Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundo/vundo Variant Infection


  • This topic is locked This topic is locked
22 replies to this topic

#1 dgm

dgm

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:10 PM

Posted 16 October 2007 - 06:34 PM

Have worked at least 24 hours over the past few days to rid computer of multiple Trojans. Cannot get rid of Vundo. Have run Webroot Spy Sweeper, Lavasoft AdAware, SuperAntiSpyware, and McAfee. Only SuperAntiSpyware detects anything, but even after cleaning, it comes back with a vengeance. At this point, I'm getting multiple popus/security alerts/and such decreased performance that this post is difficult to type as it doesn't take all letters entered. I also ran Hijack This and Combofix. I failed to save the Combofix log, but I'll be glad to run it again, if need be. Any help would be GREATLY appreciated!!!!!!!

Hijack this (ran moments ago) . . .
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:22, on 2007-10-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\SiteAdvisor\6021\SAService.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
Z:\ABACUS\msgs.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe
C:\Program Files\SiteAdvisor\6021\SiteAdv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6021\SiteAdv.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\dycwcwvk.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Abacus msgs] "Z:\ABACUS\msgs.exe" /"Z:\Abacus\"
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6021\SiteAdv.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mobleylawoffice.local
O17 - HKLM\Software\..\Telephony: DomainName = mobleylawoffice.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3D47149-8AEC-4637-B038-17974167C3B7}: NameServer = 192.168.1.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mobleylawoffice.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{B3D47149-8AEC-4637-B038-17974167C3B7}: NameServer = 192.168.1.100
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6021\SAService.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7560 bytes

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:10 PM

Posted 17 October 2007 - 09:13 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum dgm :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

If you have previously downloaded ComboFix,please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat(which is still Hijackthis.exe),post that log into your next reply please.
Posted Image
Posted Image

#3 dgm

dgm
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:10 PM

Posted 17 October 2007 - 09:50 AM

Thanks for the help, Richie! Just to let you know after posting the Hijack This log last night, I did run VundoFix (found and deleted one .dll file). Upon reboot, popups were more sparse, but still there. Then ran VirtumundoBegone, which found nothing. At present, I'm getting popups occassionally, but not as much. The system tray warnings have not returned, yet.

Now that I have an active response, I will not do anything else except what you tell me to do.

Below is the Combofix log, and I will be posting the new Hijack log as directed shortly:

ComboFix 07-10-17.8 - Administrator 2007-10-17 10:34:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.214 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator.MOBLEYLAWOFFICE\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
.

