Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can't Get Rid Of Crack.exe And Other Problems...


  • This topic is locked This topic is locked
20 replies to this topic

#1 Amy_KB

Amy_KB

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:20 AM

Posted 08 November 2007 - 06:50 PM

I've got a couple of problems.

First, I posted in the Am I Infected forum, with this post...

I've been fighting some trojan horses and a worm, but I can't figure this out. When I scan the computer for viruses, it gets stuck for quite a while in the Windows\Fonts folder, and comes up with a lot of weird names that almost all end in crack or keygen. When I search for crack.exe I get a file that appears to be in this folder, but if I open the folder I can't find it. Also, if I delete it, it comes back. Does anyone know what this is and how to get rid of it? I have searched the forums here and searched Google and can't seem to find it. Thanks.
http://www.bleepingcomputer.com/forums/t/115284/am-i-infected-cant-get-rid-of-file-crackexe/

and quietman7 helped me as much as he could. But it didn't solve my problem.

Now, this is what I've got:

on start-up, it says jyvqcvjl.dll cannot be found,

Housecall said it could not remove adw_syscare.c,

and McAfee keeps popping up and saying I have the trojan Vundo. It says it cleans it, but it keeps coming back.

I followed the "what to do first" and here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:07 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\ehome\ehtray.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Visioneer\PaperPort\PPWebCap.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: {456d07e9-887d-e5d9-5654-5e859754cc50} - {05cc4579-58e5-4565-9d5e-d7889e70d654} - C:\WINDOWS\system32\fdpkwqfo.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {956ED805-5E8B-43FE-ADE3-DD9685DDEDCE} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BCC73622-F72D-4277-803C-D65565A0947F} - C:\WINDOWS\system32\fccbcaa.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] "C:\Program Files\Microsoft" Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [ac764335] rundll32.exe "C:\WINDOWS\system32\jyvqcvjl.dll",b
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\Visioneer\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161655312531
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...156/mcfscan.cab
O20 - Winlogon Notify: fccbcaa - C:\WINDOWS\SYSTEM32\fccbcaa.dll
O20 - Winlogon Notify: jfwvnbmi - jfwvnbmi.dll (file missing)
O20 - Winlogon Notify: rqrpomm - rqrpomm.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11696 bytes


Hopefully someone here can help me. I have decent computer knowledge, but I'm not an expert by any means. I can only work on it for a couple of hours in the evening, so if you give me something to do and I don't reply for a while that's why.

Whatever help you can give me - thanks!!

Amy

BC AdBot (Login to Remove)

 


m

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:20 AM

Posted 09 November 2007 - 02:43 AM

Hi,

First of all, I see yiu have McAfee installed which already includes a Firewall. On top you installed the Zonealarm Firewall. This is a real bad idea, because more than 1 Antivirus and Firewall installed may cause a lot of problems, system crashes and a real system slowdown. So in your case, if you did purchase McAfee, then uninstall Zonealarm.

Then, I see you are running Teatimer.
I suggest you to disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you disabled Teatimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, rightclick the link and choose "save as").
Doubleclick ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then, * Download ComboFix from here.
**Save it to your desktop**

In case you have used Combofix before, please delete the version you are having and redownload it again, because Combofix is being updated everyday.

In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again. Because some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.


* Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

When finished and after reboot (in case it rebooted), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Amy_KB

Amy_KB
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:20 AM

Posted 09 November 2007 - 07:45 PM

Combofix log:

ComboFix 07-11-08.1 - Compaq_Administrator 2007-11-09 19:21:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.513 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Compaq_Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Compaq_Administrator\iexplorer.exe
C:\Program Files\Temporary
C:\Program Files\WinAble
C:\svchost.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\jfwvnbmi.dllbox
C:\WINDOWS\system32\pac.txt
C:\z.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
.

