Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hjt For Me Please


  • This topic is locked This topic is locked
7 replies to this topic

#1 Feffrey

Feffrey

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 27 September 2007 - 11:44 PM

I recently saw the "TkBellEXE.exe" file in my start up program roster. I deleted it from the start up program using CCleaner. I'm not sure where the "TkBellEXE.exe" file went or if it disguised itself as another file. (Note: I never opened the file. I just saw it and deleted it from my start-up roster). So, I wanted to check with you guys to see if there was a trace of it around that I would maybe need to eliminate.

The computer runs fine but I'm scared of it hiding in there waiting for me to trip over it and open the malware (and I trip a lot!)

Thank you so much for your time.

Take care.

-Jeff Howell-
----------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:05 AM, on 9/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Creative\SBLive 24-Bit External\Entertainment Center\EAXLoadr.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\AOL\1170389892\EE\aolsoftware.exe
C:\Program Files\Common Files\AOL\1170389892\EE\aolsoftware.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AOL 9.0a\waol.exe
C:\Program Files\AOL 9.0a\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\2.bin\MORPHBAR.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\2.bin\MORPHBAR.DLL
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://www.runaware.com/dolphin/wficat.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131918831859
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe (file missing)
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 13135 bytes

BC AdBot (Login to Remove)

 


#2 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:11:07 AM

Posted 06 October 2007 - 04:11 PM

Hi Feffrey,

Sorry for the delay, this forum is very busy right now.

I don't see any signs of malware in this log. However, since you report having spotted a known malware file, We need to do some more investigating. Not everything shows up in a HijackThis scan.

I see that you are running one or more Peer-to-Peer file sharing programs. (In your case, Morpheus.) These things are dangerous, even if they do not install spyware themselves. The first rule of safe internet use is, Never download a file unless you know and trust the source. By their very design these programs put files on your computer from unknown sources. They are a prime means of spreading viruses and other malware.

Consider whether the use of these programs is worth the risk. Please read this article for more information.

If you choose to continue using P2P in spite of the risks, at least disable the programs until we are sure your machine is clean.

It looks like you have already done quite a few online scans. I'd like you to do one more.

First go to the Kaspersky online scanner. Accept the terms, let it install an ActiveX program (since you have XP SP2 this is blocked by default, you must allow it), then accept the terms again, let it download the files (about 8 MB total). Click Next, and select "My Computer" as the scan area. Kaspersky takes a long time but it is very thorough. When it is finished, save the report as a text file (easier to work with than an HTML file) to your desktop.

Then I would like you to run a check for rootkits.

Download this tool to your desktop:

Rootchk

Run the program. After the program runs it will open a logfile on your desktop.

Post that log, along with the Kaspersky report and a fresh HijackThis log, to your next reply.

Dave

#3 Feffrey

Feffrey
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 08 October 2007 - 11:08 PM

Dave,

Thank you so much for your reply. When you said disable the Morpheus program, I wasn't sure if you meant delete it or just for me not to run it. I haven't run it but I haven't deleted the program either. I will if you think that's best. I have also included the Kapersky log, along with the Rootkit log.

I ran Panda's Activesvan and it found about 18 infections that most of the other anti-virus programs didn't. It's a short log, so I included it at the end (after the Rootchk log)

The computer is running fine and I see no problems with the way it runs but apparently I do have infections.

Again, thank you for your help.

Take care.

-Jeff Howell-


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:57 PM, on 10/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\Bin\SanaSafeConnectWatcher.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\Bin\SanaAgent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaSafeConnect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Creative\SBLive 24-Bit External\Entertainment Center\EAXLoadr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1170389892\EE\aolsoftware.exe
C:\Program Files\Common Files\AOL\1170389892\EE\aolsoftware.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AOL 9.0a\waol.exe
C:\Program Files\AOL 9.0a\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\2.bin\MORPHBAR.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\2.bin\MORPHBAR.DLL
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SanaSafeConnect] "C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaSafeConnect.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://www.runaware.com/dolphin/wficat.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131918831859
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O23 - Service: McAfee Application Installer Cleanup (0152651191574968) (0152651191574968mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\015265~1.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe (file missing)
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SanaSafeConnectAgent - Unknown owner - C:\Program Files\Sana Security\Primary Response SafeConnect\agent\Bin\SanaAgent.exe
O23 - Service: SanaSafeConnectWatcher - Unknown owner - C:\Program Files\Sana Security\Primary Response SafeConnect\agent\Bin\SanaSafeConnectWatcher.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 14036 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, October 08, 2007 12:03:41 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 8/10/2007
Kaspersky Anti-Virus database records: 428925
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 78802
Number of viruses found: 4
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 01:47:13