2007-10-17 09:57 <DIR> d-------- C:\VundoFix Backups
2007-10-16 19:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-16 18:41 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-16 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-16 17:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-16 17:42 <DIR> d-------- C:\Program Files\Java
2007-10-16 17:42 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-16 17:30 389,184 --a------ C:\WINDOWS\system32\wwyrytyq.exe
2007-10-15 19:05 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-15 19:05 <DIR> d-------- C:\Documents and Settings\Regina\Application Data\SUPERAntiSpyware.com
2007-10-15 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-15 19:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-15 17:30 389,184 --a------ C:\WINDOWS\system32\rmrberrn.exe
2007-10-10 14:40 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-09 19:09 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-09 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-09 18:49 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-10-08 18:09 <DIR> d-------- C:\Documents and Settings\Regina\Application Data\Webroot
2007-10-08 17:37 <DIR> d-------- C:\Program Files\Webroot
2007-10-08 17:37 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-08 17:37 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-08 17:37 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-08 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-10-08 17:37 <DIR> d-------- C:\Documents and Settings\Administrator.MOBLEYLAWOFFICE\Application Data\Webroot
2007-10-08 17:37 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
2007-10-08 17:37 163,128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-10-08 17:37 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-08 17:37 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-08 17:37 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-10-08 17:36 164 --a------ C:\install.dat
2007-10-08 16:05 <DIR> d-------- C:\Documents and Settings\Regina\Application Data\Sunbelt Software
2007-10-08 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\logs
2007-10-08 13:39 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-10-08 13:39 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-10-08 13:34 <DIR> d-------- C:\Documents and Settings\Administrator.MOBLEYLAWOFFICE\Application Data\Sunbelt Software
2007-10-05 16:45 <DIR> d-------- C:\Documents and Settings\Regina\Application Data\McAfee
2007-10-05 16:13 <DIR> d-------- C:\Documents and Settings\Regina\Application Data\SiteAdvisor
2007-10-05 14:03 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-10-05 14:03 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-10-05 14:03 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-10-05 14:03 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-10-05 14:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-10-05 14:03 <DIR> d-------- C:\Documents and Settings\Administrator.MOBLEYLAWOFFICE\Application Data\SiteAdvisor
2007-10-05 14:02 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-10-05 14:02 72,296 --a------ C:\WINDOWS\system32\drivers\MfeAVFK.sys
2007-10-05 14:02 52,200 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2007-10-05 14:02 34,184 --a------ C:\WINDOWS\system32\drivers\MfeBOPK.sys
2007-10-03 18:45 <DIR> d-------- C:\Temp
2007-09-28 13:43 <DIR> d-------- C:\Documents and Settings\Regina\Application Data\Yahoo!
2007-09-28 13:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-28 13:38 <DIR> d-------- C:\Program Files\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-05 20:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-05 18:06 --------- d-----w C:\Program Files\McAfee
2007-10-04 19:35 --------- d-----w C:\Program Files\Common Files\Intuit
2007-10-04 19:31 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-04 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2006-06-01 16:01:17 8 --sh--r C:\WINDOWS\system32\668B543464.sys
.

((((((((((((((((((((((((((((( snapshot@2007-10-16_18.08.07.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-16 22:42:09 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2007-10-16 22:42:09 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2007-10-16 22:42:09 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2007-10-16 22:42:09 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2007-07-11 18:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 17:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 17:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
- 2006-06-19 20:19:42 571,184 ------w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2007-04-24 15:32:06 1,485,696 ------w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
- 2005-10-12 23:12:25 14,048 ------w C:\WINDOWS\system32\spmsg.dll
+ 2006-11-17 20:14:30 14,640 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-10-17 14:10:27 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94C7AB89-795F-4D93-852C-0F565188246B}]
2007-10-03 18:50 307808 --------- C:\DOCUME~1\Regina\LOCALS~1\Temp\mljjg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 20:22]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 20:19]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 20:23]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-04-20 19:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-20 19:14]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20]
"Abacus msgs"="Z:\ABACUS\msgs.exe" [2006-04-28 11:16]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [2007-03-06 17:25]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe" [2007-05-18 04:03]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6021\SiteAdv.exe" [2007-02-03 14:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 22:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
MUPS.lnk - C:\Program Files\Belkin Bulldog Plus\MUPS.exe [2006-06-13 11:43:52]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 23:07:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\DOCUME~1\Regina\LOCALS~1\Temp\mljjg.dll

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R1 mfetdik;McAfee Inc.;C:\WINDOWS\system32\drivers\mfetdik.sys
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe /ServiceStart
R3 HSFHWCD2;HSFHWCD2;C:\WINDOWS\system32\DRIVERS\HSFHWCD2.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 22:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D2306V91-3).job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 10:39:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-17 10:43:30
C:\ComboFix2.txt ... 2007-10-16 18:10
.
--- E O F ---