2007-11-09 19:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-08 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-08 18:32 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-11-08 18:31 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-11-08 18:31 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-11-08 18:27 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-07 22:21 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-07 00:03 35,328 --a------ C:\WINDOWS\system32\pmnommj.dll
2007-11-06 18:26 <DIR> d-------- C:\sysclean
2007-11-06 01:12 35,328 --a------ C:\WINDOWS\system32\ljjgfef.dll
2007-11-05 10:06 35,328 --a------ C:\WINDOWS\system32\fccbcaa.dll
2007-11-04 16:06 786 --a------ C:\6134.bat
2007-11-04 13:56 786 --a------ C:\3817.bat
2007-11-04 13:51 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-11-04 13:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-11-04 13:51 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\SiteAdvisor
2007-11-04 13:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-04 13:50 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-11-04 13:50 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-11-04 13:50 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-11-04 13:50 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-11-04 13:50 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-11-04 13:49 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-11-04 13:48 <DIR> d-------- C:\Program Files\McAfee.com
2007-11-04 13:48 <DIR> d-------- C:\Program Files\McAfee
2007-11-04 13:48 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-11-04 13:48 786 --a------ C:\8630.bat
2007-11-04 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-04 13:15 786 --a------ C:\7163.bat
2007-11-04 11:52 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-11-04 10:37 4,414 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-04 00:13 786 --a------ C:\7327.bat
2007-11-03 20:32 <DIR> d-------- C:\Deckard
2007-11-03 15:24 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-03 14:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 14:42 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-03 12:04 164 --a------ C:\install.dat
2007-11-03 11:46 406,338 --ahs---- C:\WINDOWS\system32\ilkkj.bak2
2007-11-03 11:34 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\AdwareAlert
2007-11-02 23:46 6,465 --ahs---- C:\WINDOWS\system32\ilkkj.bak1
2007-11-02 18:33 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\.housecall6.6
2007-10-31 22:40 40,733 --a------ C:\WINDOWS\system32\rightonadz-uninst.exe
2007-10-31 22:28 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-10-31 22:25 82 --a------ C:\n.bat
2007-10-31 22:25 0 --a------ C:\z.dat
2007-10-31 22:24 <DIR> d-------- C:\WINDOWS\system32\Mz18r
2007-10-31 22:24 <DIR> d-------- C:\temp\mZOr
2007-10-31 22:23 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-29 12:21 <DIR> d-------- C:\Program Files\FishTycoonSave

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-09 14:29 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-11-08 23:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 11:49 22 ----a-w C:\WINDOWS\Fonts\a.zip
2007-11-07 05:06 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\LimeWire
2007-11-04 18:45 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\AVG7
2007-11-04 18:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-03 21:12 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-11-03 21:08 --------- d-----w C:\Program Files\iTunes
2007-11-03 21:06 --------- d-----w C:\Program Files\Google
2007-11-03 21:04 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-11-02 00:00 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\WeatherBug
2007-11-01 03:04 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Azureus
2007-10-31 23:27 --------- d-----w C:\Program Files\Azureus
2007-10-29 17:21 324 ----a-w C:\Program Files\FTinfo.pts
2007-10-29 17:21 123,884 ----a-w C:\Program Files\FSGB1.pts
2007-10-08 11:47 --------- d-----w C:\Program Files\iPod
2007-10-08 11:26 --------- d-----w C:\Program Files\Apple Software Update
2007-10-07 02:10 --------- d-----w C:\Program Files\Java
2007-09-11 03:21 --------- d-----w C:\Program Files\CloneDVD
2006-07-17 00:58 0 -c--a-w C:\Documents and Settings\Compaq_Administrator\Application Data\wklnhst.dat
2006-01-10 04:55 774,144 ----a-r C:\Program Files\RngInterstitial.dll
2005-05-13 22:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 16:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-14 02:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-10-03 03:56:32 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2005-10-08 00:14:52 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2005-07-14 17:31:20 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 20:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 03:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-25 05:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2006-04-27 15:24:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
2005-02-28 18:16:22 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 05:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05cc4579-58e5-4565-9d5e-d7889e70d654}]
C:\WINDOWS\system32\fdpkwqfo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{956ED805-5E8B-43FE-ADE3-DD9685DDEDCE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC73622-F72D-4277-803C-D65565A0947F}]
2007-11-05 10:06 35328 --a------ C:\WINDOWS\system32\fccbcaa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 12:56]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 00:34]
"SMSERIAL"="sm56hlpr.exe" [2005-01-24 04:56 C:\WINDOWS\sm56hlpr.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-05 11:28]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 18:41]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 09:14]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 07:38]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 16:23]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2003-08-20 16:15]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2004-06-23 19:22]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 15:44]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 03:19]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" []
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 12:19]
"ac764335"="C:\WINDOWS\system32\jyvqcvjl.dll" []
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 16:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2006-04-07 14:02]
"PPWebCap"="C:\Program Files\Visioneer\PaperPort\PPWebCap.exe" [1999-04-13 02:28]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 07:50]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BCC73622-F72D-4277-803C-D65565A0947F}"= C:\WINDOWS\system32\fccbcaa.dll [2007-11-05 10:06 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbcaa]
fccbcaa.dll 2007-11-05 10:06 35328 C:\WINDOWS\system32\fccbcaa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jfwvnbmi]
jfwvnbmi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrpomm]
rqrpomm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
C:\PROGRA~1\VISION~2\ONETOU~2.EXE

R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys
S3 pmxscan;Visioneer USB Kernel;C:\WINDOWS\system32\DRIVERS\usbscan.sys
S3 SQTECH907B;EZCam(PID_907B_00);C:\WINDOWS\system32\Drivers\Capt907B.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7996e2dc-a9a1-11da-9a67-0013d48b815d}]
\Shell\AutoRun\command - K:\JDSecure\Windows\JDSecure20.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-06 08:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
"2007-11-06 01:48:29 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-09 21:58:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
"2007-11-04 18:49:26 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-11-04 18:49:25 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 19:32:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-09 19:36:24 - machine was rebooted
.
--- E O F ---


new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:56 PM, on 11/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Visioneer\PaperPort\PPWebCap.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: {456d07e9-887d-e5d9-5654-5e859754cc50} - {05cc4579-58e5-4565-9d5e-d7889e70d654} - C:\WINDOWS\system32\fdpkwqfo.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {956ED805-5E8B-43FE-ADE3-DD9685DDEDCE} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BCC73622-F72D-4277-803C-D65565A0947F} - C:\WINDOWS\system32\fccbcaa.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] "C:\Program Files\Microsoft" Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [ac764335] rundll32.exe "C:\WINDOWS\system32\jyvqcvjl.dll",b
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\Visioneer\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161655312531
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...156/mcfscan.cab
O20 - Winlogon Notify: fccbcaa - C:\WINDOWS\SYSTEM32\fccbcaa.dll
O20 - Winlogon Notify: jfwvnbmi - jfwvnbmi.dll (file missing)
O20 - Winlogon Notify: rqrpomm - rqrpomm.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 10624 bytes

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:20 AM

Posted 10 November 2007 - 01:33 AM

Hi,

I notice that you have Weatherbug installed on your computer This is very much an ad-enabled application which in addition to providing current outdoor temperature information in the System Tray together with real-time weather alerts can also draw unwanted ads and popups to your computer. This in case you didn't purchase it.
You may also want to read this why weatherbug is not recommended: http://fravia.com/weatherbug.htm

Our recommendation would be to uninstall it using the Add or Remove Programs feature in Control Panel.

If you want a program which provides weather information there is an ad-free alternative to Weatherbug called WeatherWatcher which is available free from http://www.snapfiles.com/get/weatherwatcher.html.

Of course this remains entirely your choice, but please be aware that if you decide to continue using Weatherbug, your computer will be at an increased risk of infection from malware. In case you purchased Weatherbug, then there's no need to uninstall it.

Then,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Crack.exe
C:\WINDOWS\system32\pmnommj.dll
C:\WINDOWS\system32\ljjgfef.dll
C:\WINDOWS\system32\fccbcaa.dll
C:\6134.bat
C:\3817.bat
C:\8630.bat
C:\7163.bat
C:\7327.bat
C:\WINDOWS\system32\ilkkj.bak2
C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\rightonadz-uninst.exe
C:\WINDOWS\system32\vbzip10.dll
C:\n.bat
C:\z.dat

Folder::
C:\WINDOWS\system32\Mz18r
C:\temp\mZOr

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05cc4579-58e5-4565-9d5e-d7889e70d654}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{956ED805-5E8B-43FE-ADE3-DD9685DDEDCE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC73622-F72D-4277-803C-D65565A0947F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Host Process"=-
"ac764335"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BCC73622-F72D-4277-803C-D65565A0947F}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbcaa]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jfwvnbmi]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrpomm]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

Edited by miekiemoes, 10 November 2007 - 01:51 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Amy_KB

Amy_KB
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:20 AM

Posted 10 November 2007 - 01:38 PM

I removed WeatherBug and am giving the other one a try.

New Combofix log:

ComboFix 07-11-08.1 - Compaq_Administrator 2007-11-10 13:00:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.474 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Administrator\Desktop\cfscript.txt
* Created a new restore point

FILE
C:\3817.bat
C:\6134.bat
C:\7163.bat
C:\7327.bat
C:\8630.bat
C:\n.bat
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Crack.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\fccbcaa.dll
C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.bak2
C:\WINDOWS\system32\ljjgfef.dll
C:\WINDOWS\system32\pmnommj.dll
C:\WINDOWS\system32\rightonadz-uninst.exe
C:\WINDOWS\system32\vbzip10.dll
C:\z.dat
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\3817.bat
C:\6134.bat
C:\7163.bat
C:\7327.bat
C:\8630.bat
C:\n.bat
C:\temp\mZOr
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\system32\fccbcaa.dll
C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.bak2
C:\WINDOWS\system32\ljjgfef.dll
C:\WINDOWS\system32\Mz18r
C:\WINDOWS\system32\pmnommj.dll
C:\WINDOWS\system32\rightonadz-uninst.exe
C:\WINDOWS\system32\vbzip10.dll
C:\z.dat

.
((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
.

2007-11-10 11:09 <DIR> d-------- C:\Program Files\Weather Watcher
2007-11-10 11:09 102,400 --a------ C:\WINDOWS\system32\unzip32.dll
2007-11-09 19:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-08 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-08 18:32 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2007-11-08 18:31 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-11-08 18:31 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-11-08 18:27 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-07 22:21 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-06 18:26 <DIR> d-------- C:\sysclean
2007-11-04 13:51 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-11-04 13:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-11-04 13:51 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\SiteAdvisor
2007-11-04 13:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-04 13:50 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-11-04 13:50 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-11-04 13:50 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-11-04 13:50 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-11-04 13:50 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-11-04 13:49 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-11-04 13:48 <DIR> d-------- C:\Program Files\McAfee.com
2007-11-04 13:48 <DIR> d-------- C:\Program Files\McAfee
2007-11-04 13:48 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-11-04 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-04 11:52 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-11-04 10:37 4,414 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-03 20:32 <DIR> d-------- C:\Deckard
2007-11-03 15:24 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-03 14:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 14:42 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-03 12:04 164 --a------ C:\install.dat
2007-11-03 11:34 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\AdwareAlert
2007-11-02 18:33 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\.housecall6.6
2007-10-31 22:23 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-29 12:21 <DIR> d-------- C:\Program Files\FishTycoonSave

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 16:06 --------- d-----w C:\Program Files\AWS
2007-11-10 01:07 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-11-08 23:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 05:06 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\LimeWire
2007-11-04 18:45 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\AVG7
2007-11-04 18:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-03 21:12 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-11-03 21:08 --------- d-----w C:\Program Files\iTunes
2007-11-03 21:06 --------- d-----w C:\Program Files\Google
2007-11-03 21:04 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-11-01 03:04 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Azureus
2007-10-31 23:27 --------- d-----w C:\Program Files\Azureus
2007-10-29 17:21 324 ----a-w C:\Program Files\FTinfo.pts
2007-10-29 17:21 123,884 ----a-w C:\Program Files\FSGB1.pts
2007-10-08 11:47 --------- d-----w C:\Program Files\iPod
2007-10-08 11:26 --------- d-----w C:\Program Files\Apple Software Update
2007-10-07 02:10 --------- d-----w C:\Program Files\Java
2007-09-11 03:21 --------- d-----w C:\Program Files\CloneDVD
2006-07-17 00:58 0 -c--a-w C:\Documents and Settings\Compaq_Administrator\Application Data\wklnhst.dat
2006-01-10 04:55 774,144 ----a-r C:\Program Files\RngInterstitial.dll
2005-05-13 22:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 16:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-14 02:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-10-03 03:56:32 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2005-10-08 00:14:52 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2005-07-14 17:31:20 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 20:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 03:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-25 05:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2006-04-27 15:24:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
2005-02-28 18:16:22 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 05:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-09_19.35.34.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-09 18:52:19 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-10 15:36:25 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-09 18:52:19 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-10 15:36:25 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 12:56]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 00:34]
"SMSERIAL"="sm56hlpr.exe" [2005-01-24 04:56 C:\WINDOWS\sm56hlpr.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-05 11:28]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 18:41]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 09:14]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 07:38]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 16:23]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2003-08-20 16:15]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2004-06-23 19:22]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 15:44]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 03:19]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 12:19]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 16:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00]
"PPWebCap"="C:\Program Files\Visioneer\PaperPort\PPWebCap.exe" [1999-04-13 02:28]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 07:50]
"WeatherWatcher"="C:\Program Files\Weather Watcher\ww.exe" [2007-05-12 10:23]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
C:\PROGRA~1\VISION~2\ONETOU~2.EXE

R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys
S3 pmxscan;Visioneer USB Kernel;C:\WINDOWS\system32\DRIVERS\usbscan.sys
S3 SQTECH907B;EZCam(PID_907B_00);C:\WINDOWS\system32\Drivers\Capt907B.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7996e2dc-a9a1-11da-9a67-0013d48b815d}]
\Shell\AutoRun\command - K:\JDSecure\Windows\JDSecure20.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-06 08:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
"2007-11-06 01:48:29 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-10 17:58:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
"2007-11-04 18:49:26 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-11-04 18:49:25 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-10 13:10:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-10 13:13:01 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-09 19:36
.
--- E O F ---