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\idb\Howelldog\mydb.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\idb\Howelldog\style.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\idb\Howelldog\toolbar.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\idb\SNMaster.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\organize\CACHE\howelld00 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\organize\howelldog Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\organize\howelldog.abi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0a\organize\howelldog.aby Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\ncoc Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{3B3B5CBE-6415-428D-98C1-816F1B6E5C38}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{693F8D24-48A1-410A-950C-6BB1C492B968}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{91E22BFC-0B28-4AF7-A707-934065E63D7A}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\RBLDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\Jeff\Application Data\AOL\C_AOL 9.0a\IDB\Apps.Lst Object is locked skipped
C:\Documents and Settings\Jeff\Application Data\AOL\C_AOL 9.0a\IDB\art.idx Object is locked skipped
C:\Documents and Settings\Jeff\Application Data\AOL\C_AOL 9.0a\IDB\sap.dat Object is locked skipped
C:\Documents and Settings\Jeff\Application Data\AOL\C_AOL 9.0a\IDB\spool.lst Object is locked skipped
C:\Documents and Settings\Jeff\Application Data\AOL\C_AOL 9.0a\IDB\sysnews.lst Object is locked skipped
C:\Documents and Settings\Jeff\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Documents.dfd Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Documents.did Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Documents.dsd Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Keywords.kdb Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Keywords.kdl Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Keywords.kib Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Keywords.kpf Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Application Data\AOL\DTS\Index\MainChunk\Keywords.ksb Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\History\History.IE5\MSHist012007100720071008\index.dat Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Temp\4D.tmp Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Temp\~DFA9BA.tmp Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jeff\ntuser.dat Object is locked skipped
C:\Documents and Settings\Jeff\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Morpheus\morpheustoolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Morpheus\mymorpheusToolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\MorpheusBar\bar\2.bin\M0PLUGIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\Program Files\MorpheusBar\bar\2.bin\M0POPSWT.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\Program Files\MorpheusBar\bar\2.bin\NPMORPBR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\log\SanaAgent.log Object is locked skipped
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\log\SanaAgent_boot.log Object is locked skipped
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\log\SanaAgent_graph.log Object is locked skipped
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\log\SanaAgent_malware.log Object is locked skipped
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\log\SanaAgent_node.log Object is locked skipped
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\log\SanaAgent_removed.log Object is locked skipped
C:\Program Files\WildTangent\LFS\Scripts\Install\UI_stub.cdas Object is locked skipped
C:\Program Files\WildTangent\LFS\Scripts\Install\_176EB7A7_8B89_449F_94B2_FEB531DCEB38_fileList.cdas Object is locked skipped
C:\Program Files\WildTangent\LFS\Scripts\Install\_176EB7A7_8B89_449F_94B2_FEB531DCEB38_install.cdas Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1102\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_1Q9X8THj1R6Vm71 Object is locked skipped
C:\WINDOWS\Temp\mcafee_m1TgPustfbrQHQs Object is locked skipped
C:\WINDOWS\Temp\mcmsc_APWLmFIXMDCbBc6 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_IR5gg9ryfGk5nZk Object is locked skipped
C:\WINDOWS\Temp\mcmsc_LeEeGgd6fbWghEe Object is locked skipped
C:\WINDOWS\Temp\mcmsc_w9Q7FjYXfvHgXVF Object is locked skipped
C:\WINDOWS\Temp\mcmsc_wErQb2LKWGgEWsk Object is locked skipped
C:\WINDOWS\Temp\mcmsc_ZI4euaNLGEmCTbS Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_31c.dat Object is locked skipped
C:\WINDOWS\Temp\sqlite_07adwZtmkffh0Xs Object is locked skipped
C:\WINDOWS\Temp\sqlite_CgFfCcLAEC4fpCq Object is locked skipped
C:\WINDOWS\Temp\sqlite_eq3BNPQxFRZW4Yt Object is locked skipped
C:\WINDOWS\Temp\sqlite_iBsIDktNtnP02Rj Object is locked skipped
C:\WINDOWS\Temp\sqlite_p30NPEny8yHDbd4 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
----------------------------------------------------


********************************* ROOTCHK-(21-09-07)-LOG, by ejvindh
Mon 10/08/2007 0:44:45.71

Driver npf (visible) is present. Run COMBOFIX by sUBs.

********************************* ROOTCHK-LOG-end


catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 00:44:49
Windows 5.1.2600 Service Pack 2
scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

hidden processes: 0
hidden services: 0
hidden files: 0
---------------------------------------------------------------
*********************************************
Panda Activescan 10-08-07


Incident Status Location

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MorpheusBar\bar\2.bin\MORPHBAR.DLL
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{9AFB8248-617F-460d-9366-D71CDEDA3179}
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\xaywc1d5.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\xaywc1d5.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\xaywc1d5.default\cookies.txt[.advertising.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jeff\Cookies\jeff@2o7[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jeff\Cookies\jeff@advertising[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jeff\Cookies\jeff@atwola[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jeff\Cookies\jeff@com[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jeff\Cookies\jeff@doubleclick[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Jeff\Cookies\jeff@statse.webtrendslive[2].txt
Hacktool:HackTool/KillProcWin.A Not disinfected C:\Documents and Settings\Jeff\Local Settings\Application Data\Wildtangent\Cdacache\00\00\13.dat[simple_killw.exe]
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Morpheus\morpheustoolbar.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Morpheus\mymorpheusToolbar.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MorpheusBar\bar\2.bin\M0PLUGIN.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MorpheusBar\bar\2.bin\M0POPSWT.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MorpheusBar\bar\2.bin\NPMORPBR.DLL

#4 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:11:07 AM

Posted 09 October 2007 - 07:08 PM

Hi Jeff,

Sorry for the delay in answering, I have been having computer problems of my own -- hopefully now sorted out.

Here's the rundown. Kaspersky found Morpheus and Panda found WildTangent. Neither is an immediate threat but both are questionable.

I have already mentioned Morpheus and given you some information about the risks of peer-to-peer file sharing. If you're asking for my opinion, I think the dangers of such programs outweigh the (admittedly considerable) advantages for the user. So if security online is important to you, you should remove Morpheus.

WildTangent is a different sort of thing. It's not going to put trojans or viruses on your machine, the question is whether it is spyware/adware or a legitimate program. The people who made the program think it's legit, but others disagree. Check this article for some background on the controversy, then decide whether you want to keep it. Again, this is something I would not have on my machine, but if you enjoy the WildTangent games you might decide differently.

Finally, rootchk found a driver that is sometimes installed by malware, but also is used by legitimate networking programs. Combofix can determine whether this is a legitimate installation or part of an infection.

Before running Combofix, you should disable Spybot's TeaTimer as it may interfere. After we are sure you are clean, you can enable it again. Here's the procedure:Start Spybot.
Click on Mode, select Advanced, and click Yes.
Click the little cross on the Tools line in the left-hand pane, then select Resident.
Uncheck the box labeled Resident "TeaTimer " Active
Then you should run Combofix.

Please download Combofix to your desktop.
Doubleclick combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

Dave

Edited by DaveM59, 09 October 2007 - 07:10 PM.


#5 Feffrey

Feffrey
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 11 October 2007 - 01:18 AM

Dave,

Thank you again. I deleted all of my Wildtangent files except for one JAR file in the JAVA folder.

I also deleted a previously detected "Hacktool." I hope that was okay.

