18 02:12 1681 --sha-r- c:\windows\system32\drivers\103C_HP_NTBK_HP Pavilion dv2000 (RG404UA#ABA)_YN_0Pavi_Q2CE6461VZF_E433352003_46_I30B5_SWistron_V62.46_BF.13_T061018_WXP2_L409_M959_J120_7AMD_8Turion 64 X2_91.61_#061117_N14E44311_(RG404UA#ABA)_XMOBILE_CN10_Z_2F.13.MRK
2009-11-10 09:31 . 2006-11-18 02:38 -------- d-----w- c:\program files\Windows Media Connect 2
2009-11-10 09:30 . 2006-11-18 02:39 -------- d-----w- c:\program files\Quickensetup
2009-11-10 09:30 . 2006-11-18 02:19 -------- d-----w- c:\program files\RGB
2009-11-10 09:28 . 2006-11-18 02:22 -------- d-----w- c:\program files\NetWaiting
2009-11-10 09:28 . 2006-11-18 02:36 -------- d-----w- c:\program files\music_now
2009-11-10 09:27 . 2006-11-18 02:38 -------- d-----w- c:\program files\Microsoft Office Trial Wizard
2009-11-10 09:26 . 2006-11-18 01:54 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-11-10 09:19 . 2006-11-18 02:37 -------- d-----w- c:\program files\DivX
2009-11-10 09:19 . 2006-11-18 02:13 -------- d-----w- c:\program files\Encarta Online
2009-11-10 09:19 . 2006-11-18 01:59 -------- d-----w- c:\program files\CONEXANT
2009-11-10 09:18 . 2006-11-18 01:32 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-11-10 09:18 . 2006-11-18 01:32 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-11-10 09:17 . 2006-11-18 02:54 -------- d-----w- c:\program files\Common Files\LightScribe
2009-11-10 09:10 . 2006-11-18 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-11-10 09:10 . 2006-11-18 02:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Symantec
2009-10-29 07:45 . 2006-03-16 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-24 22:06 . 2009-10-24 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-21 06:00 . 2006-03-16 04:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2006-03-16 04:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2006-03-16 04:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2006-03-16 04:00 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2006-03-16 04:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2006-03-16 04:00 112128 ----a-w- c:\windows\system32\rastls.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-24 7569408]
"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-12 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-12 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-01-27 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-12 249856]

c:\documents and settings\Tim\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - c:\documents and settings\Tim\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2007-9-14 1078]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2007-1-14 102400]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-9-19 960032]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-8-17 2043904]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-8-17 8919040]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcods.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcinfo.exe"=
"c:\\WINDOWS\\ehome\\ehSched.exe"=

R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [8/17/2009 10:52 AM 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 9:58 AM 20480]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [11/25/2009 2:13 PM 11520]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://m.www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: {D7F32DF7-1E24-46FC-A5F8-B294C7742EBF} = 193.104.110.38,4.2.2.1,68.87.64.150 68.87.75.198
TCP: {E8BB457B-AD5D-4B10-9C41-7B1C1F339B98} = 193.104.110.38,4.2.2.1
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Dzevipataxuhiju - c:\windows\uvaxuluqiz.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-20 20:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...


.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msdtc.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\mqsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2009-12-20 20:47:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-21 01:47
ComboFix2.txt 2009-12-20 18:33

Pre-Run: 70,197,567,488 bytes free
Post-Run: 70,227,353,600 bytes free

- - End Of File - - 6F36AC87BB6F32BBD155855CC9B629EB


#8 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Go to Start > My Computer > C:\
Then navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.
================
Update / Run Malwarebytes

Please update and run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.
  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
=====
* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check the next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


#9 laint (Topic Starter, New Member, 7 posts)
Thanks again for your help. Please advise next steps, if any.

Submit file uploaded.

MBAM Log Below:

Malwarebytes' Anti-Malware 1.42
Database version: 3406
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

12/21/2009 8:59:54 PM
mbam-log-2009-12-21 (20-59-54).txt

Scan type: Quick Scan
Objects scanned: 135119
Time elapsed: 11 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d7f32df7-1e24-46fc-a5f8-b294c7742ebf}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1,68.87.64.150 68.87.75.198 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e8bb457b-ad5d-4b10-9c41-7b1c1f339b98}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESET Log below:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251

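The MBAM log above flags the per-interface NameServer values (Trojan.DNSChanger), and the same values appear as the "TCP: {GUID} = ..." lines in the ComboFix and DDS logs. The following is an added example, not part of this thread and not code from DDS, ComboFix or Malwarebytes: a small Python triage script that parses log lines in that "Pseudo HJT" shape and reports any resolver that is not on an allowlist, plus any ProxyServer entry so it can be reviewed. The sample lines are constructed in the format of the posted log, reusing its values; the allowlist (the Level 3 and Comcast resolvers that also appear in the log) is an assumption made for the example. A live check on the machine would read the same NameServer value under the Tcpip\Parameters\Interfaces key that the MBAM log names.

```python
import re

# Constructed sample lines in the shape of the DDS/ComboFix "Pseudo HJT" section.
# The values are copied from the log posted in this thread.
SAMPLE_LOG = """\
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
TCP: {D7F32DF7-1E24-46FC-A5F8-B294C7742EBF} = 193.104.110.38,4.2.2.1,68.87.64.150 68.87.75.198
TCP: {E8BB457B-AD5D-4B10-9C41-7B1C1F339B98} = 193.104.110.38,4.2.2.1
"""

# Allowlist of resolvers the owner/ISP is expected to use.
# Assumption for this example: the non-flagged servers seen in the same log.
EXPECTED_DNS = {"4.2.2.1", "68.87.64.150", "68.87.75.198"}

# "TCP: {interface GUID} = server1,server2 ..." as DDS/ComboFix print it
TCP_RE = re.compile(r"^TCP:\s*\{([0-9A-Fa-f-]+)\}\s*=\s*(.*)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.*)$")


def parse_nameservers(log_text):
    """Return {interface_guid: [resolver, ...]} from the 'TCP:' lines.
    The log separates servers with commas or spaces (both occur above)."""
    result = {}
    for line in log_text.splitlines():
        m = TCP_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group(2).strip()) if s]
            result[m.group(1).lower()] = servers
    return result


def find_rogue_dns(log_text, expected=EXPECTED_DNS):
    """Map each interface GUID to the resolvers that are not on the allowlist."""
    rogue = {}
    for guid, servers in parse_nameservers(log_text).items():
        unexpected = [s for s in servers if s not in expected]
        if unexpected:
            rogue[guid] = unexpected
    return rogue


def parse_proxy(log_text):
    """Return the ProxyServer value if one is configured, else None."""
    for line in log_text.splitlines():
        m = PROXY_RE.match(line.strip())
        if m:
            return m.group(1).strip()
    return None


if __name__ == "__main__":
    for guid, servers in find_rogue_dns(SAMPLE_LOG).items():
        print(f"interface {{{guid}}}: unexpected resolver(s) {servers}")
    proxy = parse_proxy(SAMPLE_LOG)
    if proxy:
        print(f"ProxyServer is set to {proxy}; confirm a local proxy is expected")
```

Run it against a saved DDS.txt by reading the file into `find_rogue_dns` instead of `SAMPLE_LOG`; on the sample it reports 193.104.110.38 on both interfaces, which matches the two entries MBAM quarantined.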
#10 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Great. Please post a new DDS log and let me know how things are running.

#11 laint (Topic Starter, New Member, 7 posts)
Perfect. Things are running at normal again. Thanks very much for your help.

Here is the DDS log. The attach.txt file is attached. Please let me know if there is anything else you think I should do. Thanks again.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Tim at 19:54:36.18 on Wed 12/23/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.402 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\WINDOWS\system32\mqsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Tim.YOUR-0CDC4F5844\My Documents\PERSONAL\ADMIN\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://m.www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppavi~1.lnk - c:\program files\hewlett-packard\hp pavilion webcam\HPWebcam.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-16 214664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-7-17 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-11-11 144704]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-8-17 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-21 38224]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-11-11 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-11-11 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-11-11 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-11-11 40552]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-11-10 34248]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-11-25 11520]

=============== Created Last 30 ================

2009-12-23 08:03:29 282112 ----a-w- c:\windows\system32\TBD7AC0.tmp
2009-12-23 08:00:24 0 d-----w- C:\199e6e088ce2f6a5a599
2009-12-23 00:19:52 282112 ----a-w- c:\windows\system32\TBD79E9.tmp
2009-12-23 00:16:25 0 d-----w- C:\d814651ece9df4303b
2009-12-22 08:04:26 282112 ----a-w- c:\windows\system32\TBD786C.tmp
2009-12-22 08:00:41 0 d-----w- C:\01578a25d71889fc2553
2009-12-22 02:03:41 0 d-----w- c:\program files\ESET
2009-12-22 01:45:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-22 01:45:42 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 01:45:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-21 12:24:20 282112 ----a-w- c:\windows\system32\TBD69.tmp
2009-12-21 12:19:09 0 d-----w- C:\87e392c967de9c3bf6aabbf96e5a83d3
2009-12-21 01:17:18 98816 ----a-w- c:\windows\sed.exe
2009-12-21 01:17:18 77312 ----a-w- c:\windows\MBR.exe
2009-12-21 01:17:18 261632 ----a-w- c:\windows\PEV.exe
2009-12-21 01:17:18 161792 ----a-w- c:\windows\SWREG.exe
2009-12-20 17:40:30 0 d-sha-r- C:\cmdcons
2009-12-19 19:41:01 293376 ----a-w- C:\oikyjdxg.exe
2009-12-19 19:28:41 524288 ----a-w- C:\dds.scr
2009-12-19 19:02:02 0 d-----w- c:\docume~1\tim~1.you\applic~1\Malwarebytes
2009-12-19 19:00:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 02:30:27 0 d-----w- C:\SDFix
2009-12-10 23:59:01 0 d-sh--w- c:\documents and settings\tim.your-0cdc4f5844\IECompatCache
2009-12-06 18:24:26 0 d-sh--w- c:\documents and settings\tim.your-0cdc4f5844\PrivacIE
2009-12-06 14:39:54 0 d-sh--w- c:\documents and settings\tim.your-0cdc4f5844\IETldCache
2009-12-06 14:21:58 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-12-06 14:21:20 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-06 14:21:20 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-06 14:21:20 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-12-06 14:21:19 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-06 14:21:19 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-12-06 14:21:19 11069952 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-12-06 02:35:39 294912 ------w- c:\windows\system32\dllcache\msctf.dll
2009-12-05 15:41:26 0 d-----w- c:\program files\MSXML 6.0
2009-12-03 21:07:01 0 d-----w- c:\windows\system32\CatRoot_bak
2009-12-03 20:43:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-03 16:17:04 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-12-03 16:17:04 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-12-03 16:16:32 60416 ------w- c:\windows\system32\dllcache\colbact.dll
2009-12-03 16:16:32 35328 ------w- c:\windows\system32\dllcache\sc.exe
2009-12-03 16:16:32 283648 ------w- c:\windows\system32\dllcache\pdh.dll
2009-12-03 16:16:31 473088 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-12-03 16:16:31 399360 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-12-03 16:16:31 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-12-03 16:16:31 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-12-03 16:16:30 616960 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-12-03 16:16:30 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-12-03 16:16:29 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-12-03 16:16:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-12-03 16:15:20 128512 ------w- c:\windows\system32\dllcache\dhtmled.ocx
2009-12-03 16:13:45 202752 ------w- c:\windows\system32\dllcache\rmcast.sys
2009-12-03 16:13:41 453632 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-12-03 16:13:34 333184 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-03 16:13:27 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2009-12-03 16:13:23 683520 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-12-03 16:12:49 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2009-12-03 16:12:44 74240 ------w- c:\windows\system32\dllcache\mscms.dll
2009-12-03 16:11:19 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-12-03 16:11:06 332800 ------w- c:\windows\system32\dllcache\netapi32.dll
2009-12-03 16:08:26 344064 ------w- c:\windows\system32\dllcache\localspl.dll
2009-12-03 16:08:18 91648 ------w- c:\windows\system32\dllcache\mtxoci.dll
2009-12-03 16:08:18 161792 ------w- c:\windows\system32\dllcache\msdtcuiu.dll
2009-12-03 16:08:17 956928 ------w- c:\windows\system32\dllcache\msdtctm.dll
2009-12-03 16:08:17 66560 ------w- c:\windows\system32\dllcache\mtxclu.dll
2009-12-03 16:08:17 58880 ------w- c:\windows\system32\dllcache\msdtclog.dll
2009-12-03 16:08:16 428032 ------w- c:\windows\system32\dllcache\msdtcprx.dll
2009-12-03 16:04:22 1193414 ------w- c:\windows\system32\dllcache\sysmain.sdb
2009-12-03 16:04:21 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-12-03 16:03:23 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-12-03 16:03:02 2185984 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-03 16:03:01 2020864 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-03 16:03:00 2142720 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-03 16:03:00 2062976 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-03 16:00:59 0 d-----w- c:\windows\system32\PreInstall
2009-12-03 16:00:39 8454656 ------w- c:\windows\system32\dllcache\shell32.dll
2009-12-03 15:59:31 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-12-03 01:39:43 0 d-----w- c:\windows\system32\SoftwareDistribution
2009-11-25 19:16:34 0 d-----w- c:\docume~1\alluse~1\applic~1\WD_SmartWareCommon
2009-11-25 19:13:22 0 d-----w- c:\docume~1\tim~1.you\applic~1\Western Digital
2009-11-25 19:13:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Western Digital
2009-11-25 19:13:03 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2009-11-25 19:12:27 0 d-----w- c:\program files\Western Digital
2009-11-25 18:56:48 0 d-----w- c:\docume~1\tim~1.you\applic~1\ZoomBrowser EX
2009-11-25 18:53:49 0 d-----w- c:\docume~1\tim~1.you\applic~1\CameraWindowDC
2009-11-25 18:53:47 0 d-----w- c:\docume~1\tim~1.you\applic~1\CANON INC

==================== Find3M ====================

2009-11-10 11:03:12 1681 --sha-r- c:\windows\system32\drivers\103C_HP_NTBK_HP Pavilion dv2000 (RG404UA#ABA)_YN_0Pavi_Q2CE6461VZF_E433352003_46_I30B5_SWistron_V62.46_BF.13_T061018_WXP2_L409_M959_J120_7AMD_8Turion 64 X2_91.61_#061117_N14E44311_(RG404UA#ABA)_XMOBILE_CN10_Z_2F.13.MRK
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-10-29 07:45:37 5940736 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 07:45:37 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-10-29 07:45:37 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-10-29 07:45:35 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-10-29 07:45:34 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-10-29 07:45:32 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 06:00:55 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 14:58:48 263552 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:53:29 266752 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54:17 69632 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:54:17 112128 ------w- c:\windows\system32\dllcache\rastls.dll
2009-09-25 05:49:02 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-09-25 05:49:02 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-09-25 05:48:59 55808 ------w- c:\windows\system32\dllcache\extmgr.dll
2009-09-25 05:48:58 151040 ------w- c:\windows\system32\dllcache\cdfview.dll
2009-09-25 05:48:58 1054208 ------w- c:\windows\system32\dllcache\danim.dll
2009-09-25 05:48:57 1024000 ------w- c:\windows\system32\dllcache\browseui.dll

============= FINISH: 19:55:36.04 ===============


#12 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
=======Cleanup=======
  • Click START then RUN
  • Now type Combofix /uninstall in the Run box and click OK. Note the space between the X and the U; it needs to be there.
======Next======
  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 17...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
======================Clear out infected System Restore points======================


Then we need to reset your System Restore points.
The link below shows how to do this.
How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingc...143.html#manual

Delete/uninstall anything else that we have used that is left over.

=====================================
After that you're all set.


The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.

File sharing program dangers - Reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc.