Ldcore.dll Issues


17 replies to this topic

#1 rps79

Posted 08 December 2007 - 02:09 AM

I have followed each step of the preparation page before posting a log, but I cannot get ldcore.dll off of my laptop. I have run Spybot, Adaware, HouseCall & McAfee Stinger, but none will remove ldcore. I attempted removal with Spybot three times, and all three times it would freeze. Spybot identified the file as SmitFraud-C, so I tried following directions for removing it, but still no luck. I have tried running scans in safe mode as well, but nothing is removing this file. I tried using autoruns.exe to remove ldcore.dll from the autorun-on-startup list, but it kept re-appearing after every reboot. The actual file is in my c:\windows\system32 folder. I have no idea what to do at this point. Please help!!!! Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:06:58 AM, on 12/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ryan Stem\My Documents\Downloaded Files\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [{3A-AC-CB-BE-ZN}] C:\Documents and Settings\Ryan Stem\Local Settings\Temp\T0CHD001_c.exe CHD001
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Ryan Stem\Local Settings\Temp\T0CHD001_c.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/C...22/ComCtl32.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.ofoto.com/downloads/hmpr/HMPR_W..._1/axhomepr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/downl...lscbase3401.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://controlgroup.webex.com/client/v_con...ort/ieatgpc.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: WZCBDL Service (WZCBDLService) - Unknown owner - C:\Program Files\WZCBDL Service\WZCBDLS.exe (file missing)

--
End of file - 8103 bytes


I also ran SmitFraudFix and here's the log from it:

SmitFraudFix v2.258

Scan done at 18:40:51.11, Sat 12/08/2007
Run from C:\Documents and Settings\Ryan Stem\My Documents\Downloaded Files\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0966B7CC-6610-40ED-B726-5BBF1346AB4E}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A9EE0344-5892-49F6-9D78-DEE11F60C97F}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E23C98FB-823F-47DC-8C92-231C9FF03BAC}: DhcpNameServer=205.152.132.23 205.152.37.23
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A9EE0344-5892-49F6-9D78-DEE11F60C97F}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0966B7CC-6610-40ED-B726-5BBF1346AB4E}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A9EE0344-5892-49F6-9D78-DEE11F60C97F}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E23C98FB-823F-47DC-8C92-231C9FF03BAC}: DhcpNameServer=205.152.132.23 205.152.37.23
HKLM\SYSTEM\CS3\Services\Tcpip\..\{0966B7CC-6610-40ED-B726-5BBF1346AB4E}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A9EE0344-5892-49F6-9D78-DEE11F60C97F}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E23C98FB-823F-47DC-8C92-231C9FF03BAC}: DhcpNameServer=205.152.132.23 205.152.37.23
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End





Thank you in advance to anyone who might be able to offer assistance,

Ryan

Edited by rps79, 08 December 2007 - 06:58 PM.
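Added example (not part of the original post, and not a HijackThis feature): a small Python triage script that pre-screens log lines of the shape shown above. The sample lines are constructed by copying entries from the log in this post; the rules, the `Finding` type and the wording of the reasons are this editor's own. It flags the three things an analyst would pull out of this log first: a non-empty O20 AppInit_DLLs value (on Windows XP that DLL is mapped into every process that loads user32.dll, so it is always in use, hard to delete from a running system, and well placed to re-create its own registry entry), O4 autostart entries that run a binary out of a Temp directory, and O23 services whose binary is missing or carries no company name. The last rule marks entries for manual review only; the Linksys service it catches here is benign.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines in HijackThis 2.0.x log format,
# copied from the log in the post above (the full log has many more lines).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{3A-AC-CB-BE-ZN}] C:\Documents and Settings\Ryan Stem\Local Settings\Temp\T0CHD001_c.exe CHD001
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Ryan Stem\Local Settings\Temp\T0CHD001_c.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: WZCBDL Service (WZCBDLService) - Unknown owner - C:\Program Files\WZCBDL Service\WZCBDLS.exe (file missing)
"""

# Every HijackThis entry looks like "O4 - <body>", "O20 - <body>", "R1 - <body>", ...
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# A Temp directory anywhere in the path (the user's Local Settings\Temp or C:\WINDOWS\Temp).
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def appinit_dlls(body: str):
    """Return the AppInit_DLLs value from an O20 body, or None if it is empty."""
    if not body.lower().startswith("appinit_dlls:"):
        return None
    value = body.split(":", 1)[1].strip()
    return value or None


def triage(log_text: str):
    """Scan HijackThis lines and return the entries worth a closer look."""
    findings = []
    for raw in log_text.strip().splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # header, running-process list, blank line
        section, body = m.group("section"), m.group("body")
        if section == "O20":
            value = appinit_dlls(body)
            if value:
                findings.append(Finding(section,
                    f"AppInit_DLLs loads {value} into every process that maps user32.dll", raw))
        elif section == "O4" and TEMP_DIR.search(body):
            findings.append(Finding(section, "autostart entry runs a binary from a Temp directory", raw))
        elif section == "O23" and "(file missing)" in body:
            findings.append(Finding(section, "service points at a binary that no longer exists", raw))
        elif section == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(section, "service binary carries no company name (review manually)", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

Run against the sample it reports five entries: the two Temp-directory autostarts (the HKLM Run key and the TA_Start.lnk Startup shortcut both point at the same T0CHD001_c.exe), the ldcore.dll AppInit_DLLs value, the orphaned WZCBDL service and the unsigned Linksys service. Everything else in the log passes the rules.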


#2 SifuMike

Posted 11 December 2007 - 02:44 PM

Hello rps79,

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Do Not run it yet, we will need it later.

Download SDFix and save it to your Desktop.

Double-click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt back onto the forum


  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found.
  • If so, click it, then click the next icon right below and select Move incurable.
    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer, because it is possible that files in use will only be moved/deleted during reboot.
  • After reboot, post the contents of the Dr.Web log you saved previously and the SDFix report Report.txt, along with a new HijackThis log, in your next reply.

Edited by SifuMike, 11 December 2007 - 02:45 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 rps79


Posted 13 December 2007 - 12:45 AM

SifuMike,

Thank you very much for responding. Here is the SDFix Report:

SDFix: Version 1.118

Run by Ryan Stem on Wed 12/12/2007 at 10:03 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting AppInit_DLLs value


Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\Documents and Settings\Ryan Stem\Start Menu\Programs\Startup\TA_Start.lnk - Deleted
C:\Program Files\Setup.exe - Deleted
C:\WINDOWS\system32\ldcore.dll - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\pac.txt - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 22:28:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe"="C:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe:*:Disabled:javaw"
"C:\\Program Files\\eDonkey2000\\edonkey2000.exe"="C:\\Program Files\\eDonkey2000\\edonkey2000.exe:*:Enabled:edonkey2000"
"C:\\WINDOWS\\SYSTEM32\\p2pnetwork.exe"="C:\\WINDOWS\\SYSTEM32\\p2pnetwork.exe:*:Disabled:p2pnetwork"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\BearChat\\DBabble.exe"="C:\\Program Files\\BearChat\\DBabble.exe:*:Enabled:DBabble"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Disabled:Kodak Software Updater"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\avsys\\ScanningProcess.exe"="C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\avsys\\ScanningProcess.exe:*:Enabled:Kaspersky AV Scanner"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Ruckus Player\\Ruckus.exe"="C:\\Program Files\\Ruckus Player\\Ruckus.exe:*:Enabled:Ruckus"
"C:\\WINDOWS\\LMI64.tmp\\rescue.exe"="C:\\WINDOWS\\LMI64.tmp\\rescue.exe:*:Enabled:LogMeIn Rescue"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"E:\\Ceedo\\Program Files\\iTunes.exe"="E:\\Ceedo\\Program Files\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 13 Oct 2004 1,694,208 ...H. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Wed 4 Aug 2004 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Fri 28 Jan 2005 73,728 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Sat 1 May 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 9 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 2 Jun 2004 25,600 ...H. --- "C:\Documents and Settings\Ryan Stem\My Documents\My files\~WRL0003.tmp"
Tue 8 Aug 2006 52,224 ...H. --- "C:\Documents and Settings\Ryan Stem\My Documents\My files\~WRL0005.tmp"
Sat 12 Nov 2005 23,552 ...H. --- "C:\Documents and Settings\Ryan Stem\My Documents\My files\~WRL0726.tmp"
Sat 12 Nov 2005 23,552 ...H. --- "C:\Documents and Settings\Ryan Stem\My Documents\My files\~WRL1277.tmp"
Mon 29 Mar 2004 151,552 A..H. --- "C:\Documents and Settings\Ryan Stem\My Documents\My files\~WRL2707.tmp"
Sat 12 Nov 2005 24,064 ...H. --- "C:\Documents and Settings\Ryan Stem\My Documents\My files\~WRL2846.tmp"
Sat 12 Nov 2005 23,552 ...H. --- "C:\Documents and Settings\Ryan Stem\My Documents\My files\~WRL3614.tmp"
Wed 4 Aug 2004 73,728 A.SH. --- "C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe"
Thu 15 Feb 2007 22,016 ...H. --- "C:\Documents and Settings\Ryan Stem\Application Data\Microsoft\Word\~WRL0003.tmp"
Sun 18 Feb 2007 22,016 ...H. --- "C:\Documents and Settings\Ryan Stem\Application Data\Microsoft\Word\~WRL0004.tmp"
Sun 21 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\Ryan Stem\Application Data\Microsoft\Word\~WRL0005.tmp"
Sat 12 Nov 2005 24,064 ...H. --- "C:\Documents and Settings\Ryan Stem\Application Data\Microsoft\Word\~WRL0112.tmp"
Sun 21 Oct 2007 7,399,936 ...H. --- "C:\Documents and Settings\Ryan Stem\Application Data\Microsoft\Word\~WRL0247.tmp"
Sun 21 Oct 2007 7,394,304 ...H. --- "C:\Documents and Settings\Ryan Stem\Application Data\Microsoft\Word\~WRL0438.tmp"
Sat 12 Nov 2005 25,088 ...H. --- "C:\Documents and Settings\Ryan Stem\Application Data\Microsoft\Word\~WRL0589.tmp"
Sun 21 Oct 2007 7,397,888 ...H. --- "C:\Documents and Settings\Ryan Stem\Application Data\Microsoft\Word\~WRL0952.tmp"
Sun 21 Oct 2007 7,397,888 ...H. --- "C:\Documents and Settings\Ryan Stem\Application Data\Microsoft\Word\~WRL1962.tmp"
Mon 19 Feb 2007 32,768 ...H. --- "C:\Documents and Settings\Ryan Stem\Application Data\Microsoft\Word\~WRL2275.tmp"
Sun 21 Oct 2007 7,396,352 ...H. --- "C:\Documents and Settings\Ryan Stem\Application Data\Microsoft\Word\~WRL3048.tmp"
Sat 12 Nov 2005 29,696 ...H. --- "C:\Documents and Settings\Ryan Stem\Application Data\Microsoft\Word\~WRL3129.tmp"
Mon 19 Feb 2007 33,792 ...H. --- "C:\Documents and Settings\Ryan Stem\Application Data\Microsoft\Word\~WRL3631.tmp"
Sun 21 Oct 2007 7,397,888 ...H. --- "C:\Documents and Settings\Ryan Stem\Application Data\Microsoft\Word\~WRL3697.tmp"
Sun 21 Oct 2007 7,395,840 ...H. --- "C:\Documents and Settings\Ryan Stem\Application Data\Microsoft\Word\~WRL3740.tmp"

Finished!



I just looked in my system32 folder and ldcore.dll is gone, but another .dll file that kept tripping up McAfee, ddcccyy.dll, is still there. McAfee called this one Vundu, but I'm not getting the typical McAfee warning anymore. Also, I tried deleting the ddcccyy.dll file, and an error message stated another program was using it and it could not be deleted. I am going to run the Dr.Web program now and will include that report plus another HijackThis report as well.

Thanks again!

Ryan
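Added example, not from SDFix or the original post: the "Authorized Application Key Export" in the report above is the Windows XP SP2 firewall allow-list, and it is worth reading as a persistence source in its own right, since a dropper that adds itself there gets inbound connectivity without touching any autostart key. The script below parses a constructed sample in the same export format (entries copied from the report above) and flags enabled entries whose binary lives directly under system32, in a *.tmp directory under Windows, or in any Temp directory. The expansion of %windir% to C:\WINDOWS and the EXPECTED_SYSTEM32 allow-list are assumptions of this example. A flag is a prompt to look, not a verdict: the LogMeIn Rescue entry it catches is a legitimate remote-support tool, but an allow-listed executable under C:\WINDOWS\LMI64.tmp\ is exactly the shape a malicious entry would take, so it belongs on the review list.

```python
import re

# Constructed sample in the shape of SDFix's "Authorized Application Key Export"
# (the Windows XP SP2 firewall allow-list), trimmed to a few representative entries.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\eDonkey2000\\edonkey2000.exe"="C:\\Program Files\\eDonkey2000\\edonkey2000.exe:*:Enabled:edonkey2000"
"C:\\WINDOWS\\SYSTEM32\\p2pnetwork.exe"="C:\\WINDOWS\\SYSTEM32\\p2pnetwork.exe:*:Disabled:p2pnetwork"
"C:\\WINDOWS\\LMI64.tmp\\rescue.exe"="C:\\WINDOWS\\LMI64.tmp\\rescue.exe:*:Enabled:LogMeIn Rescue"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

# One registry value per line: "<path>"="<value>"
ENTRY = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>.*)"$')
# Value layout used by the XP firewall: <path>:<scope>:<Enabled|Disabled>:<display name>
VALUE = re.compile(r'^(?P<path>.*?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$',
                   re.IGNORECASE)
# Places a normally installed, allow-listed program rarely lives.
ODD_LOCATION = re.compile(r"\\windows\\system32\\|\\windows\\[^\\]+\.tmp\\|\\temp\\", re.IGNORECASE)
# Assumption: XP components that are expected to sit under system32 (extend as needed).
EXPECTED_SYSTEM32 = {"sessmgr.exe"}


def parse_export(text: str):
    """Parse a registry-export style dump into a list of allow-list entries."""
    profile, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # ...\firewallpolicy\<profile>\authorizedapplications\list
            profile = line[1:-1].lower().split("\\")[-3]
            continue
        m = ENTRY.match(line)
        v = VALUE.match(m.group("value")) if m else None
        if not v:
            continue
        # Un-escape the doubled backslashes and expand %windir% (assumed to be C:\WINDOWS).
        path = v.group("path").replace("\\\\", "\\").replace("%windir%", r"C:\WINDOWS")
        entries.append({
            "profile": profile,
            "path": path,
            "scope": v.group("scope"),
            "enabled": v.group("state").lower() == "enabled",
            "name": v.group("name"),
        })
    return entries


def suspicious_allows(entries):
    """Enabled entries whose binary sits somewhere a normal install would not put it."""
    out = []
    for e in entries:
        if not e["enabled"]:
            continue
        base = e["path"].rsplit("\\", 1)[-1].lower()
        if ODD_LOCATION.search(e["path"]) and base not in EXPECTED_SYSTEM32:
            out.append(e)
    return out


if __name__ == "__main__":
    entries = parse_export(SAMPLE_EXPORT)
    print(f"{len(entries)} entries, {sum(e['enabled'] for e in entries)} enabled")
    for e in suspicious_allows(entries):
        print(f"review: [{e['profile']}] {e['name']} -> {e['path']}")
```

The disabled p2pnetwork.exe entry under SYSTEM32 is deliberately not flagged: it grants nothing while disabled, though its presence is still worth noting in the write-up. Note also that the value parser matches the path lazily, because the path itself contains a colon (the drive letter) and the fields after it are delimited by colons.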

#4 SifuMike


Posted 13 December 2007 - 12:53 PM

Hi Ryan,

I am going to run the drweb program now and will include that report plus another Hijackthis report as well.


OK. I will need to see those reports before we can proceed.

#5 rps79


Posted 13 December 2007 - 11:12 PM

Hey SifuMike,

This is the Dr.Web express scan report:

sdcmon.dll;c:\program files\support.com\bin;Probably DLOADER.Trojan;Deleted.;
ddcccyy.dll;c:\windows\system32;Trojan.Virtumod.240;Deleted.;






Here is the Dr.Web complete scan report:

setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2;Probably BACKDOOR.Trojan;Incurable.Moved.;
Process.exe;C:\Documents and Settings\Ryan Stem\My Documents\Downloaded Files\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Ryan Stem\My Documents\Downloaded Files\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
MiniBugTransporter.dll;C:\Program Files\AWS\WeatherBug;Adware.Aws;Incurable.Moved.;
tgupdate.exe;C:\Program Files\support.com\bin;Probably DLOADER.Trojan;Incurable.Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0138016.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP829;Trojan.NtRootKit.103;Deleted.;
A0147358.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP832;Trojan.Virtumod.240;Deleted.;
A0147359.ddd;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP832;Trojan.DownLoader.origin;Incurable.Moved.;
A0151452.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP834;Trojan.DownLoader.origin;Incurable.Moved.;
A0151487.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP835;Trojan.Virtumod.240;Deleted.;
A0151488.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP835;Probably DLOADER.Trojan;Incurable.Moved.;
lhkljhlkjhlk;C:\WINDOWS\SYSTEM32;Trojan.DownLoader.origin;Incurable.Moved.;







And here is the most recent HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:25 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ryan Stem\My Documents\Downloaded Files\HiJackThis.exe
c:\Program Files\Common Files\InstallShield\UpdateService\agent.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [{3A-AC-CB-BE-ZN}] C:\Documents and Settings\Ryan Stem\Local Settings\Temp\T0CHD001_c.exe CHD001
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/C...22/ComCtl32.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.ofoto.com/downloads/hmpr/HMPR_W..._1/axhomepr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/downl...lscbase3401.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://controlgroup.webex.com/client/v_con...ort/ieatgpc.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: WZCBDL Service (WZCBDLService) - Unknown owner - C:\Program Files\WZCBDL Service\WZCBDLS.exe (file missing)

--
End of file - 7301 bytes


Thanks again,

Ryan

#6 SifuMike

SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 14 December 2007 - 12:02 AM

Hi ryan,

This computer is very infected. :thumbsup:

I still think you have Vundo malware on this computer, so we will run some more tools.

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O4 - HKLM\..\Run: [{3A-AC-CB-BE-ZN}] C:\Documents and Settings\Ryan Stem\Local Settings\Temp\T0CHD001_c.exe CHD001

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
  • Clean any others that you choose.

In the Applications Tab:
  • Clean all including cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot Your computer to the Normal Mode.


Let's run ComboFix.

Disable your McAfee antivirus, as that will prevent ComboFix from completing.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


If you have used ComboFix before, please delete the version you have and redownload it again, because ComboFix is being updated every day.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh HijackThis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
Do NOT run ComboFix more than once.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

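Added example for this thread (not code from BleepingComputer, from the participants, or from HijackThis): a small Python triage pass over lines in the O4 and O23 shapes shown in the logs above. It flags the two patterns the helper singled out, an autostart entry executing from a user's Temp folder under a generated-looking value name, and a service whose binary no longer exists; the regexes describe only the line shapes visible in this thread, and SAMPLE_LOG is constructed from entries quoted above.

```python
"""Triage pass over HijackThis-style O4 and O23 lines (added example)."""
import re
from dataclasses import dataclass

# O4 autostart entry, e.g.  O4 - HKLM\..\Run: [name] C:\path\prog.exe args
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# O23 service entry, e.g.  O23 - Service: Display (svc) - Vendor - C:\path\svc.exe (file missing)
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<vendor>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# Folders from which a legitimate autostart program almost never runs (heuristic).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


@dataclass
class Finding:
    line: str
    reasons: list


def exe_path(cmd: str) -> str:
    """Return the program path from an O4 command line, quoted or bare, with or without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def looks_generated(name: str) -> bool:
    """True for brace-wrapped groups of two characters such as {3A-AC-CB-BE-ZN}:
    a value name carrying no product name, like the entry the helper asked the
    poster to fix. Heuristic for this example, not a HijackThis rule."""
    return re.fullmatch(r"\{[0-9A-Z]{2}(-[0-9A-Z]{2})+\}", name) is not None


def triage(lines):
    """Return one Finding per line that matches a pattern worth a closer look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        reasons = []
        m = O4_RE.match(line)
        if m:
            exe = exe_path(m.group("cmd")).lower()
            if any(marker in exe for marker in TEMP_MARKERS):
                reasons.append("autostart runs from a Temp folder")
            if looks_generated(m.group("name")):
                reasons.append("autostart value name looks generated")
        else:
            m = O23_RE.match(line)
            if m and m.group("missing"):
                reasons.append("service binary missing on disk")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


# Constructed sample: five lines taken from the logs quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [{3A-AC-CB-BE-ZN}] C:\Documents and Settings\Ryan Stem\Local Settings\Temp\T0CHD001_c.exe CHD001
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: WZCBDL Service (WZCBDLService) - Unknown owner - C:\Program Files\WZCBDL Service\WZCBDLS.exe (file missing)
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Running it on the sample reports the Temp-folder autostart with both reasons and the orphaned WZCBDL service, while the RealPlayer and ctfmon entries pass untouched.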
#7 rps79

rps79
  • Topic Starter
  • Members
  • 9 posts

Posted 16 December 2007 - 04:58 PM

Hey SifuMike,

I ran CCleaner and then I started ComboFix. ComboFix, at first, seemed to be running correctly, but it sat there for much longer than I expected and still did not complete. I allowed ComboFix to run for approximately 46 hours, yet nothing seemed to be happening on the laptop. I couldn't leave my laptop in a state like that, so I rebooted the computer. This is the log file from ComboFix:

ComboFix 07-12-15.1 - Ryan Stem 2007-12-14 20:17:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.64 [GMT -5:00]
Running from: C:\Documents and Settings\Ryan Stem\Desktop\ComboFix.exe
* Created a new restore point
.
Here is the most recent HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:49, on 2007-12-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Ryan Stem\My Documents\Downloaded Files\HiJackThis.exe
C:\Program Files\Support.com\SecurityPatch5665.exe
C:\DOCUME~1\RYANST~1\LOCALS~1\Temp\is-U67P6.tmp\is-LJ30J.tmp
C:\DOCUME~1\RYANST~1\LOCALS~1\Temp\is-5CVLT.tmp\_isetup\_RegDLL.tmp

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/C...22/ComCtl32.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.ofoto.com/downloads/hmpr/HMPR_W..._1/axhomepr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/downl...lscbase3401.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://controlgroup.webex.com/client/v_con...ort/ieatgpc.cab
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: WZCBDL Service (WZCBDLService) - Unknown owner - C:\Program Files\WZCBDL Service\WZCBDLS.exe (file missing)

--
End of file - 6711 bytes
Now when I close "My Computer" my entire screen goes blank and the Windows bar at the bottom of the screen disappears. I have to use my Task Manager to switch back and forth now. Does this have something to do with ComboFix? I did everything exactly as the directions state; turned off my virus protection, disconnected my internet. Why did it seem like nothing happened in the 42 hours ComboFix was supposed to be running? The laptop is still running quite slow and it seems like there's still something wrong. What is going on with my computer???

-Ryan

Edited by rps79, 16 December 2007 - 04:59 PM.


#8 SifuMike

SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 16 December 2007 - 05:06 PM

Hi Ryan,

ComboFix, at first, seemed to be running correctly, but it sat there for much longer than I expected and still did not complete. I allowed ComboFix to run for approximately 46 hours, yet nothing seemed to be happening on the laptop. I couldn't leave my laptop in a state like that, so I rebooted the computer. This is the log file from ComboFix:

ComboFix 07-12-15.1 - Ryan Stem 2007-12-14 20:17:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.64 [GMT -5:00]
Running from: C:\Documents and Settings\Ryan Stem\Desktop\ComboFix.exe
* Created a new restore point


Sounds like something is preventing ComboFix from running. It should take 10 minutes to run on a lightly infected computer, maybe 20 minutes on a heavily infected computer.

Did you disable your McAfee antivirus before running ComboFix?
Don't run it again, just let me know what you did.

Edited by SifuMike, 16 December 2007 - 05:12 PM.


#9 rps79

rps79
  • Topic Starter
  • Members
  • 9 posts

Posted 16 December 2007 - 07:22 PM

Yes, I disabled both the McAfee antivirus and Windows Firewall. Also, how do I get the time off of military time?

Edited by rps79, 16 December 2007 - 07:23 PM.


#10 SifuMike

SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 16 December 2007 - 07:27 PM

Hi Ryan,

Something is stopping ComboFix from running correctly.

Uninstall ComboFix: go to Start > Run & type in ComboFix /u
Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know when you're done and we shall continue. :thumbsup:

Edited by SifuMike, 16 December 2007 - 07:28 PM.


#11 rps79

rps79
  • Topic Starter
  • Members
  • 9 posts

Posted 16 December 2007 - 07:30 PM

Okay, just did that. Based on the HijackThis report, is my laptop still infected?

#12 SifuMike

SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 16 December 2007 - 07:39 PM

Hi rps79,

The log looks OK, but it does not show all of the registry entries that can still be infected, so we have to dig deeper.

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files.

It will create a folder named WinPFind3u on your desktop.
Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.

In the Files Created Within group click 30 days
In the Files Modified Within group select 30 days
In the File String Search group select Non-Microsoft
Now click the Run Scan button on the toolbar.


When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.

Please post the resulting log here as an attachment.

#13 rps79

rps79
  • Topic Starter
  • Members
  • 9 posts

Posted 16 December 2007 - 09:03 PM

Hey SifuMike,

Here's the WinPFind3U scan log:

WinPFind3 logfile created on: 12/16/2007 8:41:20 PM
WinPFind3U by OldTimer - Version 1.0.44 Folder = C:\Documents and Settings\Ryan Stem\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

254.33 Mb Total Physical Memory | 33.78 Mb Available Physical Memory | 13.28% Memory free
625.33 Mb Paging File | 410.84 Mb Available in Paging File | 65.70% Paging File free
Paging file location(s): C:\pagefile.sys 384 768;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.58 Gb Total Space | 7.39 Gb Free Space | 39.79% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: RYAN
Current User Name: Ryan Stem
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
dkservice.exe -> %ProgramFiles%\Diskeeper Corporation\Diskeeper\DkService.exe -> Diskeeper Corporation [Ver = 10.0.593.0 | Size = 765952 bytes | Modified Date = 11/23/2005 8:58:04 AM | Attr = ]
hwapi.exe -> %CommonProgramFiles%\McAfee\HackerWatch\HWAPI.exe -> McAfee, Inc. [Ver = 8.3.105.0 | Size = 540776 bytes | Modified Date = 2/13/2007 11:09:12 AM | Attr = ]
isuspm.exe -> %CommonProgramFiles%\InstallShield\UpdateService\ISUSPM.exe -> Macrovision Corporation [Ver = 6, 0, 100, 54472 | Size = 218032 bytes | Modified Date = 9/11/2006 3:40:32 AM | Attr = ]
mcagent.exe -> %ProgramFiles%\McAfee.com\Agent\mcagent.exe -> McAfee, Inc. [Ver = 7,2,142,0 | Size = 566872 bytes | Modified Date = 1/5/2007 3:21:16 PM | Attr = ]
mcmscsvc.exe -> %ProgramFiles%\McAfee\MSC\mcmscsvc.exe -> McAfee, Inc. [Ver = 7,2,142,0 | Size = 361560 bytes | Modified Date = 1/5/2007 3:22:12 PM | Attr = ]
mcnasvc.exe -> %CommonProgramFiles%\McAfee\MNA\McNASvc.exe -> McAfee, Inc. [Ver = 1,2,108,0 | Size = 2213416 bytes | Modified Date = 3/9/2007 3:36:10 AM | Attr = ]
mcods.exe -> %ProgramFiles%\McAfee\VirusScan\mcods.exe -> McAfee, Inc. [Ver = 11,2,121,0 | Size = 362064 bytes | Modified Date = 1/16/2007 5:03:36 PM | Attr = ]
mcpromgr.exe -> %ProgramFiles%\McAfee\MSC\mcpromgr.exe -> McAfee, Inc. [Ver = 7,2,142,0 | Size = 493144 bytes | Modified Date = 1/5/2007 3:21:40 PM | Attr = ]
mcshield.exe -> %ProgramFiles%\McAfee\VirusScan\Mcshield.exe -> McAfee, Inc. [Ver = VSCORE.13.3.2.116.x86 | Size = 144960 bytes | Modified Date = 6/25/2007 9:56:42 AM | Attr = ]
mcsysmon.exe -> %ProgramFiles%\McAfee\VirusScan\mcsysmon.exe -> McAfee, Inc. [Ver = 11,2,131,0 | Size = 643664 bytes | Modified Date = 1/25/2007 5:01:58 PM | Attr = ]
mcvsshld.exe -> %ProgramFiles%\McAfee\VirusScan\mcvsshld.exe -> McAfee, Inc. [Ver = 11,2,121,0 | Size = 370256 bytes | Modified Date = 1/16/2007 5:03:34 PM | Attr = ]
mdnsresponder.exe -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> Apple Computer, Inc. [Ver = 1,0,3,1 | Size = 229376 bytes | Modified Date = 2/28/2006 11:42:38 AM | Attr = ]
nicserv.exe -> %ProgramFiles%\Linksys\Wireless-G Notebook Adapter\NICServ.exe -> [Ver = 1.1.0.0 | Size = 455680 bytes | Modified Date = 11/13/2003 1:29:40 PM | Attr = ]
realsched.exe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3959 | Size = 185896 bytes | Modified Date = 6/4/2007 9:20:40 PM | Attr = ]
redirsvc.exe -> %CommonProgramFiles%\McAfee\RedirSvc\RedirSvc.exe -> McAfee, Inc. [Ver = 1,3,109,0 | Size = 256096 bytes | Modified Date = 3/8/2007 2:42:42 PM | Attr = ]
seasyncservices.exe -> %ProgramFiles%\Seagate\Sync\SeaSyncServices.exe -> Seagate Technology LLC [Ver = 2, 0, 0, 7 | Size = 24120 bytes | Modified Date = 1/18/2007 12:20:24 PM | Attr = ]
tgcmd.exe -> %ProgramFiles%\support.com\bin\tgcmd.exe -> SupportSoft, Inc. [Ver = 5,6,1125,0 | Size = 1773568 bytes | Modified Date = 3/7/2007 9:58:20 AM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.44.0 | Size = 371200 bytes | Modified Date = 11/21/2007 9:19:46 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Apple Mobile Device) Apple Mobile Device [Win32_Own | Disabled | Stopped] -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> Apple, Inc. [Ver = 1, 14, 0, 0 | Size = 110592 bytes | Modified Date = 9/6/2007 12:28:18 PM | Attr = ]
(Bonjour Service) Bonjour Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> Apple Computer, Inc. [Ver = 1,0,3,1 | Size = 229376 bytes | Modified Date = 2/28/2006 11:42:38 AM | Attr = ]
(Diskeeper) Diskeeper [Win32_Own | Auto | Running] -> %ProgramFiles%\Diskeeper Corporation\Diskeeper\DkService.exe -> Diskeeper Corporation [Ver = 10.0.593.0 | Size = 765952 bytes | Modified Date = 11/23/2005 8:58:04 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 2:56:48 AM | Attr = ]
(Emproxy) McAfee E-mail Proxy [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\McAfee\EmProxy\emproxy.exe -> McAfee, Inc. [Ver = 11,2,214,0 | Size = 341328 bytes | Modified Date = 10/5/2007 4:33:26 PM | Attr = ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/3/2005 11:41:10 PM | Attr = ]
(McAfee HackerWatch Service) McAfee HackerWatch Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\McAfee\HackerWatch\HWAPI.exe -> McAfee, Inc. [Ver = 8.3.105.0 | Size = 540776 bytes | Modified Date = 2/13/2007 11:09:12 AM | Attr = ]
(mcmispupdmgr) McAfee Update Manager [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\McAfee\MSC\mcupdmgr.exe -> McAfee, Inc. [Ver = 7,2,142,0 | Size = 689752 bytes | Modified Date = 1/5/2007 3:22:18 PM | Attr = ]
(mcmscsvc) McAfee Services [Win32_Own | Auto | Running] -> %ProgramFiles%\McAfee\MSC\mcmscsvc.exe -> McAfee, Inc. [Ver = 7,2,142,0 | Size = 361560 bytes | Modified Date = 1/5/2007 3:22:12 PM | Attr = ]
(McNASvc) McAfee Network Agent [Win32_Own | Auto | Running] -> %CommonProgramFiles%\McAfee\MNA\McNASvc.exe -> McAfee, Inc. [Ver = 1,2,108,0 | Size = 2213416 bytes | Modified Date = 3/9/2007 3:36:10 AM | Attr = ]
(McODS) McAfee Scanner [Win32_Own | Auto | Running] -> %ProgramFiles%\McAfee\VirusScan\mcods.exe -> McAfee, Inc. [Ver = 11,2,121,0 | Size = 362064 bytes | Modified Date = 1/16/2007 5:03:36 PM | Attr = ]
(mcpromgr) McAfee Protection Manager [Win32_Own | Auto | Running] -> %ProgramFiles%\McAfee\MSC\mcpromgr.exe -> McAfee, Inc. [Ver = 7,2,142,0 | Size = 493144 bytes | Modified Date = 1/5/2007 3:21:40 PM | Attr = ]
(McRedirector) McAfee Redirector Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\McAfee\RedirSvc\RedirSvc.exe -> McAfee, Inc. [Ver = 1,3,109,0 | Size = 256096 bytes | Modified Date = 3/8/2007 2:42:42 PM | Attr = ]
(McShield) McAfee Real-time Scanner [Win32_Own | Unknown | Running] -> -> File not found
(McSysmon) McAfee SystemGuards [Win32_Own | Auto | Running] -> %ProgramFiles%\McAfee\VirusScan\mcsysmon.exe -> McAfee, Inc. [Ver = 11,2,131,0 | Size = 643664 bytes | Modified Date = 1/25/2007 5:01:58 PM | Attr = ]
(NICSer_WPC54G) NICSer_WPC54G [Win32_Own | Auto | Running] -> %ProgramFiles%\Linksys\Wireless-G Notebook Adapter\NICServ.exe -> [Ver = 1.1.0.0 | Size = 455680 bytes | Modified Date = 11/13/2003 1:29:40 PM | Attr = ]
(Seagate Sync Service) Seagate Sync Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Seagate\Sync\SeaSyncServices.exe -> Seagate Technology LLC [Ver = 2, 0, 0, 7 | Size = 24120 bytes | Modified Date = 1/18/2007 12:20:24 PM | Attr = ]
(WZCBDLService) WZCBDL Service [Win32_Shared | Auto | Stopped] -> %ProgramFiles%\WZCBDL Service\WZCBDLS.exe -> File not found

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Adobe Reader Speed Launcher -> %ProgramFiles%\Adobe\Reader 8.0\Reader\Reader_sl.exe -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 39792 bytes | Modified Date = 10/10/2007 6:51:56 PM | Attr = ]
ClientGW -> -> File not found
QuickTime Task -> %ProgramFiles%\QuickTime\QTTask.exe -> Apple Inc. [Ver = 7.3 | Size = 286720 bytes | Modified Date = 10/19/2007 8:16:26 PM | Attr = ]
tgcmd -> %ProgramFiles%\support.com\bin\tgcmd.exe -> SupportSoft, Inc. [Ver = 5,6,1125,0 | Size = 1773568 bytes | Modified Date = 3/7/2007 9:58:20 AM | Attr = ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3959 | Size = 185896 bytes | Modified Date = 6/4/2007 9:20:40 PM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
ISUSPM -> %CommonProgramFiles%\InstallShield\UpdateService\ISUSPM.exe -> Macrovision Corporation [Ver = 6, 0, 100, 54472 | Size = 218032 bytes | Modified Date = 9/11/2006 3:40:32 AM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
igfxcui -> %System32%\igfxsrvc.dll -> Intel Corporation [Ver = 3.0.0.4342 | Size = 348160 bytes | Modified Date = 10/19/2005 8:59:14 AM | Attr = ]
NavLogon -> Reg Data - Value does not exist -> File not found
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
< HOSTS File > (686 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost -> ->
< Internet Explorer Settings > -> ->
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch ->
HKLM: Local Page -> C:\windows\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch ->
HKLM: Start Page -> http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch ->
HKCU: Local Page -> C:\windows\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch ->
HKCU: Start Page -> http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome ->
HKCU: ProxyEnable -> 0 ->
HKCU: ProxyOverride -> *.local ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/22/2006 10:08:42 PM | Attr = ]
{1875e2a1-2708-49ac-94eb-cb67193bf314} [HKLM] -> %System32%\jytgkqhq.dll [Reg Data - Value does not exist] -> [Ver = | Size = 77376 bytes | Modified Date = 12/3/2007 11:04:46 PM | Attr = ]
{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} [HKLM] -> %ProgramFiles%\ComcastToolbar\comcasttoolbar.dll [Comcast Toolbar] -> Comcast Cable Communications. [Ver = 5.0.0.72 | Size = 1821184 bytes | Modified Date = 11/7/2006 2:21:58 PM | Attr = ]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231} [HKLM] -> %ProgramFiles%\McAfee\VirusScan\scriptcl.dll [scriptproxy] -> McAfee, Inc. [Ver = VSCORE.13.3.2.116.x86 | Size = 67136 bytes | Modified Date = 6/25/2007 9:57:44 AM | Attr = ]
{84EA8634-2F02-4DD9-91E2-EE2EB605FDE7} [HKLM] -> %System32%\cbxww.dll [Reg Data - Value does not exist] -> [Ver = | Size = 324192 bytes | Modified Date = 12/1/2007 7:21:56 AM | Attr = ]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} [HKLM] -> %ProgramFiles%\ComcastToolbar\comcasttoolbar.dll [Comcast Toolbar] -> Comcast Cable Communications. [Ver = 5.0.0.72 | Size = 1821184 bytes | Modified Date = 11/7/2006 2:21:58 PM | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} [HKLM] -> %ProgramFiles%\ComcastToolbar\comcasttoolbar.dll [Comcast Toolbar] -> Comcast Cable Communications. [Ver = 5.0.0.72 | Size = 1821184 bytes | Modified Date = 11/7/2006 2:21:58 PM | Attr = ]
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{85d1f590-48f4-11d9-9669-0800200c9a66} [HKLM] -> Reg Data - Key not found [MenuText: Uninstall BitDefender Online Scanner v8] -> File not found
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform ->
SV1 -> ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{0966B7CC-6610-40ED-B726-5BBF1346AB4E} -> (Broadcom 440x 10/100 Integrated Controller) ->
{26B1B528-F940-441C-937E-B1114A2C6863} -> () ->
{A9EE0344-5892-49F6-9D78-DEE11F60C97F} -> (D-Link Air DWL-650 Wireless Cardbus Adapter(rev.M)) ->
{E23C98FB-823F-47DC-8C92-231C9FF03BAC} -> (Wireless-G Notebook Adapter WPC54GS V1) ->
{EF60C597-D5E6-470A-BB46-CBA123FC65A2} -> (Westell WireSpeed Dual Connect Modem) ->
< Winsock2 Catalogs [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\ ->
NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] -> %ProgramFiles%\Bonjour\mdnsNSP.dll -> Apple Computer, Inc. [Ver = 1,0,3,1 | Size = 94208 bytes | Modified Date = 2/28/2006 11:42:30 AM | Attr = ]
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{0713E8D2-850A-101B-AFC0-4210102A8DA7} -> Microsoft ProgressBar Control, version 5.0 (SP2) - CodeBase = http://download.mcafee.com/molbin/Shared/C...22/ComCtl32.cab ->
{1239CC52-59EF-4DFA-8C61-90FFA846DF7E} -> Musicnotes Viewer - CodeBase = http://www.musicnotes.com/download/mnviewer.cab ->
{17492023-C23A-453E-A040-C7C580BBF700} -> Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204 ->
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -> YInstStarter Class - CodeBase = C:\Program Files\Yahoo!\Common\yinsthelper.dll ->
{3253344D-0000-0010-8000-00AA00389B71} -> - CodeBase = http://codecs.microsoft.com/codecs/i386/mpg4sax.cab ->
{33564D57-0000-0010-8000-00AA00389B71} -> - CodeBase = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB ->
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -> Office Update Installation Engine - CodeBase = http://office.microsoft.com/officeupdate/content/opuc.cab ->
{42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} -> HomePrintingCtrl Class - CodeBase = http://www.ofoto.com/downloads/hmpr/HMPR_W..._1/axhomepr.cab ->
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -> - CodeBase = http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab ->
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -> BDSCANONLINE Control - CodeBase = http://download.bitdefender.com/resources/scan8/oscan8.cab ->
{5ED80217-570B-4DA9-BF44-BE107C0EC166} -> Windows Live Safety Center Base Module - CodeBase = https://scan.safety.live.com/resource/downl...lscbase3401.cab ->
{74C861A1-D548-4916-BC8A-FDE92EDFF62C} -> - CodeBase = http://mediaplayer.walmart.com/installer/install.cab ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.4.2 - CodeBase = http://java.sun.com/products/plugin/autodl...indows-i586.cab ->
{A8F2B9BD-A6A0-486A-9744-18920D898429} -> ScorchPlugin Class - CodeBase = http://www.sibelius.com/download/software/...tiveXPlugin.cab ->
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -> - CodeBase = http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab ->
{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} -> Java Plug-in 1.4.2 - CodeBase = http://java.sun.com/products/plugin/autodl...indows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://download.macromedia.com/pub/shockwa...ash/swflash.cab ->
{E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -> GpcContainer Class - CodeBase = https://controlgroup.webex.com/client/v_con...ort/ieatgpc.cab ->


[Files/Folders - Created Within 30 days]
SDFix -> %SystemDrive%\SDFix -> [Folder | Created Date = 12/12/2007 9:55:25 PM | Attr = ]
$NtUninstallKB938127$ -> %SystemRoot%\$NtUninstallKB938127$ -> [Folder | Created Date = 12/3/2007 10:25:38 PM | Attr = H ]
$NtUninstallKB939653$ -> %SystemRoot%\$NtUninstallKB939653$ -> [Folder | Created Date = 12/3/2007 10:27:18 PM | Attr = H ]
$NtUninstallKB941568$ -> %SystemRoot%\$NtUninstallKB941568$ -> [Folder | Created Date = 12/14/2007 1:27:55 AM | Attr = H ]
$NtUninstallKB941569$ -> %SystemRoot%\$NtUninstallKB941569$ -> [Folder | Created Date = 12/14/2007 1:29:58 AM | Attr = H ]
$NtUninstallKB942615$ -> %SystemRoot%\$NtUninstallKB942615$ -> [Folder | Created Date = 12/14/2007 1:18:33 AM | Attr = H ]
$NtUninstallKB942763$ -> %SystemRoot%\$NtUninstallKB942763$ -> [Folder | Created Date = 12/14/2007 1:31:50 AM | Attr = H ]
$NtUninstallKB942840$ -> %SystemRoot%\$NtUninstallKB942840$ -> [Folder | Created Date = 12/14/2007 1:37:55 AM | Attr = H ]
$NtUninstallKB944653$ -> %SystemRoot%\$NtUninstallKB944653$ -> [Folder | Created Date = 12/14/2007 1:06:35 AM | Attr = H ]
adaway.lic -> %SystemRoot%\adaway.lic -> [Ver = | Size = 256 bytes | Created Date = 12/8/2007 6:24:09 PM | Attr = ]
cookies.ini -> %SystemRoot%\cookies.ini -> [Ver = | Size = 364 bytes | Created Date = 12/2/2007 11:24:13 PM | Attr = ]
ERUNT -> %SystemRoot%\ERUNT -> [Folder | Created Date = 12/12/2007 10:01:04 PM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Created Date = 11/25/2007 8:42:13 PM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Created Date = 11/25/2007 8:42:13 PM | Attr = H ]
cbxww.dll -> %System32%\cbxww.dll -> [Ver = | Size = 324192 bytes | Created Date = 12/1/2007 7:21:50 AM | Attr = ]
daSgo02 -> %System32%\daSgo02 -> [Folder | Created Date = 11/30/2007 11:16:04 PM | Attr = ]
daSgo06 -> %System32%\daSgo06 -> [Folder | Created Date = 12/4/2007 4:50:22 PM | Attr = ]
jytgkqhq.dll -> %System32%\jytgkqhq.dll -> [Ver = | Size = 77376 bytes | Created Date = 12/3/2007 11:04:44 PM | Attr = ]
rurxdhpr.dll -> %System32%\rurxdhpr.dll -> [Ver = | Size = 76864 bytes | Created Date = 12/2/2007 7:35:08 PM | Attr = ]
spupdsvc.inf -> %System32%\spupdsvc.inf -> [Ver = | Size = 230 bytes | Created Date = 12/2/2007 11:40:28 PM | Attr = ]
syahakgs.ini -> %System32%\syahakgs.ini -> [Ver = | Size = 794340 bytes | Created Date = 12/3/2007 11:07:48 PM | Attr = HS]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 2534 bytes | Created Date = 12/8/2007 6:41:50 PM | Attr = ]
utdwfruv.ini -> %System32%\utdwfruv.ini -> [Ver = | Size = 793664 bytes | Created Date = 12/2/2007 2:05:21 PM | Attr = HS]
wbtglipd.dll -> %System32%\wbtglipd.dll -> [Ver = | Size = 76864 bytes | Created Date = 12/2/2007 1:59:08 PM | Attr = ]
wwxbc.ini -> %System32%\wwxbc.ini -> [Ver = | Size = 5689 bytes | Created Date = 12/1/2007 7:21:58 AM | Attr = HS]
wwxbc.ini2 -> %System32%\wwxbc.ini2 -> [Ver = | Size = 5689 bytes | Created Date = 12/1/2007 7:22:00 AM | Attr = HS]
xnhpdxlt.ini -> %System32%\xnhpdxlt.ini -> [Ver = | Size = 793913 bytes | Created Date = 12/2/2007 7:32:10 PM | Attr = HS]
hosts.20071204-010920.backup -> %System32%\drivers\ETC\hosts.20071204-010920.backup -> [Ver = | Size = 734 bytes | Created Date = 12/4/2007 1:09:20 AM | Attr = ]

[Files/Folders - Modified Within 30 days]
archive -> %SystemDrive%\archive -> [Folder | Modified Date = 12/13/2007 11:09:58 PM | Attr = ]
BOOT.INI -> %SystemDrive%\BOOT.INI -> [Ver = | Size = 211 bytes | Modified Date = 11/17/2007 11:32:36 PM | Attr = HS]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 12/14/2007 1:15:00 AM | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 12/14/2007 7:40:00 PM | Attr = R ]
SDFix -> %SystemDrive%\SDFix -> [Folder | Modified Date = 12/13/2007 12:21:20 AM | Attr = ]
System Volume Information -> %SystemDrive%\System Volume Information -> [Folder | Modified Date = 12/16/2007 7:30:40 PM | Attr = HS]
temp -> %SystemDrive%\temp -> [Folder | Modified Date = 11/30/2007 11:16:04 PM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 12/16/2007 8:16:42 PM | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 12/13/2007 11:38:10 PM | Attr = H ]
$NtUninstallKB938127$ -> %SystemRoot%\$NtUninstallKB938127$ -> [Folder | Modified Date = 12/3/2007 10:25:42 PM | Attr = H ]
$NtUninstallKB939653$ -> %SystemRoot%\$NtUninstallKB939653$ -> [Folder | Modified Date = 12/3/2007 10:27:34 PM | Attr = H ]
$NtUninstallKB941568$ -> %SystemRoot%\$NtUninstallKB941568$ -> [Folder | Modified Date = 12/14/2007 1:28:00 AM | Attr = H ]
$NtUninstallKB941569$ -> %SystemRoot%\$NtUninstallKB941569$ -> [Folder | Modified Date = 12/14/2007 1:30:08 AM | Attr = H ]
$NtUninstallKB942615$ -> %SystemRoot%\$NtUninstallKB942615$ -> [Folder | Modified Date = 12/14/2007 1:20:08 AM | Attr = H ]
$NtUninstallKB942763$ -> %SystemRoot%\$NtUninstallKB942763$ -> [Folder | Modified Date = 12/14/2007 1:31:54 AM | Attr = H ]
$NtUninstallKB942840$ -> %SystemRoot%\$NtUninstallKB942840$ -> [Folder | Modified Date = 12/14/2007 1:37:58 AM | Attr = H ]
$NtUninstallKB944653$ -> %SystemRoot%\$NtUninstallKB944653$ -> [Folder | Modified Date = 12/14/2007 1:06:40 AM | Attr = H ]
adaway.lic -> %SystemRoot%\adaway.lic -> [Ver = | Size = 256 bytes | Modified Date = 12/8/2007 6:24:10 PM | Attr = ]
BOOTSTAT.DAT -> %SystemRoot%\BOOTSTAT.DAT -> [Ver = | Size = 2048 bytes | Modified Date = 12/16/2007 8:37:36 PM | Attr = S]
cookies.ini -> %SystemRoot%\cookies.ini -> [Ver = | Size = 364 bytes | Modified Date = 12/2/2007 11:24:14 PM | Attr = ]
Debug -> %SystemRoot%\Debug -> [Folder | Modified Date = 12/14/2007 7:44:14 PM | Attr = ]
ERUNT -> %SystemRoot%\ERUNT -> [Folder | Modified Date = 12/12/2007 10:01:24 PM | Attr = ]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 12/2/2007 11:50:36 PM | Attr = ]
ie7updates -> %SystemRoot%\ie7updates -> [Folder | Modified Date = 12/2/2007 11:48:16 PM | Attr = ]
INF -> %SystemRoot%\INF -> [Folder | Modified Date = 12/14/2007 1:38:30 AM | Attr = ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 12/14/2007 1:15:08 AM | Attr = HS]
Media -> %SystemRoot%\Media -> [Folder | Modified Date = 12/2/2007 11:32:14 PM | Attr = ]
Minidump -> %SystemRoot%\Minidump -> [Folder | Modified Date = 12/14/2007 7:44:08 PM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 12/16/2007 3:50:02 PM | Attr = ]
pss -> %SystemRoot%\pss -> [Folder | Modified Date = 11/17/2007 11:32:34 PM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Modified Date = 11/25/2007 8:42:14 PM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 12/1/2007 4:26:36 PM | Attr = H ]
SYSTEM.INI -> %SystemRoot%\SYSTEM.INI -> [Ver = | Size = 268 bytes | Modified Date = 11/17/2007 11:32:36 PM | Attr = ]
SYSTEM32 -> %System32% -> [Folder | Modified Date = 12/16/2007 7:29:46 PM | Attr = HS]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 12/16/2007 8:41:06 PM | Attr = ]
WBEM -> %SystemRoot%\WBEM -> [Folder | Modified Date = 12/2/2007 11:32:16 PM | Attr = ]
WIN.INI -> %SystemRoot%\WIN.INI -> [Ver = | Size = 764 bytes | Modified Date = 11/17/2007 11:32:36 PM | Attr = ]
wininit.ini -> %SystemRoot%\wininit.ini -> [Ver = | Size = 244 bytes | Modified Date = 12/6/2007 11:12:52 PM | Attr = ]
AppleSoftwareUpdate.job -> %SystemRoot%\tasks\AppleSoftwareUpdate.job -> [Ver = | Size = 284 bytes | Modified Date = 12/6/2007 8:33:26 AM | Attr = ]
McDefragTask.job -> %SystemRoot%\tasks\McDefragTask.job -> [Ver = | Size = 348 bytes | Modified Date = 12/15/2007 2:38:28 AM | Attr = ]
McQcTask.job -> %SystemRoot%\tasks\McQcTask.job -> [Ver = | Size = 340 bytes | Modified Date = 12/1/2007 1:02:02 AM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 12/16/2007 8:37:52 PM | Attr = H ]
Uniblue SpeedUpMyPC Nag.job -> %SystemRoot%\tasks\Uniblue SpeedUpMyPC Nag.job -> [Ver = | Size = 274 bytes | Modified Date = 12/15/2007 8:22:24 PM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 12/14/2007 7:58:12 PM | Attr = ]
cbxww.dll -> %System32%\cbxww.dll -> [Ver = | Size = 324192 bytes | Modified Date = 12/1/2007 7:21:56 AM | Attr = ]
daSgo02 -> %System32%\daSgo02 -> [Folder | Modified Date = 11/30/2007 11:16:06 PM | Attr = ]
daSgo06 -> %System32%\daSgo06 -> [Folder | Modified Date = 12/4/2007 4:50:30 PM | Attr = ]
DLLCACHE -> %System32%\DLLCACHE -> [Folder | Modified Date = 12/14/2007 1:38:08 AM | Attr = RHS]
DRIVERS -> %System32%\DRIVERS -> [Folder | Modified Date = 12/14/2007 8:18:04 PM | Attr = ]
en-US -> %System32%\en-US -> [Folder | Modified Date = 12/2/2007 11:50:36 PM | Attr = ]
jytgkqhq.dll -> %System32%\jytgkqhq.dll -> [Ver = | Size = 77376 bytes | Modified Date = 12/3/2007 11:04:46 PM | Attr = ]
Restore -> %System32%\Restore -> [Folder | Modified Date = 12/16/2007 7:30:40 PM | Attr = ]
rurxdhpr.dll -> %System32%\rurxdhpr.dll -> [Ver = | Size = 76864 bytes | Modified Date = 12/2/2007 7:35:10 PM | Attr = ]
spupdsvc.inf -> %System32%\spupdsvc.inf -> [Ver = | Size = 230 bytes | Modified Date = 12/2/2007 11:40:30 PM | Attr = ]
syahakgs.ini -> %System32%\syahakgs.ini -> [Ver = | Size = 794340 bytes | Modified Date = 12/4/2007 4:51:14 PM | Attr = HS]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 2534 bytes | Modified Date = 12/8/2007 6:46:16 PM | Attr = ]
utdwfruv.ini -> %System32%\utdwfruv.ini -> [Ver = | Size = 793664 bytes | Modified Date = 12/2/2007 2:05:28 PM | Attr = HS]
wbtglipd.dll -> %System32%\wbtglipd.dll -> [Ver = | Size = 76864 bytes | Modified Date = 12/2/2007 1:59:12 PM | Attr = ]
WPA.DBL -> %System32%\WPA.DBL -> [Ver = | Size = 1170 bytes | Modified Date = 12/16/2007 8:40:32 PM | Attr = ]
wwxbc.ini -> %System32%\wwxbc.ini -> [Ver = | Size = 5689 bytes | Modified Date = 12/16/2007 8:41:14 PM | Attr = HS]
wwxbc.ini2 -> %System32%\wwxbc.ini2 -> [Ver = | Size = 5689 bytes | Modified Date = 12/16/2007 8:41:16 PM | Attr = HS]
xnhpdxlt.ini -> %System32%\xnhpdxlt.ini -> [Ver = | Size = 793913 bytes | Modified Date = 12/3/2007 10:35:26 PM | Attr = HS]
ETC -> %System32%\drivers\ETC -> [Folder | Modified Date = 12/12/2007 10:09:24 PM | Attr = ]

[File String Scan - Non-Microsoft Only]
PEC2 , -> %System32%\DFRG.MSC -> [Ver = | Size = 41397 bytes | Modified Date = 8/29/2002 6:00:00 AM | Attr = ]
Thawte Consulting , -> %System32%\mfimgvwr.ocx -> MyFamily.com, Inc. [Ver = 2.0.0.1 | Size = 189976 bytes | Modified Date = 10/18/2006 1:52:24 PM | Attr = ]
Thawte Consulting , -> %System32%\rmoc3260.dll -> RealNetworks, Inc. [Ver = 6.0.9.2764 | Size = 185952 bytes | Modified Date = 6/4/2007 9:22:40 PM | Attr = ]
winsync , -> %System32%\WBDBASE.DEU -> [Ver = | Size = 1309184 bytes | Modified Date = 8/29/2002 6:00:00 AM | Attr = ]
PTech , -> %System32%\dllcache\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/4/2004 12:41:38 AM | Attr = ]
PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/4/2004 12:41:38 AM | Attr = ]
abetterinternet.com , web-nex , ad-w-a-r-e.com , -> %System32%\drivers\ETC\hosts-old -> [Ver = | Size = 213867 bytes | Modified Date = 12/4/2007 1:09:26 AM | Attr = R ]

< End of report >



-Ryan

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:04 PM

Posted 16 December 2007 - 10:19 PM

Hi rps79,

You are still heavily infected. We will see how you look after we run this.

Start WinPFind3U.
Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.


[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {1875e2a1-2708-49ac-94eb-cb67193bf314} [HKLM] -> %System32%\jytgkqhq.dll [Reg Data - Value does not exist]
YY -> {84EA8634-2F02-4DD9-91E2-EE2EB605FDE7} [HKLM] -> %System32%\cbxww.dll [Reg Data - Value does not exist]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> {4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {85d1f590-48f4-11d9-9669-0800200c9a66} [HKLM] -> Reg Data - Key not found [MenuText: Uninstall BitDefender Online Scanner v8]
[Files/Folders - Created Within 30 days]
NY -> cbxww.dll -> %System32%\cbxww.dll
NY -> jytgkqhq.dll -> %System32%\jytgkqhq.dll
NY -> rurxdhpr.dll -> %System32%\rurxdhpr.dll
NY -> syahakgs.ini -> %System32%\syahakgs.ini
NY -> utdwfruv.ini -> %System32%\utdwfruv.ini
NY -> wbtglipd.dll -> %System32%\wbtglipd.dll
NY -> wwxbc.ini -> %System32%\wwxbc.ini
NY -> wwxbc.ini2 -> %System32%\wwxbc.ini2
NY -> xnhpdxlt.ini -> %System32%\xnhpdxlt.ini
[Files/Folders - Modified Within 30 days]
NY -> cbxww.dll -> %System32%\cbxww.dll
NY -> jytgkqhq.dll -> %System32%\jytgkqhq.dll
NY -> rurxdhpr.dll -> %System32%\rurxdhpr.dll
NY -> syahakgs.ini -> %System32%\syahakgs.ini
NY -> utdwfruv.ini -> %System32%\utdwfruv.ini
NY -> wbtglipd.dll -> %System32%\wbtglipd.dll
NY -> wwxbc.ini -> %System32%\wwxbc.ini
NY -> wwxbc.ini2 -> %System32%\wwxbc.ini2
NY -> xnhpdxlt.ini -> %System32%\xnhpdxlt.ini
[Empty Temp Folders]
[Start Explorer]
[Reboot]
The fix should only take a very short time.
When the fix is completed a message box will popup telling you that it is finished.
Click the Ok button and Notepad will open with a log of actions taken during the fix.
Post that information back here (the log of actions) along with a new WinPFind3u scan.
I would like the WinPFind3u log as an attachment (because it is big).

I will review the information when it comes back in.

Edited by SifuMike, 16 December 2007 - 10:21 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
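The entries SifuMike picked out for the fix above share a pattern an analyst learns to spot in a WinPFind3U report: a BHO whose CLSID has no registered friendly name ("Reg Data - Value does not exist"), backed by a DLL with no version resource or vendor string, a random-looking lowercase file name, and a creation date in the last few weeks, sitting directly in System32 (plus hidden+system .ini siblings). As an added example, not part of this thread and not WinPFind3U's or HijackThis's own logic, the Python script below applies those heuristics over lines copied from the report posted earlier. The report date (16 December 2007), the scoring threshold and the "random name" regex are assumptions of the example.

```python
"""Triage WinPFind3U-style report lines for randomly named, unversioned DLLs.

Heuristics and parsing are this example's own; they are not WinPFind3U's or
HijackThis's logic, and they only approximate what an analyst checks by eye.
"""
import re
from datetime import datetime, timedelta

# Trailing metadata shared by BHO lines and "Created/Modified Within 30 days" lines.
META_RE = re.compile(
    r"\[Ver =\s*(?P<ver>.*?)\s*\| Size = (?P<size>\d+) bytes \| "
    r"(?:Modified|Created) Date = (?P<date>.*?) \| Attr = (?P<attr>.*?)\]\s*$"
)
# "{CLSID} [HKLM] -> <path> [<registered name>] -> <vendor> [Ver = ..."
BHO_RE = re.compile(
    r"^\{(?P<clsid>[0-9A-Fa-f-]{36})\} \[(?P<hive>HK\w+)\] -> "
    r"(?P<path>.+?) \[(?P<desc>.*?)\] -> (?P<vendor>.*?)\s*\[Ver ="
)
# "<name> -> <path> -> [Ver = ..."
FILE_RE = re.compile(r"^(?P<name>\S+) -> (?P<path>.+?) -> \[Ver =")
# Assumption of this example: 5-8 lowercase letters, as in jytgkqhq.dll or wwxbc.ini2.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}\.(?:dll|ini|ini2)$")

# Sample input: lines copied from the WinPFind3U report posted in this thread.
SAMPLE_REPORT = r"""
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/22/2006 10:08:42 PM | Attr = ]
{1875e2a1-2708-49ac-94eb-cb67193bf314} [HKLM] -> %System32%\jytgkqhq.dll [Reg Data - Value does not exist] -> [Ver = | Size = 77376 bytes | Modified Date = 12/3/2007 11:04:46 PM | Attr = ]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231} [HKLM] -> %ProgramFiles%\McAfee\VirusScan\scriptcl.dll [scriptproxy] -> McAfee, Inc. [Ver = VSCORE.13.3.2.116.x86 | Size = 67136 bytes | Modified Date = 6/25/2007 9:57:44 AM | Attr = ]
{84EA8634-2F02-4DD9-91E2-EE2EB605FDE7} [HKLM] -> %System32%\cbxww.dll [Reg Data - Value does not exist] -> [Ver = | Size = 324192 bytes | Modified Date = 12/1/2007 7:21:56 AM | Attr = ]
jytgkqhq.dll -> %System32%\jytgkqhq.dll -> [Ver = | Size = 77376 bytes | Created Date = 12/3/2007 11:04:44 PM | Attr = ]
spupdsvc.inf -> %System32%\spupdsvc.inf -> [Ver = | Size = 230 bytes | Created Date = 12/2/2007 11:40:28 PM | Attr = ]
syahakgs.ini -> %System32%\syahakgs.ini -> [Ver = | Size = 794340 bytes | Created Date = 12/3/2007 11:07:48 PM | Attr = HS]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 2534 bytes | Created Date = 12/8/2007 6:41:50 PM | Attr = ]
wwxbc.ini2 -> %System32%\wwxbc.ini2 -> [Ver = | Size = 5689 bytes | Created Date = 12/1/2007 7:22:00 AM | Attr = HS]
"""
# Assumed report date: the scan was posted on 16 December 2007.
REPORT_DATE = datetime(2007, 12, 16)


def parse_entry(line):
    """Return a dict for one BHO or file entry line, or None for anything else."""
    meta = META_RE.search(line)
    if not meta:
        return None
    m = BHO_RE.match(line) or FILE_RE.match(line)
    if not m:
        return None
    entry = meta.groupdict()
    entry.update(m.groupdict())
    entry.setdefault("desc", "")    # file lines carry no registered name
    entry.setdefault("vendor", "")  # or vendor string
    entry["date"] = datetime.strptime(entry["date"], "%m/%d/%Y %I:%M:%S %p")
    return entry


def suspicion(entry, report_date, recent_days=30):
    """Apply the example's heuristics to one entry; returns (score, reasons)."""
    reasons = []
    file_name = entry["path"].rsplit("\\", 1)[-1]
    if not entry["ver"] and not entry["vendor"]:
        reasons.append("no version resource and no vendor string")
    if "does not exist" in entry["desc"]:
        reasons.append("CLSID registered without a friendly name")
    if RANDOM_NAME_RE.match(file_name):
        reasons.append("random-looking lowercase file name")
    if (entry["path"].startswith("%System32%")
            and report_date - entry["date"] <= timedelta(days=recent_days)):
        reasons.append("written under System32 within the last %d days" % recent_days)
    if "H" in entry["attr"] and "S" in entry["attr"]:
        reasons.append("hidden+system attributes")
    return len(reasons), reasons


def triage(report_text, report_date, threshold=3):
    """Union the reasons per path across all lines; flag paths at or above threshold."""
    reasons_by_path = {}
    for line in report_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        _, reasons = suspicion(entry, report_date)
        reasons_by_path.setdefault(entry["path"], set()).update(reasons)
    return {p: sorted(r) for p, r in reasons_by_path.items() if len(r) >= threshold}


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_REPORT, REPORT_DATE).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

The threshold of three is what keeps legitimate recent files such as spupdsvc.inf (unversioned and new, but with a normal name) and McAfee's scriptcl.dll (an eight-letter lowercase name, but signed, versioned and outside System32) off the list; a single heuristic is never enough on its own, which is why the script unions reasons across the BHO section and the file listing before deciding.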

#15 rps79

rps79
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:04 AM

Posted 17 December 2007 - 10:20 AM

Hey SifuMike,

Here is the WinPFind3u fix log:

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1875e2a1-2708-49ac-94eb-cb67193bf314} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1875e2a1-2708-49ac-94eb-cb67193bf314} deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\jytgkqhq.dll
C:\WINDOWS\SYSTEM32\jytgkqhq.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\jytgkqhq.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84EA8634-2F02-4DD9-91E2-EE2EB605FDE7} not found.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\cbxww.dll
C:\WINDOWS\SYSTEM32\cbxww.dll NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\cbxww.dll scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD} deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478} deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD} deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66} deleted successfully.
[Files/Folders - Created Within 30 days]
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\cbxww.dll
C:\WINDOWS\SYSTEM32\cbxww.dll NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\cbxww.dll scheduled to be moved on reboot.
File C:\WINDOWS\SYSTEM32\jytgkqhq.dll not found!
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\rurxdhpr.dll
C:\WINDOWS\SYSTEM32\rurxdhpr.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\rurxdhpr.dll moved successfully.
C:\WINDOWS\SYSTEM32\syahakgs.ini moved successfully.
C:\WINDOWS\SYSTEM32\utdwfruv.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\wbtglipd.dll
C:\WINDOWS\SYSTEM32\wbtglipd.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\wbtglipd.dll moved successfully.
C:\WINDOWS\SYSTEM32\wwxbc.ini moved successfully.
C:\WINDOWS\SYSTEM32\wwxbc.ini2 moved successfully.
C:\WINDOWS\SYSTEM32\xnhpdxlt.ini moved successfully.
[Files/Folders - Modified Within 30 days]
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\cbxww.dll
C:\WINDOWS\SYSTEM32\cbxww.dll NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\cbxww.dll scheduled to be moved on reboot.
File C:\WINDOWS\SYSTEM32\jytgkqhq.dll not found!
File C:\WINDOWS\SYSTEM32\rurxdhpr.dll not found!
File C:\WINDOWS\SYSTEM32\syahakgs.ini not found!
File C:\WINDOWS\SYSTEM32\utdwfruv.ini not found!
File C:\WINDOWS\SYSTEM32\wbtglipd.dll not found!
File C:\WINDOWS\SYSTEM32\wwxbc.ini not found!
File C:\WINDOWS\SYSTEM32\wwxbc.ini2 not found!
File C:\WINDOWS\SYSTEM32\xnhpdxlt.ini not found!
[Empty Temp Folders]
C:\DOCUME~1\RYANST~1\LOCALS~1\Temp\ -> emptied.
C:\Documents and Settings\Ryan Stem\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
Explorer started successfully
< End of log >
Created on 12/17/2007 09:53:11
I have attached the most recent WinPFind3u file and here is the most recent HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:48 AM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ryan Stem\My Documents\Downloaded Files\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/C...22/ComCtl32.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.ofoto.com/downloads/hmpr/HMPR_W..._1/axhomepr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/downl...lscbase3401.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://controlgroup.webex.com/client/v_con...ort/ieatgpc.cab
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: WZCBDL Service (WZCBDLService) - Unknown owner - C:\Program Files\WZCBDL Service\WZCBDLS.exe (file missing)

--
End of file - 6356 bytes


Thanks,

Ryan

Attached File: WinPFind3afterfix.txt (29.13KB)
