
Redirected To Random Web Pages


9 replies to this topic

#1 Steve Wiegand

Steve Wiegand

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:20 PM

Posted 11 December 2007 - 07:17 PM

I had something in my allow cookies list called *.starsdoor.com. I got rid of it using advice from this site. The only problem is I still get redirected to a new page every 5 minutes. I ran Ad-Aware and Spybot, which removed a lot of files, but I still have the problem. If anyone can help me please let me know. Thank you.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:13:51 PM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\WINDOWS\system32\xtjnncef.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [2c90ab23] rundll32.exe "C:\WINDOWS\system32\vojwvfgu.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\CURITY~1\dvdplay.exe" -vt yazb
O4 - HKCU\..\Run: [Vhuylrrn] "C:\Program Files\?icrosoft\r?gedit.exe"
O4 - HKCU\..\Run: [QdrModule10] "C:\Program Files\QdrModule\QdrModule10.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\xtjnncef.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6219 bytes
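As an added example (not part of the thread, and not HijackThis or BleepingComputer code), the Python script below applies the checks a log helper makes by eye to a few O4/O23 lines copied from the log above: a service with no vendor string, "?" characters that HijackThis prints for names it cannot render, an 8.3 short-name folder directly under C:\WINDOWS, rundll32 loading a DLL by export, and random-looking eight-letter file names. The function names, signal weights and tiers are my own triage aids, not anything the tool outputs.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Excerpt of O4/O23 lines copied from the HijackThis log above (trimmed for the example).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [2c90ab23] rundll32.exe "C:\WINDOWS\system32\vojwvfgu.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\CURITY~1\dvdplay.exe" -vt yazb
O4 - HKCU\..\Run: [Vhuylrrn] "C:\Program Files\?icrosoft\r?gedit.exe"
O23 - Service: DomainService - - C:\WINDOWS\system32\xtjnncef.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
"""

# Line shapes: "O4 - <hive>\..\Run: [<value name>] <command>" and
# "O23 - Service: <display name> - <vendor> - <path>" (an empty vendor prints as "name - - path").
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) -(?: (?P<vendor>.*?))? - (?P<path>.+)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll))"?', re.IGNORECASE)  # first exe/dll in a command

@dataclass
class Finding:
    kind: str      # "O4" (Run key) or "O23" (service)
    label: str     # Run value name or service display name
    path: str
    reasons: List[str] = field(default_factory=list)
    score: int = 0

    def add(self, weight: int, reason: str) -> None:
        self.score += weight
        self.reasons.append(reason)

    @property
    def tier(self) -> str:
        # Arbitrary thresholds; a "review" item still needs an analyst's eyes.
        return "suspicious" if self.score >= 3 else "review" if self.score > 0 else "ok"

def looks_random(stem: str) -> bool:
    """Machine-generated names like xtjnncef or vojwvfgu: eight lowercase letters with a long
    consonant run or almost no vowels. Legit names trip it too (mcmscsvc), hence only a score."""
    if not re.fullmatch(r"[a-z]{8}", stem):
        return False
    vowels = sum(c in "aeiou" for c in stem)
    longest_run = max(len(run) for run in re.findall(r"[^aeiou]+", stem))
    return longest_run >= 5 or vowels <= 1

def check_path(f: Finding) -> None:
    parts = f.path.split("\\")
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", parts[-1])
    if "?" in f.path:
        # HijackThis prints characters it cannot render as '?': "?icrosoft\r?gedit.exe" is a
        # lookalike of a Microsoft path built from non-ASCII characters.
        f.add(3, "undisplayable character in path (lookalike name)")
    if len(parts) > 3 and parts[1].upper() == "WINDOWS" and re.fullmatch(r"[A-Z0-9]{1,6}~\d+", parts[2]):
        # An 8.3 short name directly under C:\WINDOWS means the real folder name was not 8.3-safe;
        # the ComboFix log later in this thread shows that folder as "curity~1\??curity".
        f.add(3, f"8.3 short-name folder under the Windows directory ({parts[2]})")
    if looks_random(stem):
        f.add(2, f"random-looking file name ({stem})")

def triage_o4(m) -> Finding:
    cmd = m["cmd"]
    pm = PATH_RE.search(cmd)
    f = Finding("O4", m["name"], pm.group(1) if pm else cmd)
    if re.fullmatch(r"[0-9a-f]{8}", m["name"]):
        f.add(1, "Run value name is a random hex string")
    if re.search(r'rundll32(?:\.exe)?\s+"[^"]+\.dll",\s*\S+', cmd, re.IGNORECASE):
        f.add(1, "rundll32 loading a DLL by export name")
    check_path(f)
    return f

def triage_o23(m) -> Finding:
    f = Finding("O23", m["name"], m["path"])
    vendor = (m["vendor"] or "").strip()
    if not vendor:
        f.add(2, "service has no vendor/company string")
    elif vendor.lower() == "unknown owner":
        f.add(1, "service vendor reported as 'Unknown owner'")
    check_path(f)
    return f

def triage(log_text: str) -> List[Finding]:
    """Parse O4/O23 lines and return findings, highest score first."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            findings.append(triage_o4(m))
        elif m := O23_RE.match(line):
            findings.append(triage_o23(m))
    return sorted(findings, key=lambda f: -f.score)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.tier:10} {f.kind} [{f.label}] {f.path}  {'; '.join(f.reasons)}")
```

Run against the excerpt, DomainService/xtjnncef.exe, the rundll32 entry, the "?icrosoft" path and the CURITY~1 entry land in the suspicious tier, while the McAfee service is only flagged for review because its vendor string is present; that false positive is the reason scores, not single rules, drive the tiers.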


#2 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:07:20 PM

Posted 12 December 2007 - 08:04 AM

Hello,

You might want to save this page on your favorites, so you can find it again when you return.


Please take note of the following:
  • I will be handling your log and helping you; please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

:thumbsup:
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:07:20 PM

Posted 12 December 2007 - 07:34 PM

Hello,

1. Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows


2. Please click this link-->Jotti
  • When the Jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
  • C:\WINNT\system32\xtjnncef.exe
  • Please post back the results of the scan in your next post.
  • You can try the same at Virustotal: http://www.virustotal.com/
3. Download ComboFix from Here or Here to your Desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.

Regards
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#4 Steve Wiegand

Steve Wiegand
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:20 PM

Posted 13 December 2007 - 05:48 PM

Here is the scan from Jotti. Sorry, I just copied the whole page; I didn't want to lose anything you may need. Thank you.




Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1


File: xtjnncef.exe
Status: INFECTED/MALWARE
MD5: 8a676da328990c090dc27855e2b19bd8
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 13 Dec 2007 22:40:17 (GMT)
A-Squared Found nothing
AntiVir Found ADSPY/Agent.74304
ArcaVir Found Trojan.Agent.Czt
Avast Found nothing
AVG Antivirus Found BackDoor.Agent.PTA
BitDefender Found Trojan.Fotomoto.H
ClamAV Found nothing
CPsecure Found BackDoor.W32.Agent.czu
Dr.Web Found Trojan.EzulaAd
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Trojan.Agent.AGBD
Kaspersky Anti-Virus Found nothing
NOD32 Found Win32/Adware.Ezula application
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Troj/Virtum-Gen
VirusBuster Found nothing
VBA32 Found Backdoor.Win32.Agent.dbm


#5 Steve Wiegand

Steve Wiegand
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:20 PM

Posted 13 December 2007 - 06:13 PM

Alright, here is the ComboFix log.






ComboFix 07-12-12.3 - Kristie Kelly 2007-12-13 17:59:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.626 [GMT -5:00]
Running from: C:\Documents and Settings\Kristie Kelly\Local Settings\Temporary Internet Files\Content.IE5\3F1JVH04\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\Kristie Kelly\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Kristie Kelly\My Documents\PPPATC~1
C:\Documents and Settings\Kristie Kelly\My Documents\SSTEM3~1
C:\Documents and Settings\Kristie Kelly\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Kristie Kelly\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Kristie Kelly\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Program Files\icroso~1
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\QdrDrive
C:\Program Files\Temporary
C:\Program Files\WinAble
C:\Program Files\WinBudget
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\curity~1
C:\WINDOWS\curity~1\??curity\
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe
C:\WINDOWS\system32\alpvhmqo.dll
C:\WINDOWS\system32\bhcqedqi.dll
C:\WINDOWS\system32\btiietlp.dll
C:\WINDOWS\system32\cbeeg.ini2
C:\WINDOWS\system32\cyrbebpa.dllbox
C:\WINDOWS\system32\djopoxyr.dll
C:\WINDOWS\system32\girsexkh.exe
C:\WINDOWS\system32\gwlpouhs.dll
C:\WINDOWS\system32\htndpvnj.dll
C:\WINDOWS\system32\jalfnbnx.dll
C:\WINDOWS\system32\jjjlm.ini
C:\WINDOWS\system32\jjjlm.ini2
C:\WINDOWS\system32\jplmerxv.exe
C:\WINDOWS\system32\jwvfsmlo.dllbox
C:\WINDOWS\system32\kjcelnsp.ini
C:\WINDOWS\system32\mljjj.dll
C:\WINDOWS\system32\oqmhvpla.ini
C:\WINDOWS\system32\osiumxib.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pkanqscm.exe
C:\WINDOWS\system32\plteiitb.ini
C:\WINDOWS\system32\psnlecjk.dll
C:\WINDOWS\system32\puvqfuxs.dll
C:\WINDOWS\system32\rtbdllgv.dll
C:\WINDOWS\system32\skgugvkj.dll
C:\WINDOWS\system32\sxufqvup.ini
C:\WINDOWS\system32\tflfreth.dll
C:\WINDOWS\system32\tjobhjow.dll
C:\WINDOWS\system32\wnsintsv32.exe
C:\WINDOWS\system32\wnwkoucy.dll
C:\WINDOWS\system32\wojhbojt.ini
C:\WINDOWS\system32\xqdkxnfd.dll
C:\WINDOWS\system32\xtjnncef.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-11 19:13 . 2007-12-11 19:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-11 17:41 . 2007-12-12 17:41 889,470 --ahs---- C:\WINDOWS\system32\ugfvwjov.ini
2007-12-11 16:44 . 2007-12-11 17:30 883,419 --ahs---- C:\WINDOWS\system32\xmglnfkl.ini
2007-12-10 19:38 . 2005-10-31 10:46 36,679 --a------ C:\WINDOWS\system32\drivers\NETMD052.sys
2007-12-10 19:37 . 2007-01-13 08:24 770,048 --a------ C:\WINDOWS\system32\CDDBUISony.dll
2007-12-10 19:37 . 2007-01-13 08:22 655,360 --a------ C:\WINDOWS\system32\CDDBControlSony.dll
2007-12-10 19:37 . 2007-01-13 08:22 589,824 --a------ C:\WINDOWS\system32\CddbMusicIDSony.dll
2007-12-10 19:37 . 2007-01-13 08:25 532,480 --a------ C:\WINDOWS\system32\CddbPlaylist2Sony.dll
2007-12-10 19:37 . 2007-01-13 08:24 73,728 --a------ C:\WINDOWS\system32\CddbLinkSony.dll
2007-12-10 16:26 . 2007-12-11 16:38 991,444 --ahs---- C:\WINDOWS\system32\fmqubapf.ini
2007-12-09 16:47 . 2007-12-11 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-09 11:29 . 2007-12-09 11:29 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-09 11:29 . 2007-12-09 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-09 11:28 . 2007-12-09 11:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-09 10:45 . 2007-12-09 14:33 834,580 --ahs---- C:\WINDOWS\system32\adoxcjtq.ini
2007-12-08 10:43 . 2007-12-09 10:43 834,460 --ahs---- C:\WINDOWS\system32\igypyipw.ini
2007-12-07 16:18 . 2007-12-08 09:40 834,229 --ahs---- C:\WINDOWS\system32\tspwvaet.ini
2007-12-04 21:10 . 2007-12-04 21:10 <DIR> d-------- C:\Documents and Settings\Kristie Kelly\Application Data\SiteAdvisor
2007-12-04 18:33 . 2007-12-05 17:47 805,528 --ahs---- C:\WINDOWS\system32\kvujciti.ini
2007-12-04 18:30 . 2007-12-04 18:30 79,424 --a------ C:\WINDOWS\system32\uuvtvohf.dll
2007-12-04 18:02 . 2007-12-13 18:07 24,549 --a------ C:\WINDOWS\system32\Config.MPF
2007-12-04 18:00 . 2007-12-04 18:01 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-12-04 18:00 . 2007-12-05 06:17 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-12-04 18:00 . 2007-12-04 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-04 17:59 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-12-04 17:56 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-12-04 17:56 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-12-04 17:56 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-12-04 17:56 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-12-04 17:56 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-12-04 17:56 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-12-04 17:51 . 2007-12-04 17:56 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-12-04 16:44 . 2007-12-04 16:44 14 --a------ C:\WINDOWS\ASSE.dat
2007-12-03 18:50 . 2007-12-03 18:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-03 18:47 . 2007-12-03 19:59 <DIR> d-------- C:\Documents and Settings\Kristie Kelly\.housecall6.6
2007-12-03 06:21 . 2007-12-03 06:24 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-01 18:10 . 2007-12-01 18:10 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-12-01 18:08 . 2007-12-01 18:08 <DIR> d-------- C:\Program Files\HP
2007-12-01 18:07 . 2007-12-01 18:07 <DIR> d-------- C:\temp\HP_WebRelease
2007-12-01 18:07 . 2007-12-13 18:03 <DIR> d-------- C:\temp
2007-12-01 18:07 . 2007-12-01 18:10 103,535 --a------ C:\WINDOWS\hpoins04.dat
2007-12-01 18:07 . 2004-06-22 08:04 17,176 --------- C:\WINDOWS\hpomdl04.dat
2007-12-01 17:54 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-12-01 17:54 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2007-12-01 17:51 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-12-01 17:51 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-11-23 18:41 . 2007-11-23 18:42 <DIR> d-------- C:\Program Files\AIM6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-13 22:33 --------- d-----w C:\Program Files\McAfee
2007-12-11 00:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-11 00:33 --------- d-----w C:\Program Files\Sony
2007-12-11 00:18 --------- d-----w C:\Program Files\Soulseek
2007-12-05 02:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-04 23:06 --------- d-----w C:\Program Files\McAfee.com
2007-12-04 23:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-12-03 22:59 --------- d-----w C:\Program Files\Google
2007-12-03 02:09 --------- d-----w C:\Program Files\MSN Games
2007-12-02 18:12 --------- d-----w C:\Documents and Settings\Kristie Kelly\Application Data\AdobeUM
2007-11-23 23:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-23 23:41 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-23 23:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 23:24 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-23 22:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-10-23 21:54 --------- d-----w C:\Program Files\Dell
2007-05-04 02:50 88 --sh--r C:\WINDOWS\system32\45BC3E0E9D.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 1,404,928 2004-10-15 00:42:54 C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe

----a-w 81,920 2005-06-10 15:44:02 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

----a-w 249,856 2005-06-10 15:44:02 C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe

----a-w 185,896 2006-10-29 21:42:43 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 98,304 2006-05-03 07:12:00 C:\Program Files\Dell\Media Experience\bak\DMXLauncher.exe

----a-w 256,576 2006-10-30 14:36:36 C:\Program Files\iTunes\bak\iTunesHelper.exe

----a-w 110,592 2005-09-26 14:26:58 C:\Program Files\McAfee\SpamKiller\bak\MskAgent.exe

----a-w 1,121,792 2005-08-12 20:16:44 C:\Program Files\McAfee\SpamKiller\bak\MSKDetct.exe

----a-w 303,104 2005-09-22 22:29:08 C:\Program Files\McAfee.com\Agent\bak\mcagent.exe
----a-w 582,992 2007-08-04 03:33:14 C:\Program Files\McAfee.com\Agent\mcagent.exe

----a-w 212,992 2006-01-11 16:05:42 C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe
----a-w 394,576 2007-08-18 08:12:10 C:\Program Files\McAfee.com\Agent\mcupdate.exe

----a-w 69,632 2006-05-10 17:32:32 C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\bak\calcheck.exe

----a-w 282,624 2006-10-25 23:58:18 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 81,920 2005-06-03 12:16:00 C:\Program Files\Sony\SonicStage\bak\SsAAD.exe
----a-w 476,728 2007-02-05 15:11:10 C:\Program Files\Sony\SonicStage\SSAAD.exe

-c--a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 77,824 2005-04-06 00:19:18 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 114,688 2005-04-06 00:23:14 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 94,208 2005-04-06 00:22:32 C:\WINDOWS\system32\bak\igfxtray.exe

-c--a-w 122,940 2005-09-08 10:20:00 C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"Sen"="C:\WINDOWS\CURITY~1\dvdplay.exe" []
"Vhuylrrn"="C:\Program Files\?icrosoft\r?gedit.exe" []
"QdrModule10"="C:\Program Files\QdrModule\QdrModule10.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" []
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 16:57]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-07-22 20:29]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-12 21:48:22]
EPSON Background Monitor.lnk - C:\Program Files\EPSON\ESM2\STMS.exe [1999-06-07 11:11:18]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe -startup


.
Contents of the 'Scheduled Tasks' folder
"2007-12-04 22:55:20 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 18:07:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-13 18:10:16 - machine was rebooted
.
2007-12-12 04:05:47 --- E O F ---

#6 Steve Wiegand

Steve Wiegand
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:20 PM

Posted 13 December 2007 - 06:15 PM

And here is the HijackThis log. Thank you so much for helping me!!!




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:02 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\CURITY~1\dvdplay.exe" -vt yazb
O4 - HKCU\..\Run: [Vhuylrrn] "C:\Program Files\?icrosoft\r?gedit.exe"
O4 - HKCU\..\Run: [QdrModule10] "C:\Program Files\QdrModule\QdrModule10.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6631 bytes

#7 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:07:20 PM

Posted 14 December 2007 - 06:04 PM

Hello,

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the steps below:

Click HERE to download FindAWF.exe and save it to your desktop.
Copy the file paths in the quote below to the clipboard: highlight all of them, right-click and choose Copy, or highlight them and press Ctrl+C:

C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\Dell\Media Experience\bak\DMXLauncher.exe
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\McAfee\SpamKiller\bak\MskAgent.exe
C:\Program Files\McAfee\SpamKiller\bak\MSKDetct.exe
C:\Program Files\McAfee.com\Agent\bak\mcagent.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe
C:\Program Files\McAfee.com\Agent\mcupdate.exe
C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\bak\calcheck.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Sony\SonicStage\bak\SsAAD.exe
C:\WINDOWS\system32\bak\hkcmd.exe
C:\WINDOWS\system32\bak\igfxpers.exe
C:\WINDOWS\system32\bak\igfxtray.exe
C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 2, then press Enter.
Press any key to continue.
A Notepad document files.txt will appear with instructions to click below the line and paste the list of files to be restored.
Right click below the line and paste the list of files that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive a prompt to save the changes; click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.


Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\ugfvwjov.ini
C:\WINDOWS\system32\xmglnfkl.ini
C:\WINDOWS\system32\fmqubapf.ini
C:\WINDOWS\system32\adoxcjtq.ini
C:\WINDOWS\system32\igypyipw.ini
C:\WINDOWS\system32\tspwvaet.ini
C:\WINDOWS\system32\kvujciti.ini
C:\WINDOWS\system32\uuvtvohf.dll

Folder::
C:\Program Files\QdrModule

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vhuylrrn"=-
"QdrModule10"=-

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


In your next reply, please post:
- Results from FindAWF
- Results from ComboFix
- New HijackThis log.
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
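The "bak" folder pattern lusitano describes above, as an added example that is not part of this thread or of FindAWF: a small Python audit that walks a tree, finds every folder named "bak", and compares each parked original with the file of the same name in the parent folder by size and SHA-256 (my matching choice; FindAWF's own matching is not described here). The sample tree, file names and byte contents are constructed placeholders; a "replaced" result also occurs after a legitimate update (the report below shows a newer mcagent.exe beside its older bak copy), so hits need review rather than automatic deletion.

```python
# Added example (not part of the thread or of FindAWF): a defender-side audit of the
# "bak" folder pattern. Paths and file contents below are constructed stand-ins.
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

IDENTICAL = "identical"        # live file matches the backed-up original
REPLACED = "replaced"          # live file differs from the original: suspect swap
LIVE_MISSING = "live-missing"  # original parked in bak, nothing in its place


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large executables are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_bak_dirs(root: Path):
    """Yield every directory literally named 'bak' (any case) under root."""
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if name.lower() == "bak":
                yield Path(dirpath) / name


def live_counterpart(bak_file: Path) -> Path | None:
    """Find the same-named file (case-insensitive, as on NTFS) in the parent of bak."""
    parent = bak_file.parent.parent
    for candidate in parent.iterdir():
        if candidate.is_file() and candidate.name.lower() == bak_file.name.lower():
            return candidate
    return None


def audit_bak_dirs(root: Path) -> dict[str, str]:
    """Map each backed-up file (path relative to root) to one of the three statuses."""
    report: dict[str, str] = {}
    for bak in find_bak_dirs(root):
        for backup in sorted(p for p in bak.iterdir() if p.is_file()):
            live = live_counterpart(backup)
            if live is None:
                status = LIVE_MISSING
            elif (live.stat().st_size == backup.stat().st_size
                  and sha256_of(live) == sha256_of(backup)):
                status = IDENTICAL
            else:
                status = REPLACED
            report[backup.relative_to(root).as_posix()] = status
    return report


def build_sample_tree(root: Path) -> None:
    """Constructed tree mirroring the report's layout; bytes are placeholders, not binaries."""
    files = {
        # original parked in bak, something different now sits in its place
        "Program Files/iTunes/bak/iTunesHelper.exe": b"ORIGINAL-ITUNESHELPER",
        "Program Files/iTunes/iTunesHelper.exe": b"SOMETHING-ELSE-IN-ITS-PLACE",
        # original already restored: live copy and bak copy are identical
        "WINDOWS/system32/bak/ctfmon.exe": b"ORIGINAL-CTFMON",
        "WINDOWS/system32/ctfmon.exe": b"ORIGINAL-CTFMON",
        # original parked in bak with no live counterpart at all
        "Program Files/QuickTime/bak/qttask.exe": b"ORIGINAL-QTTASK",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def run_demo() -> dict[str, str]:
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return audit_bak_dirs(root)


if __name__ == "__main__":
    for path, status in sorted(run_demo().items()):
        print(f"{status:12} {path}")
```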

#8 Steve Wiegand

Steve Wiegand
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:20 PM

Posted 15 December 2007 - 11:11 AM

Here is the FindAWF scan

Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Sat 12/15/2007
The current time is: 10:58:13.96


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 09:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 06:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 05:00 AM 15,360 ctfmon.exe
04/05/2005 07:19 PM 77,824 hkcmd.exe
04/05/2005 07:23 PM 114,688 igfxpers.exe
04/05/2005 07:22 PM 94,208 igfxtray.exe
4 File(s) 302,080 bytes

Directory of C:\PROGRA~1\ANALOG~1\CORE\BAK

10/14/2004 07:42 PM 1,404,928 smax4pnp.exe
1 File(s) 1,404,928 bytes

Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

05/03/2006 02:12 AM 98,304 DMXLauncher.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\MCAFEE\SPAMKI~1\BAK

09/26/2005 09:26 AM 110,592 MskAgent.exe
08/12/2005 03:16 PM 1,121,792 MSKDetct.exe
2 File(s) 1,232,384 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

09/22/2005 05:29 PM 303,104 mcagent.exe
01/11/2006 11:05 AM 212,992 mcupdate.exe
2 File(s) 516,096 bytes

Directory of C:\PROGRA~1\NOVADE~1\PHOTOE~1.0\BAK

05/10/2006 12:32 PM 69,632 calcheck.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\SONY\SONICS~1\BAK

06/03/2005 07:16 AM 81,920 SsAAD.exe
1 File(s) 81,920 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

09/08/2005 05:20 AM 122,940 DLACTRLW.EXE
1 File(s) 122,940 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

06/10/2005 10:44 AM 81,920 issch.exe
06/10/2005 10:44 AM 249,856 isuspm.exe
2 File(s) 331,776 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

10/29/2006 04:42 PM 185,896 realsched.exe
1 File(s) 185,896 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 15 2007 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
77824 Apr 5 2005 "C:\WINDOWS\system32\hkcmd.exe"
77824 Apr 5 2005 "C:\drivers\video\onboard\hkcmd.exe"
77824 Apr 5 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Apr 5 2005 "C:\WINDOWS\system32\igfxpers.exe"
114688 Apr 5 2005 "C:\drivers\video\onboard\igfxpers.exe"
114688 Apr 5 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
94208 Apr 5 2005 "C:\WINDOWS\system32\igfxtray.exe"
94208 Apr 5 2005 "C:\drivers\video\onboard\igfxtray.exe"
94208 Apr 5 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
1404928 Oct 14 2004 "C:\drivers\audio\onboard\SMax4PNP.exe"
1404928 Oct 14 2004 "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
98304 May 3 2006 "C:\Program Files\Dell\Media Experience\bak\DMXLauncher.exe"
141640 Aug 24 2007 "C:\Program Files\McAfee\MSK\mskagent.exe"
110592 Sep 26 2005 "C:\Program Files\McAfee\SpamKiller\bak\MskAgent.exe"
1121792 Aug 12 2005 "C:\Program Files\McAfee\SpamKiller\bak\MSKDetct.exe"
582992 Aug 3 2007 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
394576 Aug 18 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
69632 May 10 2006 "C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\bak\calcheck.exe"
476728 Feb 5 2007 "C:\Program Files\Sony\SonicStage\SSAAD.exe"
81920 Jun 3 2005 "C:\Program Files\Sony\SonicStage\bak\SsAAD.exe"
122940 Sep 8 2005 "C:\WINDOWS\system32\DLA\DLACTRLW.EXE"
122940 Sep 8 2005 "C:\Program Files\Roxio\DLA\install\dlactrlw.exe"
122940 Sep 8 2005 "C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"
81920 Jun 10 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
249856 Jun 10 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe"
185896 Oct 29 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


end of report

#9 Steve Wiegand

Steve Wiegand
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:20 PM

Posted 15 December 2007 - 11:32 AM

Here is the ComboFix log

ComboFix 07-12-15.5 - Kristie Kelly 2007-12-15 11:23:26.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.660 [GMT -5:00]
Running from: C:\Documents and Settings\Kristie Kelly\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kristie Kelly\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\adoxcjtq.ini
C:\WINDOWS\system32\fmqubapf.ini
C:\WINDOWS\system32\igypyipw.ini
C:\WINDOWS\system32\kvujciti.ini
C:\WINDOWS\system32\tspwvaet.ini
C:\WINDOWS\system32\ugfvwjov.ini
C:\WINDOWS\system32\uuvtvohf.dll
C:\WINDOWS\system32\xmglnfkl.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\adoxcjtq.ini
C:\WINDOWS\system32\fmqubapf.ini
C:\WINDOWS\system32\igypyipw.ini
C:\WINDOWS\system32\kvujciti.ini
C:\WINDOWS\system32\tspwvaet.ini
C:\WINDOWS\system32\ugfvwjov.ini
C:\WINDOWS\system32\uuvtvohf.dll
C:\WINDOWS\system32\xmglnfkl.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-15 to 2007-12-15 )))))))))))))))))))))))))))))))
.

2007-12-15 10:58 . 2005-04-05 19:23 114,688 --a------ C:\WINDOWS\system32\igfxpers.exe
2007-12-15 10:58 . 2005-04-05 19:22 94,208 --a------ C:\WINDOWS\system32\igfxtray.exe
2007-12-15 10:58 . 2005-04-05 19:19 77,824 --a------ C:\WINDOWS\system32\hkcmd.exe
2007-12-11 19:13 . 2007-12-11 19:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-10 19:38 . 2005-10-31 10:46 36,679 --a------ C:\WINDOWS\system32\drivers\NETMD052.sys
2007-12-10 19:37 . 2007-01-13 08:24 770,048 --a------ C:\WINDOWS\system32\CDDBUISony.dll
2007-12-10 19:37 . 2007-01-13 08:22 655,360 --a------ C:\WINDOWS\system32\CDDBControlSony.dll
2007-12-10 19:37 . 2007-01-13 08:22 589,824 --a------ C:\WINDOWS\system32\CddbMusicIDSony.dll
2007-12-10 19:37 . 2007-01-13 08:25 532,480 --a------ C:\WINDOWS\system32\CddbPlaylist2Sony.dll
2007-12-10 19:37 . 2007-01-13 08:24 73,728 --a------ C:\WINDOWS\system32\CddbLinkSony.dll
2007-12-09 16:47 . 2007-12-11 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-09 11:29 . 2007-12-09 11:29 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-09 11:29 . 2007-12-09 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-09 11:28 . 2007-12-09 11:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-04 21:10 . 2007-12-04 21:10 <DIR> d-------- C:\Documents and Settings\Kristie Kelly\Application Data\SiteAdvisor
2007-12-04 18:02 . 2007-12-15 10:55 24,549 --a------ C:\WINDOWS\system32\Config.MPF
2007-12-04 18:00 . 2007-12-04 18:01 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-12-04 18:00 . 2007-12-05 06:17 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-12-04 18:00 . 2007-12-04 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-04 17:59 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-12-04 17:56 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-12-04 17:56 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-12-04 17:56 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-12-04 17:56 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-12-04 17:56 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-12-04 17:56 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-12-04 17:51 . 2007-12-04 17:56 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-12-04 16:44 . 2007-12-04 16:44 14 --a------ C:\WINDOWS\ASSE.dat
2007-12-03 18:50 . 2007-12-03 18:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-03 18:47 . 2007-12-03 19:59 <DIR> d-------- C:\Documents and Settings\Kristie Kelly\.housecall6.6
2007-12-03 06:21 . 2007-12-03 06:24 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-01 18:10 . 2007-12-01 18:10 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-12-01 18:08 . 2007-12-01 18:08 <DIR> d-------- C:\Program Files\HP
2007-12-01 18:07 . 2007-12-01 18:07 <DIR> d-------- C:\temp\HP_WebRelease
2007-12-01 18:07 . 2007-12-13 18:03 <DIR> d-------- C:\temp
2007-12-01 18:07 . 2007-12-01 18:10 103,535 --a------ C:\WINDOWS\hpoins04.dat
2007-12-01 18:07 . 2004-06-22 08:04 17,176 --------- C:\WINDOWS\hpomdl04.dat
2007-12-01 17:54 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-12-01 17:54 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2007-12-01 17:51 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-12-01 17:51 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-11-23 18:41 . 2007-11-23 18:42 <DIR> d-------- C:\Program Files\AIM6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-14 11:25 --------- d-----w C:\Program Files\McAfee
2007-12-11 23:44 4,184 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-11 00:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-11 00:33 --------- d-----w C:\Program Files\Sony
2007-12-11 00:18 --------- d-----w C:\Program Files\Soulseek
2007-12-05 02:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-04 23:06 --------- d-----w C:\Program Files\McAfee.com
2007-12-04 23:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-12-03 22:59 --------- d-----w C:\Program Files\Google
2007-12-03 02:09 --------- d-----w C:\Program Files\MSN Games
2007-12-02 18:12 --------- d-----w C:\Documents and Settings\Kristie Kelly\Application Data\AdobeUM
2007-11-23 23:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-23 23:41 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-23 23:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 23:24 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-23 22:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-10-23 21:54 --------- d-----w C:\Program Files\Dell
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-05-04 02:50 88 --sh--r C:\WINDOWS\system32\45BC3E0E9D.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-13_18.08.12.34 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-13 21:18:56 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-15 15:09:01 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-13 21:18:56 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-15 15:09:01 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-12-13 21:18:56 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-15 15:09:01 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-09-08 10:20:00 122,940 ----a-w C:\WINDOWS\system32\DLA\DLACTRLW.EXE
- 2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-12-14 02:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 1,404,928 2004-10-15 00:42:54 C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe

----a-w 81,920 2005-06-10 15:44:02 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

----a-w 249,856 2005-06-10 15:44:02 C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe

----a-w 185,896 2006-10-29 21:42:43 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 98,304 2006-05-03 07:12:00 C:\Program Files\Dell\Media Experience\bak\DMXLauncher.exe

----a-w 256,576 2006-10-30 14:36:36 C:\Program Files\iTunes\bak\iTunesHelper.exe

----a-w 110,592 2005-09-26 14:26:58 C:\Program Files\McAfee\SpamKiller\bak\MskAgent.exe

----a-w 1,121,792 2005-08-12 20:16:44 C:\Program Files\McAfee\SpamKiller\bak\MSKDetct.exe

----a-w 303,104 2005-09-22 22:29:08 C:\Program Files\McAfee.com\Agent\bak\mcagent.exe
----a-w 582,992 2007-08-04 03:33:14 C:\Program Files\McAfee.com\Agent\mcagent.exe

----a-w 212,992 2006-01-11 16:05:42 C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe
----a-w 394,576 2007-08-18 08:12:10 C:\Program Files\McAfee.com\Agent\mcupdate.exe

----a-w 69,632 2006-05-10 17:32:32 C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\bak\calcheck.exe

----a-w 282,624 2006-10-25 23:58:18 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 81,920 2005-06-03 12:16:00 C:\Program Files\Sony\SonicStage\bak\SsAAD.exe
----a-w 476,728 2007-02-05 15:11:10 C:\Program Files\Sony\SonicStage\SSAAD.exe

-c--a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 77,824 2005-04-06 00:19:18 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 77,824 2005-04-06 00:19:18 C:\WINDOWS\system32\hkcmd.exe

----a-w 114,688 2005-04-06 00:23:14 C:\WINDOWS\system32\bak\igfxpers.exe
----a-w 114,688 2005-04-06 00:23:14 C:\WINDOWS\system32\igfxpers.exe

----a-w 94,208 2005-04-06 00:22:32 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 94,208 2005-04-06 00:22:32 C:\WINDOWS\system32\igfxtray.exe

-c--a-w 122,940 2005-09-08 10:20:00 C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE
----a-w 122,940 2005-09-08 10:20:00 C:\WINDOWS\system32\DLA\DLACTRLW.EXE

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"Sen"="C:\WINDOWS\CURITY~1\dvdplay.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" []
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 16:57]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-07-22 20:29]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-12 21:48:22]
EPSON Background Monitor.lnk - C:\Program Files\EPSON\ESM2\STMS.exe [1999-06-07 11:11:18]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe -startup


.
Contents of the 'Scheduled Tasks' folder
"2007-12-04 22:55:20 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 11:25:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-15 11:25:52
C:\ComboFix2.txt ... 2007-12-13 18:10
.
2007-12-12 04:05:47 --- E O F ---

Here is the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:43 AM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\CURITY~1\dvdplay.exe" -vt yazb
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6666 bytes
THANKS AGAIN!!!!

#10 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:07:20 PM

Posted 19 December 2007 - 01:48 PM

Hello,

Copy the paths in the quote below to the clipboard: highlight all of them, right-click and choose Copy, or highlight them and press Ctrl+C:

C:\PROGRA~1\ITUNES\BAK
C:\PROGRA~1\QUICKT~1\BAK
C:\WINDOWS\SYSTEM32\BAK
C:\PROGRA~1\ANALOG~1\CORE\BAK
C:\PROGRA~1\DELL\MEDIAE~1\BAK
C:\PROGRA~1\MCAFEE\SPAMKI~1\BAK
C:\PROGRA~1\MCAFEE.COM\AGENT\BAK
C:\PROGRA~1\NOVADE~1\PHOTOE~1.0\BAK
C:\PROGRA~1\SONY\SONICS~1\BAK
C:\WINDOWS\SYSTEM32\DLA\BAK
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK
C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 3, then press Enter.
Press any key to continue.
A Notepad document folders.txt will appear with instructions to click below the line and paste the list of folders to be removed.
Right click below the line and paste the list of paths that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive a prompt to save the changes; click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply, along with a new HijackThis log.
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!