While I running Combofix, "Primary Response SafeConnect" by Sana quarantined the Catchme.cfexe file and labeled it malware. I restored it and Combofix completed its task.

I'm not sure if you wanted me to include an Activescan log this time, so, I pasted it after the Combofix log.

Once again, I very much appreciate it.

Take care.

-Jeff-

****************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:49:25 AM, on 10/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaSafeConnect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Creative\SBLive 24-Bit External\Entertainment Center\EAXLoadr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\Bin\SanaSafeConnectWatcher.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\Bin\SanaAgent.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AOL 9.0a\waol.exe
C:\Program Files\AOL 9.0a\shellmon.exe
C:\Program Files\Common Files\AOL\1170389892\EE\aolsoftware.exe
C:\Program Files\Common Files\AOL\1170389892\EE\aolsoftware.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jeff\Desktop\Anti Virus and Spyware\stinger.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\2.bin\MORPHBAR.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\2.bin\MORPHBAR.DLL
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SanaSafeConnect] "C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaSafeConnect.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://www.runaware.com/dolphin/wficat.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131918831859
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe (file missing)
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SanaSafeConnectAgent - Unknown owner - C:\Program Files\Sana Security\Primary Response SafeConnect\agent\Bin\SanaAgent.exe
O23 - Service: SanaSafeConnectWatcher - Unknown owner - C:\Program Files\Sana Security\Primary Response SafeConnect\agent\Bin\SanaSafeConnectWatcher.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 13673 bytes
******************************************
******************************************

ComboFix 07-10-11.1 - Jeff 2007-10-10 21:11:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.623 [GMT -4:00]
Running from: C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-11 to 2007-10-11 )))))))))))))))))))))))))))))))
.

