Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware? "task Manager Has Been Disabled By Administrator" -


  • This topic is locked This topic is locked
5 replies to this topic

#1 dkrk

dkrk

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 11 September 2007 - 08:24 PM

Greetings to all ~ this is my first post at this site.

I'm trying to help a a co-worker whose PC (XP Home) was running VERY slow. I checked and there was no current virus software. A free version of virus software removed 76 items. PC has picked up a little bit of speed; however, I believe there may be some malware. Here are some symptoms:
User account (admin priviledges) is receiving error messages such as "task manager has been disabled by your administrator" when ctrl/alt/delete is pressed, the control panel button is missing (can't access or change any user accounts / can't add or remove programs), cannot perform disk defrag, can't change any desktop settings and ONE CARE firewall says it's blocking "SOCKS.EXE" from accessing the internet at start up. I logged on in SAFE MODE and the Administrator account also receives same error message of"task manager has been disabled by your administrator" when I press ctrl/alt/delete.

Any help is appreciated!

Here is a HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:22 PM, on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
C:\Documents and Settings\pro-motion employee\socks.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dana\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILE...joWKYNoxKIBPrmB
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Open Site] "C:\Program Files\Open Site\opensite.exe"
O4 - HKLM\..\Run: [Services] C:\Documents and Settings\pro-motion employee\socks.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [Ultimate Cleaner] C:\Program Files\WinSecureDisc\App.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gwiz] C:\Documents and Settings\Dana\Application Data\7418.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinSecureDisc] "C:\Program Files\WinSecureDisc\App.exe"
O4 - HKUS\S-1-5-21-464487669-2263500984-2695167395-1009\..\Run: [Sonic RecordNow!] (User 'Garrett')
O4 - HKUS\S-1-5-21-464487669-2263500984-2695167395-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Garrett')
O4 - HKUS\S-1-5-21-464487669-2263500984-2695167395-1009\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User 'Garrett')
O4 - HKUS\S-1-5-21-464487669-2263500984-2695167395-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Garrett')
O4 - HKUS\S-1-5-21-464487669-2263500984-2695167395-1009\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User 'Garrett')
O4 - HKUS\S-1-5-21-464487669-2263500984-2695167395-1010\..\Run: [Sonic RecordNow!] (User 'Lauren')
O4 - HKUS\S-1-5-21-464487669-2263500984-2695167395-1010\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Lauren')
O4 - HKUS\S-1-5-21-464487669-2263500984-2695167395-1010\..\Run: [WinSecureDisc] "C:\Program Files\WinSecureDisc\App.exe" (User 'Lauren')
O4 - HKUS\S-1-5-21-464487669-2263500984-2695167395-1010\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Lauren')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZCxdm342
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download...MARKETING48.cab
O16 - DPF: {12140C3A-AB35-685F-AC4E-563268FDAB50} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {76BBCB5D-D1E7-1C61-E62D-134B4F76CE64} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {7D35E857-1185-039D-F8E8-20256742A4E2} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O20 - AppInit_DLLs: C:\WINDOWS\system32\systems.txt C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12017 bytes

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:58 PM

Posted 12 September 2007 - 06:27 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum dkrk :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

Click Start/Control Panel/Add or Remove Programs and remove/uninstall MyWebSearch,then reboot.

You have Microsoft Windows OneCare Live and Mcafee installed.
Its definitely not a good idea to have more than one antivirus program installed on your computer.
Each program may interpret the actions of the other as viral, therefore giving you false virus warnings about virus-related activities.
It could also lead to system slowdowns and other problems within the operating system,due to the two conflicting with each other.
Isuggest you remove/uninstall Microsoft Windows OneCare Live,then restart your pc.


Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".
This will change from what we know in 2006 read this article:
http://www.clickz.com/news/article.php/3561546

You are well advised to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present,then restart your pc:
Viewpoint
Viewpoint Manager
Viewpoint Media Player


Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot post the contents of the logfile C:\fixwareout\report.txt in your next reply.

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.

Edited by RichieUK, 12 September 2007 - 06:27 AM.

Posted Image
Posted Image

#3 dkrk

dkrk
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 13 September 2007 - 06:58 AM

Your assistance is GREATLY APPRECIATED!!! :thumbsup:

A few quick notes:
This PC belongs to a co-worker ... the McAfee subscription ran out which is why I temp used the One Care. I will recommend that they purchase the subscription to McAfee. I also completed the Ad-Aware and Spybot as recommended by your website.