#4 dgm

dgm
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:10 PM

Posted 17 October 2007 - 09:57 AM

abc.bat (Hijack This) log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52, on 2007-10-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\SiteAdvisor\6021\SAService.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
Z:\ABACUS\msgs.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe
C:\Program Files\SiteAdvisor\6021\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6021\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {94C7AB89-795F-4D93-852C-0F565188246B} - C:\DOCUME~1\Regina\LOCALS~1\Temp\mljjg.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6021\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Abacus msgs] "Z:\ABACUS\msgs.exe" /"Z:\Abacus\"
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6021\SiteAdv.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mobleylawoffice.local
O17 - HKLM\Software\..\Telephony: DomainName = mobleylawoffice.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3D47149-8AEC-4637-B038-17974167C3B7}: NameServer = 192.168.1.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mobleylawoffice.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{B3D47149-8AEC-4637-B038-17974167C3B7}: NameServer = 192.168.1.100
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6021\SAService.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8086 bytes

#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:10 PM

Posted 17 October 2007 - 10:02 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\wwyrytyq.exe
C:\WINDOWS\system32\rmrberrn.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94C7AB89-795F-4D93-852C-0F565188246B}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
Posted Image
Posted Image

#6 dgm

dgm
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:10 PM

Posted 17 October 2007 - 10:37 AM

I'm not sure it matters, but when I ran ComboFix between the "Please Wait. ComboFix is preparing to run" screen and the "Disclaimer of Warranty" screen, I did get the following message:

"The process cannot access the file because it is being used by another process."

ComboFix seemed to run fine, although it took a bit longer than before. The log follows; Hijack This next . . .

ComboFix 07-10-17.8 - Administrator 2007-10-17 11:23:56.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.244 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator.MOBLEYLAWOFFICE\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator.MOBLEYLAWOFFICE\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\rmrberrn.exe
C:\WINDOWS\system32\wwyrytyq.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\rmrberrn.exe
C:\WINDOWS\system32\wwyrytyq.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
.

2007-10-16 19:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-16 18:41 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-16 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-16 17:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-16 17:42 <DIR> d-------- C:\Program Files\Java
2007-10-16 17:42 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-15 19:05 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-15 19:05 <DIR> d-------- C:\Documents and Settings\Regina\Application Data\SUPERAntiSpyware.com
2007-10-15 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-15 19:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-10 14:40 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-09 19:09 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-09 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-09 18:49 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-10-08 18:09 <DIR> d-------- C:\Documents and Settings\Regina\Application Data\Webroot
2007-10-08 17:37 <DIR> d-------- C:\Program Files\Webroot
2007-10-08 17:37 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-08 17:37 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-08 17:37 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-10-08 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-10-08 17:37 <DIR> d-------- C:\Documents and Settings\Administrator.MOBLEYLAWOFFICE\Application Data\Webroot
2007-10-08 17:37 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
2007-10-08 17:37 163,128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-10-08 17:37 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-08 17:37 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-08 17:37 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-10-08 17:36 164 --a------ C:\install.dat
2007-10-08 16:05 <DIR> d-------- C:\Documents and Settings\Regina\Application Data\Sunbelt Software
2007-10-08 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\logs
2007-10-08 13:39 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-10-08 13:39 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-10-08 13:34 <DIR> d-------- C:\Documents and Settings\Administrator.MOBLEYLAWOFFICE\Application Data\Sunbelt Software
2007-10-05 16:45 <DIR> d-------- C:\Documents and Settings\Regina\Application Data\McAfee
2007-10-05 16:13 <DIR> d-------- C:\Documents and Settings\Regina\Application Data\SiteAdvisor
2007-10-05 14:03 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-10-05 14:03 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-10-05 14:03 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-10-05 14:03 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-10-05 14:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-10-05 14:03 <DIR> d-------- C:\Documents and Settings\Administrator.MOBLEYLAWOFFICE\Application Data\SiteAdvisor
2007-10-05 14:02 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-10-05 14:02 72,296 --a------ C:\WINDOWS\system32\drivers\MfeAVFK.sys
2007-10-05 14:02 52,200 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2007-10-05 14:02 34,184 --a------ C:\WINDOWS\system32\drivers\MfeBOPK.sys
2007-10-03 18:45 <DIR> d-------- C:\Temp
2007-09-28 13:43 <DIR> d-------- C:\Documents and Settings\Regina\Application Data\Yahoo!
2007-09-28 13:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-28 13:38 <DIR> d-------- C:\Program Files\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-05 20:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-05 18:06 --------- d-----w C:\Program Files\McAfee
2007-10-04 19:35 --------- d-----w C:\Program Files\Common Files\Intuit
2007-10-04 19:31 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-04 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2006-06-01 16:01:17 8 --sh--r C:\WINDOWS\system32\668B543464.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B488F497-E802-4143-A662-898C3F98CFD6}]
2007-10-03 18:50 307808 --------- C:\DOCUME~1\Regina\LOCALS~1\Temp\mljjg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 20:22]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 20:19]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 20:23]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-04-20 19:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-20 19:14]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20]
"Abacus msgs"="Z:\ABACUS\msgs.exe" [2006-04-28 11:16]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [2007-03-06 17:25]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe" [2007-05-18 04:03]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6021\SiteAdv.exe" [2007-02-03 14:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 22:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
MUPS.lnk - C:\Program Files\Belkin Bulldog Plus\MUPS.exe [2006-06-13 11:43:52]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 23:07:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\DOCUME~1\Regina\LOCALS~1\Temp\mljjg.dll

