Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ad Infected: Ldcore.dll, Abetterinternet, Virtumonde, Etc


  • This topic is locked This topic is locked
13 replies to this topic

#1 RodneyG99

RodneyG99

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:42 AM

Posted 14 December 2007 - 10:03 PM

Who ever can help,

I have an infection that won't seem to go away. After a slew of scans by McAfee, Ad-aware, Spybot and Panda, I still seem to have an adware program running. Most browser actions that I take cause any number of other browser windows to pop up with a series of different sites: Pogo, Setthetrend.com, eBay, etc.

Even after scans that end up getting rid of most of it, ABetterInternet always seems to remain. Also, ldcore.dll seems to be resilient after deletions, rename, etc.

An HJT Log is below.

Help, please!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:09 PM, on 12/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SlimServer\server\slim.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\SLIMSE~1\server\Bin\MSWIN3~1\mysqld.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
C:\Program Files\Quicken\bagent.exe
C:\Program Files\SlimServer\SlimTray.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKSlapi.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKTOPASS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\kpdsrngk.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
O4 - Global Startup: PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SlimServer Tray Tool.lnk = C:\Program Files\SlimServer\SlimTray.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://krmtest.webex.com/client/v_mywebex-...ent/ieatgpc.cab
O18 - Protocol: bw+0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SlimServer (slimsvc) - Unknown owner - C:\Program Files\SlimServer\server\slim.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 25135 bytes

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:42 AM

Posted 24 December 2007 - 01:01 AM

Welcome to the BleepingComputer Forums.

Since it has been a few days, please post a new HijackThis log.

Thank you for your patience. :thumbsup:
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 RodneyG99

RodneyG99
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:42 AM

Posted 24 December 2007 - 01:12 PM

No problem, I understand it's a bit busy. Here is a new HJT below. I have continued to run some scans since my original post...but to no avail. These infections just keep popping up. Thanks in advance for your help.

Rodney

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:14:37 PM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SlimServer\server\slim.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\SLIMSE~1\server\Bin\MSWIN3~1\mysqld.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
C:\Program Files\Quicken\bagent.exe
C:\Program Files\SlimServer\SlimTray.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKSlapi.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKTOPASS.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft Money 2006\MNYCoreFiles\msmoney.exe
C:\Program Files\Microsoft Money 2006\MNYCoreFiles\mnybbsvc.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\SlimServer\server\Bin\MSWin32-x86-multi-thread\mov123.exe
C:\Program Files\SlimServer\server\Bin\MSWin32-x86-multi-thread\flac.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R300 Series on RODNEY-KITCHEN] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P53 "Auto EPSON Stylus Photo R300 Series on RODNEY-KITCHEN" /O24 "\\RODNEY-KITCHEN\Printer" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [\\Lisaspc\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P40 "\\Lisaspc\EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [64c894c2] rundll32.exe "C:\WINDOWS\system32\eaibthig.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
O4 - Global Startup: PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SlimServer Tray Tool.lnk = C:\Program Files\SlimServer\SlimTray.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://krmtest.webex.com/client/v_mywebex-...ent/ieatgpc.cab
O18 - Protocol: bw+0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\xgmrduah.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SlimServer (slimsvc) - Unknown owner - C:\Program Files\SlimServer\server\slim.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 26249 bytes

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:42 AM

Posted 24 December 2007 - 02:14 PM

Let's run ComboFix.

I don't believe Logitech Desktop Messenger is something you will ever miss, but instead of uninstalling it, just follow my instructions below (which will stop it running) but will still leave it available for you to run manualy, should you so desire...



Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [64c894c2] rundll32.exe "C:\WINDOWS\system32\eaibthig.dll",b
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


"Fix" all of the O18 - Protocol: s
O18 - Protocol: bw+0 - {CBD30124-3838-4556-9969-F7CA38A55B97} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\xgmrduah.exe (file missing)


*******************************************

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    c:\windows\system32\ldcore.dll
    C:\WINDOWS\system32\eaibthig.dll


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
    C:\_OTMoveIt\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.