2007-10-10 21:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-09 02:46 204,832 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-09 02:17 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-10-09 02:15 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-10-07 01:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-07 01:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-04 03:07 <DIR> d-------- C:\Program Files\Sana Security
2007-10-04 03:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2007-10-03 02:25 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-10-02 18:12 <DIR> d-------- C:\Program Files\Corel
2007-09-30 14:54 <DIR> d-------- C:\Program Files\PC Magazine Utilities
2007-09-30 14:54 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\PC Magazine Utilities
2007-09-27 23:55 <DIR> d-------- C:\Documents and Settings\Jeff\.housecall6.6
2007-09-27 23:46 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-27 23:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-27 21:30 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-27 21:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-27 14:52 <DIR> d-------- C:\Autoruns
2007-09-26 21:03 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-09-26 20:05 <DIR> d-------- C:\Program Files\Secunia
2007-09-18 13:06 86,848 --a------ C:\WINDOWS\system32\drivers\WscNetDr.sys
2007-09-18 13:05 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-09-17 00:56 <DIR> d-------- C:\Program Files\FLV Player
2007-09-16 23:23 <DIR> d-------- C:\videooutput
2007-09-16 23:23 <DIR> d-------- C:\Program Files\Smallvideosoft
2007-09-16 23:23 3,086,336 --a------ C:\WINDOWS\system32\NCMedia.dll
2007-09-16 23:23 3,086,336 --a------ C:\WINDOWS\system32\flvvideo.dll
2007-09-16 23:23 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-09-16 23:23 383,238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2007-09-16 22:45 <DIR> d-------- C:\OutputFolder
2007-09-16 22:44 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-09-16 22:11 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\Moyea
2007-09-16 20:47 <DIR> d-------- C:\WINDOWS\Freecorder Toolbar
2007-09-16 20:47 <DIR> d-------- C:\Program Files\Freecorder
2007-09-16 20:46 <DIR> d-------- C:\WINDOWS\Replay Media Catcher
2007-09-16 20:46 <DIR> d-------- C:\WINDOWS\FLV Player
2007-09-16 20:46 <DIR> d-------- C:\Program Files\Replay Media Catcher
2007-09-16 20:38 1,936,528 --a------ C:\WINDOWS\system32\ltmm15.dll
2007-09-16 20:38 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-09-16 20:38 135,168 --a------ C:\WINDOWS\system32\DSKernel2.dll
2007-09-16 20:37 <DIR> d-------- C:\Program Files\Replay Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-10 07:44 --------- d-----w C:\Program Files\McAfee
2007-10-10 04:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-10-09 07:39 3,476 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-09 07:37 --------- d-----w C:\Program Files\AusLogics Disk Defrag
2007-10-09 00:57 --------- d-----w C:\Program Files\Morpheus
2007-10-09 00:49 --------- d-----w C:\Program Files\Common Files\aolshare
2007-10-09 00:45 --------- d-----w C:\Program Files\AOL 9.0a
2007-10-08 08:12 --------- d-----w C:\Program Files\MSWorks
2007-10-08 06:02 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-05 02:27 --------- d-----w C:\Documents and Settings\Jeff\Application Data\Smart Recorder
2007-10-04 01:09 --------- d-----w C:\Documents and Settings\Jeff\Application Data\Canon
2007-10-03 07:08 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-10-02 22:19 --------- d-----w C:\Documents and Settings\Jeff\Application Data\Corel
2007-10-02 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2007-09-28 03:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-28 01:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-27 05:39 --------- d-----w C:\Program Files\Java
2007-09-27 05:33 --------- d-----w C:\Program Files\Google
2007-09-27 04:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-27 04:08 --------- d-----w C:\Program Files\CyberLink
2007-09-27 04:05 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-27 04:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-27 01:03 --------- d-----w C:\Program Files\Real
2007-09-27 01:03 --------- d-----w C:\Program Files\Common Files\Real
2007-09-26 23:59 --------- d-----w C:\Program Files\QuickTime
2007-09-19 02:03 --------- d-----w C:\Program Files\iFinger
2007-09-18 17:12 --------- d-----w C:\Program Files\SiteAdvisor
2007-09-18 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-09-18 17:05 --------- d-----w C:\Program Files\Common Files\McAfee
2007-09-17 01:31 --------- d-----w C:\Documents and Settings\Jeff\Application Data\GetRightToGo
2007-09-16 05:38 --------- d-----w C:\Program Files\VSTplugins
2007-09-10 12:28 7,808 ----a-w C:\WINDOWS\system32\drivers\psi_mf.sys
2007-09-05 18:13 --------- d-----w C:\Program Files\WordWeb
2007-09-03 03:02 --------- d-----w C:\Program Files\M-Audio MA_CMIDI
2007-08-31 04:19 --------- d-----w C:\Program Files\Propellerhead
2007-08-31 01:18 --------- d-----w C:\Program Files\Creative
2007-08-30 23:49 --------- d-----w C:\Program Files\AOD
2007-08-30 04:00 --------- d--h--w C:\Program Files\Creative Installation Information
2007-08-29 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-08-29 06:30 --------- d-----w C:\Program Files\SequoiaView
2007-08-29 04:23 --------- d-----w C:\Documents and Settings\Jeff\Application Data\Propellerhead Software
2007-08-29 04:22 233,472 ----a-w C:\WINDOWS\system32\REX Shared Library.dll
2007-08-29 04:22 225,280 ----a-w C:\WINDOWS\system32\ReWire.dll
2007-08-29 04:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Propellerhead Software
2007-08-29 01:05 --------- d-----w C:\Program Files\ToniArts
2007-08-28 19:05 --------- d-----w C:\Program Files\MSECache
2007-08-27 20:30 --------- d-----w C:\Documents and Settings\Jeff\Application Data\Ableton
2007-08-27 20:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ableton
2007-08-25 18:55 --------- d-----w C:\Program Files\M-Audio
2007-08-22 02:16 --------- d-----w C:\Program Files\Southwest Airlines
2007-08-22 02:16 --------- d-----w C:\Documents and Settings\Jeff\Application Data\Southwest Airlines
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-20 01:17 --------- d-----w C:\Program Files\Microsoft Works
2007-08-20 01:16 --------- d-----w C:\Program Files\Microsoft.NET
2007-08-18 19:19 --------- d-----w C:\Program Files\NetZeroInstallers
2007-08-18 08:21 --------- d-----w C:\Program Files\Canon
2007-08-17 16:43 --------- d-----w C:\Program Files\RamBooster 2.0
2007-08-17 16:43 --------- d-----w C:\Program Files\NetWaiting
2007-08-17 16:43 --------- d-----w C:\Program Files\Hewlett-Packard
2007-08-17 16:43 --------- d-----w C:\Documents and Settings\Jeff\Application Data\Aim
2007-08-17 16:42 --------- d-----w C:\Program Files\America Online 7.0
2007-08-17 16:41 --------- d-----w C:\Program Files\CCleaner
2007-08-17 10:21 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-08-16 06:10 --------- d-----w C:\Program Files\Common Files\FotoNation
2007-08-16 05:35 --------- d-----w C:\Documents and Settings\Jeff\Application Data\IGN_DLM
2007-08-16 02:55 --------- d-----w C:\Documents and Settings\Jeff\Application Data\AOL
2007-08-16 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-08-16 02:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-08-15 21:57 --------- d-----w C:\Documents and Settings\Jeff\Application Data\SiteAdvisor
2007-08-15 19:59 --------- d-----w C:\Program Files\ACD Systems
2007-08-15 05:40 --------- d-----w C:\Program Files\AOL Toolbar
2007-08-05 06:35 164 ----a-w C:\install.dat
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2004-08-04 11:00:00 94,784 -csh--w C:\WINDOWS\twain.dll
2004-08-04 11:00:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
2007-05-01 23:39:58 8 --sh--r C:\WINDOWS\system32\94E793509E.dll
2004-08-04 11:00:00 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 11:00:00 54,784 -csh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 11:00:00 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28:05 549,376 --sha-w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 11:00:00 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 11:00:00 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-02-08 22:39]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07]
"SbUsb AudCtrl"="sbusbdll.dll" [2005-05-26 05:52 C:\WINDOWS\system32\sbusbdll.dll]
"RCSystem"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07]
"CTSysVol"="C:\Program Files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe" [2005-10-31 10:51]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 15:30]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-01-19 17:11]
"SanaSafeConnect"="C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaSafeConnect.exe" [2007-05-02 17:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"AOL Fast Start"="C:\Program Files\AOL 9.0a\AOL.exe" [2007-04-18 02:49]