I could not find MyWebSearch in add/remove programs.

HERE'S THE REQUESTED LOGS:

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:51 PM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dana\Desktop\HiJackThis.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Open Site] "C:\Program Files\Open Site\opensite.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [Services] C:\Documents and Settings\pro-motion employee\socks.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinSecureDisc] "C:\Program Files\WinSecureDisc\App.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Search - ?p=ZCxdm342
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {12140C3A-AB35-685F-AC4E-563268FDAB50} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {76BBCB5D-D1E7-1C61-E62D-134B4F76CE64} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {7D35E857-1185-039D-F8E8-20256742A4E2} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 8358 bytes


COMBOFIX:
ComboFix 07-09-13.1 - "Dana" 2007-09-13 0:22:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.50 [GMT -4:00]
.

((((((((((((((((((((((((( Files Created from 2007-08-13 to 2007-09-13 )))))))))))))))))))))))))))))))
.

2007-09-12 23:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-12 18:49 <DIR> d--h----- C:\DOCUME~1\techie\APPLIC~1\GTek
2007-09-12 18:48 <DIR> d-------- C:\DOCUME~1\techie\APPLIC~1\Real
2007-09-12 18:42 <DIR> d-------- C:\DOCUME~1\techie\APPLIC~1\Sonic
2007-09-12 18:42 <DIR> d-------- C:\DOCUME~1\techie\APPLIC~1\Jasc Software Inc
2007-09-12 06:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-11 21:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-11 21:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-09 14:33 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-09-09 14:33 207,736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-09-09 09:36 33,792 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\custsat.dll
2007-09-09 09:31 <DIR> d-------- C:\5cf2d40033f45b373a8ba80dd2
2007-09-08 18:39 81,024 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\msfwdrv.sys
2007-09-08 18:39 105,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\msfwhlpr.sys
2007-09-08 18:31 67,784 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MpFilter.sys
2007-09-08 18:04 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-09-07 23:51 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-09-07 23:51 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
2007-09-01 14:45 <DIR> d-------- C:\Program Files\Apple Software Update
2007-08-31 22:54 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2007-08-31 22:45 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-08-31 22:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-31 22:43 <DIR> d-------- C:\DOCUME~1\Dana\APPLIC~1\Apple Computer
2007-08-20 19:30 37,376 --a------ C:\WINDOWS\SYSTEM32\vtr221.dll
2007-08-18 21:36 31,616 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbccgp.sys
2007-08-18 21:36 31,616 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-12 22:57 --------- d-------- C:\Program Files\Viewpoint
2007-09-12 18:39 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-09-12 03:28 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-09-11 21:42 --------- d-------- C:\Program Files\Lavasoft
2007-09-11 21:41 --------- d-------- C:\DOCUME~1\PRO-MO~1\APPLIC~1\Lavasoft
2007-09-01 15:23 --------- d-------- C:\Program Files\iTunes
2007-09-01 15:17 --------- d-------- C:\Program Files\iPod
2007-09-01 15:07 --------- d-------- C:\Program Files\QuickTime
2007-09-01 15:06 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-07 19:18 --------- d-------- C:\Program Files\Full Tilt Poker
2007-08-07 18:35 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-07 18:16 --------- d-------- C:\DOCUME~1\Lauren\APPLIC~1\Full Tilt Poker.Net
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 20:55 --------- d-------- C:\DOCUME~1\Lauren\APPLIC~1\InstallShield Installation Information
2007-07-30 20:54 --------- d-------- C:\DOCUME~1\Lauren\APPLIC~1\InstallShield
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2007-07-19 02:59 3583488 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-07-16 20:09 --------- d--h----- C:\DOCUME~1\PRO-MO~1\APPLIC~1\GTek
2007-07-15 12:55 2 --a------ C:\DOCUME~1\Lauren\APPLIC~1\xxx.exe
2007-07-12 19:31 765952 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\vgx.dll
2007-06-27 15:39 2 --a------ C:\DOCUME~1\Garrett\APPLIC~1\xxx.exe
2007-06-27 10:34 823808 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-06-27 10:34 671232 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-06-27 10:34 6058496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-06-27 10:34 52224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-06-27 10:34 477696 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-06-27 10:34 459264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-06-27 10:34 44544 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-06-27 10:34 384512 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-06-27 10:34 383488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-06-27 10:34 27648 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-06-27 10:34 267776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-06-27 10:34 232960 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-06-27 10:34 230400 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-06-27 10:34 193024 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-06-27 10:34 153088 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-06-27 10:34 132608 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-06-27 10:34 124928 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-06-27 10:34 1152000 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-06-27 10:34 105984 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-06-27 10:34 102400 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-06-27 04:27 63488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-06-27 04:27 625152 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-06-27 04:27 13824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-06-27 03:00 161792 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-26 02:08 1104896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-06-19 09:31 282112 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2007-06-15 04:12 474112 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
2007-06-15 04:12 151040 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
2007-06-15 04:12 1498112 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2007-06-15 04:12 1054208 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
2007-06-15 04:12 1022976 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 06:23 1033216 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\explorer.exe
2007-01-14 13:36 23040 --a------ C:\DOCUME~1\Lauren\wpyfluyn.exe
2007-01-10 16:14 23040 --a------ C:\DOCUME~1\Lauren\kcneupxe.exe
2005-07-04 01:01 36864 --a------ C:\DOCUME~1\Lauren\sys.exe
2005-06-15 17:55 49152 --a------ C:\DOCUME~1\PRO-MO~1\socks.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 02:19]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 02:07]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 03:04]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 03:01]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 21:47]
"Open Site"="C:\Program Files\Open Site\opensite.exe" []
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2005-03-12 07:25]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-31 18:17]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-04 22:44]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 19:15]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-08-01 15:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2004-08-06 16:33]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-12-08 18:50]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"WinSecureDisc"="C:\Program Files\WinSecureDisc\App.exe" []