New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:45 PM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Visioneer\PaperPort\PPWebCap.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] "C:\Program Files\Microsoft" Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\Visioneer\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161655312531
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...156/mcfscan.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 9976 bytes

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:20 AM

Posted 10 November 2007 - 01:58 PM

Hi,

Check and fix next entry in HijackThis:

R3 - URLSearchHook: (no name) - <default> - (no file)

The rest looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Amy_KB

Amy_KB
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:20 AM

Posted 10 November 2007 - 03:06 PM

When I searched for crack.exe it doesn't come up, but crack.0xe does. Should I delete this file? I was going to scan again and watch it, but I didn't know if I should delete this first.

I also noticed that when I click on a link in my e-mail, Internet Explorer opens but nothing happens.

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:20 AM

Posted 10 November 2007 - 06:55 PM

Hi,

crack.0xe does. Should I delete this file?

Yes. That's because you ran F-Secure online scan previously and it renamed crack.exe into crack.0xe.

I also noticed that when I click on a link in my e-mail, Internet Explorer opens but nothing happens.

First, open your Internet Explorer, Click on Tools > Options > Security tab > In Security Zones, change the Zone from Restricted to Internet.
Then apply and re-open outlook and see if that works.
If not...
Please read the solution with screenshots here: http://borris83.googlepages.com/linksinout...doesn'twork
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Amy_KB

Amy_KB
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:20 AM

Posted 10 November 2007 - 08:30 PM

Well, crack.exe is gone and didn't come back when I deleted it, but the other files still show up when I scan. Here are some examples:

Alien Shooter Vengeance Crack.zip
Baby Fat #8 keygen.zip
Barely Legal 69 keygen.zip

etc...

They say they're in C:\Windows\Fonts\'\ when I'm scanning, but I can't find them if I look and they don't show up in search.

Any ideas?

Edited by Amy_KB, 11 November 2007 - 02:58 AM.


#10 Amy_KB

Amy_KB
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:20 AM

Posted 11 November 2007 - 02:57 AM

My scan's done, and it also says I'm still coming up with the trojan Vundo.

#11 Amy_KB

Amy_KB
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:20 AM

Posted 11 November 2007 - 03:31 AM

All right, I may have gotten rid of those files. I did a search for "barely" since it was one of the ones I wrote down, and of course came up empty. Then I set the search to also look for system files, and I found them. I then opened the folder and deleted them all. There was over 11,000 of them! I then emptied the recycle bin. I rebooted and searched again with the system files turned on and came up empty. So if it did really work and they just didn't find some new way to hide, all I should have left is the Vundo trojan.

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:20 AM

Posted 11 November 2007 - 04:15 AM

Hi,

Good to hear you deleted all the "crack" files. Strange that McAfee was not able to delete them though..

all I should have left is the Vundo trojan.

Please let me know where your scanner is still finding this one. The exact path to the file.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 Amy_KB

Amy_KB
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:20 AM

Posted 11 November 2007 - 12:05 PM

There's a bunch.

c:\windows\system32\awtsq.dll
cuvhwlmx.0ll
fdpkwqfo.0ll
ddabb.dll
ddabc.dll
ddaby.dll
ddayv.dll
ddayw.dll
ddayx.dll
ddayy.dll
ddccb.dll
ddcyw.dll
gebcc.dll
gebcd.dll
geeba.dll
geedb.dll
geedc.dll
jkhfc.dll
jkhfd.dll
jkhhe.dll
jkhhf.dll
jkhhh.dll
jkkig.dll
jkkji.dll
jkkjj.dll
jkklk.dll
mljgd.dll
pmkhh.dll
pmnli.dll
pmnll.dll
pmnln.dll
pmnnn.dll
ssqpq.dll
ssttq.dll
vtsqo.dll
vtstr.dll
vtsts.dll
vtutr.dll
c:\documents and settings\compaq_administrator\local settings\temporary internet files\content.ie5\9mtl2od0\css4[1]

And that's just the ones McAfee has quarantined.

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:20 AM

Posted 11 November 2007 - 12:14 PM

Hi,

Is Mcafee currently still finding these AFTER the steps with Combofix and the step to uninstall Combofix?
Because this actually doesn't make sense, unless you got reinfected...
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 Amy_KB

Amy_KB
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:20 AM

Posted 11 November 2007 - 12:32 PM

Yes, it is. Some of them are from when I scanned last night.

Edited by Amy_KB, 11 November 2007 - 12:41 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users