*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Forum History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer.



Please disable you McAfee antivirus, and Ad-Watch as those will prevent SDfix from working.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log and OTMoveit log.

Edited by SifuMike, 24 December 2007 - 02:41 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 RodneyG99

RodneyG99
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:42 AM

Posted 26 December 2007 - 07:03 PM

Hey SifuMike,

Here is update:

********************************

HiJackThis "Fix Checked" run per instructions.

********************************

OTMoveIt run. Here is log:

File/Folder c:\windows\system32\ldcore.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\eaibthig.dll
C:\WINDOWS\system32\eaibthig.dll NOT unregistered.
C:\WINDOWS\system32\eaibthig.dll moved successfully.

Created on 12/26/2007 17:17:50

********************************

CCleaner Run

********************************

SDFix Run. Here is Report.txt


SDFix: Version 1.119

Run by Rodney Gayle on Wed 12/26/2007 at 05:57 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\RODNEY~1\Desktop\SDFix\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\ldinfo.ldr - Deleted
C:\WINDOWS\system32\pac.txt - Deleted



Folder C:\Temp\bkR11 - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 18:11:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\SAGENT4.EXE"="C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\SAGENT4.EXE:*:Enabled:SAgent4"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\yqvkecyx.exe"="C:\\WINDOWS\\system32\\yqv"
"C:\\WINDOWS\\system32\\oxgylkda.exe"="C:\\WINDOWS\\system32\\oxg"
"C:\\WINDOWS\\system32\\pjfwtihi.exe"="C:\\WINDOWS\\system32\\pjf"
"C:\\WINDOWS\\system32\\jtjtddtd.exe"="C:\\WINDOWS\\system32\\jtj"
"C:\\WINDOWS\\system32\\xgmrduah.exe"="C:\\WINDOWS\\system32\\xgm"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\DOCUME~1\RODNEY~1\Desktop\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 9 Aug 2003 49,237 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Sat 9 Aug 2003 36,953 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Sat 9 Aug 2003 40,960 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Sat 9 Aug 2003 233,553 A..H. --- "C:\Program Files\America Online 9.0\waol.exe"
Mon 25 Oct 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 21 Dec 2007 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Fri 21 Dec 2007 211 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Fri 9 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 15 May 2003 43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Sat 20 Mar 2004 28,160 A..H. --- "C:\Documents and Settings\Rodney Gayle\My Documents\TandBSheehan HardDrive Backup\My Documents\~WRL2993.tmp"
Sat 9 Aug 2003 111,824 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"
Mon 4 Jun 2007 29,184 ...H. --- "C:\Documents and Settings\Rodney Gayle\My Documents\Woodside\TH-CE Follow-up Team\Reporter In the Street\~WRL0002.tmp"
Mon 31 Oct 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Wed 11 Apr 2007 8 A..H. --- "C:\Documents and Settings\Rodney Gayle\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Wed 11 Apr 2007 8 A..H. --- "C:\Documents and Settings\Rodney Gayle\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Wed 11 Apr 2007 8 A..H. --- "C:\Documents and Settings\Rodney Gayle\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Wed 11 Apr 2007 8 A..H. --- "C:\Documents and Settings\Rodney Gayle\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!

****************************

Here is fresh HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:06:50 PM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SlimServer\server\slim.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\SLIMSE~1\server\Bin\MSWIN3~1\mysqld.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
C:\Program Files\Quicken\bagent.exe
C:\Program Files\SlimServer\SlimTray.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKSlapi.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKTOPASS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R300 Series on RODNEY-KITCHEN] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P53 "Auto EPSON Stylus Photo R300 Series on RODNEY-KITCHEN" /O24 "\\RODNEY-KITCHEN\Printer" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [\\Lisaspc\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P40 "\\Lisaspc\EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
O4 - Global Startup: PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SlimServer Tray Tool.lnk = C:\Program Files\SlimServer\SlimTray.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://krmtest.webex.com/client/v_mywebex-...ent/ieatgpc.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SlimServer (slimsvc) - Unknown owner - C:\Program Files\SlimServer\server\slim.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 12027 bytes


*********************************

When it booted and I opened a browser session for this forum...I did get a pop-up for some cleaner...so it looks like there is something still persistent.