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]

C:\DOCUME~1\Dana\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]

C:\DOCUME~1\Garrett\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]

C:\DOCUME~1\Lauren\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]

C:\DOCUME~1\PRO-MO~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]

C:\DOCUME~1\techie\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

R1 MSFWHLPR;MSFWHLPR;C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
R2 MSFWDrv;MSFWDrv;C:\WINDOWS\system32\DRIVERS\msfwdrv.sys
R2 msfwsvc;OneCare Firewall;"C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"
R2 OneCareMP;OneCare AntiSpyware and AntiVirus;"C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"
R3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\system32\DRIVERS\MpFilter.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-09 03:49:35 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2004-02-17 18:24:15 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-13 00:36:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-13 0:41:08
C:\ComboFix-quarantined-files.txt ... 2007-09-13 00:40
C:\ComboFix2.txt ... 2007-09-12 23:35
.
--- E O F ---

FIXWAREOUT:
Username "Dana" - 09/13/2007 0:08:53 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"Open Site"="\"C:\\Program Files\\Open Site\\opensite.exe\""
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~2\\mimboot.exe"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"OneCareUI"="\"C:\\Program Files\\Microsoft Windows OneCare Live\\winssnotify.exe\""
"Services"="C:\\Documents and Settings\\pro-motion employee\\socks.exe"
"Ultimate Cleaner"="C:\\Program Files\\WinSecureDisc\\App.exe"
"gwiz"="C:\\Documents and Settings\\Dana\\Application Data\\7418.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"=""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WinSecureDisc"="\"C:\\Program Files\\WinSecureDisc\\App.exe\""
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:58 PM

Posted 13 September 2007 - 07:57 AM

There's a Backdoor Trojan present on your pc.
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to by used by the attacker for malicious purposes unknown to the user.

They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and bot nets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one,if not an attacker may get the new passwords and transaction information.
Banking and credit card institutions should be notified of the possible security breech.

Since your computer was compromised read:
How to report ID theft, fraud, drive-by installs, hijacking and malware:
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall:
http://www.dslreports.com/faq/10063

If you want us to go ahead and clean up your system then let me know what you want to do in your next reply.
Posted Image
Posted Image

#5 dkrk

dkrk
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 13 September 2007 - 04:27 PM

Thank you, thank you, thank you for the quick reply. :thumbsup:

I forwarded the information you presented to the owner of the PC. They have made the decision to have the harddrive reformatted.

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:58 PM

Posted 14 September 2007 - 03:52 AM

You're most welcome,thanks for the update.

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users