C:\Documents and Settings\Jeff\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 14:15:48]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax.com Tray Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax.com Tray Menu.lnk
backup=C:\WINDOWS\pss\eFax.com Tray Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Live Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Live Menu.lnk
backup=C:\WINDOWS\pss\Live Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"C:\Program Files\AOL 9.0a\AOL.EXE" -b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]
C:\Program Files\Common Files\AOL\1170389892\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\DellSupport\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
C:\Program Files\Digidesign\Drivers\MMERefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1170389892\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"nwiz.exe" /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
C:\WINDOWS\SM1BG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
"C:\Program Files\Analog Devices\Core\smax4pnp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R2 SanaSafeConnectAgent;SanaSafeConnectAgent;"C:\Program Files\Sana Security\Primary Response SafeConnect\agent\Bin\SanaAgent.exe" SanaSafeConnectAgent
R2 SanaSafeConnectWatcher;SanaSafeConnectWatcher;C:\Program Files\Sana Security\Primary Response SafeConnect\agent\Bin\SanaSafeConnectWatcher.exe
R3 MA_CMIDI;%EVOL_USB.SvcDesc%;C:\WINDOWS\system32\drivers\ma_cmidi.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 SanaSafeConnectDriver;SanaSafeConnectDriver;\??\C:\Program Files\Sana Security\Primary Response SafeConnect\agent\driver\platform_XP\SafeConnectDriver.sys
R3 SanaSafeConnectFilter;SanaSafeConnectFilter;\??\C:\Program Files\Sana Security\Primary Response SafeConnect\agent\driver\platform_XP\SafeConnectFilter.sys
R3 sbusb;Sound Blaster USB Audio Driver;C:\WINDOWS\system32\DRIVERS\sbusb.sys
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 MAUSBFT;Service for M-Audio Fast Track USB (WDM);C:\WINDOWS\system32\DRIVERS\mausbft.sys
S3 MXOPSWD;Maxtor OneTouch Security Driver;C:\WINDOWS\system32\DRIVERS\mxopswd.sys
S3 PSI;PSI;C:\WINDOWS\system32\DRIVERS\psi_mf.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a759c84-e3f0-11db-9bf4-00038a000015}]
AutoRun\command - G:\wd_windows_tools\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-10 22:56:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-09-18 17:04:52 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-10-01 05:00:30 C:\WINDOWS\Tasks\McQcTask.job"
.
**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-10 21:30:34 - machine was rebooted
.
--- E O F ---