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R1 mfetdik;McAfee Inc.;C:\WINDOWS\system32\drivers\mfetdik.sys
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe /ServiceStart
R3 HSFHWCD2;HSFHWCD2;C:\WINDOWS\system32\DRIVERS\HSFHWCD2.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 22:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D2306V91-3).job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 11:28:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-17 11:31:50
C:\ComboFix.txt ... 2007-10-17 10:43
C:\ComboFix3.txt ... 2007-10-16 18:10
.
--- E O F ---

#7 dgm

dgm
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:10 PM

Posted 17 October 2007 - 10:39 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38, on 2007-10-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\SiteAdvisor\6021\SAService.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
Z:\ABACUS\msgs.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe
C:\Program Files\SiteAdvisor\6021\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6021\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {B488F497-E802-4143-A662-898C3F98CFD6} - C:\DOCUME~1\Regina\LOCALS~1\Temp\mljjg.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6021\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Abacus msgs] "Z:\ABACUS\msgs.exe" /"Z:\Abacus\"
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6021\SiteAdv.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mobleylawoffice.local
O17 - HKLM\Software\..\Telephony: DomainName = mobleylawoffice.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3D47149-8AEC-4637-B038-17974167C3B7}: NameServer = 192.168.1.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mobleylawoffice.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{B3D47149-8AEC-4637-B038-17974167C3B7}: NameServer = 192.168.1.100
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6021\SAService.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8070 bytes

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:10 PM

Posted 17 October 2007 - 10:51 AM

First temporarily disable SpySweeper by following the info here:
http://wiki.castlecops.com/Malware_Removal...toring_Programs

Download KillBox,unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.exe
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box,copy and paste:
C:\DOCUME~1\Regina\LOCALS~1\Temp\mljjg.dll
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot,select YES.
Allow it to reboot.
If it does'nt reboot automatically,reboot manually.

Click on Start/Run,type cleanmgr into the 'Open:' space,then press Ok.
Let it scan your system for files to remove.
Make sure these 3 are checked and nothing else,then press Ok.
* Temporary Files
* Temporary Internet Files
* Recycle Bin


Have Hijack This fix the following,if still present,by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {B488F497-E802-4143-A662-898C3F98CFD6} - C:\DOCUME~1\Regina\LOCALS~1\Temp\mljjg.dll

Exit Hijackthis.

Restart your pc.
Post a new Hijackthis log.
Let me know how things are going now please.
Posted Image
Posted Image

#9 dgm

dgm
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:10 PM

Posted 17 October 2007 - 11:33 AM

I get the following error message when trying to run KillBox:

"PendingFileRenameOperationsRegistry Data has been Removed by External Process!"