Thanks again for your help.

Rodney

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:42 AM

Posted 26 December 2007 - 09:21 PM

Hi Rodney,


Let's run ComboFix.

Disable your McAfee Antivirus and Ad-Watch before running ComboFix, as they will stop ComboFix from working.

You can re-enable Ad-Watch after you're clean.
To disable AdWatch:

Open AdAware SE.
Go to Ad-Watch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options Active and Automatic.
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both options. You can enable these after resolving your problem.



You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


If you have used Combofix before, please delete the version you have and redownload it again, because Combofix is being updated everyday.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
Do NOT run ComboFix more than once.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Do not run Combofix more than once.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Edited by SifuMike, 26 December 2007 - 09:23 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 RodneyG99

RodneyG99
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:42 AM

Posted 27 December 2007 - 10:10 AM

Done. Here is the ComboFix Log:

ComboFix 07-12-21.4 - Rodney Gayle 2007-12-27 9:46:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.392 [GMT -5:00]
Running from: C:\Documents and Settings\Rodney Gayle\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\Temp
C:\WINDOWS\hg173.exe
C:\WINDOWS\SYSTEM32\acttrcwk.ini
C:\WINDOWS\system32\amriyagu.dll
C:\WINDOWS\SYSTEM32\apfkufty.ini
C:\WINDOWS\system32\cqruiect.dll
C:\WINDOWS\system32\daSgo02
C:\WINDOWS\SYSTEM32\dlkprqih.ini
C:\WINDOWS\system32\hiqrpkld.dll
C:\WINDOWS\system32\ideyfxvv.dll
C:\WINDOWS\system32\kagbxpjk.dll
C:\WINDOWS\system32\kwcrttca.dll
C:\WINDOWS\system32\lqhxkoqj.dll
C:\WINDOWS\SYSTEM32\nxislvys.ini
C:\WINDOWS\system32\omayasxe.dll
C:\WINDOWS\system32\skwrdxrw.dll
C:\WINDOWS\SYSTEM32\srutv.ini
C:\WINDOWS\SYSTEM32\srutv.ini2
C:\WINDOWS\system32\syvlsixn.dll
C:\WINDOWS\SYSTEM32\tceiurqc.ini
C:\WINDOWS\system32\ulspdnlb.dll
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\SYSTEM32\wrxdrwks.ini
C:\WINDOWS\system32\wvursrr.dll
C:\WINDOWS\SYSTEM32\xuesmsmy.ini
C:\WINDOWS\system32\ymsmseux.dll
C:\WINDOWS\system32\ytfukfpa.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
.