***********************************************
***********************************************

Activescan 10-11-07


Incident Status Location

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MorpheusBar\bar\2.bin\MORPHBAR.DLL
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\nircmd.cfexe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jeff\Cookies\jeff@2o7[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jeff\Cookies\jeff@2o7[3].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jeff\Cookies\jeff@advertising[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jeff\Cookies\jeff@atwola[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Jeff\Cookies\jeff@bluestreak[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jeff\Cookies\jeff@doubleclick[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Jeff\Cookies\jeff@serving-sys[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Jeff\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Jeff\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Morpheus\morpheustoolbar.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Morpheus\mymorpheusToolbar.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MorpheusBar\bar\2.bin\M0PLUGIN.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MorpheusBar\bar\2.bin\M0POPSWT.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MorpheusBar\bar\2.bin\NPMORPBR.DLL
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe

#6 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:11:07 AM

Posted 11 October 2007 - 07:59 PM

Hi again Jeff,

Combofix did not touch that driver, which means that it was indeed a legitimate installation.

Not much else wrong with your logs. Your system is clean. :thumbsup:

I do see that you still have Morpheus, all I can say is, if that's your choice to continue using it, please understand the risk.

There are a couple of lines that indicate leftovers in the registry, and we can fix them now now.

Open HJT and run a scan. Place a check next to the following lines:


R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)


Close all other windows on your desktop, and make sure no programs are running minimized in your taskbar. Then click fix checked. Confirm the fix when prompted, then close HJT.


Not much left except final cleanup. You should delete any specialized tools I asked you to download. Standard antispyware scanners you may keep and use for occasional scans as you see fit, but tools like Gmer, combofix, smitfraudfix et.al. are updated very frequently, and if God forbid you ever need them again, you will need to re-download them anyway.

The next step is to delete all temp files. Note for subsequent runs, uncheck the box to delete prefetch files. History is your option.

Get ATF Cleaner here . It does not require installation, just download it to your desktop.
Double-click the ATFCleaner icon on your desktop to launch the program. For this first run, check the select all box on the main page, then click Empty selected. Then, if you use Firefox or Opera, click on the appropriate tab and repeat the same drill.

Then you should re-enable TeaTimer, just follow the same steps as when you disabled it, but this time check the box labeled "TeaTimer Active."

Now you need to Flush your System Restore files and set a clean restore point. To do this, you must first disable System Restore, then reboot your computer, and finally, turn System Restore back on...For the details, I refer you to this tutorial:

http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/

Then, please read and implement the recommendations found here.

http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

There are more tips found here:

http://users.telenet.be/bluepatchy/miekiem...prevention.html

Any questions about any of these steps, just ask.

Good luck and safe computing --

Dave

Note: I'll be away on business Friday and Saturday, so if you post during that time please expect a reply on Sunday.

#7 Feffrey

Feffrey
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 15 October 2007 - 12:50 AM

Dave,

Thank you so much. Your help has been immeasurable. I really, really appreciate it.

Take care and thank you again.

-Jeff Howell-

#8 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:11:07 AM

Posted 15 October 2007 - 05:26 AM

You're quite welcome. :thumbsup:

Because the issue appears to be resolved, this topic will now be closed. If you need it re-opened, PM me and include the URL in your message.

This applies to the original poster only. Everyone else please start a new topic.

Dave




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users