Vundo, Fotomoto, Other Trojan Problems Can't Get Rid Of!


This topic is locked
19 replies to this topic

#1 stephensfamily5 (Members, 10 posts)

Posted 08 December 2007 - 09:07 PM

I accidentally downloaded a file that I thought was legit a few weeks ago. Since then, I have had many problems with my computer, from popups to problems with my email, etc. I have run McAfee, Windows Defender, Spy Sweeper, and FixVundo, all in safe mode repeatedly, but the trojans always show up again. I have followed all of the suggested steps before downloading HijackThis. Here is my file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:36 PM, on 12/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\inf\svchost\svchost.exe
C:\WINDOWS\inf\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Cyb2k.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKLM\..\Run: [MBkLogOnHook] "C:\Program Files\McAfee\MBK\LogOnHook.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [a499f81a] "rundll32.exe" "C:\WINDOWS\system32\lfpwddys.dll",b
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\WINDOWS\inf\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9263 bytes

Any help that you could give me would be much appreciated. I'm at a loss. :thumbsup:



#2 SifuMike (malware expert; Members, 15,385 posts; Location: Vancouver (not BC) WA (Not DC) USA)

Posted 09 December 2007 - 11:00 PM

Hello stephensfamily5,

I am SifuMike and I will be helping you.

I see you are running TeaTimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer during HijackThis Cleanup
When everything is done and your log is clean again, you can enable it again.

Then download ResetTeaTimer.bat.
Double-click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Please disable SpySweeper
Open Spysweeper and click on Options > Program Options and uncheck "load at windows startup".
On the left click "shields" and then uncheck everything there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.


We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

Disable your McAfee antivirus while we use ComboFix.


Let's run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


If you have used ComboFix before, please delete the version you have and download it again, because ComboFix is updated every day.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
Do NOT run ComboFix more than once.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 stephensfamily5 (Topic Starter; Members, 10 posts)

Posted 10 December 2007 - 10:21 AM

SifuMike, Thanks so much for your help! I'm just realizing that I didn't disconnect from the internet before I ran the ComboFix. I'll post here the log, but let me know if I need to run it again. Sorry. Anyway, here is the ComboFix log:

ComboFix 07-12-09.1 - StephensFamily 2007-12-10 9:55:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.661 [GMT -5:00]
Running from: C:\Documents and Settings\StephensFamily\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bisltsev.dll
C:\WINDOWS\system32\byxvvst.dll
C:\WINDOWS\system32\byxyabx.dll
C:\WINDOWS\system32\fccyxyv.dll
C:\WINDOWS\system32\geeby.dll
C:\WINDOWS\system32\hggebay.dll
C:\WINDOWS\system32\hxuulcmv.dll
C:\WINDOWS\system32\ifngvsqs.dll
C:\WINDOWS\system32\jkkliij.dll
C:\WINDOWS\system32\kqikqgpl.dll
C:\WINDOWS\system32\mljhfeb.dll
C:\WINDOWS\system32\mljjjgf.dll
C:\WINDOWS\system32\oafdexbg.dll
C:\WINDOWS\system32\odbhvgnc.dll
C:\WINDOWS\system32\vmcluuxh.ini
C:\WINDOWS\system32\wmnnddsg.dll
C:\WINDOWS\system32\ybeeg.ini
C:\WINDOWS\system32\ybeeg.ini2
C:\WINDOWS\system32\yygmdupn.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-11-10 to 2007-12-10 )))))))))))))))))))))))))))))))
.

2007-12-09 13:23 . 2007-12-09 18:17 843,032 --ahs---- C:\WINDOWS\system32\hkhuttgc.ini
2007-12-08 20:44 . 2007-12-08 20:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-08 11:43 . 2007-12-08 13:16 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-08 07:36 . 2007-12-09 13:17 842,792 --ahs---- C:\WINDOWS\system32\syddwpfl.ini
2007-12-07 14:05 . 2007-12-07 14:05 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-07 14:05 . 2007-12-07 14:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-07 07:40 . 2007-12-07 17:00 832,053 --ahs---- C:\WINDOWS\system32\errvxmid.ini
2007-12-06 20:45 . 2007-12-06 20:45 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-12-06 02:04 . 2007-12-07 07:32 831,675 --ahs---- C:\WINDOWS\system32\qiuqydrr.ini
2007-12-05 02:10 . 2007-12-05 05:25 354 --ahs---- C:\WINDOWS\system32\ajglonga.ini
2007-12-04 02:00 . 2007-12-05 02:10 294 --ahs---- C:\WINDOWS\system32\kasikcdb.ini
2007-12-03 02:10 . 2007-12-03 07:25 792,252 --ahs---- C:\WINDOWS\system32\wthvykao.ini
2007-12-02 02:06 . 2007-12-02 02:06 294 --ahs---- C:\WINDOWS\system32\khudevnj.ini
2007-11-30 14:04 . 2007-12-01 15:17 354 --ahs---- C:\WINDOWS\system32\hvkelgka.ini
2007-11-28 17:55 . 2007-11-28 17:57 <DIR> d-------- C:\Program Files\Linksys EasyLink Advisor
2007-11-27 17:58 . 2007-11-27 17:58 49 --a------ C:\WINDOWS\hpntwksetup.ini
2007-11-27 17:04 . 2007-11-27 17:05 116,458 --------- C:\WINDOWS\hpoins11.dat.temp
2007-11-27 17:04 . 2006-05-05 16:18 11,634 --------- C:\WINDOWS\hpomdl11.dat.temp
2007-11-25 18:13 . 2007-11-25 18:14 166,064 --a------ C:\Program Files\FixVundo.exe
2007-11-25 00:10 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-11-25 00:09 . 2007-11-25 00:09 164 --a------ C:\install.dat
2007-11-25 00:06 . 2007-11-25 00:07 14,651,472 --a------ C:\Program Files\SpySweeperRegSetup_EN.exe
2007-11-24 21:27 . 2007-12-10 10:07 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-24 21:27 . 2007-11-24 21:27 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-24 21:24 . 2007-11-24 21:24 <DIR> d-------- C:\Program Files\Webroot
2007-11-24 21:24 . 2007-11-24 21:24 <DIR> d-------- C:\Documents and Settings\StephensFamily\Application Data\Webroot
2007-11-24 21:24 . 2007-11-24 21:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-11-24 21:24 . 2007-11-24 21:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-11-24 21:24 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-11-24 21:24 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-11-24 21:24 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-11-24 21:24 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-11-24 21:21 . 2007-11-24 21:23 <DIR> d-------- C:\Documents and Settings\StephensFamily\Application Data\GetRightToGo
2007-11-20 19:22 . 2007-11-20 19:22 <DIR> d-------- C:\Program Files\Red Kawa
2007-11-20 19:22 . 2007-11-20 19:22 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-20 19:17 . 2007-12-07 13:28 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-18 22:51 . 2007-11-18 22:51 40,733 --a------ C:\WINDOWS\system32\rightonadz-uninst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 15:07 --------- d-----w C:\Program Files\Steam
2007-12-08 01:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-07 19:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-07 03:14 --------- d-----w C:\Program Files\Dell Support
2007-12-07 02:38 140 ----a-w C:\Program Files\FixVundo.log
2007-11-24 21:31 5,154,304 ----a-w C:\Program Files\WindowsDefender.msi
2007-11-21 23:24 --------- d-----w C:\Program Files\McAfee
2007-11-20 23:18 --------- d-----w C:\Program Files\Broderbund
2007-11-02 22:08 --------- d-----w C:\Program Files\Common Files\McAfee
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-18 22:27 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-18 22:18 --------- d-----w C:\Documents and Settings\StephensFamily\Application Data\AdobeUM
2007-10-15 01:06 --------- d-----w C:\Documents and Settings\StephensFamily\Application Data\BitTorrent
2007-10-03 08:58 685,568 ----a-w C:\WINDOWS\inf\svchost\svchost.exe
2007-10-03 08:57 1,020,416 ----a-w C:\WINDOWS\inf\svchost.exe
2007-10-03 08:48 425,984 ----a-w C:\WINDOWS\inf\svchost\extract_cert.exe
2007-09-28 10:38 27,648 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\auth.exe
2007-09-23 23:29 749,352 ----a-w C:\WINDOWS\SSCRG.exe
2007-09-22 23:27 839,976 ----a-w C:\WINDOWS\SSLS.exe
2007-09-21 18:53 1,187,840 ----a-w C:\WINDOWS\inf\svchost\ChilkatCert_NT4.dll
2007-09-10 20:40 953,344 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\pserver.exe
2007-09-10 20:40 56,320 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\gnu_regex.dll
2007-09-10 20:40 200,704 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\ssleay32.dll
2007-09-10 20:40 1,850,594 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\pserver.debug.exe
2007-09-10 20:40 1,097,728 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\libeay32.dll
2007-05-02 23:23 950,329 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_gd2.dll
2007-05-02 23:23 90,112 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\fribidi.dll
2007-05-02 23:23 69,689 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_bz2.dll
2007-05-02 23:23 65,597 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_openssl.dll
2007-05-02 23:23 57,410 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5apache_hooks.dll
2007-05-02 23:23 57,401 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_zip.dll
2007-05-02 23:23 57,344 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\msql.dll
2007-05-02 23:23 49,213 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_sockets.dll
2007-05-02 23:23 49,211 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_mysql.dll
2007-05-02 23:23 417,792 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\fdftk.dll
2007-05-02 23:23 41,020 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_mcrypt.dll
2007-05-02 23:23 41,017 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php-cgi.exe
2007-05-02 23:23 4,771,896 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5ts.dll
2007-05-02 23:23 385,024 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\libswish-e.dll
2007-05-02 23:23 360,448 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\yaz.dll
2007-05-02 23:23 36,934 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5apache2_2_filter.dll
2007-05-02 23:23 36,932 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5apache2_filter.dll
2007-05-02 23:23 36,927 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5apache2_2.dll
2007-05-02 23:23 36,925 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5apache2.dll
2007-05-02 23:23 36,924 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5apache.dll
2007-05-02 23:23 346,624 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\gds32.dll
2007-05-02 23:23 32,825 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php-win.exe
2007-05-02 23:23 32,821 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php.exe
2007-05-02 23:23 28,731 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5nsapi.dll
2007-05-02 23:23 28,731 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5isapi.dll
2007-05-02 23:23 278,800 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ntwdblib.dll
2007-05-02 23:23 237,626 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_curl.dll
2007-05-02 23:23 200,704 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ssleay32.dll
2007-05-02 23:23 166,912 ----a-w C:\WINDOWS\inf\Apache2.2\bin\libmcrypt.dll
2007-05-02 23:23 1,531,904 ----a-w C:\WINDOWS\inf\Apache2.2\bin\libmysql.dll
2007-04-07 21:22 1,692,672 --sha-w C:\Program Files\ehthumbs.db
2007-01-10 03:20 77,891 ----a-w C:\WINDOWS\inf\Apache2.2\bin\htdbm.exe
2007-01-10 03:20 77,889 ----a-w C:\WINDOWS\inf\Apache2.2\bin\abs.exe
2007-01-10 03:20 73,798 ----a-w C:\WINDOWS\inf\Apache2.2\bin\htpasswd.exe
2007-01-10 03:20 69,702 ----a-w C:\WINDOWS\inf\Apache2.2\bin\htdigest.exe
2007-01-10 03:20 65,600 ----a-w C:\WINDOWS\inf\Apache2.2\bin\ab.exe
2007-01-10 03:20 53,322 ----a-w C:\WINDOWS\inf\Apache2.2\bin\htcacheclean.exe
2007-01-10 03:20 45,128 ----a-w C:\WINDOWS\inf\Apache2.2\bin\rotatelogs.exe
2007-01-10 03:20 41,041 ----a-w C:\WINDOWS\inf\Apache2.2\bin\ApacheMonitor.exe
2007-01-10 03:20 20,554 ----a-w C:\WINDOWS\inf\Apache2.2\bin\wintty.exe
2007-01-10 03:20 20,552 ----a-w C:\WINDOWS\inf\Apache2.2\bin\logresolve.exe
2007-01-10 03:17 266,302 ----a-w C:\WINDOWS\inf\Apache2.2\bin\libhttpd.dll
2007-01-10 03:17 20,539 ----a-w C:\WINDOWS\inf\Apache2.2\bin\httpd.exe
2007-01-10 03:16 168,018 ----a-w C:\WINDOWS\inf\Apache2.2\bin\libaprutil-1.dll
2007-01-10 03:08 36,948 ----a-w C:\WINDOWS\inf\Apache2.2\bin\libapriconv-1.dll
2007-01-10 03:07 127,049 ----a-w C:\WINDOWS\inf\Apache2.2\bin\libapr-1.dll
2007-01-10 03:02 278,593 ----a-w C:\WINDOWS\inf\Apache2.2\bin\openssl.exe
2007-01-10 02:59 200,770 ----a-w C:\WINDOWS\inf\Apache2.2\bin\ssleay32.dll
2007-01-10 02:58 1,069,122 ----a-w C:\WINDOWS\inf\Apache2.2\bin\libeay32.dll
2006-09-27 19:23 73,783 ----a-w C:\WINDOWS\inf\Apache2.2\bin\zlib1.dll
2006-02-19 07:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F36218C-9386-4115-9906-FE1B2B12958D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8cb295fb-809d-4cd8-a70d-9cd7ed92f2d2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c73c5cbe-fd53-403a-9608-de1bbb749803}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 21:29]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-12-01 15:17]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C2K"="C:\WINDOWS\Cyb2k.exe" [2006-07-11 07:44]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 17:44]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-10 06:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-09-17 00:07 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-10 06:00 C:\WINDOWS\system32\rundll32.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 21:33]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 03:21:22]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 06:56:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnopop]
pmnopop.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
R2 elagopro;GoProto Protocol Driver for LELA;C:\WINDOWS\system32\DRIVERS\elagopro.sys
R2 elaunidr;UniDriver for LELA;C:\WINDOWS\system32\DRIVERS\elaunidr.sys
R2 WMSELService;Windows Management Extended Licence Service;C:\WINDOWS\inf\svchost\svchost.exe
R2 WMSLService;Windows Management Licence Service;C:\WINDOWS\inf\svchost.exe
S2 Apache2.2;Apache2.2;"C:\WINDOWS\inf\Apache2.2\bin\httpd.exe" -k runservice

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f7e1bc7-2b69-11dc-9091-001320e0829d}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bcf0ac88-ec49-11db-906a-001320e0829d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-08 18:35:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-15 06:29:37 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-12-01 06:00:21 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-12-10 15:09:27 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 10:07:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-10 10:11:05 - machine was rebooted
.
--- E O F ---


Here is the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:47 AM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe

Thank you so much. Those files are Greek to me! :blink: Your help is much appreciated and I will be overjoyed to make a donation if you can help me figure this out! :thumbsup:
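The HijackThis log in post #1 and the ComboFix log in post #3 show a handful of shapes that a malware analyst scans for by eye: a copy of svchost.exe running from C:\WINDOWS\inf rather than System32, an Apache web server and PHP installed under C:\WINDOWS\inf, a Run value with a random hex name loading a DLL through rundll32, services with no registered vendor, and hidden+system .ini files with random eight-letter names in System32. The script below is an added example, not part of this thread and not code from HijackThis or ComboFix, that applies those checks to log lines. The sample lines are copied from the two logs above; every rule is a heuristic that produces a shortlist for review, not a verdict.

```python
"""Triage of HijackThis / ComboFix log lines for the patterns visible in this thread.

Added example; not part of the original posts or of either tool. Every rule is a
heuristic: a finding means "look at this", not "this is malware".
"""
import re
from pathlib import PureWindowsPath

# Binaries that Windows XP ships only in these directories (all comparisons lower-case).
SYSTEM32 = r"c:\windows\system32"
HOME_DIR = {
    "smss.exe": {SYSTEM32}, "csrss.exe": {SYSTEM32}, "winlogon.exe": {SYSTEM32},
    "services.exe": {SYSTEM32}, "lsass.exe": {SYSTEM32}, "svchost.exe": {SYSTEM32},
    "rundll32.exe": {SYSTEM32}, "explorer.exe": {r"c:\windows"},
}
# %WINDIR% subdirectories that hold data (driver .inf files, fonts, job files), not programs.
DATA_ONLY_DIRS = (r"c:\windows\inf", r"c:\windows\fonts", r"c:\windows\tasks")
EXEC_EXT = (".exe", ".dll", ".sys")

# A drive-letter path up to the first program/data extension. Spaces are allowed because
# HijackThis prints "C:\Program Files\..." unquoted in its process list.
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|sys|ini2?)\b", re.I)
RUN_NAME_RE = re.compile(r"\\Run: \[([^\]]+)\]")   # value name of a HijackThis O4 line
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")          # e.g. a499f81a
# ComboFix file listing: "... <size> <attributes> <path>", attributes such as --ahs----
COMBOFIX_FILE_RE = re.compile(r"\s([-a-z]{7,9})\s+([a-z]:\\.+)$", re.I)


def _under(parent: str, directory: str) -> bool:
    return parent == directory or parent.startswith(directory + "\\")


def suspicious(line: str) -> list[tuple[str, str]]:
    """Return (reason, detail) findings for one log line; [] if nothing stands out."""
    findings = []
    for m in PATH_RE.finditer(line):
        path = m.group(0)
        p = PureWindowsPath(path)
        name, parent = p.name.lower(), str(p.parent).lower()
        # svchost.exe, lsass.exe etc. living anywhere but System32 is the classic masquerade.
        if name in HOME_DIR and parent not in HOME_DIR[name]:
            findings.append(("system binary outside its home directory", path))
        # A web server or a "svchost" under C:\WINDOWS\inf has no business being there.
        if name.endswith(EXEC_EXT) and any(_under(parent, d) for d in DATA_ONLY_DIRS):
            findings.append(("executable under a data-only Windows directory", path))
    m = RUN_NAME_RE.search(line)
    if m and HEX_NAME_RE.match(m.group(1)) and "rundll32" in line.lower():
        # Random hex value name plus rundll32 loading a DLL: the shape of the a499f81a entry.
        findings.append(("Run value with hex name loading a DLL via rundll32", m.group(1)))
    if "Unknown owner" in line:
        pm = PATH_RE.search(line)
        findings.append(("service with no registered vendor", pm.group(0) if pm else line))
    m = COMBOFIX_FILE_RE.search(line)
    if m:
        attrs, path = m.group(1), m.group(2).strip()
        parent = str(PureWindowsPath(path).parent).lower()
        # Hidden+system files dropped into System32, as the ComboFix listing shows.
        if "h" in attrs and "s" in attrs and parent == SYSTEM32:
            findings.append(("hidden+system file in system32", path))
    return findings


def triage(log_text: str) -> list[tuple[int, str, str]]:
    """Run suspicious() over every line; returns (line number, reason, detail) triples."""
    return [(n, reason, detail)
            for n, line in enumerate(log_text.splitlines(), 1)
            for reason, detail in suspicious(line)]


# Lines copied from the HijackThis and ComboFix logs posted in this thread.
SAMPLE = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\inf\svchost\svchost.exe
C:\WINDOWS\inf\svchost.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [a499f81a] "rundll32.exe" "C:\WINDOWS\system32\lfpwddys.dll",b
O23 - Service: Apache2.2 - Apache Software Foundation - C:\WINDOWS\inf\Apache2.2\bin\httpd.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
2007-12-09 13:23 . 2007-12-09 18:17 843,032 --ahs---- C:\WINDOWS\system32\hkhuttgc.ini
2007-12-08 20:44 . 2007-12-08 20:44 <DIR> d-------- C:\Program Files\Trend Micro
R2 WMSELService;Windows Management Extended Licence Service;C:\WINDOWS\inf\svchost\svchost.exe
2006-02-19 07:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
""".strip()

if __name__ == "__main__":
    for n, reason, detail in triage(SAMPLE):
        print(f"line {n:2d}: {reason}: {detail}")
```

Run it against a full saved log with `triage(open("hijackthis.log").read())`; the legitimate System32 svchost.exe and the NVIDIA rundll32 entry produce no findings, while the two svchost copies under C:\WINDOWS\inf are flagged twice each (wrong home directory, and a data-only directory). "Unknown owner" on its own is weak evidence, which is why each reason is kept separate rather than summed into a score.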

#4 SifuMike (malware expert; Members, 15,385 posts; Location: Vancouver (not BC) WA (Not DC) USA)

Posted 10 December 2007 - 01:01 PM

Hi stephensfamily5,

You have some suspicious files we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'Show hidden files and folders',
deselect (uncheck) 'Hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Go to the following site: http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to the following file:

C:\WINDOWS\inf\svchost.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for the following file:

C:\WINDOWS\inf\svchost\svchost.exe


Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at VirusTotal so they can send me the scan results. They usually only take a couple of minutes to reply.
You can copy/paste the scan results here.

****************

You posted a partial Hijackthis log. Please post the entire log so I can see what is left to delete.
Thanks. :thumbsup:

Edited by SifuMike, 10 December 2007 - 01:09 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 stephensfamily5


Posted 10 December 2007 - 02:14 PM

SifuMike,

I ran VirusTotal on the file C:\WINDOWS\inf\svchost.exe, but there was no file C:\WINDOWS\inf\svchost\svchost.exe.

Here are the results from the scan:

File svchost.exe received on 10.24.2007 18:26:36 (CET)
Result: 7/32 (21.88%)


Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - HEUR/Crypted
Authentium - - Possibly a new variant of W32/Threat-SysVenFak-based!Maximus
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - W32/Threat-SysVenFak-based!Maximus
F-Secure - - -
Ikarus - - Trojan-Proxy.Win32.Delf.bx
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - Suspicious file
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - Trojan Horse
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Heuristic.Crypted
Additional information
MD5: 5b696630fe96083c111cfc2a9f92daab


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

I ran Hijack This again, and here's what I came up with. Hopefully this is the entire scan this time.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:52:49 PM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\inf\svchost\svchost.exe
C:\WINDOWS\inf\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Cyb2k.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\freecell.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566.../www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7F36218C-9386-4115-9906-FE1B2B12958D} - (no file)
O2 - BHO: (no name) - {8cb295fb-809d-4cd8-a70d-9cd7ed92f2d2} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {c73c5cbe-fd53-403a-9608-de1bbb749803} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKLM\..\Run: [MBkLogOnHook] "C:\Program Files\McAfee\MBK\LogOnHook.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: pmnopop - pmnopop.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\WINDOWS\inf\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10496 bytes

Thanks again! :thumbsup:
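
The HijackThis log above carries the kinds of indicators a helper reads off by eye: BHO entries whose DLL is gone ("(no file)"), a Winlogon Notify package whose DLL is missing, and copies of svchost.exe running from C:\WINDOWS\inf instead of system32. As an added example, not a BleepingComputer or HijackThis tool, the Python below encodes four of those triage checks and runs them over lines excerpted from that log (plus a few clean lines for contrast). The system directory path, the rule names and the list of core OS binaries are assumptions made for this example.

```python
"""Triage helper for HijackThis-style log lines (added example, not a BleepingComputer tool)."""
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: the machine's system directory is C:\WINDOWS\system32, as in the log above.
SYSTEM32 = r"c:\windows\system32"
WINDOWS_INF = r"c:\windows\inf"

# Assumption: core OS binaries that only ever run from system32 on a stock XP install.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
                   "csrss.exe", "smss.exe", "spoolsv.exe"}

# First drive-letter path on a line, ending at an .exe/.dll/.sys extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys)', re.IGNORECASE)

# Lines excerpted from the HijackThis log posted above, plus clean lines for contrast.
SAMPLE_LOG = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\inf\svchost\svchost.exe",
    r"C:\WINDOWS\inf\svchost.exe",
    r"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {7F36218C-9386-4115-9906-FE1B2B12958D} - (no file)",
    r"O20 - Winlogon Notify: pmnopop - pmnopop.dll (file missing)",
    r"O23 - Service: Apache2.2 - Apache Software Foundation - C:\WINDOWS\inf\Apache2.2\bin\httpd.exe",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]


@dataclass
class Finding:
    rule: str
    line: str


def analyze(lines):
    """Return a Finding for every line that matches one of the triage rules."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        # Rule 1: a BHO still registered in the registry whose DLL is gone (a leftover to clean up).
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append(Finding("orphaned_bho", line))
            continue
        # Rule 2: a Winlogon Notify package pointing at a DLL that no longer exists.
        if line.startswith("O20 - Winlogon Notify:") and "(file missing)" in line:
            findings.append(Finding("orphaned_winlogon_notify", line))
            continue
        m = PATH_RE.search(line)
        if not m:
            continue
        parent, _, name = m.group(0).lower().rpartition("\\")
        # Rule 3: a core OS binary name (svchost.exe etc.) running from anywhere but system32.
        if name in SYSTEM_BINARIES and parent != SYSTEM32:
            findings.append(Finding("system_binary_name_outside_system32", line))
        # Rule 4: any executable under C:\WINDOWS\inf, which should hold only driver .inf/.pnf files.
        elif parent == WINDOWS_INF or parent.startswith(WINDOWS_INF + "\\"):
            findings.append(Finding("executable_under_windows_inf", line))
    return findings


def summarize(findings):
    """Count findings per rule, so a whole log can be checked at a glance."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.rule:40} {f.line}")
    print(summarize(analyze(SAMPLE_LOG)))
```

Run against the sample it flags both inf-resident svchost.exe copies, the orphaned BHO, the missing pmnopop.dll notify entry and the Apache service living under C:\WINDOWS\inf, and leaves the system32 svchost, the Java updater, the Adobe BHO and the NVIDIA service alone. Rule 3 is checked before Rule 4 on purpose: a system binary name in the wrong directory is the stronger signal, so a file that matches both is reported once under that rule.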

#6 SifuMike

    malware expert

Posted 10 December 2007 - 03:27 PM

Hi stephensfamily5,


Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O2 - BHO: (no name) - {7F36218C-9386-4115-9906-FE1B2B12958D} - (no file)
O2 - BHO: (no name) - {8cb295fb-809d-4cd8-a70d-9cd7ed92f2d2} - (no file)
O2 - BHO: (no name) - {c73c5cbe-fd53-403a-9608-de1bbb749803} - (no file)
O20 - Winlogon Notify: pmnopop - pmnopop.dll (file missing)



Make sure Windows Defender and TeaTimer are disabled.

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\inf\svchost.exe
C:\WINDOWS\system32\hkhuttgc.ini
C:\WINDOWS\system32\syddwpfl.ini
C:\WINDOWS\system32\errvxmid.ini
C:\WINDOWS\system32\qiuqydrr.ini
C:\WINDOWS\system32\ajglonga.ini
C:\WINDOWS\system32\kasikcdb.ini
C:\WINDOWS\system32\wthvykao.ini
C:\WINDOWS\system32\khudevnj.ini
C:\WINDOWS\system32\hvkelgka.ini


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


[screenshot: dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by SifuMike, 10 December 2007 - 03:30 PM.


#7 stephensfamily5


Posted 10 December 2007 - 07:26 PM

Okay, here is the Combofix.txt

ComboFix 07-12-09.1 - StephensFamily 2007-12-10 19:16:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.355 [GMT -5:00]
Running from: C:\Documents and Settings\StephensFamily\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\StephensFamily\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\inf\svchost.exe
C:\WINDOWS\system32\ajglonga.ini
C:\WINDOWS\system32\errvxmid.ini
C:\WINDOWS\system32\hkhuttgc.ini
C:\WINDOWS\system32\hvkelgka.ini
C:\WINDOWS\system32\kasikcdb.ini
C:\WINDOWS\system32\khudevnj.ini
C:\WINDOWS\system32\qiuqydrr.ini
C:\WINDOWS\system32\syddwpfl.ini
C:\WINDOWS\system32\wthvykao.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\inf\svchost.exe
C:\WINDOWS\system32\ajglonga.ini
C:\WINDOWS\system32\errvxmid.ini
C:\WINDOWS\system32\hkhuttgc.ini
C:\WINDOWS\system32\hvkelgka.ini
C:\WINDOWS\system32\kasikcdb.ini
C:\WINDOWS\system32\khudevnj.ini
C:\WINDOWS\system32\qiuqydrr.ini
C:\WINDOWS\system32\syddwpfl.ini
C:\WINDOWS\system32\wthvykao.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.

2007-12-08 20:44 . 2007-12-08 20:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-08 11:43 . 2007-12-08 13:16 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-07 14:05 . 2007-12-07 14:05 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-07 14:05 . 2007-12-07 14:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-06 20:45 . 2007-12-06 20:45 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-11-28 17:55 . 2007-11-28 17:57 <DIR> d-------- C:\Program Files\Linksys EasyLink Advisor
2007-11-27 17:58 . 2007-11-27 17:58 49 --a------ C:\WINDOWS\hpntwksetup.ini
2007-11-27 17:04 . 2007-11-27 17:05 116,458 --------- C:\WINDOWS\hpoins11.dat.temp
2007-11-27 17:04 . 2006-05-05 16:18 11,634 --------- C:\WINDOWS\hpomdl11.dat.temp
2007-11-25 18:13 . 2007-11-25 18:14 166,064 --a------ C:\Program Files\FixVundo.exe
2007-11-25 00:10 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-11-25 00:09 . 2007-11-25 00:09 164 --a------ C:\install.dat
2007-11-25 00:06 . 2007-11-25 00:07 14,651,472 --a------ C:\Program Files\SpySweeperRegSetup_EN.exe
2007-11-24 21:27 . 2007-12-10 11:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-24 21:27 . 2007-11-24 21:27 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-24 21:24 . 2007-11-24 21:24 <DIR> d-------- C:\Program Files\Webroot
2007-11-24 21:24 . 2007-11-24 21:24 <DIR> d-------- C:\Documents and Settings\StephensFamily\Application Data\Webroot
2007-11-24 21:24 . 2007-11-24 21:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-11-24 21:24 . 2007-11-24 21:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-11-24 21:24 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-11-24 21:24 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-11-24 21:24 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-11-24 21:24 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-11-24 21:21 . 2007-11-24 21:23 <DIR> d-------- C:\Documents and Settings\StephensFamily\Application Data\GetRightToGo
2007-11-20 19:22 . 2007-11-20 19:22 <DIR> d-------- C:\Program Files\Red Kawa
2007-11-20 19:22 . 2007-11-20 19:22 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-20 19:17 . 2007-12-07 13:28 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-18 22:51 . 2007-11-18 22:51 40,733 --a------ C:\WINDOWS\system32\rightonadz-uninst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 16:35 --------- d-----w C:\Program Files\Steam
2007-12-08 01:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-07 19:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-07 03:14 --------- d-----w C:\Program Files\Dell Support
2007-12-07 02:38 140 ----a-w C:\Program Files\FixVundo.log
2007-11-24 21:31 5,154,304 ----a-w C:\Program Files\WindowsDefender.msi
2007-11-21 23:24 --------- d-----w C:\Program Files\McAfee
2007-11-20 23:18 --------- d-----w C:\Program Files\Broderbund
2007-11-02 22:08 --------- d-----w C:\Program Files\Common Files\McAfee
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-18 22:27 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-18 22:18 --------- d-----w C:\Documents and Settings\StephensFamily\Application Data\AdobeUM
2007-10-15 01:06 --------- d-----w C:\Documents and Settings\StephensFamily\Application Data\BitTorrent
2007-10-08 01:59 245,160 ----a-w C:\WINDOWS\system32\DelZip179.dll
2007-10-03 08:58 685,568 ----a-w C:\WINDOWS\inf\svchost\svchost.exe
2007-10-03 08:48 425,984 ----a-w C:\WINDOWS\inf\svchost\extract_cert.exe
2007-09-28 19:52 9,636 ----a-w C:\WINDOWS\system32\gnfil.dll
2007-09-28 19:52 88,076 ----a-w C:\WINDOWS\system32\adwfil.dll
2007-09-28 19:52 8,652 ----a-w C:\WINDOWS\system32\jbfil.dll
2007-09-28 19:52 7,582 ----a-w C:\WINDOWS\system32\movfil.dll
2007-09-28 19:52 7,504 ----a-w C:\WINDOWS\system32\auctfil.dll
2007-09-28 19:52 7,036 ----a-w C:\WINDOWS\system32\pkmon.dll
2007-09-28 19:52 6,830 ----a-w C:\WINDOWS\system32\swfil.dll
2007-09-28 19:52 5,394 ----a-w C:\WINDOWS\system32\wrestfil.dll
2007-09-28 19:52 5,180 ----a-w C:\WINDOWS\system32\iawfil.dll
2007-09-28 19:52 4,826 ----a-w C:\WINDOWS\system32\vgamfil.dll
2007-09-28 19:52 4,442 ----a-w C:\WINDOWS\system32\hatfil.dll
2007-09-28 19:52 3,818 ----a-w C:\WINDOWS\system32\viofil.dll
2007-09-28 19:52 3,444 ----a-w C:\WINDOWS\system32\srchin.dll
2007-09-28 19:52 3,286 ----a-w C:\WINDOWS\system32\lgwfil.dll
2007-09-28 19:52 22,384 ----a-w C:\WINDOWS\system32\perfil.dll
2007-09-28 19:52 17,488 ----a-w C:\WINDOWS\system32\nvgamfil.dll
2007-09-28 19:52 16,732 ----a-w C:\WINDOWS\system32\popfil.dll
2007-09-28 19:52 157,916 ----a-w C:\WINDOWS\system32\pxyfil.dll
2007-09-28 19:52 14,412 ----a-w C:\WINDOWS\system32\tafil.dll
2007-09-28 19:52 13,112 ----a-w C:\WINDOWS\system32\finfil.dll
2007-09-28 19:52 13,034 ----a-w C:\WINDOWS\system32\gblfil.dll
2007-09-28 19:52 12,502 ----a-w C:\WINDOWS\system32\psyfil.dll
2007-09-28 19:52 12,350 ----a-w C:\WINDOWS\system32\entfil.dll
2007-09-28 19:52 12,114 ----a-w C:\WINDOWS\system32\sporfil.dll
2007-09-28 19:52 11,164 ----a-w C:\WINDOWS\system32\fmfil.dll
2007-09-28 19:52 10,862 ----a-w C:\WINDOWS\system32\chtfil.dll
2007-09-28 10:38 27,648 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\auth.exe
2007-09-23 23:29 749,352 ----a-w C:\WINDOWS\SSCRG.exe
2007-09-22 23:27 839,976 ----a-w C:\WINDOWS\SSLS.exe
2007-09-21 18:53 1,187,840 ----a-w C:\WINDOWS\inf\svchost\ChilkatCert_NT4.dll
2007-09-17 06:10 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-09-17 05:07 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-09-17 05:07 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-09-17 05:07 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-09-17 05:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-09-17 05:07 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-09-17 05:07 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-09-17 05:07 5,783,040 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-09-17 05:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-09-17 05:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-09-17 05:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-09-17 05:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-09-17 05:07 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-09-17 05:07 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-09-17 05:07 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-09-17 05:07 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-09-17 05:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-09-17 05:07 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-09-17 05:07 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-09-17 05:07 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-09-17 05:07 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-09-17 05:07 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-09-17 05:07 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-09-17 05:07 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-09-17 05:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-09-17 05:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-17 05:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-09-17 05:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-09-17 05:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-09-17 05:07 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-09-17 05:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-09-10 20:40 953,344 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\pserver.exe
2007-09-10 20:40 56,320 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\gnu_regex.dll
2007-09-10 20:40 200,704 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\ssleay32.dll
2007-09-10 20:40 1,850,594 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\pserver.debug.exe
2007-09-10 20:40 1,097,728 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\libeay32.dll
2007-05-02 23:23 950,329 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_gd2.dll
2007-05-02 23:23 90,112 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\fribidi.dll
2007-05-02 23:23 69,689 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_bz2.dll
2007-05-02 23:23 65,597 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_openssl.dll
2007-05-02 23:23 57,410 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5apache_hooks.dll
2007-05-02 23:23 57,401 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_zip.dll
2007-05-02 23:23 57,344 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\msql.dll
2007-05-02 23:23 49,213 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_sockets.dll
2007-05-02 23:23 49,211 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_mysql.dll
2007-05-02 23:23 417,792 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\fdftk.dll
2007-05-02 23:23 41,020 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_mcrypt.dll
2007-05-02 23:23 41,017 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php-cgi.exe
2007-05-02 23:23 4,771,896 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5ts.dll
2007-05-02 23:23 385,024 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\libswish-e.dll
2007-05-02 23:23 360,448 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\yaz.dll
2007-05-02 23:23 36,934 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5apache2_2_filter.dll
2007-05-02 23:23 36,932 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5apache2_filter.dll
2007-05-02 23:23 36,927 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5apache2_2.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-10_10.09.23.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-10 12:13:53 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-10 20:44:10 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-10 12:13:53 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-10 20:44:10 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-10 20:44:10 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-10 16:44:44 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_62c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 21:29]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-12-01 15:17]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C2K"="C:\WINDOWS\Cyb2k.exe" [2006-07-11 07:44]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 17:44]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-10 06:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-09-17 00:07 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-10 06:00 C:\WINDOWS\system32\rundll32.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 21:33]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 03:21:22]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 06:56:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
R2 elagopro;GoProto Protocol Driver for LELA;C:\WINDOWS\system32\DRIVERS\elagopro.sys
R2 elaunidr;UniDriver for LELA;C:\WINDOWS\system32\DRIVERS\elaunidr.sys
R2 WMSELService;Windows Management Extended Licence Service;C:\WINDOWS\inf\svchost\svchost.exe
R2 WMSLService;Windows Management Licence Service;C:\WINDOWS\inf\svchost.exe
S2 Apache2.2;Apache2.2;"C:\WINDOWS\inf\Apache2.2\bin\httpd.exe" -k runservice

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f7e1bc7-2b69-11dc-9091-001320e0829d}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bcf0ac88-ec49-11db-906a-001320e0829d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-08 18:35:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-15 06:29:37 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-12-01 06:00:21 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-12-10 16:37:32 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 19:19:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-10 19:20:13
C:\ComboFix2.txt ... 2007-12-10 10:11
.
--- E O F ---


Here is the Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:02 PM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\inf\svchost\svchost.exe
C:\WINDOWS\inf\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Cyb2k.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKLM\..\Run: [MBkLogOnHook] "C:\Program Files\McAfee\MBK\LogOnHook.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\WINDOWS\inf\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows Management Licence Service (WMSLService) - Unknown owner - C:\WINDOWS\inf\svchost.exe (file missing)

--
End of file - 9834 bytes

Thanks so much. My computer seems to be running faster. :thumbsup:

#8 SifuMike (malware expert)

Posted 11 December 2007 - 12:31 AM

Hi stephensfamily5,

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'


Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\inf\svchost\extract_cert.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for next files:
C:\WINDOWS\inf\svchost\svchost.exe

Once scanned, copy and paste the results also in your next reply.




Please double-click on My Computer and locate the file C:\WINDOWS\inf\svchost\extract_cert.exe.
Right-click on it and choose "Properties",
then click on the "Version" tab at the top.
Click on "Comments", "Company", "File Version", and "Internal Name" and please post whatever the text in the box immediately to the right says for each.

Then repeat the above with this file:
C:\WINDOWS\inf\svchost\svchost.exe

Edited by SifuMike, 11 December 2007 - 12:42 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 stephensfamily5 (Topic Starter)

Posted 11 December 2007 - 11:36 AM

Hi SifuMike,

My computer seems to be running much better. Here are the results of the scans:

File extract_cert.exe received on 12.11.2007 17:05:30 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/32 (0%)
Loading server information...
Your file is queued in position: 3.
Estimated start time is between 44 and 63 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2007.12.11.2 2007.12.11 -
AntiVir 7.6.0.40 2007.12.11 -
Authentium 4.93.8 2007.12.11 -
Avast 4.7.1098.0 2007.12.10 -
AVG 7.5.0.503 2007.12.10 -
BitDefender 7.2 2007.12.11 -
CAT-QuickHeal 9.00 2007.12.11 -
ClamAV 0.91.2 2007.12.11 -
DrWeb 4.44.0.09170 2007.12.11 -
eSafe 7.0.15.0 2007.12.11 -
eTrust-Vet 31.3.5369 2007.12.11 -
Ewido 4.0 2007.12.11 -
FileAdvisor 1 2007.12.11 -
Fortinet 3.14.0.0 2007.12.11 -
F-Prot 4.4.2.54 2007.12.10 -
F-Secure 6.70.13030.0 2007.12.11 -
Ikarus T3.1.1.12 2007.12.11 -
Kaspersky 7.0.0.125 2007.12.11 -
McAfee 5182 2007.12.10 -
Microsoft 1.3007 2007.12.11 -
NOD32v2 2716 2007.12.11 -
Norman 5.80.02 2007.12.10 -
Panda 9.0.0.4 2007.12.10 -
Prevx1 V2 2007.12.11 -
Rising 20.21.42.00 2007.12.07 -
Sophos 4.24.0 2007.12.11 -
Sunbelt 2.2.907.0 2007.12.07 -
Symantec 10 2007.12.11 -
TheHacker 6.2.9.155 2007.12.10 -
VBA32 3.12.2.5 2007.12.10 -
VirusBuster 4.3.26:9 2007.12.11 -
Webwasher-Gateway 6.0.1 2007.12.11 -
Additional information
File size: 425984 bytes
MD5: 11b1007c6add15a9e3ea2b96476acd4c
SHA1: 38334b320982f6d094548430f3d913a5501903c8
PEiD: -


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.



File svchost.exe received on 12.11.2007 17:12:44 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 9/32 (28.13%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2007.12.11.2 2007.12.11 Win-Trojan/Agent.685568
AntiVir 7.6.0.40 2007.12.11 HEUR/Crypted
Authentium 4.93.8 2007.12.11 Possibly a new variant of W32/Threat-SysVenFak-based!Maximus
Avast 4.7.1098.0 2007.12.10 Win32:Trojan-gen {Delphi}
AVG 7.5.0.503 2007.12.10 -
BitDefender 7.2 2007.12.11 -
CAT-QuickHeal 9.00 2007.12.11 -
ClamAV 0.91.2 2007.12.11 -
DrWeb 4.44.0.09170 2007.12.11 -
eSafe 7.0.15.0 2007.12.11 -
eTrust-Vet 31.3.5369 2007.12.11 -
Ewido 4.0 2007.12.11 -
FileAdvisor 1 2007.12.11 -
Fortinet 3.14.0.0 2007.12.11 Spy/Banker
F-Prot 4.4.2.54 2007.12.10 W32/Threat-SysVenFak-based!Maximus
F-Secure 6.70.13030.0 2007.12.11 -
Ikarus T3.1.1.12 2007.12.11 Virus.Win32.Trojan
Kaspersky 7.0.0.125 2007.12.11 -
McAfee 5182 2007.12.10 -
Microsoft 1.3007 2007.12.11 -
NOD32v2 2716 2007.12.11 -
Norman 5.80.02 2007.12.10 -
Panda 9.0.0.4 2007.12.10 Suspicious file
Prevx1 V2 2007.12.11 -
Rising 20.21.42.00 2007.12.07 -
Sophos 4.24.0 2007.12.11 -
Sunbelt 2.2.907.0 2007.12.07 -
Symantec 10 2007.12.11 -
TheHacker 6.2.9.155 2007.12.10 -
VBA32 3.12.2.5 2007.12.10 -
VirusBuster 4.3.26:9 2007.12.11 -
Webwasher-Gateway 6.0.1 2007.12.11 Heuristic.Crypted
Additional information
File size: 685568 bytes
MD5: 846a5758269f3de565817fa8aab51a95
SHA1: 54b016eccf7f7a95b6f128e81a26ff3fd66a2dc3
PEiD: -


I went to My Properties for this file: C:\WINDOWS\inf\svchost\extract_cert.exe but there was no VERSION tab.

The next file, C:\WINDOWS\inf\svchost\svchost.exe, did have a VERSION tab, and this is what it said. There was no COMMENTS. Under COMPANY it said Microsoft Corporation. Under FILE VERSION it said 5.1.0.0. Under INTERNAL NAME it said Windows Management Extended Licence Service.

Once again, thank you. :thumbsup:

#10 SifuMike (malware expert)

Posted 11 December 2007 - 06:51 PM

Hi stephensfamily5,


You're very welcome. :thumbsup:

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O23 - Service: Windows Management Licence Service (WMSLService) - Unknown owner - C:\WINDOWS\inf\svchost.exe (file missing)

Let's delete the bad service:
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the code box to Notepad.
Save it to your desktop, make sure the file type is All Files, and name it FixServices.bat


@echo off
sc stop WMSLService
sc delete WMSLService
exit

Double click FixServices.bat. A window will open and close. This is normal.


Click Start, then Run, type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\inf\svchost\svchost.exe


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by SifuMike, 11 December 2007 - 06:55 PM.

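The two fake services in this thread stand out for reasons a script can check: an svchost.exe that does not live in system32, a service binary under C:\WINDOWS\inf, an "Unknown owner" entry, and an image that is already missing. The following triage is an added example, not code from the thread, HijackThis or ComboFix; it parses HijackThis O23 lines and ComboFix R*/S* service lines and flags those conditions. The sample lines are constructed from the logs posted above, and the trusted-folder rules are this example's own assumptions.

```python
import re

# Constructed sample lines modelled on the HijackThis O23 and ComboFix
# service entries posted in this thread (not copied from a live system).
SAMPLE_LINES = [
    r"O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe",
    r"O23 - Service: Windows Management Licence Service (WMSLService) - Unknown owner - C:\WINDOWS\inf\svchost.exe (file missing)",
    r"R2 WMSELService;Windows Management Extended Licence Service;C:\WINDOWS\inf\svchost\svchost.exe",
    r'S2 Apache2.2;Apache2.2;"C:\WINDOWS\inf\Apache2.2\bin\httpd.exe" -k runservice',
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]

SYSTEM32 = r"c:\windows\system32"   # the only legitimate home of svchost.exe on XP
INF_DIR = r"c:\windows\inf"         # setup-information folder; no service should run from here

# HijackThis O23 line: "O23 - Service: <display> - <owner> - <command>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<cmd>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# ComboFix service line: "<R|S><start type> <name>;<display>;<command>"
CF_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<cmd>.+)$")
# First drive-letter path ending in an executable extension, quoted or not.
IMAGE_RE = re.compile(r'^"?(?P<path>[a-z]:\\.*?\.(?:exe|sys|dll))"?', re.IGNORECASE)


def image_path(cmd: str) -> str:
    """Strip quotes and arguments, leaving only the service image path."""
    m = IMAGE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def parse_line(line: str):
    """Return a service record for an O23 or ComboFix service line, else None."""
    m = O23_RE.match(line.strip())
    if m:
        return {"name": m.group("display"), "owner": m.group("owner"),
                "path": image_path(m.group("cmd")),
                "missing": m.group("missing") is not None}
    m = CF_RE.match(line.strip())
    if m:
        return {"name": f"{m.group('display')} ({m.group('name')})", "owner": None,
                "path": image_path(m.group("cmd")), "missing": False}
    return None


def assess(entry: dict) -> list:
    """Reasons this service deserves a closer look; an empty list means nothing odd."""
    reasons = []
    path = entry["path"].lower()
    directory, _, filename = path.rpartition("\\")
    if filename == "svchost.exe" and directory != SYSTEM32:
        reasons.append("svchost.exe running from outside system32")
    if directory == INF_DIR or directory.startswith(INF_DIR + "\\"):
        reasons.append("service binary under WINDOWS\\inf, a setup-information folder")
    if entry["missing"]:
        reasons.append("image file missing: orphaned service entry")
    # Assumption for this example: system32 and Program Files count as standard folders.
    trusted_dir = (directory.startswith(SYSTEM32) or "\\program files" in directory
                   or "\\progra~1" in directory)
    if entry["owner"] == "Unknown owner" and not trusted_dir:
        reasons.append("no vendor information and not in a standard program folder")
    return reasons


def triage(lines):
    """Parse every line and return (name, reasons) for the entries that were flagged."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings.append((entry["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LINES):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample lines, only the two licence-service entries and the Apache install under WINDOWS\inf are reported; the McAfee and NVIDIA services pass clean.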

#11 stephensfamily5 (Topic Starter)

Posted 12 December 2007 - 12:35 AM

Hi Sifu Mike,

I'm hoping that our great online relationship will soon be coming to a close. My computer is working much better. I appreciate so much your help.

Here are the files from ComboFix

ComboFix 07-12-09.1 - StephensFamily 2007-12-12 0:24:56.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.535 [GMT -5:00]
Running from: C:\Documents and Settings\StephensFamily\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\StephensFamily\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\inf\svchost\svchost.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\inf\svchost\svchost.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-12 to 2007-12-12 )))))))))))))))))))))))))))))))
.

2007-12-08 20:44 . 2007-12-08 20:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-08 11:43 . 2007-12-08 13:16 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-07 14:05 . 2007-12-07 14:05 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-07 14:05 . 2007-12-07 14:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-06 20:45 . 2007-12-06 20:45 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-11-28 17:55 . 2007-11-28 17:57 <DIR> d-------- C:\Program Files\Linksys EasyLink Advisor
2007-11-27 17:58 . 2007-11-27 17:58 49 --a------ C:\WINDOWS\hpntwksetup.ini
2007-11-27 17:04 . 2007-11-27 17:05 116,458 --------- C:\WINDOWS\hpoins11.dat.temp
2007-11-27 17:04 . 2006-05-05 16:18 11,634 --------- C:\WINDOWS\hpomdl11.dat.temp
2007-11-25 18:13 . 2007-11-25 18:14 166,064 --a------ C:\Program Files\FixVundo.exe
2007-11-25 00:10 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-11-25 00:09 . 2007-11-25 00:09 164 --a------ C:\install.dat
2007-11-25 00:06 . 2007-11-25 00:07 14,651,472 --a------ C:\Program Files\SpySweeperRegSetup_EN.exe
2007-11-24 21:27 . 2007-12-11 07:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-24 21:27 . 2007-11-24 21:27 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-24 21:24 . 2007-11-24 21:24 <DIR> d-------- C:\Program Files\Webroot
2007-11-24 21:24 . 2007-11-24 21:24 <DIR> d-------- C:\Documents and Settings\StephensFamily\Application Data\Webroot
2007-11-24 21:24 . 2007-11-24 21:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-11-24 21:24 . 2007-11-24 21:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-11-24 21:24 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-11-24 21:24 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-11-24 21:24 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-11-24 21:24 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-11-24 21:21 . 2007-11-24 21:23 <DIR> d-------- C:\Documents and Settings\StephensFamily\Application Data\GetRightToGo
2007-11-20 19:22 . 2007-11-20 19:22 <DIR> d-------- C:\Program Files\Red Kawa
2007-11-20 19:22 . 2007-11-20 19:22 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-20 19:17 . 2007-12-07 13:28 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-18 22:51 . 2007-11-18 22:51 40,733 --a------ C:\WINDOWS\system32\rightonadz-uninst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 12:17 --------- d-----w C:\Program Files\Steam
2007-12-08 01:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-07 19:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-07 03:14 --------- d-----w C:\Program Files\Dell Support
2007-12-07 02:38 140 ----a-w C:\Program Files\FixVundo.log
2007-11-24 21:31 5,154,304 ----a-w C:\Program Files\WindowsDefender.msi
2007-11-21 23:24 --------- d-----w C:\Program Files\McAfee
2007-11-20 23:18 --------- d-----w C:\Program Files\Broderbund
2007-11-02 22:08 --------- d-----w C:\Program Files\Common Files\McAfee
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-18 22:27 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-18 22:18 --------- d-----w C:\Documents and Settings\StephensFamily\Application Data\AdobeUM
2007-10-15 01:06 --------- d-----w C:\Documents and Settings\StephensFamily\Application Data\BitTorrent
2007-10-08 01:59 245,160 ----a-w C:\WINDOWS\system32\DelZip179.dll
2007-10-03 08:48 425,984 ----a-w C:\WINDOWS\inf\svchost\extract_cert.exe
2007-09-28 19:52 9,636 ----a-w C:\WINDOWS\system32\gnfil.dll
2007-09-28 19:52 88,076 ----a-w C:\WINDOWS\system32\adwfil.dll
2007-09-28 19:52 8,652 ----a-w C:\WINDOWS\system32\jbfil.dll
2007-09-28 19:52 7,582 ----a-w C:\WINDOWS\system32\movfil.dll
2007-09-28 19:52 7,504 ----a-w C:\WINDOWS\system32\auctfil.dll
2007-09-28 19:52 7,036 ----a-w C:\WINDOWS\system32\pkmon.dll
2007-09-28 19:52 6,830 ----a-w C:\WINDOWS\system32\swfil.dll
2007-09-28 19:52 5,394 ----a-w C:\WINDOWS\system32\wrestfil.dll
2007-09-28 19:52 5,180 ----a-w C:\WINDOWS\system32\iawfil.dll
2007-09-28 19:52 4,826 ----a-w C:\WINDOWS\system32\vgamfil.dll
2007-09-28 19:52 4,442 ----a-w C:\WINDOWS\system32\hatfil.dll
2007-09-28 19:52 3,818 ----a-w C:\WINDOWS\system32\viofil.dll
2007-09-28 19:52 3,444 ----a-w C:\WINDOWS\system32\srchin.dll
2007-09-28 19:52 3,286 ----a-w C:\WINDOWS\system32\lgwfil.dll
2007-09-28 19:52 22,384 ----a-w C:\WINDOWS\system32\perfil.dll
2007-09-28 19:52 17,488 ----a-w C:\WINDOWS\system32\nvgamfil.dll
2007-09-28 19:52 16,732 ----a-w C:\WINDOWS\system32\popfil.dll
2007-09-28 19:52 157,916 ----a-w C:\WINDOWS\system32\pxyfil.dll
2007-09-28 19:52 14,412 ----a-w C:\WINDOWS\system32\tafil.dll
2007-09-28 19:52 13,112 ----a-w C:\WINDOWS\system32\finfil.dll
2007-09-28 19:52 13,034 ----a-w C:\WINDOWS\system32\gblfil.dll
2007-09-28 19:52 12,502 ----a-w C:\WINDOWS\system32\psyfil.dll
2007-09-28 19:52 12,350 ----a-w C:\WINDOWS\system32\entfil.dll
2007-09-28 19:52 12,114 ----a-w C:\WINDOWS\system32\sporfil.dll
2007-09-28 19:52 11,164 ----a-w C:\WINDOWS\system32\fmfil.dll
2007-09-28 19:52 10,862 ----a-w C:\WINDOWS\system32\chtfil.dll
2007-09-28 10:38 27,648 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\auth.exe
2007-09-23 23:29 749,352 ----a-w C:\WINDOWS\SSCRG.exe
2007-09-22 23:27 839,976 ----a-w C:\WINDOWS\SSLS.exe
2007-09-21 18:53 1,187,840 ----a-w C:\WINDOWS\inf\svchost\ChilkatCert_NT4.dll
2007-09-17 06:10 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-09-17 05:07 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-09-17 05:07 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-09-17 05:07 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-09-17 05:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-09-17 05:07 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-09-17 05:07 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-09-17 05:07 5,783,040 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-09-17 05:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-09-17 05:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-09-17 05:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-09-17 05:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-09-17 05:07 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-09-17 05:07 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-09-17 05:07 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-09-17 05:07 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-09-17 05:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-09-17 05:07 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-09-17 05:07 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-09-17 05:07 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-09-17 05:07 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-09-17 05:07 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-09-17 05:07 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-09-17 05:07 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-09-17 05:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-09-17 05:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-17 05:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-09-17 05:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-09-17 05:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-09-17 05:07 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-09-17 05:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-09-10 20:40 953,344 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\pserver.exe
2007-09-10 20:40 56,320 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\gnu_regex.dll
2007-09-10 20:40 200,704 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\ssleay32.dll
2007-09-10 20:40 1,850,594 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\pserver.debug.exe
2007-09-10 20:40 1,097,728 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\libeay32.dll
2007-05-02 23:23 950,329 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_gd2.dll
2007-05-02 23:23 90,112 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\fribidi.dll
2007-05-02 23:23 69,689 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_bz2.dll
2007-05-02 23:23 65,597 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_openssl.dll
2007-05-02 23:23 57,410 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5apache_hooks.dll
2007-05-02 23:23 57,401 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_zip.dll
2007-05-02 23:23 57,344 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\msql.dll
2007-05-02 23:23 49,213 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_sockets.dll
2007-05-02 23:23 49,211 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_mysql.dll
2007-05-02 23:23 417,792 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\fdftk.dll
2007-05-02 23:23 41,020 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_mcrypt.dll
2007-05-02 23:23 41,017 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php-cgi.exe
2007-05-02 23:23 4,771,896 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5ts.dll
2007-05-02 23:23 385,024 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\libswish-e.dll
2007-05-02 23:23 360,448 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\yaz.dll
2007-05-02 23:23 36,934 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5apache2_2_filter.dll
2007-05-02 23:23 36,932 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5apache2_filter.dll
2007-05-02 23:23 36,927 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5apache2_2.dll
2007-05-02 23:23 36,925 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5apache2.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-10_10.09.23.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-10 12:13:53 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-12 02:41:00 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-10 12:13:53 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-12 02:41:00 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-12 02:41:00 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-11 18:05:59 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_654.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 21:29]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-12-01 15:17]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C2K"="C:\WINDOWS\Cyb2k.exe" [2006-07-11 07:44]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 17:44]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-10 06:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-09-17 00:07 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-10 06:00 C:\WINDOWS\system32\rundll32.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 21:33]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 03:21:22]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 06:56:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
R2 elagopro;GoProto Protocol Driver for LELA;C:\WINDOWS\system32\DRIVERS\elagopro.sys
R2 elaunidr;UniDriver for LELA;C:\WINDOWS\system32\DRIVERS\elaunidr.sys
R2 WMSELService;Windows Management Extended Licence Service;C:\WINDOWS\inf\svchost\svchost.exe
S2 Apache2.2;Apache2.2;"C:\WINDOWS\inf\Apache2.2\bin\httpd.exe" -k runservice

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f7e1bc7-2b69-11dc-9091-001320e0829d}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bcf0ac88-ec49-11db-906a-001320e0829d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-08 18:35:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-15 06:29:37 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-12-01 06:00:21 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-12-11 12:20:18 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 00:27:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-12 0:28:24
C:\ComboFix2.txt ... 2007-12-10 19:20
C:\ComboFix3.txt ... 2007-12-10 10:11
.
--- E O F ---

Here is the Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:23 AM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\inf\svchost\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Cyb2k.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\WINDOWS\inf\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows Management Extended Licence Service (WMSELService) - Unknown owner - C:\WINDOWS\inf\svchost\svchost.exe (file missing)

--
End of file - 11459 bytes

I know we're looking better!! I just can't wait for you to tell me! :thumbsup:

#12 SifuMike

SifuMike
    malware expert
  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:02 AM

Posted 12 December 2007 - 12:48 AM

Hi stephensfamily5,

Sorry, but we still have a bad service running, so let's try killing it again.

Let's delete the bad service:
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the code box to Notepad.
Save it to your desktop, make sure the file type is All Files and name it FixServices.bat

@echo off
rem Stop and unregister the rogue service shown in the ComboFix/HijackThis logs (WMSELService, image C:\WINDOWS\inf\svchost\svchost.exe)
sc stop WMSELService
sc delete WMSELService
exit

Double click FixServices.bat. A window will open and close. This is normal.

If you don't kill the service then the malware will reappear. Are you sure you are following my directions exactly?
Did the FixServices.bat work?




Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O23 - Service: Windows Management Licence Service (WMSLService) - Unknown owner - C:\WINDOWS\inf\svchost.exe (file missing)



Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\inf\svchost\svchost.exe


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by SifuMike, 12 December 2007 - 12:52 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
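What the two logs above have in common is a service whose image sits where no installer puts one (C:\WINDOWS\inf) and whose file name copies a Windows component (svchost.exe, which only belongs in system32), plus an Apache instance registered from the same directory. In the logs the rogue service is registered as WMSELService with its image at C:\WINDOWS\inf\svchost\svchost.exe, and in the HijackThis log it is reported as "(file missing)", which is the pattern of a service entry that survives after the binary has been deleted. The script below is an added example, not code from this thread, from HijackThis or from ComboFix: it parses O23 lines and ComboFix R*/S* service lines, scores each entry with heuristics that are my own assumption (the tools apply no such rule), and prints the sc.exe stop/delete pair for anything over the threshold. The sample lines are copied from the logs posted above.

```python
"""Triage of service entries in HijackThis (O23) and ComboFix (R*/S*) log lines.

Added example: not code from this thread, HijackThis or ComboFix. The sample
lines are copied from the logs posted above; the scoring heuristics and the
threshold are my own assumptions, not rules either tool applies.
"""
import re

# Directories where no installer puts a service binary on Windows XP.
SUSPICIOUS_DIRS = ("c:\\windows\\inf\\", "c:\\windows\\temp\\", "c:\\windows\\fonts\\")

# Image names that copy a core Windows component; the genuine one lives in system32.
GENUINE_PATH = {"svchost.exe": "c:\\windows\\system32\\svchost.exe"}

# O23 - Service: <display> (<name>) - <owner> - <path> [(file missing)]
HJT_O23 = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# R2 <name>;<display>;<command line>   (R = running, S = stopped)
CF_SVC = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<cmd>.+)$")


def image_path(cmd):
    """Strip surrounding quotes and trailing switches from a service command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return re.split(r"\s+[-/]", cmd, maxsplit=1)[0]


def score(path, owner="", missing=False):
    """Weighted reasons to distrust a service entry; 2 or more is worth a look."""
    p = path.lower()
    hits = []
    if any(p.startswith(d) for d in SUSPICIOUS_DIRS):
        hits.append((3, "image lives under a non-program directory: " + path))
    base = p.rsplit("\\", 1)[-1]
    if base in GENUINE_PATH and p != GENUINE_PATH[base]:
        hits.append((3, "image name copies %s (genuine copy: %s)" % (base, GENUINE_PATH[base])))
    if missing:
        hits.append((2, "binary already gone; the registry entry is what keeps coming back"))
    if owner == "Unknown owner":
        hits.append((1, "no company name in version info (weak on its own)"))
    return sum(w for w, _ in hits), [r for _, r in hits]


def parse_line(line):
    """One log line -> finding dict, or None if it is not a service entry."""
    m = HJT_O23.match(line)
    if m:
        name = m.group("name") or m.group("display")
        s, why = score(m.group("path"), m.group("owner"), bool(m.group("missing")))
        return {"name": name, "path": m.group("path"), "score": s, "reasons": why}
    m = CF_SVC.match(line)
    if m:
        path = image_path(m.group("cmd"))
        s, why = score(path)
        return {"name": m.group("name"), "path": path, "score": s, "reasons": why}
    return None


def triage(log_text, threshold=2):
    """Flagged services, highest score first; one entry per service name."""
    found = {}
    for line in log_text.splitlines():
        f = parse_line(line.strip())
        if f and f["score"] >= threshold:
            key = f["name"].lower()
            if key not in found or found[key]["score"] < f["score"]:
                found[key] = f
    return sorted(found.values(), key=lambda f: -f["score"])


def removal_commands(finding):
    """The sc.exe pair an XP cleanup batch file would run for a flagged service."""
    return ["sc stop %s" % finding["name"], "sc delete %s" % finding["name"]]


# Constructed sample: lines copied from the ComboFix and HijackThis logs above.
SAMPLE_LOG = r"""
R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
R2 WMSELService;Windows Management Extended Licence Service;C:\WINDOWS\inf\svchost\svchost.exe
S2 Apache2.2;Apache2.2;"C:\WINDOWS\inf\Apache2.2\bin\httpd.exe" -k runservice
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\WINDOWS\inf\Apache2.2\bin\httpd.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Windows Management Extended Licence Service (WMSELService) - Unknown owner - C:\WINDOWS\inf\svchost\svchost.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s  score=%d  %s" % (f["name"], f["score"], f["path"]))
        for r in f["reasons"]:
            print("  - " + r)
        print("  " + " & ".join(removal_commands(f)))
```

Run against the sample, WMSELService comes out on top (odd directory, impersonated image name, binary missing, no publisher) and Apache2.2 is flagged on location alone, while PnkBstrA, which only lacks a publisher string, stays below the threshold. The service name the script emits for the sc.exe commands is the short name in parentheses from the O23 line (or the first field of the ComboFix line), which is the name sc.exe expects; a display name such as "Windows Management Extended Licence Service" will not work there.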

#13 stephensfamily5

stephensfamily5
  • Topic Starter
  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:02 AM

Posted 12 December 2007 - 07:51 AM

SifuMike,

I think that I did everything as you directed. This time I read everything twice first. Let's see if it worked. Here is the Combo Fix log:

ComboFix 07-12-09.1 - StephensFamily 2007-12-12 7:41:14.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.666 [GMT -5:00]
Running from: C:\Documents and Settings\StephensFamily\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\StephensFamily\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\inf\svchost\svchost.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-12 to 2007-12-12 )))))))))))))))))))))))))))))))
.

2007-12-08 20:44 . 2007-12-08 20:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-08 11:43 . 2007-12-08 13:16 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-07 14:05 . 2007-12-07 14:05 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-07 14:05 . 2007-12-07 14:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-06 20:45 . 2007-12-06 20:45 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-11-28 17:55 . 2007-11-28 17:57 <DIR> d-------- C:\Program Files\Linksys EasyLink Advisor
2007-11-27 17:58 . 2007-11-27 17:58 49 --a------ C:\WINDOWS\hpntwksetup.ini
2007-11-27 17:04 . 2007-11-27 17:05 116,458 --------- C:\WINDOWS\hpoins11.dat.temp
2007-11-27 17:04 . 2006-05-05 16:18 11,634 --------- C:\WINDOWS\hpomdl11.dat.temp
2007-11-25 18:13 . 2007-11-25 18:14 166,064 --a------ C:\Program Files\FixVundo.exe
2007-11-25 00:10 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-11-25 00:09 . 2007-11-25 00:09 164 --a------ C:\install.dat
2007-11-25 00:06 . 2007-11-25 00:07 14,651,472 --a------ C:\Program Files\SpySweeperRegSetup_EN.exe
2007-11-24 21:27 . 2007-12-12 06:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-24 21:27 . 2007-11-24 21:27 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-24 21:24 . 2007-11-24 21:24 <DIR> d-------- C:\Program Files\Webroot
2007-11-24 21:24 . 2007-11-24 21:24 <DIR> d-------- C:\Documents and Settings\StephensFamily\Application Data\Webroot
2007-11-24 21:24 . 2007-11-24 21:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-11-24 21:24 . 2007-11-24 21:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-11-24 21:24 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-11-24 21:24 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-11-24 21:24 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-11-24 21:24 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-11-24 21:21 . 2007-11-24 21:23 <DIR> d-------- C:\Documents and Settings\StephensFamily\Application Data\GetRightToGo
2007-11-20 19:22 . 2007-11-20 19:22 <DIR> d-------- C:\Program Files\Red Kawa
2007-11-20 19:22 . 2007-11-20 19:22 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-20 19:17 . 2007-12-07 13:28 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-18 22:51 . 2007-11-18 22:51 40,733 --a------ C:\WINDOWS\system32\rightonadz-uninst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 11:43 --------- d-----w C:\Program Files\Steam
2007-12-08 01:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-07 19:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-07 03:14 --------- d-----w C:\Program Files\Dell Support
2007-12-07 02:38 140 ----a-w C:\Program Files\FixVundo.log
2007-11-24 21:31 5,154,304 ----a-w C:\Program Files\WindowsDefender.msi
2007-11-21 23:24 --------- d-----w C:\Program Files\McAfee
2007-11-20 23:18 --------- d-----w C:\Program Files\Broderbund
2007-11-02 22:08 --------- d-----w C:\Program Files\Common Files\McAfee
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-18 22:27 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-18 22:18 --------- d-----w C:\Documents and Settings\StephensFamily\Application Data\AdobeUM
2007-10-15 01:06 --------- d-----w C:\Documents and Settings\StephensFamily\Application Data\BitTorrent
2007-10-08 01:59 245,160 ----a-w C:\WINDOWS\system32\DelZip179.dll
2007-10-03 08:48 425,984 ----a-w C:\WINDOWS\inf\svchost\extract_cert.exe
2007-09-28 19:52 9,636 ----a-w C:\WINDOWS\system32\gnfil.dll
2007-09-28 19:52 88,076 ----a-w C:\WINDOWS\system32\adwfil.dll
2007-09-28 19:52 8,652 ----a-w C:\WINDOWS\system32\jbfil.dll
2007-09-28 19:52 7,582 ----a-w C:\WINDOWS\system32\movfil.dll
2007-09-28 19:52 7,504 ----a-w C:\WINDOWS\system32\auctfil.dll
2007-09-28 19:52 7,036 ----a-w C:\WINDOWS\system32\pkmon.dll
2007-09-28 19:52 6,830 ----a-w C:\WINDOWS\system32\swfil.dll
2007-09-28 19:52 5,394 ----a-w C:\WINDOWS\system32\wrestfil.dll
2007-09-28 19:52 5,180 ----a-w C:\WINDOWS\system32\iawfil.dll
2007-09-28 19:52 4,826 ----a-w C:\WINDOWS\system32\vgamfil.dll
2007-09-28 19:52 4,442 ----a-w C:\WINDOWS\system32\hatfil.dll
2007-09-28 19:52 3,818 ----a-w C:\WINDOWS\system32\viofil.dll
2007-09-28 19:52 3,444 ----a-w C:\WINDOWS\system32\srchin.dll
2007-09-28 19:52 3,286 ----a-w C:\WINDOWS\system32\lgwfil.dll
2007-09-28 19:52 22,384 ----a-w C:\WINDOWS\system32\perfil.dll
2007-09-28 19:52 17,488 ----a-w C:\WINDOWS\system32\nvgamfil.dll
2007-09-28 19:52 16,732 ----a-w C:\WINDOWS\system32\popfil.dll
2007-09-28 19:52 157,916 ----a-w C:\WINDOWS\system32\pxyfil.dll
2007-09-28 19:52 14,412 ----a-w C:\WINDOWS\system32\tafil.dll
2007-09-28 19:52 13,112 ----a-w C:\WINDOWS\system32\finfil.dll
2007-09-28 19:52 13,034 ----a-w C:\WINDOWS\system32\gblfil.dll
2007-09-28 19:52 12,502 ----a-w C:\WINDOWS\system32\psyfil.dll
2007-09-28 19:52 12,350 ----a-w C:\WINDOWS\system32\entfil.dll
2007-09-28 19:52 12,114 ----a-w C:\WINDOWS\system32\sporfil.dll
2007-09-28 19:52 11,164 ----a-w C:\WINDOWS\system32\fmfil.dll
2007-09-28 19:52 10,862 ----a-w C:\WINDOWS\system32\chtfil.dll
2007-09-28 10:38 27,648 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\auth.exe
2007-09-23 23:29 749,352 ----a-w C:\WINDOWS\SSCRG.exe
2007-09-22 23:27 839,976 ----a-w C:\WINDOWS\SSLS.exe
2007-09-21 18:53 1,187,840 ----a-w C:\WINDOWS\inf\svchost\ChilkatCert_NT4.dll
2007-09-17 06:10 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-09-17 05:07 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-09-17 05:07 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-09-17 05:07 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-09-17 05:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-09-17 05:07 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-09-17 05:07 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-09-17 05:07 5,783,040 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-09-17 05:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-09-17 05:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-09-17 05:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-09-17 05:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-09-17 05:07 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-09-17 05:07 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-09-17 05:07 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-09-17 05:07 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-09-17 05:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-09-17 05:07 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-09-17 05:07 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-09-17 05:07 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-09-17 05:07 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-09-17 05:07 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-09-17 05:07 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-09-17 05:07 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-09-17 05:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-09-17 05:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-17 05:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-09-17 05:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-09-17 05:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-09-17 05:07 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-09-17 05:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-09-10 20:40 953,344 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\pserver.exe
2007-09-10 20:40 56,320 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\gnu_regex.dll
2007-09-10 20:40 200,704 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\ssleay32.dll
2007-09-10 20:40 1,850,594 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\pserver.debug.exe
2007-09-10 20:40 1,097,728 ----a-w C:\WINDOWS\inf\Apache2.2\htdocs\anon_proxy_server\libeay32.dll
2007-05-02 23:23 950,329 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_gd2.dll
2007-05-02 23:23 90,112 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\fribidi.dll
2007-05-02 23:23 69,689 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_bz2.dll
2007-05-02 23:23 65,597 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_openssl.dll
2007-05-02 23:23 57,410 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5apache_hooks.dll
2007-05-02 23:23 57,401 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_zip.dll
2007-05-02 23:23 57,344 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\msql.dll
2007-05-02 23:23 49,213 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_sockets.dll
2007-05-02 23:23 49,211 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_mysql.dll
2007-05-02 23:23 417,792 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\fdftk.dll
2007-05-02 23:23 41,020 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\ext\php_mcrypt.dll
2007-05-02 23:23 41,017 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php-cgi.exe
2007-05-02 23:23 4,771,896 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5ts.dll
2007-05-02 23:23 385,024 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\libswish-e.dll
2007-05-02 23:23 360,448 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\yaz.dll
2007-05-02 23:23 36,934 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5apache2_2_filter.dll
2007-05-02 23:23 36,932 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5apache2_filter.dll
2007-05-02 23:23 36,927 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5apache2_2.dll
2007-05-02 23:23 36,925 ----a-w C:\WINDOWS\inf\Apache2.2\PHP\php5apache2.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-10_10.09.23.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-10 12:13:53 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-12 11:47:08 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-10 12:13:53 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-12 11:47:08 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-12 11:47:08 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 21:29]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-12-01 15:17]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C2K"="C:\WINDOWS\Cyb2k.exe" [2006-07-11 07:44]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 17:44]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-10 06:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-09-17 00:07 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-10 06:00 C:\WINDOWS\system32\rundll32.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 21:33]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 03:21:22]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 06:56:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
R2 elagopro;GoProto Protocol Driver for LELA;C:\WINDOWS\system32\DRIVERS\elagopro.sys
R2 elaunidr;UniDriver for LELA;C:\WINDOWS\system32\DRIVERS\elaunidr.sys
S2 Apache2.2;Apache2.2;"C:\WINDOWS\inf\Apache2.2\bin\httpd.exe" -k runservice
S2 WMSELService;Windows Management Extended Licence Service;C:\WINDOWS\inf\svchost\svchost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f7e1bc7-2b69-11dc-9091-001320e0829d}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bcf0ac88-ec49-11db-906a-001320e0829d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-08 18:35:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-15 06:29:37 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-12-01 06:00:21 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-12-12 12:03:22 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 07:43:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-12 7:44:55
C:\ComboFix2.txt ... 2007-12-12 00:28
C:\ComboFix3.txt ... 2007-12-10 19:20
.
--- E O F ---


Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:57 AM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Cyb2k.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\WINDOWS\inf\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows Management Extended Licence Service (WMSELService) - Unknown owner - C:\WINDOWS\inf\svchost\svchost.exe (file missing)

--
End of file - 9410 bytes

Any better? :thumbsup: Thanks again!

#14 stephensfamily5

stephensfamily5
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:02 AM

Posted 12 December 2007 - 07:56 AM

Hi again! I couldn't tell if FixServices.bat did anything or not. A screen came up very briefly, but it disappeared so quickly that I couldn't read what it said. I did notice that what I had copied into Notepad was referring to WMSLService, and in the hijack log it refers to a WMSELService. Is there a typo?? Thanks. :thumbsup:

#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:02 AM

Posted 12 December 2007 - 09:01 AM

Hi stephensfamily5,

Yes, the name of the service is not correct.

I think this time it will work.

Let's delete the bad service:
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the code box to Notepad.
Save it to your desktop, make sure the file type is All Files and name it FixServices1.bat


@echo off
rem stop the service first: sc delete only unregisters it and will not kill a running instance
sc stop WMSELService
rem remove the service registration
sc delete WMSELService
exit

Double click FixServices1.bat. A window will open and close. This is normal.


Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O23 - Service: Windows Management Extended Licence Service (WMSELService) - Unknown owner - C:\WINDOWS\inf\svchost\svchost.exe (file missing)

Reboot and post a fresh Hijackthis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
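The O23 line fixed in the post above was recognisable as bad from three things: the binary is reported missing, it sits under C:\WINDOWS\inf (a driver-setup folder, not a place services normally live), and it is named svchost.exe without being in System32. The script below is an added example, not part of this thread or of HijackThis, that parses O23 lines and applies exactly those heuristics; the flagging rules are my own assumptions, and the sample lines are copied from the log posted earlier in the thread and embedded so it runs offline. For each flagged service it prints the same two sc.exe commands SifuMike used, but does not execute them.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: O23 lines taken from the HijackThis log posted in this thread.
# Raw string, so the backslashes are literal Windows path separators.
SAMPLE_O23_LINES = r"""
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\WINDOWS\inf\Apache2.2\bin\httpd.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Windows Management Extended Licence Service (WMSELService) - Unknown owner - C:\WINDOWS\inf\svchost\svchost.exe (file missing)
"""

# Shape of an O23 line: "O23 - Service: <display> [(short name)] - <owner> - <path> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing>\s+\(file missing\))?$"
)
SHORT_NAME_RE = re.compile(r"\(([^()]+)\)\s*$")

# Core Windows process names that malware commonly borrows for its own binary (assumed list).
SYSTEM_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe",
                        "winlogon.exe", "smss.exe"}


def triage_o23_line(line: str):
    """Parse one O23 line and return a dict of findings, or None if it is not an O23 entry.
    The heuristics below are assumptions made for this example, not HijackThis logic."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display = m["display"].strip()
    short = SHORT_NAME_RE.search(display)
    service = short.group(1) if short else display   # name sc.exe expects
    path = PureWindowsPath(m["path"].strip())
    parts = [p.lower() for p in path.parts]          # e.g. ['c:\\', 'windows', 'inf', ...]

    reasons = []
    if m["missing"]:
        reasons.append("binary is missing on disk: the registration outlived its file")
    if parts[1:3] == ["windows", "inf"]:
        reasons.append("binary lives under %WINDIR%\\inf, a driver-setup folder, not a service location")
    if path.name.lower() in SYSTEM_PROCESS_NAMES and parts[1:3] != ["windows", "system32"]:
        reasons.append(f"{path.name} outside System32 masquerades as a Windows system process")

    return {
        "service": service,
        "display": display,
        # "Unknown owner" alone is a weak signal (PnkBstrA is legitimate), so it never flags by itself
        "owner_unknown": m["owner"].strip().lower() == "unknown owner",
        "path": str(path),
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def triage_o23_log(text: str):
    """Triage every O23 line in a HijackThis log; non-O23 lines are skipped."""
    return [r for r in (triage_o23_line(l) for l in text.splitlines()) if r]


def removal_commands(result):
    """The two sc.exe commands from the post above, for one flagged service (not executed)."""
    return [f"sc stop {result['service']}", f"sc delete {result['service']}"]


if __name__ == "__main__":
    for r in triage_o23_log(SAMPLE_O23_LINES):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['service']:15} {r['path']}")
        for reason in r["reasons"]:
            print(f"           - {reason}")
        if r["suspicious"]:
            print("           batch: " + " & ".join(removal_commands(r)))
```

Run against the sample it flags Apache2.2 (installed under C:\WINDOWS\inf) and WMSELService (all three reasons) and leaves aawservice and PnkBstrA alone; a flagged entry is a lead for a human to confirm against the rest of the log, which is why the script prints the sc commands rather than running them.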