The only option it gives me is "OK"

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:10 PM

Posted 17 October 2007 - 01:38 PM

I get the following error message when trying to run KillBox:

"PendingFileRenameOperationsRegistry Data has been Removed by External Process!"

The only option it gives me is "OK"

Click OK at any 'PendingFileRenameOperations' prompt,then carry on with the rest of the instructions please.
Posted Image
Posted Image

#11 dgm

dgm
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:10 PM

Posted 17 October 2007 - 02:04 PM

Still getting popups; new log . . .

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:03, on 2007-10-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\SiteAdvisor\6021\SAService.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe
C:\Program Files\SiteAdvisor\6021\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6021\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {79C9F73B-74BD-4701-8F14-963CAD865705} - C:\DOCUME~1\Regina\LOCALS~1\Temp\mljjg.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6021\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Abacus msgs] "Z:\ABACUS\msgs.exe" /"Z:\Abacus\"
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6021\SiteAdv.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mobleylawoffice.local
O17 - HKLM\Software\..\Telephony: DomainName = mobleylawoffice.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3D47149-8AEC-4637-B038-17974167C3B7}: NameServer = 192.168.1.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mobleylawoffice.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{B3D47149-8AEC-4637-B038-17974167C3B7}: NameServer = 192.168.1.100
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6021\SAService.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7776 bytes

Edited by dgm, 17 October 2007 - 02:16 PM.


#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:10 PM

Posted 17 October 2007 - 02:32 PM

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {94C7AB89-795F-4D93-852C-0F565188246B} - C:\DOCUME~1\Regina\LOCALS~1\Temp\mljjg.dll
Exit Hijackthis.

Find and delete if present:
C:\Documents and Settings\Regina\Local Settings\Temp\mljjg.dll

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Restart your pc normally.


Please run this online virus scan:Activescan using Internet Explorer.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes,click the See Report button, then Save Report, and save it to your desktop.
Copy and paste the contents of that report in your next reply.

Also post a new Hijackthis log,let me know how your pc is running now.
Posted Image
Posted Image

#13 dgm

dgm
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:10 PM

Posted 17 October 2007 - 04:26 PM

Rebooted to Safe Mode
Hijack this did not successfully fix the line noted (it still showed on new scan).

I then tried to delete "mljjg.dll" but got something similar to "Cannot Delete. The file is in use by another program."
I then rebooted into Safe Mode Command Prompt and tried deleting it there and got a similar message.

Can we prevent the process from loading that's using the file so we can delete it or am I not on the right track?

I do appreciate your continued persistance! I will be making a "Donation" once we get this resolved.

Edited by dgm, 17 October 2007 - 04:35 PM.


#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:10 PM

Posted 17 October 2007 - 04:38 PM

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens,click the "Scan for Vundo" button.
Once it's done scanning,click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed,it will prompt that it will reboot your computer,click "OK".
Post the contents of C:\vundofix.txt into your next reply.
Note:
It is possible that VundoFix encountered a file it could not remove.
In this case,VundoFix will run on reboot,simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


Download VirtumundoBegone:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
Save VirtumundoBeGone.exe to your desktop.
Run VirtumundoBeGone.exe and follow the instructions.
Do not worry if you see a BLUE SCREEN "Fatal Error" Message, this is normal and expected.
When it has finished, restart your pc.
It will create a log on your desktop called VBG.TXT,post the entire contents of that log into your next reply.
Posted Image
Posted Image

#15 dgm

dgm
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:10 PM

Posted 17 October 2007 - 04:59 PM

VundoFix did not find any infections on 2 passes. You'll see earlier scan as I'd already attempted this (before I started this post) as well. I had ran VirtumundoBegone prior to posting, too -- so there are entries for this morning and most recently in the log.


VundoFix V6.5.10

Checking Java version...