2007-12-26 17:54 . 2007-12-26 17:55 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-26 17:21 . 2007-12-26 17:21 <DIR> d-------- C:\Program Files\CCleaner
2007-12-24 08:59 . 2007-12-24 08:59 992,776 --ahs---- C:\WINDOWS\SYSTEM32\gihtbiae.ini
2007-12-14 21:55 . 2007-12-14 21:55 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-14 20:47 . 2007-12-14 20:56 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-12-14 20:47 . 2007-12-14 20:47 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-12-14 20:47 . 2007-12-14 20:47 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2007-12-14 20:47 . 2007-12-14 20:47 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2007-12-10 14:46 . 2007-12-11 19:40 859,220 --ahs---- C:\WINDOWS\SYSTEM32\uybvxahx.ini
2007-12-09 14:42 . 2007-12-10 14:43 858,944 --ahs---- C:\WINDOWS\SYSTEM32\xfenmfqa.ini
2007-12-09 11:39 . 2007-12-09 11:39 834,160 --ahs---- C:\WINDOWS\SYSTEM32\qlnkrnil.ini
2007-12-08 11:39 . 2007-12-08 12:50 834,127 --ahs---- C:\WINDOWS\SYSTEM32\cbdvfkih.ini
2007-12-07 17:05 . 2007-12-14 17:38 305 --a------ C:\WINDOWS\wininit.ini
2007-12-07 16:00 . 2007-12-26 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-07 10:49 . 2007-12-07 10:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-07 10:31 . 2007-12-24 18:30 143 --a------ C:\WINDOWS\SYSTEM32\mcrh.tmp
2007-12-07 10:24 . 2007-12-07 10:49 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-06 09:19 . 2007-12-06 09:20 807,588 --ahs---- C:\WINDOWS\SYSTEM32\tihavrcl.ini
2007-12-05 09:10 . 2007-12-06 09:11 807,528 --ahs---- C:\WINDOWS\SYSTEM32\blxfpybc.ini
2007-12-04 21:14 . 2007-12-05 08:58 805,330 --ahs---- C:\WINDOWS\SYSTEM32\xqcqlntm.ini
2007-12-03 21:05 . 2007-12-03 21:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\daSgo06
2007-12-02 23:12 . 2007-12-07 12:01 621 --a------ C:\WINDOWS\SYSTEM32\old_ldinfo_old.txt.ldr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 14:21 --------- d-----w C:\Program Files\McAfee
2007-12-11 01:08 --------- d-----w C:\Documents and Settings\Rodney Gayle\Application Data\SiteAdvisor
2007-12-07 15:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 19:41 --------- d-----w C:\Program Files\DYMO Label
2007-11-09 00:54 --------- d-----w C:\Program Files\iTunes
2007-11-09 00:53 --------- d-----w C:\Program Files\iPod
2007-11-09 00:51 --------- d-----w C:\Program Files\QuickTime
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-10-10 10:59 625,152 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2003-11-19 22:34 1,696 ----a-w C:\Program Files\INSTALL.LOG
1999-07-16 16:45 25,887 ----a-w C:\Program Files\ircodes.ini
1999-07-14 02:32 739,328 ----a-w C:\Program Files\PLATOTW.EXE
1998-05-31 04:54 41,472 ----a-w C:\Program Files\x10dll.dll
1997-08-06 03:52 580,288 ----a-w C:\Program Files\PLATOTW.HLP
1997-08-06 03:05 3,826 ----a-w C:\Program Files\PLATOTW.TIP
1997-07-10 05:34 920 ----a-w C:\Program Files\PLATOTW.cnt
1997-07-03 14:44 82,864 ----a-w C:\Program Files\UNWISE.EXE
1997-02-06 01:26 10,987 ----a-w C:\Program Files\LATLONG.DAT
1994-10-06 03:55 107,645 ----a-w C:\Program Files\WINCAP.EXE
1994-09-05 21:41 283,958 ----a-w C:\Program Files\HOUSE.BMP
1994-09-05 21:41 221,686 ----a-w C:\Program Files\DEN.BMP
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"LDM"="\Program\" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 20:22]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-10-30 17:05]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 15:53]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 11:27]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-11-13 17:28]
"hpppta"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe" [2000-10-05 01:00]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-11-13 17:28]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"nwiz"="nwiz.exe" [2004-03-24 10:04 C:\WINDOWS\SYSTEM32\nwiz.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-25 19:51]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-14 11:17]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6028\SiteAdv.exe" [2007-02-08 21:39]
"Motive SmartBridge"="C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe" [2006-06-23 11:33]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 18:33]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\SYSTEM32\rundll32.exe]
"Auto EPSON Stylus Photo R300 Series on RODNEY-KITCHEN"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 02:00]
"\\Lisaspc\EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 02:00]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-10-31 15:32]

