
Help With Alert Popups That Wont Go Away!


19 replies to this topic

#1 Lesley52


  • Members
  • 14 posts

Posted 16 October 2007 - 05:55 PM

I have a laptop that is infected with something that has put a yellow triangle in the bottom right toolbar with a ! in the middle of it. You cannot close it, and it will disappear when you right click on it (only to return in seconds). It sends popups that say SYSTEM ALERT! Spyware/virus/trojan etc. found. Sometimes these boxes use Microsoft or Explorer in the title. If you click the box it takes you to the web site savetheinformation.com and offers to sell you fixes. It has added 2 icons to the desktop, one green shield with a check in the middle that says ONLINE SECURITY Guide, and a blue shield again with the check mark that says LIVE SAFETY CENTER. A toolbar has been added to the top entitled SECURITY TOOLBAR 7.1 and has green bars to click on for removal of spyware or to block adware/popups. Frequently, you are redirected to porn sites and other sites when you click to go to a desired site. About the same time all this happened, a teenager used the computer for surfing the net including Myspace and other stuff. After that, the startup screen started going to a Common Files page that is blank. Then all this junk started happening. She swears she did not turn off the firewall, but I don't believe it. Other problems that may or may not be related are difficulty navigating your site when it came to downloading the Spybot, Ad-Aware, etc. I had to download it to a thumbdrive on another computer and load it that way. It would not let me click on any of the links like HijackThis, etc. Again I used another computer to download it to a thumbdrive. I am afraid soon it will not boot at all. Please give me any help you can!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:16 PM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ssimswzl.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1189562747\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O15 - Trusted Zone: www.comcast.net
O15 - Trusted Zone: www.ebay.com
O15 - Trusted Zone: http://www.memorialherman.org
O15 - Trusted Zone: http://*.memorialherman.org
O15 - Trusted Zone: http://www.roadrunner.com
O15 - Trusted Zone: http://www.rr.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7511EAA8-D4A8-411F-B392-F24CAC59CA32} (DSK_LOGIN Control) - https://mhclinweb.mhhs.org/DSK_LOGINProj1.cab
O21 - SSODL: UcRwgnftmTEa - {0CB58F02-A61F-25A8-3539-53A44FF0CA53} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0301861192572939) (0301861192572939mcinstcleanup) - Unknown owner - C:\DOCUME~1\STEVEP~1\LOCALS~1\Temp\030186~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

--
End of file -


#2 Guest_Cretemonster_*


  • Guests

Posted 17 October 2007 - 03:47 PM

Hi Lesley52 and Welcome to the Bleeping Computer!

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#3 Lesley52

  • Topic Starter

  • Members
  • 14 posts

Posted 21 October 2007 - 10:04 PM

I have not been able to get to the laptop, will do it ASAP. Thanks. I didn't know how to use this page but I'm learning!! I VERY much appreciate your help!!!!!!!!!

#4 Lesley52

  • Topic Starter

  • Members
  • 14 posts

Posted 27 October 2007 - 09:05 PM

I did all the things that this site said to do and I now have the toolbar and popups gone, but frequently get McAfee pop ups that Vundo has been removed, so I'm sure it's not gone completely. Here is the latest HijackThis scan.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:50 PM, on 10/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\xwkoafon.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {C214E54D-8600-40A2-AA3A-F055C2096664} - C:\WINDOWS\system32\awtsr.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1189562747\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O15 - Trusted Zone: www.comcast.com
O15 - Trusted Zone: www.comcast.net
O15 - Trusted Zone: www.ebay.com
O15 - Trusted Zone: http://www.memorialherman.org
O15 - Trusted Zone: http://*.memorialherman.org
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7511EAA8-D4A8-411F-B392-F24CAC59CA32} (DSK_LOGIN Control) - https://mhclinweb.mhhs.org/DSK_LOGINProj1.cab
O20 - Winlogon Notify: iifddcy - iifddcy.dll (file missing)
O20 - Winlogon Notify: opnkjjh - opnkjjh.dll (file missing)
O21 - SSODL: UcRwgnftmTEa - {0CB58F02-A61F-25A8-3539-53A44FF0CA53} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0301861192572939) (0301861192572939mcinstcleanup) - Unknown owner - C:\DOCUME~1\STEVEP~1\LOCALS~1\Temp\030186~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

--
End of file - 9049 bytes

Thanks for any help!! Lesley
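The two HijackThis logs above are read by eye for exactly the entries a reviewer distrusts: loading points whose file is "(file missing)" or "(no file)", unnamed BHOs and toolbars, DLLs sitting straight in system32, Winlogon Notify and SSODL entries, and a service with "Unknown owner" running from a Temp folder. The script below is an added example of that triage written as code; it is not part of the thread, of HijackThis, or of BleepingComputer's tooling. The sample log is constructed from lines of the kinds that appear in the posts above, the parser handles only the entry types present there (R0/R1, O2, O3, O4, O9, O20, O21, O23), and the flagging rules are assumptions that mirror what the helper checks by hand, not a detection signature.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: HijackThis v2 lines of the kinds that appear in
# the logs posted in this thread (R1, O2, O3, O4, O20, O21, O23).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\xwkoafon.dll
O2 - BHO: (no name) - {C214E54D-8600-40A2-AA3A-F055C2096664} - C:\WINDOWS\system32\awtsr.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ssimswzl.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O20 - Winlogon Notify: iifddcy - iifddcy.dll (file missing)
O21 - SSODL: UcRwgnftmTEa - {0CB58F02-A61F-25A8-3539-53A44FF0CA53} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee Application Installer Cleanup (0301861192572939) (0301861192572939mcinstcleanup) - Unknown owner - C:\DOCUME~1\STEVEP~1\LOCALS~1\Temp\030186~1.EXE (file missing)
"""

LINE_RE = re.compile(r"^(?P<etype>[RFO]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
SYSTEM32_DLL = re.compile(r"\\system32\\[^\\]+\.dll\b", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
ORPHAN_MARKERS = ("(file missing)", "(no file)")
# Loading points that legitimate third-party software rarely uses; the O20/O21
# entries in this thread are the Vundo-style leftovers the helper was chasing.
SENSITIVE = {"O20": "Winlogon Notify DLL", "O21": "ShellServiceObjectDelayLoad (SSODL)"}


@dataclass
class Entry:
    etype: str         # HijackThis entry type, e.g. "O2", "O20"
    kind: str          # "BHO", "Toolbar", "Winlogon Notify", registry hive, ...
    name: str          # display name, or "(no name)"
    parts: List[str]   # the " - "-separated fields after the kind
    target: str        # file path / URL the entry loads (last field)
    raw: str


@dataclass
class Finding:
    entry: Entry
    reasons: List[str]


def parse_line(line: str) -> Optional[Entry]:
    """Split one HijackThis line into type, kind, name and target; None if not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    etype, body = m["etype"], m["body"]
    if etype.startswith("R"):                       # R0/R1: "<registry value> = <url>"
        key, _, url = body.partition(" = ")
        return Entry(etype, "IE setting", key, [key, url], url.strip(), line)
    if etype == "O4":                               # O4: "<hive>: [<name>] <command>"
        m4 = O4_RE.match(body)
        if m4:
            return Entry(etype, m4["hive"], m4["name"], [m4["name"], m4["cmd"]], m4["cmd"], line)
    kind, _, rest = body.partition(": ")            # O2/O3/O9/O20/O21/O23: "<kind>: a - b - c"
    parts = [p.strip() for p in rest.split(" - ")]
    target = parts[-1] if len(parts) > 1 else ""
    return Entry(etype, kind, parts[0], parts, target, line)


def triage(log_text: str) -> List[Finding]:
    """Apply the reviewer's heuristics (assumptions, see lead-in) to every entry."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        reasons = []
        if any(marker in e.target for marker in ORPHAN_MARKERS):
            reasons.append("orphaned loading point: registry still references a file that is gone")
        if e.etype in SENSITIVE:
            reasons.append(f"{SENSITIVE[e.etype]} autostart: verify the publisher before trusting it")
        if e.etype in ("O2", "O3") and e.name == "(no name)":
            reasons.append("unnamed BHO/toolbar")
        if e.etype in ("O2", "O3") and SYSTEM32_DLL.search(e.target):
            reasons.append("add-on DLL sits directly in system32 rather than a product directory (heuristic)")
        if e.etype == "O23" and len(e.parts) >= 3 and e.parts[1] == "Unknown owner":
            reasons.append("service with no publisher recorded")
        if TEMP_DIR.search(e.target):
            reasons.append("runs from a Temp directory")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.etype:<4}{f.entry.name!r:<26}{f.entry.target}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, the script reports seven entries and leaves the Yahoo BHO, the Synaptics Run key and the Ad-Aware service alone; the orphaned O20/O21 entries and the "Unknown owner" service in Temp each collect more than one reason, which is the same ordering of concern the helper's replies follow.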

#5 Guest_Cretemonster_*


  • Guests

Posted 28 October 2007 - 03:10 AM

Looks like it's still in there. Use this next tool as instructed and we shall get you cleaned up.


Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

#6 Lesley52

  • Topic Starter

  • Members
  • 14 posts

Posted 28 October 2007 - 06:42 PM

Thanks, here's the info:

ComboFix 07-10-28.2** - steve polfus 2007-10-29 18:29:39.1 - NTFSx86
Running from: E:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\xOe
C:\Temp\xOe\tOasF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\fqryjdpe.dllbox
C:\WINDOWS\system32\gsjvwvxl.ini
C:\WINDOWS\system32\lxvwvjsg.dll
C:\WINDOWS\system32\mlxuqznp.dllbox
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qysifbxy.dll
C:\WINDOWS\system32\rstwa.bak1
C:\WINDOWS\system32\rstwa.bak2
C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\ssimswzl.dllbox
C:\WINDOWS\system32\vMW02a
C:\WINDOWS\system32\vMW10a
C:\WINDOWS\system32\xwkoafon.dll
C:\WINDOWS\system32\yxbfisyq.ini

.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-29 )))))))))))))))))))))))))))))))
.

2007-10-29 18:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-21 19:34 2,900 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-17 22:07 <DIR> d-------- C:\VundoFix Backups
2007-10-17 17:07 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-17 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2007-10-17 00:40 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-10-16 18:55 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-16 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-16 18:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-15 01:59 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-15 01:26 <DIR> d-------- C:\{00004676-0000-0000-BA05-9C0819EF8BD6}
2007-10-14 22:58 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-10-14 18:24 <DIR> d-------- C:\Docum
2007-10-13 08:59 <DIR> d-------- C:\Program Files\ComcastToolbar
2007-10-13 08:59 <DIR> d-------- C:\Documents and Settings\steve polfus\Application Data\ComcastToolbar
2007-10-12 02:50 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-12 02:43 128,896 --a------ C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-10-12 02:43 23,040 --a------ C:\WINDOWS\system32\dllcache\fltmc.exe
2007-10-12 02:43 16,896 --a------ C:\WINDOWS\system32\dllcache\fltlib.dll
2007-10-11 23:42 584,192 --a------ C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-11 23:21 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-11 20:57 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-10-11 20:54 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-10-11 20:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-10-11 20:54 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-10-11 20:54 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-10-11 20:54 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-10-11 20:53 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-10-11 20:51 <DIR> d-------- C:\Program Files\McAfee.com
2007-10-11 20:51 <DIR> d-------- C:\Program Files\McAfee
2007-10-11 20:51 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-10-08 15:39 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
2007-10-08 11:11 <DIR> d-------- C:\WINDOWS\system32\vz3
2007-10-08 11:11 <DIR> d-------- C:\WINDOWS\system32\cz1
2007-10-08 11:11 <DIR> d-------- C:\WINDOWS\system32\ab2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-17 03:24 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-16 05:17 --------- d-----w C:\Program Files\Common Files\Skyscape
2007-10-16 05:13 --------- d-----w C:\Program Files\skyscape
2007-10-16 05:13 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-16 04:49 --------- d-----w C:\Program Files\InterActual
2007-10-15 02:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-14 23:21 --------- d-----w C:\Program Files\Google
2007-10-13 14:01 --------- d-----w C:\Program Files\Common Files\Scanner
2007-10-12 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-12 01:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2007-10-09 04:52 --------- d-----w C:\Program Files\Easy Internet signup
2007-10-09 04:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-25 01:48 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-12 02:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-12 02:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-12 02:05 --------- d-----w C:\Program Files\Common Files\aolshare
2007-08-22 13:12 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 13:12 658,944 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 13:12 615,424 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 13:12 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 13:12 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 13:12 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:12 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 13:12 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 13:12 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 13:12 3,058,176 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 13:12 251,392 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 13:12 205,312 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 13:12 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 13:12 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:12 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 13:12 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:12 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:12 1,022,976 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:30 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2007-07-31 00:18 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2005-11-08 04:52 52,760 ----a-w C:\Documents and Settings\steve polfus\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C214E54D-8600-40A2-AA3A-F055C2096664}]
C:\WINDOWS\system32\awtsr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-06-17 15:43]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-04 01:05]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 04:01]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 11:25]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 11:24]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 19:19]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 12:49]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2002-11-22 12:48]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-05 10:00]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 05:19]
"HostManager"="C:\Program Files\Common Files\AOL\1189562747\ee\AOLSoftware.exe" [2007-04-12 16:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-02-15 14:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifddcy]
iifddcy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkjjh]
opnkjjh.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

S2 0301861192572939mcinstcleanup;McAfee Application Installer Cleanup (0301861192572939);C:\DOCUME~1\STEVEP~1\LOCALS~1\Temp\030186~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
S2 DbgMsg;Debug Message;\??\C:\WINDOWS\System32\Drivers\DbgMsg.sys
S3 AR5513;DWL-G650M Super G MIMO Wireless Notebook Adapter;C:\WINDOWS\system32\DRIVERS\ar5513.sys
S3 MosIrUsb;MosIrUsb.sys;C:\WINDOWS\system32\DRIVERS\MosIrUsb.sys
S3 U2SP;OEM USB to Serial Converter Driver(Philips);C:\WINDOWS\system32\DRIVERS\u2s2kxp.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-15 07:13:34 C:\WINDOWS\Tasks\McDefragTask.job"
"2007-10-12 01:52:51 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-29 18:35:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-29 18:39:33 - machine was rebooted
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:24 PM, on 10/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {C214E54D-8600-40A2-AA3A-F055C2096664} - C:\WINDOWS\system32\awtsr.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1189562747\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O15 - Trusted Zone: www.comcast.com
O15 - Trusted Zone: www.comcast.net
O15 - Trusted Zone: www.ebay.com
O15 - Trusted Zone: http://www.memorialherman.org
O15 - Trusted Zone: http://*.memorialherman.org
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7511EAA8-D4A8-411F-B392-F24CAC59CA32} (DSK_LOGIN Control) - https://mhclinweb.mhhs.org/DSK_LOGINProj1.cab
O20 - Winlogon Notify: iifddcy - iifddcy.dll (file missing)
O20 - Winlogon Notify: opnkjjh - opnkjjh.dll (file missing)
O21 - SSODL: UcRwgnftmTEa - {0CB58F02-A61F-25A8-3539-53A44FF0CA53} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0301861192572939) (0301861192572939mcinstcleanup) - Unknown owner - C:\DOCUME~1\STEVEP~1\LOCALS~1\Temp\030186~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

--
End of file - 8797 bytes

#7 Guest_Cretemonster_*

  • Guests

Posted 29 October 2007 - 03:33 PM

Copy the text below to notepad and save it to the desktop with the name CFScript.txt

File::
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\system32\awtsr.dll
Folder::
C:\WINDOWS\system32\vz3
C:\WINDOWS\system32\cz1
C:\WINDOWS\system32\ab2
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C214E54D-8600-40A2-AA3A-F055C2096664}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifddcy]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkjjh]

Once saved, drag CFScript.txt on top of ComboFix.exe; this will launch the tool and begin the script.


Once completed, post the new ComboFix log and a fresh HijackThis log.


After posting those 2 logs, please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only
  • Follow the instructions on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.
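Added example, not part of this thread and not a Trend Micro or ComboFix tool: a small Python triage script that mechanises how the helper read the HijackThis log above, flagging O2/O20/O21/O23 loading points whose target HijackThis reports as "(file missing)" or "(no file)" (the orphaned autostarts the CFScript's Registry:: section targets) and diffing a before/after pair of logs to confirm which of them a fix actually cleared. The two log excerpts are constructed from lines quoted in this thread.

```python
"""Triage helper for HijackThis v2.0.2 logs (added example; not a tool from
this thread, Trend Micro or ComboFix).

O2 (BHO), O20 (Winlogon Notify), O21 (SSODL) and O23 (Service) lines are
code-loading points.  Those whose target HijackThis marks '(file missing)'
or '(no file)' are orphaned autostarts, the typical Vundo leftovers that a
CFScript Registry:: section removes.  Diffing a before/after pair of logs
shows which orphans the fix cleared instead of eyeballing 100 lines."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# HijackThis sections that load code at logon or browser start.
LOADING_POINTS = {"O2", "O3", "O4", "O20", "O21", "O23"}
MISSING_MARKERS = ("(file missing)", "(no file)")
ENTRY_RE = re.compile(r"^(?P<sec>O\d+|R\d) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass(frozen=True)
class Entry:
    section: str          # e.g. "O20"
    body: str             # everything after "O20 - "
    clsid: Optional[str]  # GUID if the line carries one
    target_missing: bool  # HijackThis could not find the target on disk


def parse_hjt(log: str) -> List[Entry]:
    """Return the R/O entries of a HijackThis log; headers and the running
    process list do not match ENTRY_RE and are skipped."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append(Entry(
            section=m.group("sec"),
            body=body,
            clsid=clsid.group(0) if clsid else None,
            target_missing=any(mk in body for mk in MISSING_MARKERS),
        ))
    return entries


def flag_orphans(entries: List[Entry]) -> List[Entry]:
    """Loading points whose target file is gone.  Not every hit is malware:
    the McAfee installer-cleanup service in the sample points at a deleted
    %TEMP% file and is a benign leftover, so each hit still needs a look."""
    return [e for e in entries if e.section in LOADING_POINTS and e.target_missing]


def removed_between(before: str, after: str) -> List[Entry]:
    """Entries present in the earlier log but absent from the later one."""
    after_bodies = {e.body for e in parse_hjt(after)}
    return [e for e in parse_hjt(before) if e.body not in after_bodies]


# Constructed excerpts built from lines quoted in this thread, before and
# after the CFScript run.
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:24 PM, on 10/29/2007

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {C214E54D-8600-40A2-AA3A-F055C2096664} - C:\WINDOWS\system32\awtsr.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O20 - Winlogon Notify: iifddcy - iifddcy.dll (file missing)
O20 - Winlogon Notify: opnkjjh - opnkjjh.dll (file missing)
O21 - SSODL: UcRwgnftmTEa - {0CB58F02-A61F-25A8-3539-53A44FF0CA53} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0301861192572939) (0301861192572939mcinstcleanup) - Unknown owner - C:\DOCUME~1\STEVEP~1\LOCALS~1\Temp\030186~1.EXE (file missing)
"""

AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:47:29 PM, on 10/30/2007

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O21 - SSODL: UcRwgnftmTEa - {0CB58F02-A61F-25A8-3539-53A44FF0CA53} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0301861192572939) (0301861192572939mcinstcleanup) - Unknown owner - C:\DOCUME~1\STEVEP~1\LOCALS~1\Temp\030186~1.EXE (file missing)
"""


if __name__ == "__main__":
    for title, items in (
        ("Orphaned loading points in the first log:", flag_orphans(parse_hjt(BEFORE_LOG))),
        ("Cleared by the CFScript run:", removed_between(BEFORE_LOG, AFTER_LOG)),
        ("Still present afterwards (O21 SSODL is the next target):", flag_orphans(parse_hjt(AFTER_LOG))),
    ):
        print(title)
        for e in items:
            print(f"  {e.section:>4}  {e.body}")
```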


#8 Lesley52

  • Topic Starter
  • Members
  • 14 posts

Posted 29 October 2007 - 10:01 PM

OK, did it and here are the 3 logs:
ComboFix 07-10-28.2** - steve polfus 2007-10-30 17:43:22.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.353 [GMT -5:00]
Running from: C:\Documents and Settings\steve polfus\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\steve polfus\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\[b]plite731_uninstaller_.bat
C:\WINDOWS\system32\awtsr.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ab2
C:\WINDOWS\system32\cz1
C:\WINDOWS\system32\vz3

.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-30 )))))))))))))))))))))))))))))))
.

2007-10-29 18:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-21 19:34 2,900 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-17 22:07 <DIR> d-------- C:\VundoFix Backups
2007-10-17 17:07 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-17 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2007-10-17 00:40 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-10-16 18:55 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-16 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-16 18:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-15 01:59 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-15 01:26 <DIR> d-------- C:\{00004676-0000-0000-BA05-9C0819EF8BD6}
2007-10-14 22:58 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-10-14 18:24 <DIR> d-------- C:\Docum
2007-10-13 08:59 <DIR> d-------- C:\Program Files\ComcastToolbar
2007-10-13 08:59 <DIR> d-------- C:\Documents and Settings\steve polfus\Application Data\ComcastToolbar
2007-10-12 02:50 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-12 02:43 128,896 --a------ C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-10-12 02:43 23,040 --a------ C:\WINDOWS\system32\dllcache\fltmc.exe
2007-10-12 02:43 16,896 --a------ C:\WINDOWS\system32\dllcache\fltlib.dll
2007-10-11 23:42 584,192 --a------ C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-11 23:21 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-11 20:57 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-10-11 20:54 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-10-11 20:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-10-11 20:54 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-10-11 20:54 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-10-11 20:54 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-10-11 20:53 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-10-11 20:51 <DIR> d-------- C:\Program Files\McAfee.com
2007-10-11 20:51 <DIR> d-------- C:\Program Files\McAfee
2007-10-11 20:51 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-10-08 15:39 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
2007-09-24 20:48 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-09-24 20:33 1 --a------ C:\WINDOWS\system32\SI.bin
2007-09-11 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-11 21:05 <DIR> d-------- C:\Program Files\Common Files\aolshare

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-17 03:24 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-16 05:17 --------- d-----w C:\Program Files\Common Files\Skyscape
2007-10-16 05:13 --------- d-----w C:\Program Files\skyscape
2007-10-16 05:13 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-16 04:49 --------- d-----w C:\Program Files\InterActual
2007-10-15 02:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-14 23:21 --------- d-----w C:\Program Files\Google
2007-10-13 14:01 --------- d-----w C:\Program Files\Common Files\Scanner
2007-10-12 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-12 01:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2007-10-09 04:52 --------- d-----w C:\Program Files\Easy Internet signup
2007-10-09 04:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-12 02:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-08-22 13:12 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 13:12 658,944 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 13:12 615,424 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 13:12 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 13:12 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 13:12 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:12 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 13:12 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 13:12 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 13:12 3,058,176 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 13:12 251,392 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 13:12 205,312 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 13:12 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 13:12 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:12 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 13:12 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:12 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:12 1,022,976 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:30 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2007-07-31 00:18 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-09 13:09 584,192 ----a-w C:\WINDOWS\system32\rpcrt4.dll
2005-11-08 04:52 52,760 ----a-w C:\Documents and Settings\steve polfus\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C214E54D-8600-40A2-AA3A-F055C2096664}]
C:\WINDOWS\system32\awtsr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-06-17 15:43]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-04 01:05]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 04:01]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 11:25]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 11:24]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 19:19]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 12:49]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2002-11-22 12:48]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-05 10:00]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 05:19]
"HostManager"="C:\Program Files\Common Files\AOL\1189562747\ee\AOLSoftware.exe" [2007-04-12 16:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-02-15 14:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifddcy]
iifddcy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkjjh]
opnkjjh.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

S2 0301861192572939mcinstcleanup;McAfee Application Installer Cleanup (0301861192572939);C:\DOCUME~1\STEVEP~1\LOCALS~1\Temp\030186~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
S2 DbgMsg;Debug Message;\??\C:\WINDOWS\System32\Drivers\DbgMsg.sys
S3 AR5513;DWL-G650M Super G MIMO Wireless Notebook Adapter;C:\WINDOWS\system32\DRIVERS\ar5513.sys
S3 MosIrUsb;MosIrUsb.sys;C:\WINDOWS\system32\DRIVERS\MosIrUsb.sys
S3 U2SP;OEM USB to Serial Converter Driver(Philips);C:\WINDOWS\system32\DRIVERS\u2s2kxp.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-15 07:13:34 C:\WINDOWS\Tasks\McDefragTask.job"
"2007-10-12 01:52:51 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-30 17:44:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-30 17:46:08
C:\ComboFix2.txt ... 2007-10-29 18:39
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:47:29 PM, on 10/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1189562747\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O15 - Trusted Zone: www.comcast.com
O15 - Trusted Zone: www.comcast.net
O15 - Trusted Zone: www.ebay.com
O15 - Trusted Zone: http://www.memorialherman.org
O15 - Trusted Zone: http://*.memorialherman.org
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7511EAA8-D4A8-411F-B392-F24CAC59CA32} (DSK_LOGIN Control) - https://mhclinweb.mhhs.org/DSK_LOGINProj1.cab
O21 - SSODL: UcRwgnftmTEa - {0CB58F02-A61F-25A8-3539-53A44FF0CA53} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0301861192572939) (0301861192572939mcinstcleanup) - Unknown owner - C:\DOCUME~1\STEVEP~1\LOCALS~1\Temp\030186~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe


--
End of file - 8318 bytes

Scanning Report
Tuesday, October 30, 2007 18:11:12 - 19:25:40
Computer name: PC116878316169
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 11 malware found
Possible Browser Hijack attempt (spyware)
System (Disinfected)
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
Vundo.gen39 (virus)
C:\WINDOWS\SYSTEM32\IIKGBUBC.INI (Submitted)
C:\WINDOWS\SYSTEM32\PWSGCQMM.INI (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 29773
System: 4121
Not scanned: 4
Actions:
Disinfected: 2
Renamed: 0
Deleted: 0
None: 9
Submitted: 2
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\TEMP\MCAFEE_ABPZ4DKTIHHU5PK
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-10-26
F-Secure AVP: 7.0.171, 2007-10-29
F-Secure Orion: 1.2.37, 2007-10-29
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0598-150-72
F-Secure Pegasus: 1.19.0, 2007-09-18
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics

--------------------------------------------------------------------------------


#9 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 30 October 2007 - 03:24 AM

Looking better!! :thumbsup:

Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

O21 - SSODL: UcRwgnftmTEa - {0CB58F02-A61F-25A8-3539-53A44FF0CA53} - (no file)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only
  • Follow the instructions on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.


#10 Lesley52

Lesley52
  • Topic Starter

  • Members
  • 14 posts

Posted 30 October 2007 - 09:34 AM

OK. Here it is. I thought I had already posted this, but can't find the reply, so here it is again.

#11 Lesley52

Lesley52
  • Topic Starter

  • Members
  • 14 posts

Posted 30 October 2007 - 10:45 AM

:thumbsup: I think I lost today's scan results from the F-Secure scan. The one I posted says it is from last night, so I ran it again with the file check in HJT as instructed. Here are the F-Secure scan results (although it says tomorrow's date):
Scanning Report
Wednesday, October 31, 2007 09:56:23 - 10:56:37
Computer name: PC116878316169
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 5 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System
Vundo.gen39 (virus)
C:\WINDOWS\SYSTEM32\IIKGBUBC.INI (Submitted)
C:\WINDOWS\SYSTEM32\PWSGCQMM.INI (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 29601
System: 4109
Not scanned: 6
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 4
Submitted: 2
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\TEMP\MCAFEE_7UKKJDGPJJGHJPH
C:\WINDOWS\TEMP\MCAFEE_FCFUFVRQ2CFQ8RB
C:\WINDOWS\TEMP\MCMSC_1ML1SUOCVOATB7V
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-10-29
F-Secure AVP: 7.0.171, 2007-10-30
F-Secure Orion: 1.2.37, 2007-10-30
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 2007-10-15
F-Secure Pegasus: 1.19.0, 2007-09-18
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics

--------------------------------------------------------------------------------


#12 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 30 October 2007 - 02:40 PM

Copy the text below to notepad and save it to the desktop with the name CFScript.txt

File::
C:\WINDOWS\SYSTEM32\IIKGBUBC.INI
C:\WINDOWS\SYSTEM32\PWSGCQMM.INI

Once saved, drag CFScript.txt on top of ComboFix.exe and this will launch the tool and begin the script.


Once completed, post the new ComboFix log and a fresh HijackThis log.


After posting those, have a go at the Panda Total Scan and post those results please.
http://www.nanoscan.com/as/v1/principal.aspx

#13 Lesley52

Lesley52
  • Topic Starter

  • Members
  • 14 posts

Posted 31 October 2007 - 01:49 PM

When I tried to drop the file into ComboFix, it started, then said error; something was spelled wrong. Anyway, I ran ComboFix, HJT, and the Panda scan. Here are the results:
ComboFix 07-10-28.2** - steve polfus 2007-11-01 12:31:36.3 - NTFSx86
Running from: C:\Documents and Settings\steve polfus\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-01 to 2007-11-01 )))))))))))))))))))))))))))))))
.

2007-10-29 18:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-21 19:34 2,900 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-17 22:07 <DIR> d-------- C:\VundoFix Backups
2007-10-17 17:07 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-17 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2007-10-17 00:40 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-10-16 18:55 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-16 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-16 18:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-15 01:59 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-15 01:26 <DIR> d-------- C:\{00004676-0000-0000-BA05-9C0819EF8BD6}
2007-10-14 22:58 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-10-14 18:24 <DIR> d-------- C:\Docum
2007-10-13 08:59 <DIR> d-------- C:\Program Files\ComcastToolbar
2007-10-13 08:59 <DIR> d-------- C:\Documents and Settings\steve polfus\Application Data\ComcastToolbar
2007-10-12 02:50 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-12 02:43 128,896 --a------ C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-10-12 02:43 23,040 --a------ C:\WINDOWS\system32\dllcache\fltmc.exe
2007-10-12 02:43 16,896 --a------ C:\WINDOWS\system32\dllcache\fltlib.dll
2007-10-11 23:42 584,192 --a------ C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-11 23:21 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-11 20:57 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-10-11 20:54 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-10-11 20:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-10-11 20:54 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-10-11 20:54 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-10-11 20:54 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-10-11 20:53 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-10-11 20:51 <DIR> d-------- C:\Program Files\McAfee.com
2007-10-11 20:51 <DIR> d-------- C:\Program Files\McAfee
2007-10-11 20:51 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-10-08 15:39 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-17 03:24 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-16 05:17 --------- d-----w C:\Program Files\Common Files\Skyscape
2007-10-16 05:13 --------- d-----w C:\Program Files\skyscape
2007-10-16 05:13 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-16 04:49 --------- d-----w C:\Program Files\InterActual
2007-10-15 02:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-14 23:21 --------- d-----w C:\Program Files\Google
2007-10-13 14:01 --------- d-----w C:\Program Files\Common Files\Scanner
2007-10-12 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-12 01:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2007-10-09 04:52 --------- d-----w C:\Program Files\Easy Internet signup
2007-10-09 04:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-25 01:48 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-12 02:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-12 02:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-12 02:05 --------- d-----w C:\Program Files\Common Files\aolshare
2007-08-22 13:12 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 13:12 658,944 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 13:12 615,424 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 13:12 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 13:12 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 13:12 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:12 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 13:12 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 13:12 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 13:12 3,058,176 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 13:12 251,392 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 13:12 205,312 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 13:12 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 13:12 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:12 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 13:12 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:12 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:12 1,022,976 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:30 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2005-11-08 04:52 52,760 ----a-w C:\Documents and Settings\steve polfus\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2007-10-29_18.37.37.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-07 21:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 21:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 21:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-06-17 15:43]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-04 01:05]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 04:01]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 11:25]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 11:24]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 19:19]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 12:49]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2002-11-22 12:48]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-05 10:00]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 05:19]
"HostManager"="C:\Program Files\Common Files\AOL\1189562747\ee\AOLSoftware.exe" [2007-04-12 16:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-02-15 14:54]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

S2 0301861192572939mcinstcleanup;McAfee Application Installer Cleanup (0301861192572939);C:\DOCUME~1\STEVEP~1\LOCALS~1\Temp\030186~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
S2 DbgMsg;Debug Message;\??\C:\WINDOWS\System32\Drivers\DbgMsg.sys
S3 AR5513;DWL-G650M Super G MIMO Wireless Notebook Adapter;C:\WINDOWS\system32\DRIVERS\ar5513.sys
S3 MosIrUsb;MosIrUsb.sys;C:\WINDOWS\system32\DRIVERS\MosIrUsb.sys
S3 U2SP;OEM USB to Serial Converter Driver(Philips);C:\WINDOWS\system32\DRIVERS\u2s2kxp.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-15 07:13:34 C:\WINDOWS\Tasks\McDefragTask.job"
"2007-10-12 01:52:51 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 12:34:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-01 12:36:17
C:\ComboFix2.txt ... 2007-10-30 17:46
C:\ComboFix3.txt ... 2007-10-29 18:39
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:51 PM, on 11/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1189562747\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O15 - Trusted Zone: www.comcast.com
O15 - Trusted Zone: www.comcast.net
O15 - Trusted Zone: www.ebay.com
O15 - Trusted Zone: http://www.memorialherman.org
O15 - Trusted Zone: http://*.memorialherman.org
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7511EAA8-D4A8-411F-B392-F24CAC59CA32} (DSK_LOGIN Control) - https://mhclinweb.mhhs.org/DSK_LOGINProj1.cab
O21 - SSODL: UcRwgnftmTEa - {0CB58F02-A61F-25A8-3539-53A44FF0CA53} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0301861192572939) (0301861192572939mcinstcleanup) - Unknown owner - C:\DOCUME~1\STEVEP~1\LOCALS~1\Temp\030186~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

--
End of file - 8293 bytes

Scan details
High danger level (0)

Medium danger level (1)
Spyware/Virtum... Spyware Latent
C:\System Volume Informat...9BA1B}\RP165\A0069457.dll
C:\qoobox\Quarantine\C\WI...system32\xwkoafon.dll.vir

Low danger level (17)
Cookie/Doublec... Tracking Cookie Latent
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqDA.tmp
Cookie/PointRo... Tracking Cookie Latent
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqDC.tmp
Cookie/GoClick Tracking Cookie Latent
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC4.tmp
Application/Ni... Tracking Application Latent
C:\Documents and Settings...\ComboFix.exe[nircmd.exe]
C:\Documents and Settings...omboFix.exe[nircmd.cfexe]
C:\System Volume Informat...9BA1B}\RP165\A0070582.exe
C:\WINDOWS\NirCmd.exe
C:\System Volume Informat...9BA1B}\RP166\A0070685.exe
Cookie/Atlas D... Tracking Cookie Latent
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD6.tmp
C:\Documents and Settings...steve polfus@atdmt[2].txt
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC3.tmp
Cookie/Com.com Tracking Cookie Latent
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD9.tmp
Cookie/Adverti... Tracking Cookie Latent
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD5.tmp
Cookie/Tribalf... Tracking Cookie Latent
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqDF.tmp
Cookie/2o7 Tracking Cookie Latent
C:\Documents and Settings...s\steve polfus@2o7[1].txt
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD3.tmp
Adware/Adband Adware Latent
C:\System Volume Informat...9BA1B}\RP143\A0056652.dll
C:\System Volume Informat...062984.exe[BndDrive5.dll]
Adware/Amera Adware Latent
C:\System Volume Informat...9BA1B}\RP143\A0056640.exe
C:\System Volume Informat...0062984.exe[ISMPack6.exe]
Cookie/Questio... Tracking Cookie Latent
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC7.tmp
Cookie/Zedo Tracking Cookie Latent
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE1.tmp
Cookie/YieldMa... Tracking Cookie Latent
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD4.tmp
Cookie/Mediapl... Tracking Cookie Latent
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC5.tmp
Cookie/Traffic... Tracking Cookie Latent
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC8.tmp
Cookie/Atwola Tracking Cookie Latent
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD7.tmp
C:\Documents and Settings...teve polfus@atwola[2].txt
C:\Documents and Settings...teve polfus@atwola[1].txt


Suspicious files (3)

:thumbsup:

#14 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 01 November 2007 - 01:21 PM

All right, when you save this, just save it with the name CFScript

When you look on the desktop, it should be saved as CFScript.txt

Copy the text below to notepad and save it to the desktop with the name CFScript

File::
C:\WINDOWS\SYSTEM32\IIKGBUBC.INI
C:\WINDOWS\SYSTEM32\PWSGCQMM.INI
C:\WINDOWS\plite731_uninstaller_.bat

Once saved, drag CFScript.txt on top of ComboFix.exe and this will launch the tool and begin the script.


Once completed, post the new ComboFix log

#15 Lesley52

Lesley52
  • Topic Starter

  • Members
  • 14 posts

Posted 01 November 2007 - 06:43 PM

:thumbsup: It's amazing to me that you can figure this stuff out!! Thank you again for your help!! Here are the new posts. This time ComboFix worked.
ComboFix 07-10-28.2** - steve polfus 2007-11-02 18:45:19.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.360 [GMT -5:00]
Running from: C:\Documents and Settings\steve polfus\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\steve polfus\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\SYSTEM32\IIKGBUBC.INI
C:\WINDOWS\SYSTEM32\PWSGCQMM.INI
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\SYSTEM32\IIKGBUBC.INI
C:\WINDOWS\SYSTEM32\PWSGCQMM.INI

.
((((((((((((((((((((((((( Files Created from 2007-10-02 to 2007-11-02 )))))))))))))))))))))))))))))))
.

2007-11-01 12:48 <DIR> d-------- C:\Program Files\Panda Security
2007-10-29 18:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-21 19:34 2,900 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-17 22:07 <DIR> d-------- C:\VundoFix Backups
2007-10-17 17:07 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-17 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2007-10-17 00:40 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-10-16 18:55 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-16 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-16 18:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-15 01:59 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-15 01:26 <DIR> d-------- C:\{00004676-0000-0000-BA05-9C0819EF8BD6}
2007-10-14 22:58 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-10-14 18:24 <DIR> d-------- C:\Docum
2007-10-13 08:59 <DIR> d-------- C:\Program Files\ComcastToolbar
2007-10-13 08:59 <DIR> d-------- C:\Documents and Settings\steve polfus\Application Data\ComcastToolbar
2007-10-12 02:50 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-12 02:43 128,896 --a------ C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-10-12 02:43 23,040 --a------ C:\WINDOWS\system32\dllcache\fltmc.exe
2007-10-12 02:43 16,896 --a------ C:\WINDOWS\system32\dllcache\fltlib.dll
2007-10-11 23:42 584,192 --a------ C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-11 23:21 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-11 20:57 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-10-11 20:54 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-10-11 20:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-10-11 20:54 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-10-11 20:54 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-10-11 20:54 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-10-11 20:53 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-10-11 20:51 <DIR> d-------- C:\Program Files\McAfee.com
2007-10-11 20:51 <DIR> d-------- C:\Program Files\McAfee
2007-10-11 20:51 <DIR> d-------- C:\Program Files\Common Files\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-17 03:24 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-16 05:17 --------- d-----w C:\Program Files\Common Files\Skyscape
2007-10-16 05:13 --------- d-----w C:\Program Files\skyscape
2007-10-16 05:13 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-16 04:49 --------- d-----w C:\Program Files\InterActual
2007-10-15 02:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-14 23:21 --------- d-----w C:\Program Files\Google
2007-10-13 14:01 --------- d-----w C:\Program Files\Common Files\Scanner
2007-10-12 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-12 01:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2007-10-09 04:52 --------- d-----w C:\Program Files\Easy Internet signup
2007-10-09 04:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-25 01:48 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-12 02:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-12 02:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-12 02:05 --------- d-----w C:\Program Files\Common Files\aolshare
2007-08-22 13:12 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 13:12 658,944 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 13:12 615,424 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 13:12 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 13:12 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 13:12 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:12 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 13:12 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 13:12 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 13:12 3,058,176 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 13:12 251,392 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 13:12 205,312 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 13:12 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 13:12 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:12 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 13:12 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:12 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:12 1,022,976 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:30 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2005-11-08 04:52 52,760 ----a-w C:\Documents and Settings\steve polfus\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2007-10-29_18.37.37.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-21 19:37:26 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\ascstubie.dll
+ 2007-05-07 21:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 21:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 21:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2007-07-18 19:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-06-17 15:43]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-04 01:05]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 04:01]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 11:25]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 11:24]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 19:19]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 12:49]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2002-11-22 12:48]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-05 10:00]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 05:19]
"HostManager"="C:\Program Files\Common Files\AOL\1189562747\ee\AOLSoftware.exe" [2007-04-12 16:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-02-15 14:54]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

S2 0301861192572939mcinstcleanup;McAfee Application Installer Cleanup (0301861192572939);C:\DOCUME~1\STEVEP~1\LOCALS~1\Temp\030186~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
S2 DbgMsg;Debug Message;\??\C:\WINDOWS\System32\Drivers\DbgMsg.sys
S3 AR5513;DWL-G650M Super G MIMO Wireless Notebook Adapter;C:\WINDOWS\system32\DRIVERS\ar5513.sys
S3 MosIrUsb;MosIrUsb.sys;C:\WINDOWS\system32\DRIVERS\MosIrUsb.sys
S3 U2SP;OEM USB to Serial Converter Driver(Philips);C:\WINDOWS\system32\DRIVERS\u2s2kxp.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-15 07:13:34 C:\WINDOWS\Tasks\McDefragTask.job"
"2007-10-12 01:52:51 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 18:47:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-02 18:48:43
C:\ComboFix2.txt ... 2007-11-01 12:36
C:\ComboFix3.txt ... 2007-10-30 17:46
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:27 PM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1189562747\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O15 - Trusted Zone: www.comcast.com
O15 - Trusted Zone: www.comcast.net
O15 - Trusted Zone: www.ebay.com
O15 - Trusted Zone: http://www.memorialherman.org
O15 - Trusted Zone: http://*.memorialherman.org
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {7511EAA8-D4A8-411F-B392-F24CAC59CA32} (DSK_LOGIN Control) - https://mhclinweb.mhhs.org/DSK_LOGINProj1.cab
O21 - SSODL: UcRwgnftmTEa - {0CB58F02-A61F-25A8-3539-53A44FF0CA53} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0301861192572939) (0301861192572939mcinstcleanup) - Unknown owner - C:\DOCUME~1\STEVEP~1\LOCALS~1\Temp\030186~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

--
End of file - 8166 bytes