Scan started at 09:57:33 2007-10-17

Listing files found while scanning....

C:\WINDOWS\system32\dycwcwvk.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\dycwcwvk.dll
C:\WINDOWS\system32\dycwcwvk.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.10

Checking Java version...

Scan started at 17:47:14 2007-10-17

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.10

Checking Java version...

Scan started at 17:51:28 2007-10-17

Listing files found while scanning....

No infected files were found.

-------------------------------------------------


[10/17/2007, 10:08:28] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrator.MOBLEYLAWOFFICE\Desktop\VirtumundoBeGone.exe" )
[10/17/2007, 10:08:38] - Detected System Information:
[10/17/2007, 10:08:38] - Windows Version: 5.1.2600, Service Pack 2
[10/17/2007, 10:08:38] - Current Username: Administrator (Admin)
[10/17/2007, 10:08:38] - Windows is in SAFE mode.
[10/17/2007, 10:08:38] - Searching for Browser Helper Objects:
[10/17/2007, 10:08:38] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
[10/17/2007, 10:08:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/17/2007, 10:08:38] - No filename found. Continuing.
[10/17/2007, 10:08:38] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[10/17/2007, 10:08:38] - BHO 3: {089FD14D-132B-48FC-8861-0048AE113215} ()
[10/17/2007, 10:08:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/17/2007, 10:08:38] - Checking for HKLM\...\Winlogon\Notify\SiteAdv
[10/17/2007, 10:08:38] - Key not found: HKLM\...\Winlogon\Notify\SiteAdv, continuing.
[10/17/2007, 10:08:38] - BHO 4: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[10/17/2007, 10:08:38] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/17/2007, 10:08:38] - BHO 6: {9E3A2358-BB9B-41B0-A901-C53D19668E3F} ()
[10/17/2007, 10:08:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/17/2007, 10:08:38] - Checking for HKLM\...\Winlogon\Notify\mljjg
[10/17/2007, 10:08:38] - Key not found: HKLM\...\Winlogon\Notify\mljjg, continuing.
[10/17/2007, 10:08:38] - Finished Searching Browser Helper Objects
[10/17/2007, 10:08:38] - Finishing up...
[10/17/2007, 10:08:38] - Nothing found! Exiting...

[10/17/2007, 17:57:20] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrator.MOBLEYLAWOFFICE\Desktop\VirtumundoBeGone.exe" )
[10/17/2007, 17:57:23] - Detected System Information:
[10/17/2007, 17:57:23] - Windows Version: 5.1.2600, Service Pack 2
[10/17/2007, 17:57:23] - Current Username: Administrator (Admin)
[10/17/2007, 17:57:23] - Windows is in NORMAL mode.
[10/17/2007, 17:57:23] - Searching for Browser Helper Objects:
[10/17/2007, 17:57:23] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[10/17/2007, 17:57:23] - BHO 2: {089FD14D-132B-48FC-8861-0048AE113215} ()
[10/17/2007, 17:57:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/17/2007, 17:57:23] - Checking for HKLM\...\Winlogon\Notify\SiteAdv
[10/17/2007, 17:57:23] - Key not found: HKLM\...\Winlogon\Notify\SiteAdv, continuing.
[10/17/2007, 17:57:23] - BHO 3: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[10/17/2007, 17:57:23] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/17/2007, 17:57:23] - BHO 5: {E3A49B59-8F5D-4959-B6C2-5D1ADF582D09} ()
[10/17/2007, 17:57:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/17/2007, 17:57:23] - Checking for HKLM\...\Winlogon\Notify\mljjg
[10/17/2007, 17:57:23] - Key not found: HKLM\...\Winlogon\Notify\mljjg, continuing.
[10/17/2007, 17:57:24] - Finished Searching Browser Helper Objects
[10/17/2007, 17:57:24] - Finishing up...
[10/17/2007, 17:57:24] - Nothing found! Exiting...




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users