C:\Documents and Settings\Rodney Gayle\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2007-07-20 12:57:16]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2003-11-11 09:10:59]
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2007-03-08 13:07:03]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-11-11 09:04:44]
eFax.com Tray Menu.lnk - C:\Program Files\Common Files\efax\HotTray.exe [2003-12-16 22:34:40]
Live Menu.lnk - C:\Program Files\Common Files\efax\Dllcmd32.exe [2003-12-16 22:34:39]
Logitech Harmony Remote.lnk - C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe [2005-04-18 15:31:34]
PageKeeper Jobs.lnk - C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe [2003-12-16 22:35:59]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-29 21:49:48]
SlimServer Tray Tool.lnk - C:\Program Files\SlimServer\SlimTray.exe [2005-11-14 16:38:54]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-10-03 13:04:38]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R3 EUSBMMC;eUSB Driver for MultiMediaCard;C:\WINDOWS\system32\DRIVERS\EUSBMMC.SYS [2000-06-12 13:31]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-09-27 16:12]

*Newly Created Service* - AD-WATCH_REAL-TIME_SCANNER
*Newly Created Service* - AD-WATCH_REGISTRY_FILTER
.
Contents of the 'Scheduled Tasks' folder
"2007-12-06 22:21:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-15 06:13:11 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-12-01 06:00:10 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-27 10:00:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"\\\\Lisaspc\\EPSON Stylus Photo R300 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2F1.EXE /P40 \"\\\\Lisaspc\\EPSON Stylus Photo R300 Series\" /O6 \"USB002\" /M \"Stylus Photo R300\""
.
Completion time: 2007-12-27 10:02:06 - machine was rebooted
.
2007-12-12 01:56:31 --- E O F ---


*&*&*&*&*&*&*&*&*&*&**&&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*

And a fresh HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:59 AM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SlimServer\server\slim.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\SLIMSE~1\server\Bin\MSWIN3~1\mysqld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
C:\Program Files\Quicken\bagent.exe
C:\Program Files\SlimServer\SlimTray.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKSlapi.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKTOPASS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R300 Series on RODNEY-KITCHEN] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P53 "Auto EPSON Stylus Photo R300 Series on RODNEY-KITCHEN" /O24 "\\RODNEY-KITCHEN\Printer" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [\\Lisaspc\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P40 "\\Lisaspc\EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
O4 - Global Startup: PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SlimServer Tray Tool.lnk = C:\Program Files\SlimServer\SlimTray.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://krmtest.webex.com/client/v_mywebex-...ent/ieatgpc.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SlimServer (slimsvc) - Unknown owner - C:\Program Files\SlimServer\server\slim.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 13330 bytes


*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&**&*&*&*&*&*&*&*&*&*&*&*&*&*&*

Thanks,
Rodney

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:42 AM

Posted 27 December 2007 - 01:19 PM

Hello RodneyG99,

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll



Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\SYSTEM32\gihtbiae.ini
C:\WINDOWS\SYSTEM32\uybvxahx.ini
C:\WINDOWS\SYSTEM32\xfenmfqa.ini
C:\WINDOWS\SYSTEM32\qlnkrnil.ini
C:\WINDOWS\SYSTEM32\cbdvfkih.ini
C:\WINDOWS\SYSTEM32\tihavrcl.ini
C:\WINDOWS\SYSTEM32\blxfpybc.ini
C:\WINDOWS\SYSTEM32\xqcqlntm.ini

Folder:: 
C:\WINDOWS\SYSTEM32\daSgo06


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 RodneyG99

RodneyG99
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:42 AM

Posted 28 December 2007 - 03:40 PM

Ok, here is update:

ComboFix log:

