
Computer Slow / Iexplorer.exe Using Large Amounts Of Memory


  • This topic is locked
10 replies to this topic

#1 hrudy24

hrudy24

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:10 PM

Posted 29 July 2008 - 04:25 PM

I have a computer that has been infected with all kinds of spyware. I've run Spybot, Ad-Aware and a-squared with no success. They're picking some of the infections up, but they keep coming back. Below is my DSS report.

One thing I've noticed is that iexplorer.exe is taking up a great deal of memory, but Internet Explorer isn't even open. Could this be why the computer is running at such a slow speed?

Deckard's System Scanner v20071014.68
Run by Rhonda Schneider on 2008-07-29 15:38:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
105: 2008-07-29 20:39:29 UTC - RP527 - Deckard's System Scanner Restore Point
104: 2008-07-29 19:43:17 UTC - RP526 - ComboFix created restore point
103: 2008-07-29 18:26:33 UTC - RP525 - ComboFix created restore point
102: 2008-07-28 20:05:59 UTC - RP524 - System Checkpoint
101: 2008-07-27 17:17:06 UTC - RP523 - System Checkpoint


-- First Restore Point --
1: 2008-06-24 01:09:29 UTC - RP423 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 77% (more than 75%).
Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-29 15:43:27
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\Program Files\McAfee.com\VSO\McShield.exe
C:\Program Files\McAfee.com\Agent\McTskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe
C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\McAfee\SpamKiller\MSKAgent.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Rhonda Schneider\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: {cc639d96-f5a0-688b-46c4-2b8898190e73} - {37e09189-88b2-4c64-b886-0a5f69d936cc} - C:\WINDOWS\system32\hgcdyj.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - C:\Program Files\McAfee\SpamKiller\McApfBHO.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {BAFFE38C-C38F-421D-A619-854106535705} - C:\WINDOWS\system32\iifeBQJy.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\Program Files\McAfee.com\VSO\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [6060db3f] rundll32.exe "C:\WINDOWS\system32\bfkvxfrm.dll",b
O4 - HKLM\..\Run: [BM6353e8a3] Rundll32.exe "C:\WINDOWS\system32\pjkxbxkq.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [greytool] C:\DOCUME~1\RHONDA~1\APPLIC~1\SIZECL~1\Up Build.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - C:\Program Files\McAfee\SpamKiller\McApfBHO.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - C:\Program Files\McAfee\SpamKiller\McApfBHO.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shock...director/sw.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://playgames.comcast.net/Gameshell/Gam...ronGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O20 - Winlogon Notify: iifeBQJy - C:\WINDOWS\system32\iifeBQJy.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcf_device - Unknown owner - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - C:\Program Files\McAfee.com\Agent\Mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\Program Files\McAfee.com\VSO\McShield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - C:\Program Files\McAfee.com\Agent\McTskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\Program Files\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\system32\WLTRYSVC.EXE


--
End of file - 10575 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 MPFIREWL - c:\windows\system32\drivers\mpfirewall.sys <Not Verified; McAfee; McAfee Personal Firewall>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>

S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 MskService (McAfee SpamKiller Server) - c:\progra~1\mcafee\spamki~1\msksrvr.exe <Not Verified; McAfee Inc.; McAfee SpamKiller>
R2 NICCONFIGSVC - c:\program files\dell\quickset\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 ScsiAccess - c:\windows\system32\scsiaccess.exe
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-29 15:00:05 256 --ah----- C:\WINDOWS\Tasks\ACBE69D5918DE3E5.job
2008-07-29 15:00:01 292 --ah----- C:\WINDOWS\Tasks\A7499BD0918E1884.job
2008-07-27 18:00:00 430 --a------ C:\WINDOWS\Tasks\Norton Security Scan.job
2008-07-25 18:30:00 372 --a------ C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (RHONDA-Rhonda Schneider).job
2008-07-18 15:31:06 350 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2008-07-17 17:51:17 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-29 and 2008-07-29 -----------------------------

2008-07-29 15:43:58 347 --ahs---- C:\WINDOWS\system32\RAddKkkj.ini2
2008-07-29 15:43:45 314880 --a------ C:\WINDOWS\system32\jkkKddAR.dll
2008-07-29 15:20:06 0 d-------- C:\WINDOWS\LastGood
2008-07-29 14:41:39 83456 --a------ C:\WINDOWS\system32\bfkvxfrm.dll
2008-07-29 14:39:40 91648 --a------ C:\WINDOWS\system32\pjkxbxkq.dll
2008-07-29 13:29:23 0 d-------- C:\cmdcons
2008-07-29 13:23:46 68096 --a------ C:\WINDOWS\zip.exe
2008-07-29 13:23:46 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-29 13:23:46 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-29 13:23:46 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-29 13:23:46 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-29 13:23:46 98816 --a------ C:\WINDOWS\sed.exe
2008-07-29 13:23:46 80412 --a------ C:\WINDOWS\grep.exe
2008-07-29 13:23:46 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-28 14:22:09 105472 --a------ C:\WINDOWS\system32\hgcdyj.dll
2008-07-28 14:22:06 105472 --a------ C:\WINDOWS\system32\hykoikfy.dll
2008-07-28 14:20:33 91648 --a------ C:\WINDOWS\system32\hcyfksxj.dll
2008-07-27 11:47:59 26112 --a------ C:\WINDOWS\system32\iifddedc.dll
2008-07-27 11:47:58 26112 --a------ C:\WINDOWS\system32\urqPhgEx.dll
2008-07-27 11:39:19 105472 --a------ C:\WINDOWS\system32\jooqea.dll
2008-07-27 11:39:18 105472 --a------ C:\WINDOWS\system32\luenwkiq.dll
2008-07-27 11:38:41 91648 --a------ C:\WINDOWS\system32\cwuvbbnf.dll
2008-07-25 22:40:23 83456 --a------ C:\WINDOWS\system32\duqvgywg.dll
2008-07-25 22:37:24 105472 --a------ C:\WINDOWS\system32\pezrvk.dll
2008-07-25 22:37:22 105472 --a------ C:\WINDOWS\system32\glxspvhm.dll
2008-07-25 22:34:48 91648 --a------ C:\WINDOWS\system32\iyeiroko.dll
2008-07-24 22:41:18 105472 --a------ C:\WINDOWS\system32\vuetgn.dll
2008-07-24 22:41:16 105472 --a------ C:\WINDOWS\system32\forjpfqu.dll
2008-07-24 22:35:17 91648 --a------ C:\WINDOWS\system32\rtyslvnp.dll
2008-07-24 00:55:10 0 d-------- C:\Program Files\size close mess
2008-07-18 12:50:54 0 d-------- C:\Program Files\a-squared Anti-Malware
2008-07-18 11:25:59 0 d-------- C:\Program Files\Lavasoft
2008-07-18 11:25:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-18 11:17:25 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Find3M Report ---------------------------------------------------------------

2008-07-29 14:54:24 0 d-------- C:\Program Files\Common Files
2008-07-29 13:30:54 0 d-------- C:\Program Files\GamesBar
2008-07-28 07:41:57 0 d-------- C:\Documents and Settings\Rhonda Schneider\Application Data\size close mess
2008-07-24 04:20:14 0 d-------- C:\Program Files\Dl_cats
2008-07-24 04:15:45 4704 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-07-24 04:15:45 56 -r-hs---- C:\WINDOWS\system32\116A348100.sys
2008-07-21 22:35:40 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-21 15:12:21 0 d-------- C:\Documents and Settings\Rhonda Schneider\Application Data\SiteAdvisor
2008-07-16 18:00:21 0 d-------- C:\Program Files\Norton Security Scan
2008-06-30 10:23:43 0 d-------- C:\Program Files\Common Files\AOL
2008-06-23 20:04:03 25488 --a------ C:\WINDOWS\system32\iifeBQJy.dll
2008-06-22 17:48:46 664 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{272E239B-DD64-4694-8309-2246643F39FC}]
07/29/2008 03:43 PM 314880 --a------ C:\WINDOWS\system32\jkkKddAR.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37e09189-88b2-4c64-b886-0a5f69d936cc}]
07/28/2008 02:22 PM 105472 --a------ C:\WINDOWS\system32\hgcdyj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BAFFE38C-C38F-421D-A619-854106535705}]
06/23/2008 08:04 PM 25488 --a------ C:\WINDOWS\system32\iifeBQJy.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [07/12/2005 06:06 PM]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [08/26/2005 02:26 PM]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [07/01/2005 07:22 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/01/2008 12:13 AM]
"6060db3f"="C:\WINDOWS\system32\bfkvxfrm.dll" [07/29/2008 02:41 PM]
"BM6353e8a3"="C:\WINDOWS\system32\pjkxbxkq.dll" [07/29/2008 02:39 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/01/2007 02:26 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"greytool"="C:\DOCUME~1\RHONDA~1\APPLIC~1\SIZECL~1\Up Build.exe" [07/24/2008 12:54 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BAFFE38C-C38F-421D-A619-854106535705}"= C:\WINDOWS\system32\iifeBQJy.dll [06/23/2008 08:04 PM 25488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeBQJy]
iifeBQJy.dll 06/23/2008 08:04 PM 25488 C:\WINDOWS\system32\iifeBQJy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkKddAR

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"greytool"=C:\DOCUME~1\RHONDA~1\APPLIC~1\SIZECL~1\Up Build.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"6060db3f"=rundll32.exe "C:\WINDOWS\system32\embhnyea.dll",b
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe"
"AntiSpywareExpert"=C:\Program Files\AntiSpywareExpert\ase.exe
"BM6353e8a3"=Rundll32.exe "C:\WINDOWS\system32\fircdpag.dll",s
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"PCPrivacyCleaner"=C:\Program Files\PCPrivacyCleaner\pcpc.exe




-- End of Deckard's System Scanner: finished at 2008-07-29 15:46:55 ------------
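The DSS/HijackThis listing above is the kind of log a helper triages by eye: unnamed BHOs, Run entries that start rundll32.exe on a throwaway DLL name in system32, a Winlogon Notify hook, and an extra LSA authentication package. The script below is an added example written for this thread, not a BleepingComputer, DSS or HijackThis tool; it encodes those four checks as detection rules and runs them over sample lines constructed from the log above. The "random name" thresholds and the Windows XP Winlogon Notify baseline are assumptions and should be adjusted to your own baseline before the output is trusted.

```python
"""Triage heuristics for HijackThis-style log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the DSS/HijackThis log and registry
# dump in this thread, plus a benign QuickTime entry for contrast.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {cc639d96-f5a0-688b-46c4-2b8898190e73} - {37e09189-88b2-4c64-b886-0a5f69d936cc} - C:\WINDOWS\system32\hgcdyj.dll
O2 - BHO: (no name) - {BAFFE38C-C38F-421D-A619-854106535705} - C:\WINDOWS\system32\iifeBQJy.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [6060db3f] rundll32.exe "C:\WINDOWS\system32\bfkvxfrm.dll",b
O4 - HKLM\..\Run: [BM6353e8a3] Rundll32.exe "C:\WINDOWS\system32\pjkxbxkq.dll",s
O20 - Winlogon Notify: iifeBQJy - C:\WINDOWS\system32\iifeBQJy.dll
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkKddAR
"""

SYSTEM32 = "c:\\windows\\system32\\"
CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# O4 entry whose command is rundll32.exe loading a quoted DLL path.
RUNDLL_RE = re.compile(r'^O4 - .*?\\Run: \[[^\]]*\] rundll32\.exe "([^"]+)"', re.I)
# Assumption: Winlogon Notify packages present on a default Windows XP install.
# Anything else (e.g. a vendor package) needs your own baseline added here.
XP_NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                      "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}


@dataclass
class Finding:
    rule: str   # which heuristic fired
    path: str   # the file the entry points at
    line: str   # the original log line, for the analyst


def in_system32(path: str) -> bool:
    return path.lower().startswith(SYSTEM32)


def looks_random(path: str) -> bool:
    """Heuristic for throwaway DLL names like hgcdyj, bfkvxfrm, pjkxbxkq and
    iifeBQJy: a 6-8 letter stem that is nearly vowel-free or flips between
    lower and upper case more than once. A triage hint, not a verdict; the
    thresholds are assumptions chosen to fit this log."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if not (stem.isalpha() and 6 <= len(stem) <= 8):
        return False
    vowels = sum(ch in "aeiouAEIOU" for ch in stem)
    flips = sum(a.islower() != b.islower() for a, b in zip(stem, stem[1:]))
    return vowels / len(stem) < 0.2 or flips >= 2


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    if line.startswith("O2 - BHO:"):
        # Format: O2 - BHO: <name> - {CLSID} - <dll path>
        parts = line[9:].rsplit(" - ", 2)
        if len(parts) != 3:
            return None
        name, _clsid, path = (p.strip() for p in parts)
        if name == "(no name)" or CLSID_RE.match(name):
            return Finding("bho_unnamed", path, line)
        if in_system32(path) and looks_random(path):
            return Finding("random_system32_dll", path, line)
        return None
    m = RUNDLL_RE.match(line)
    if m and in_system32(m.group(1)) and looks_random(m.group(1)):
        return Finding("rundll32_random_dll", m.group(1), line)
    if line.startswith("O20 - Winlogon Notify:"):
        # Format: O20 - Winlogon Notify: <package> - <dll path>
        package, _, path = line[22:].partition(" - ")
        if package.strip().lower() not in XP_NOTIFY_BASELINE:
            return Finding("winlogon_notify", path.strip(), line)
        return None
    if line.startswith('"Authentication Packages"'):
        # Registry-dump line: "Authentication Packages"= msv1_0 [extra packages]
        packages = line.split("=", 1)[1].split()
        extras = [p for p in packages if p.lower() != "msv1_0"]
        if extras:
            return Finding("lsa_extra_auth_package", extras[0], line)
    return None


def triage(text: str) -> List[Finding]:
    """Run every rule over a whole log and collect the hits in log order."""
    return [f for f in (triage_line(l.strip()) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:24} {f.path}")
```

On the sample the Acrobat BHO and the QuickTime Run entry pass, while the two unnamed BHOs, both rundll32 loaders, the Winlogon Notify hook and the extra LSA package are reported. Each hit is a starting point for the analyst, who still has to confirm the file (publisher, timestamp, whether it is one of the files created in the last few days) before deciding it is malicious.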


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:10:10 PM

Posted 30 July 2008 - 02:55 PM

Hi,

Total Physical Memory: 503 MiB (512 MiB recommended).

You really should consider another antivirus instead of McAfee, because McAfee is not recommended if you only have 503 MB of RAM. I'm pretty sure your system is currently crawling, especially with the malware on top.

Anyway..

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Also, look if one of the following programs is present and uninstall it:

3wPlayer
Anti-Leech
Bitgrabber
BitRoll
Bitdownload
Browser Enhancer
CiD Help
CiD Manager
DivoCodec version X.X.X.X (X are numbers)
DivoPlayer version X.X.X.X (X are numbers)
DomPlayer
Download Plugin for Internet Explorer
Get-Torrent version X.X.X.X (X are numbers)
KitPlayer
Lop.com
LOP SEARCH
Messenger Plus! Live & Sponsor (CiD)
Messenger Plus or Messenger Plus and Client
Netpumper
Search Plugin
Torrent101
TorrentQ
TorrentSpeeder version X.X.X.X (X are numbers)
Ultimate Browser Enhancer
Window Search
Window Searching
WinZix
W3player
Zone Media

This is because they are bundled with the malware you are dealing with (Swizzor, aka Lop).

This will uninstall the malware application.
If, during the uninstall, you are asked for uninstall verification, please enter the numbers that appear in the window.
If it says that the file was not found, double-check that you entered the exact command. If it still fails, proceed with the next steps.


If you can't find them:

* Go to Start > Run and copy and paste the command below into the field:
(Please make sure you copy and paste it exactly as you find it below)

"C:\DOCUME~1\RHONDA~1\APPLIC~1\SIZECL~1\Up Build.exe" -uninstall

Hit Enter.

Then reboot. Important!

After reboot,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 hrudy24

hrudy24
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:10 PM

Posted 30 July 2008 - 04:35 PM

Thanks for your help. I've uninstalled "Viewpoint" and some other programs I found on the list. Also, I ran ComboFix and below is the log.
ComboFix 08-07-28.6 - Rhonda Schneider 2008-07-30 15:33:04.3 - NTFSx86
Running from: C:\Documents and Settings\Rhonda Schneider\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM6353e8a3.txt
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\jkkKddAR.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\RAddKkkj.ini
C:\WINDOWS\system32\RAddKkkj.ini2
C:\WINDOWS\system32\wvmcbcka.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-30 )))))))))))))))))))))))))))))))
.

2008-07-30 09:14 . 2008-07-30 09:14 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-07-30 09:14 . 2008-07-30 09:14 <DIR> d-------- C:\Program Files\Zone Labs
2008-07-29 15:49 . 2008-07-29 15:50 83,456 --a------ C:\WINDOWS\system32\akcbcmvw.dll
2008-07-29 15:47 . 2008-07-29 15:47 105,472 --a------ C:\WINDOWS\system32\kqdisx.dll
2008-07-29 15:46 . 2008-07-29 15:47 105,472 --a------ C:\WINDOWS\system32\lmibjqqs.dll
2008-07-29 15:45 . 2008-07-29 15:45 91,648 --a------ C:\WINDOWS\system32\lqtovath.dll
2008-07-29 15:38 . 2008-07-29 15:38 <DIR> d-------- C:\Deckard
2008-07-29 15:10 . 2008-07-29 15:38 414 --ahs---- C:\WINDOWS\system32\mrfxvkfb.ini
2008-07-29 14:39 . 2008-07-29 14:39 91,648 --a------ C:\WINDOWS\system32\pjkxbxkq.dll
2008-07-29 14:34 . 2008-07-29 14:34 294 --ahs---- C:\WINDOWS\system32\ufbtncyx.ini
2008-07-28 14:22 . 2008-07-28 14:22 105,472 --a------ C:\WINDOWS\system32\hykoikfy.dll
2008-07-28 14:22 . 2008-07-28 14:22 105,472 --a------ C:\WINDOWS\system32\hgcdyj.dll
2008-07-28 14:20 . 2008-07-28 14:20 91,648 --a------ C:\WINDOWS\system32\hcyfksxj.dll
2008-07-27 11:47 . 2008-07-27 11:47 26,112 --a------ C:\WINDOWS\system32\urqPhgEx.dll
2008-07-27 11:47 . 2008-07-27 11:47 26,112 --a------ C:\WINDOWS\system32\iifddedc.dll
2008-07-27 11:39 . 2008-07-27 11:39 105,472 --a------ C:\WINDOWS\system32\luenwkiq.dll
2008-07-27 11:39 . 2008-07-27 11:39 105,472 --a------ C:\WINDOWS\system32\jooqea.dll
2008-07-27 11:38 . 2008-07-27 11:38 91,648 --a------ C:\WINDOWS\system32\cwuvbbnf.dll
2008-07-25 22:40 . 2008-07-25 22:40 83,456 --a------ C:\WINDOWS\system32\duqvgywg.dll
2008-07-25 22:37 . 2008-07-25 22:37 105,472 --a------ C:\WINDOWS\system32\pezrvk.dll
2008-07-25 22:37 . 2008-07-25 22:37 105,472 --a------ C:\WINDOWS\system32\glxspvhm.dll
2008-07-25 22:34 . 2008-07-25 22:34 91,648 --a------ C:\WINDOWS\system32\iyeiroko.dll
2008-07-24 22:41 . 2008-07-24 22:41 105,472 --a------ C:\WINDOWS\system32\vuetgn.dll
2008-07-24 22:41 . 2008-07-24 22:41 105,472 --a------ C:\WINDOWS\system32\forjpfqu.dll
2008-07-24 22:35 . 2008-07-24 22:35 91,648 --a------ C:\WINDOWS\system32\rtyslvnp.dll
2008-07-24 01:36 . 2008-07-27 20:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-24 01:36 . 2008-07-24 01:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-18 12:50 . 2008-07-29 12:47 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-07-18 11:25 . 2008-07-18 11:25 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-18 11:25 . 2008-07-18 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-18 11:17 . 2008-07-18 11:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-26 20:18 . 2008-07-30 16:02 111,591 --a------ C:\WINDOWS\BM6353e8a3.xml
2008-06-23 20:04 . 2008-06-23 20:04 25,488 --a------ C:\WINDOWS\system32\iifeBQJy.dll
2008-06-11 05:07 . 2008-06-13 08:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 05:07 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-30 20:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Mfcd upload army browse
2008-07-30 20:10 --------- d-----w C:\Program Files\Viewpoint
2008-07-30 20:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-30 14:25 --------- d-----w C:\Documents and Settings\Rhonda Schneider\Application Data\McAfee.com Personal Firewall
2008-07-30 14:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2008-07-29 18:30 --------- d-----w C:\Program Files\GamesBar
2008-07-29 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\GamesBar
2008-07-28 12:26 --------- d-----w C:\Documents and Settings\Bay\Application Data\size close mess
2008-07-24 09:20 --------- d-----w C:\Program Files\Dl_cats
2008-07-24 09:15 4,704 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-07-22 03:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-21 20:12 --------- d-----w C:\Documents and Settings\Rhonda Schneider\Application Data\SiteAdvisor
2008-07-18 20:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-16 23:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-06-30 15:23 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-30 14:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-17 10:46 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-03-12 02:21 83,976 ----a-w C:\Documents and Settings\Rhonda Schneider\Application Data\GDIPFONTCACHEV1.DAT
2006-10-10 23:54 83,976 ----a-w C:\Documents and Settings\Bay\Application Data\GDIPFONTCACHEV1.DAT
2006-08-11 13:43 88 --sh--r C:\WINDOWS\system32\0081346A11.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-29_15.19.17.75 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{500B710D-6922-4404-9623-9A2890D60F49}]
2008-07-30 16:06 314880 --a------ C:\WINDOWS\system32\pmnNFUlk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5f1a3eb7-5055-4ab2-8be1-cd3fa0ace098}]
2008-07-30 16:09 105472 --a------ C:\WINDOWS\system32\bjkcmg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BAFFE38C-C38F-421D-A619-854106535705}]
2008-06-23 20:04 25488 --a------ C:\WINDOWS\system32\iifeBQJy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-01 14:26 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-07-12 18:06 110592]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2005-08-26 14:26 212992]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-07-01 19:22 303104]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"6060db3f"="C:\WINDOWS\system32\akcbcmvw.dll" [2008-07-29 15:50 83456]
"MPFEXE"="C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe" [2005-08-18 17:52 999424]
"BM6353e8a3"="C:\WINDOWS\system32\ffioqoib.dll" [2008-07-30 16:08 91648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-01 14:26 68856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{BAFFE38C-C38F-421D-A619-854106535705}"= "C:\WINDOWS\system32\iifeBQJy.dll" [2008-06-23 20:04 25488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeBQJy]
2008-06-23 20:04 25488 C:\WINDOWS\system32\iifeBQJy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\pmnNFUlk

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"greytool"=C:\DOCUME~1\RHONDA~1\APPLIC~1\SIZECL~1\Up Build.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"6060db3f"=rundll32.exe "C:\WINDOWS\system32\embhnyea.dll",b
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe"
"AntiSpywareExpert"=C:\Program Files\AntiSpywareExpert\ase.exe
"BM6353e8a3"=Rundll32.exe "C:\WINDOWS\system32\fircdpag.dll",s
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"PCPrivacyCleaner"=C:\Program Files\PCPrivacyCleaner\pcpc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-07-30 C:\WINDOWS\Tasks\ACBE69D5918DE3E5.job
- c:\docume~1\bay\applic~1\sizecl~1\Sign heck okay.exe [2008-07-24 01:00]

2008-07-17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-07-25 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (RHONDA-Rhonda Schneider).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2005-07-08 18:18]

2008-07-27 C:\WINDOWS\Tasks\Norton Security Scan.job
- C:\Program Files\Norton Security Scan\Nss.exe [2008-01-09 05:08]

2008-07-18 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2005-05-31 01:04]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.comcast.net/
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKLM-Main,Start Page = hxxp://www.dell.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyOverride = localhost
R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
O8 -: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 -: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-30 15:59:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\iifeBQJy.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\pvhilkgv.dll
-> C:\WINDOWS\system32\ffioqoib.dll
-> C:\WINDOWS\system32\pmnNFUlk.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\PROGRA~1\McAfee.com\VSO\McShield.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
C:\PROGRA~1\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-30 16:13:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-30 21:12:38
ComboFix2.txt 2008-07-29 20:21:43

Pre-Run: 23,272,869,888 bytes free
Post-Run: 23,350,382,592 bytes free

208 --- E O F --- 2008-06-21 08:03:20


HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:55 PM, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\a-squared Anti-Malware\a2start.exe
\Server\Shared\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFEXE] "C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe"
O4 - HKLM\..\Run: [BM6353e8a3] Rundll32.exe "C:\WINDOWS\system32\ffioqoib.dll",s
O4 - HKLM\..\Run: [6060db3f] rundll32.exe "C:\WINDOWS\system32\pvhilkgv.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://playgames.comcast.net/Gameshell/Gam...ronGameHost.cab
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7831 bytes

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 30 July 2008 - 04:56 PM

Hi,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\akcbcmvw.dll
C:\WINDOWS\system32\kqdisx.dll
C:\WINDOWS\system32\lmibjqqs.dll
C:\WINDOWS\system32\lqtovath.dll
C:\WINDOWS\system32\mrfxvkfb.ini
C:\WINDOWS\system32\pjkxbxkq.dll
C:\WINDOWS\system32\ufbtncyx.ini
C:\WINDOWS\system32\hykoikfy.dll
C:\WINDOWS\system32\hgcdyj.dll
C:\WINDOWS\system32\hcyfksxj.dll
C:\WINDOWS\system32\urqPhgEx.dll
C:\WINDOWS\system32\iifddedc.dll
C:\WINDOWS\system32\luenwkiq.dll
C:\WINDOWS\system32\jooqea.dll
C:\WINDOWS\system32\cwuvbbnf.dll
C:\WINDOWS\system32\duqvgywg.dll
C:\WINDOWS\system32\pezrvk.dll
C:\WINDOWS\system32\glxspvhm.dll
C:\WINDOWS\system32\iyeiroko.dll
C:\WINDOWS\system32\vuetgn.dll
C:\WINDOWS\system32\forjpfqu.dll
C:\WINDOWS\system32\rtyslvnp.dll
C:\WINDOWS\BM6353e8a3.xml
C:\WINDOWS\system32\iifeBQJy.dll
C:\WINDOWS\system32\pmnNFUlk.dll
C:\WINDOWS\Tasks\ACBE69D5918DE3E5.job
Folder::
C:\Documents and Settings\All Users\Application Data\Mfcd upload army browse
C:\Documents and Settings\Bay\Application Data\size close mess
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{500B710D-6922-4404-9623-9A2890D60F49}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5f1a3eb7-5055-4ab2-8be1-cd3fa0ace098}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BAFFE38C-C38F-421D-A619-854106535705}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"6060db3f"=-
"BM6353e8a3"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{BAFFE38C-C38F-421D-A619-854106535705}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeBQJy]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"greytool"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"6060db3f"=-
"AntiSpywareExpert"=-
"BM6353e8a3"=-
"PCPrivacyCleaner"=-


Save this as a txt file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

#5 hrudy24

hrudy24
  • Topic Starter

  • Members
  • 7 posts

Posted 31 July 2008 - 09:29 AM

Below are the updated logs...

ComboFix 08-07-28.6 - Rhonda Schneider 2008-07-31 8:33:35.4 - NTFSx86
Running from: C:\Documents and Settings\Rhonda Schneider\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rhonda Schneider\Desktop\CFScript.txt
* Resident AV is active


FILE ::
C:\WINDOWS\BM6353e8a3.xml
C:\WINDOWS\system32\akcbcmvw.dll
C:\WINDOWS\system32\cwuvbbnf.dll
C:\WINDOWS\system32\duqvgywg.dll
C:\WINDOWS\system32\forjpfqu.dll
C:\WINDOWS\system32\glxspvhm.dll
C:\WINDOWS\system32\hcyfksxj.dll
C:\WINDOWS\system32\hgcdyj.dll
C:\WINDOWS\system32\hykoikfy.dll
C:\WINDOWS\system32\iifddedc.dll
C:\WINDOWS\system32\iifeBQJy.dll
C:\WINDOWS\system32\iyeiroko.dll
C:\WINDOWS\system32\jooqea.dll
C:\WINDOWS\system32\kqdisx.dll
C:\WINDOWS\system32\lmibjqqs.dll
C:\WINDOWS\system32\lqtovath.dll
C:\WINDOWS\system32\luenwkiq.dll
C:\WINDOWS\system32\mrfxvkfb.ini
C:\WINDOWS\system32\pezrvk.dll
C:\WINDOWS\system32\pjkxbxkq.dll
C:\WINDOWS\system32\pmnNFUlk.dll
C:\WINDOWS\system32\rtyslvnp.dll
C:\WINDOWS\system32\ufbtncyx.ini
C:\WINDOWS\system32\urqPhgEx.dll
C:\WINDOWS\system32\vuetgn.dll
C:\WINDOWS\Tasks\ACBE69D5918DE3E5.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Mfcd upload army browse
C:\Documents and Settings\All Users\Application Data\Mfcd upload army browse\obj fork.exe
C:\Documents and Settings\Bay\Application Data\size close mess
C:\Documents and Settings\Bay\Application Data\size close mess\0
C:\Documents and Settings\Bay\Application Data\size close mess\dvbceapb.exe
C:\Documents and Settings\Bay\Application Data\size close mess\kedopfxc.exe
C:\Documents and Settings\Bay\Application Data\size close mess\pyyobzyp.exe
C:\Documents and Settings\Bay\Application Data\size close mess\Sign heck okay.exe
C:\Documents and Settings\Bay\Application Data\size close mess\Up Build.exe
C:\WINDOWS\BM6353e8a3.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\akcbcmvw.dll
C:\WINDOWS\system32\cwuvbbnf.dll
C:\WINDOWS\system32\duqvgywg.dll
C:\WINDOWS\system32\forjpfqu.dll
C:\WINDOWS\system32\glxspvhm.dll
C:\WINDOWS\system32\hcyfksxj.dll
C:\WINDOWS\system32\hgcdyj.dll
C:\WINDOWS\system32\hykoikfy.dll
C:\WINDOWS\system32\iifddedc.dll
C:\WINDOWS\system32\iifeBQJy.dll
C:\WINDOWS\system32\iyeiroko.dll
C:\WINDOWS\system32\jooqea.dll
C:\WINDOWS\system32\klUFNnmp.ini
C:\WINDOWS\system32\klUFNnmp.ini2
C:\WINDOWS\system32\kqdisx.dll
C:\WINDOWS\system32\lmibjqqs.dll
C:\WINDOWS\system32\lqtovath.dll
C:\WINDOWS\system32\luenwkiq.dll
C:\WINDOWS\system32\mrfxvkfb.ini
C:\WINDOWS\system32\pezrvk.dll
C:\WINDOWS\system32\pjkxbxkq.dll
C:\WINDOWS\system32\pmnNFUlk.dll
C:\WINDOWS\system32\rtyslvnp.dll
C:\WINDOWS\system32\ufbtncyx.ini
C:\WINDOWS\system32\urqPhgEx.dll
C:\WINDOWS\system32\vgklihvp.ini
C:\WINDOWS\system32\vuetgn.dll
C:\WINDOWS\system32\wvmcbcka.ini
C:\WINDOWS\Tasks\ACBE69D5918DE3E5.job

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))
.

2008-07-30 16:12 . 2008-07-30 16:12 83,456 --a------ C:\WINDOWS\system32\pvhilkgv.dll
2008-07-30 16:09 . 2008-07-30 16:09 105,472 --a------ C:\WINDOWS\system32\nmknjsty.dll
2008-07-30 16:09 . 2008-07-30 16:09 105,472 --a------ C:\WINDOWS\system32\bjkcmg.dll
2008-07-30 16:08 . 2008-07-30 16:08 91,648 --a------ C:\WINDOWS\system32\ffioqoib.dll
2008-07-30 09:14 . 2008-07-30 09:14 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-07-30 09:14 . 2008-07-30 09:14 <DIR> d-------- C:\Program Files\Zone Labs
2008-07-29 15:38 . 2008-07-29 15:38 <DIR> d-------- C:\Deckard
2008-07-24 01:36 . 2008-07-27 20:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-24 01:36 . 2008-07-24 01:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-18 12:50 . 2008-07-29 12:47 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-07-18 11:25 . 2008-07-18 11:25 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-18 11:25 . 2008-07-18 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-18 11:17 . 2008-07-18 11:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-11 05:07 . 2008-06-13 08:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 05:07 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-31 00:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-07-30 21:47 --------- d-----w C:\Program Files\Common Files\AOL
2008-07-30 20:10 --------- d-----w C:\Program Files\Viewpoint
2008-07-30 20:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-30 14:25 --------- d-----w C:\Documents and Settings\Rhonda Schneider\Application Data\McAfee.com Personal Firewall
2008-07-30 14:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2008-07-24 09:20 --------- d-----w C:\Program Files\Dl_cats
2008-07-22 03:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-21 20:12 --------- d-----w C:\Documents and Settings\Rhonda Schneider\Application Data\SiteAdvisor
2008-07-18 20:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-16 23:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-06-30 14:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-03-12 02:21 83,976 ----a-w C:\Documents and Settings\Rhonda Schneider\Application Data\GDIPFONTCACHEV1.DAT
2006-10-10 23:54 83,976 ----a-w C:\Documents and Settings\Bay\Application Data\GDIPFONTCACHEV1.DAT
2006-08-11 13:43 88 --sh--r C:\WINDOWS\system32\0081346A11.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-29_15.19.17.75 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 10:00:00 7,168 ----a-w C:\WINDOWS\system32\dllcache\bitsprx3.dll
+ 2004-08-04 10:00:00 34,816 ----a-w C:\WINDOWS\system32\dllcache\d3dpmesh.dll
+ 2008-07-31 14:11:25 32,768 ----a-w C:\WINDOWS\temp\Cookies\index.dat
+ 2008-07-31 14:11:00 16,384 ----a-w C:\WINDOWS\temp\History\History.IE5\index.dat
+ 2008-07-31 14:11:22 32,768 ----a-w C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-01 14:26 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-07-12 18:06 110592]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 14:26 212992]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-07-01 19:22 303104]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"MPFEXE"="C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe" [2005-08-18 17:52 999424]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-01 14:26 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe"
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-07-17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-07-25 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (RHONDA-Rhonda Schneider).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2005-07-08 18:18]

2008-07-30 C:\WINDOWS\Tasks\Norton Security Scan.job
- C:\Program Files\Norton Security Scan\Nss.exe [2008-01-09 05:08]

2008-07-18 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2005-05-31 01:04]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 09:08:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\PROGRA~1\McAfee.com\VSO\McShield.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-31 9:16:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-31 14:16:44
ComboFix2.txt 2008-07-30 21:13:26
ComboFix3.txt 2008-07-29 20:21:43

Pre-Run: 23,326,986,240 bytes free
Post-Run: 23,300,567,040 bytes free

198 --- E O F --- 2008-06-21 08:03:20

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:21 AM, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\explorer.exe
\Server\Shared\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFEXE] "C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://playgames.comcast.net/Gameshell/Gam...ronGameHost.cab
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7991 bytes

#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 31 July 2008 - 11:17 AM

Hi,

We'll have to give this another run.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\pvhilkgv.dll
C:\WINDOWS\system32\nmknjsty.dll
C:\WINDOWS\system32\bjkcmg.dll
C:\WINDOWS\system32\ffioqoib.dll


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 hrudy24

  • Topic Starter
  • Members
  • 7 posts

Posted 31 July 2008 - 12:36 PM

ComboFix 08-07-28.6 - Rhonda Schneider 2008-07-31 12:15:28.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.245 [GMT -5:00]
Running from: C:\Documents and Settings\Rhonda Schneider\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rhonda Schneider\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\bjkcmg.dll
C:\WINDOWS\system32\ffioqoib.dll
C:\WINDOWS\system32\nmknjsty.dll
C:\WINDOWS\system32\pvhilkgv.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bjkcmg.dll
C:\WINDOWS\system32\ffioqoib.dll
C:\WINDOWS\system32\nmknjsty.dll
C:\WINDOWS\system32\pvhilkgv.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))
.

2008-07-31 10:06 . 2008-07-31 10:06 <DIR> d-------- C:\WINDOWS\LastGood
2008-07-31 09:48 . 2008-07-31 09:48 <DIR> d-------- C:\Program Files\Avira
2008-07-31 09:48 . 2008-07-31 09:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-30 09:14 . 2008-07-30 09:14 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-07-30 09:14 . 2008-07-30 09:14 <DIR> d-------- C:\Program Files\Zone Labs
2008-07-29 15:38 . 2008-07-29 15:38 <DIR> d-------- C:\Deckard
2008-07-24 01:36 . 2008-07-27 20:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-24 01:36 . 2008-07-24 01:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-18 12:50 . 2008-07-31 09:42 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-07-18 11:25 . 2008-07-31 09:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-11 05:07 . 2008-06-13 08:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 05:07 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-31 14:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-07-30 21:47 --------- d-----w C:\Program Files\Common Files\AOL
2008-07-30 20:10 --------- d-----w C:\Program Files\Viewpoint
2008-07-30 20:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-30 14:25 --------- d-----w C:\Documents and Settings\Rhonda Schneider\Application Data\McAfee.com Personal Firewall
2008-07-30 14:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2008-07-24 09:20 --------- d-----w C:\Program Files\Dl_cats
2008-07-24 09:15 4,704 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-07-22 03:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-21 20:12 --------- d-----w C:\Documents and Settings\Rhonda Schneider\Application Data\SiteAdvisor
2008-07-18 20:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-16 23:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-06-30 14:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-17 10:46 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-03-12 02:21 83,976 ----a-w C:\Documents and Settings\Rhonda Schneider\Application Data\GDIPFONTCACHEV1.DAT
2006-10-10 23:54 83,976 ----a-w C:\Documents and Settings\Bay\Application Data\GDIPFONTCACHEV1.DAT
2006-08-11 13:43 88 --sh--r C:\WINDOWS\system32\0081346A11.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-29_15.19.17.75 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 10:00:00 1,817,687 ----a-w C:\WINDOWS\system32\dllcache\bckgres.dll
+ 2004-08-04 10:00:00 7,168 ----a-w C:\WINDOWS\system32\dllcache\bitsprx3.dll
+ 2004-08-04 10:00:00 780,885 ----a-w C:\WINDOWS\system32\dllcache\chkrres.dll
+ 2004-08-04 10:00:00 34,816 ----a-w C:\WINDOWS\system32\dllcache\d3dpmesh.dll
+ 2004-08-04 10:00:00 6,656 ----a-w C:\WINDOWS\system32\dllcache\fxsres.dll
+ 2004-08-04 10:00:00 330,752 ----a-w C:\WINDOWS\system32\dllcache\hnetwiz.dll
+ 2004-08-04 10:00:00 1,175,635 ----a-w C:\WINDOWS\system32\dllcache\hrtzres.dll
+ 2004-08-04 10:00:00 22,016 ----a-w C:\WINDOWS\system32\dllcache\licmgr10.dll
+ 2004-08-04 10:00:00 240,128 ----a-w C:\WINDOWS\system32\dllcache\migwiz.exe
+ 2004-08-04 10:00:00 126,976 ----a-w C:\WINDOWS\system32\dllcache\mshearts.exe
+ 2004-08-04 10:00:00 407,552 ----a-w C:\WINDOWS\system32\dllcache\mstsc.exe
+ 2004-08-04 10:00:00 380,416 ----a-w C:\WINDOWS\system32\dllcache\rstrui.exe
+ 2004-08-04 10:00:00 90,112 ----a-w C:\WINDOWS\system32\dllcache\rsvpsp.dll
+ 2004-08-04 10:00:00 753,236 ----a-w C:\WINDOWS\system32\dllcache\rvseres.dll
+ 2004-08-04 10:00:00 2,178,131 ----a-w C:\WINDOWS\system32\dllcache\shvlres.dll
+ 2004-08-04 10:00:00 538,624 ----a-w C:\WINDOWS\system32\dllcache\spider.exe
+ 2004-08-04 10:00:00 136,704 ----a-w C:\WINDOWS\system32\dllcache\sti_ci.dll
+ 2004-08-04 10:00:00 4,256,768 ----a-w C:\WINDOWS\system32\dllcache\wmm2res.dll
+ 2004-08-04 10:00:00 438,784 ----a-w C:\WINDOWS\system32\dllcache\xpob2res.dll
+ 2008-05-09 18:15:51 45,376 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2008-01-21 23:11:28 22,336 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2008-06-27 20:03:55 75,072 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2007-03-01 15:34:22 28,352 ----a-w C:\WINDOWS\system32\drivers\ssmdrv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-01 14:26 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 19:05 1117184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-01 14:26 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe"
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


*Newly Created Service* - CATCHME
*Newly Created Service* - SSMDRV
.
Contents of the 'Scheduled Tasks' folder

2008-07-17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-07-30 C:\WINDOWS\Tasks\Norton Security Scan.job
- C:\Program Files\Norton Security Scan\Nss.exe [2008-01-09 05:08]

2008-07-18 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2005-05-31 01:04]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 12:19:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-31 12:23:51
ComboFix-quarantined-files.txt 2008-07-31 17:23:28
ComboFix2.txt 2008-07-31 14:16:54
ComboFix3.txt 2008-07-30 21:13:26
ComboFix4.txt 2008-07-29 20:21:43

Pre-Run: 23,156,150,272 bytes free
Post-Run: 23,143,292,928 bytes free

135 --- E O F --- 2008-06-21 08:03:20




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:01 PM, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\system32\dlcfcoms.exe
C:\WINDOWS\explorer.exe
\Server\Shared\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://playgames.comcast.net/Gameshell/Gam...ronGameHost.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6321 bytes

#8 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 31 July 2008 - 12:40 PM

Hi,

This looks OK again.

I also see you uninstalled McAfee in the meantime and replaced it with Avira, which is a good choice. Your CPU usage has decreased as well, because previously, it said in the Deckard's System Scanner log: "Percentage of Memory in Use: 77% (more than 75%)." And now, from your latest log, it looks normal again :thumbsup:

Just some last things to perform.... Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
Then,

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
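The "This looks OK again" verdict above comes from comparing the two HijackThis logs by eye: which O4 autostart entries and O23 services disappeared, what appeared in their place, and which entries still point at nothing or at an unknown publisher. As an added example (not part of this thread, nor a HijackThis feature), the parser below does that comparison on lines copied from the two logs posted above; the heuristics, regexes and function names are this example's own.

```python
"""Parse HijackThis 'O' lines, flag entries worth a second look, and diff two logs.

Added example for this thread, not part of the thread or of HijackThis itself. Sample
lines are copied from the logs above (the one ending just before post #6, and post #7);
the heuristics and function names are this example's own choices."""
import re
from dataclasses import dataclass, field

HJT_LINE = re.compile(r"^(?P<section>O\d+) - (?P<body>.+)$")
# O2/O3/O9 share the shape "<kind>: <name> - {CLSID} - <path or URL>".
CLSID_RE = re.compile(r"^[^:]+: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")
# O4: "<hive>\..\Run: [<value name>] <command line>"; the command may be quoted or bare.
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
CMD_RE = re.compile(r'^(?P<path>"[^"]*"|.+?\.(?:exe|dll|com|scr|bat|cmd))', re.IGNORECASE)
# O23: "Service: <display name> [(short name)] - <company> - <image path>". The company
# may be empty ("- -") and a display name may itself contain " - ", so the company is
# not allowed to contain " - " and the path must look like a Windows path.
O23_RE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<company>(?:(?! - ).)*?)\s*- (?P<path>(?:[A-Za-z]:\\|\\\\).+)$")
SHORTNAME_RE = re.compile(r"\((?P<short>[^()]+)\)\s*$")

@dataclass
class Entry:
    section: str
    key: tuple        # identity used to match the entry across two logs
    target: str       # file path or URL the entry points at
    flags: list = field(default_factory=list)

def parse_line(line):
    """One HijackThis line -> Entry, or None for header and R lines."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m["section"], m["body"]
    flags = ["references a file that no longer exists"] if "(file missing)" in body else []
    if section == "O23" and (m23 := O23_RE.match(body)):
        short = SHORTNAME_RE.search(m23["name"])
        if m23["company"].strip() in ("", "Unknown owner"):
            flags.append("service with no identified publisher")
        return Entry(section, (section, short["short"] if short else m23["name"]), m23["path"], flags)
    if section == "O4" and (m4 := O4_RE.match(body)):
        mc = CMD_RE.match(m4["cmd"])
        return Entry(section, (section, m4["hive"], m4["name"]), mc["path"].strip('"') if mc else m4["cmd"], flags)
    if mcl := CLSID_RE.match(body):
        return Entry(section, (section, mcl["clsid"].lower()), mcl["target"], flags)
    return Entry(section, (section, body), "", flags)

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def review(text):
    """Entries that earned at least one flag, as (key, flags) pairs."""
    return [(e.key, e.flags) for e in parse_log(text) if e.flags]

def compare_logs(before, after):
    """Keys present only in the earlier log (removed) and only in the later log (added)."""
    b = {e.key for e in parse_log(before)}
    a = {e.key for e in parse_log(after)}
    return sorted(b - a), sorted(a - b)

# Constructed from lines quoted in this thread: the pre-fix log, then post #7's post-fix log.
BEFORE_LOG = r"""
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
"""
AFTER_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
"""
```

Running `compare_logs(BEFORE_LOG, AFTER_LOG)` reports the McAfee toolbar, autostart and service as removed and the Avira autostart and service as added, while `review(AFTER_LOG)` still lists the orphaned MUSICMATCH button and the two services with no identified publisher, the same items a helper would want explained before calling the log clean.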

#9 hrudy24

  • Topic Starter
  • Members
  • 7 posts

Posted 31 July 2008 - 02:43 PM

I think that resolved all the issues. It's running much faster. I really appreciate all your time and effort to help me solve this! Thanks!

#10 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 01 August 2008 - 12:56 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#11 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 August 2008 - 11:54 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.