ComboFix 07-12-21.4 - Rodney Gayle 2007-12-28 15:31:21.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.276 [GMT -5:00]
Running from: C:\Documents and Settings\Rodney Gayle\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rodney Gayle\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\SYSTEM32\blxfpybc.ini
C:\WINDOWS\SYSTEM32\cbdvfkih.ini
C:\WINDOWS\SYSTEM32\gihtbiae.ini
C:\WINDOWS\SYSTEM32\qlnkrnil.ini
C:\WINDOWS\SYSTEM32\tihavrcl.ini
C:\WINDOWS\SYSTEM32\uybvxahx.ini
C:\WINDOWS\SYSTEM32\xfenmfqa.ini
C:\WINDOWS\SYSTEM32\xqcqlntm.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\blxfpybc.ini
C:\WINDOWS\SYSTEM32\cbdvfkih.ini
C:\WINDOWS\SYSTEM32\daSgo06
C:\WINDOWS\SYSTEM32\gihtbiae.ini
C:\WINDOWS\SYSTEM32\qlnkrnil.ini
C:\WINDOWS\SYSTEM32\tihavrcl.ini
C:\WINDOWS\SYSTEM32\uybvxahx.ini
C:\WINDOWS\SYSTEM32\xfenmfqa.ini
C:\WINDOWS\SYSTEM32\xqcqlntm.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.

2007-12-26 17:54 . 2007-12-26 17:55 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-26 17:21 . 2007-12-26 17:21 <DIR> d-------- C:\Program Files\CCleaner
2007-12-14 21:55 . 2007-12-14 21:55 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-14 20:47 . 2007-12-14 20:56 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-12-14 20:47 . 2007-12-14 20:47 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-12-14 20:47 . 2007-12-14 20:47 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2007-12-14 20:47 . 2007-12-14 20:47 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2007-12-07 17:05 . 2007-12-14 17:38 305 --a------ C:\WINDOWS\wininit.ini
2007-12-07 16:00 . 2007-12-26 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-07 10:49 . 2007-12-07 10:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-07 10:31 . 2007-12-24 18:30 143 --a------ C:\WINDOWS\SYSTEM32\mcrh.tmp
2007-12-07 10:24 . 2007-12-07 10:49 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-02 23:12 . 2007-12-07 12:01 621 --a------ C:\WINDOWS\SYSTEM32\old_ldinfo_old.txt.ldr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 14:21 --------- d-----w C:\Program Files\McAfee
2007-12-11 01:08 --------- d-----w C:\Documents and Settings\Rodney Gayle\Application Data\SiteAdvisor
2007-12-07 15:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 19:41 --------- d-----w C:\Program Files\DYMO Label
2007-11-09 00:54 --------- d-----w C:\Program Files\iTunes
2007-11-09 00:53 --------- d-----w C:\Program Files\iPod
2007-11-09 00:51 --------- d-----w C:\Program Files\QuickTime
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-10-10 10:59 625,152 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2003-11-19 22:34 1,696 ----a-w C:\Program Files\INSTALL.LOG
1999-07-16 16:45 25,887 ----a-w C:\Program Files\ircodes.ini
1999-07-14 02:32 739,328 ----a-w C:\Program Files\PLATOTW.EXE
1998-05-31 04:54 41,472 ----a-w C:\Program Files\x10dll.dll
1997-08-06 03:52 580,288 ----a-w C:\Program Files\PLATOTW.HLP
1997-08-06 03:05 3,826 ----a-w C:\Program Files\PLATOTW.TIP
1997-07-10 05:34 920 ----a-w C:\Program Files\PLATOTW.cnt
1997-07-03 14:44 82,864 ----a-w C:\Program Files\UNWISE.EXE
1997-02-06 01:26 10,987 ----a-w C:\Program Files\LATLONG.DAT
1994-10-06 03:55 107,645 ----a-w C:\Program Files\WINCAP.EXE
1994-09-05 21:41 283,958 ----a-w C:\Program Files\HOUSE.BMP
1994-09-05 21:41 221,686 ----a-w C:\Program Files\DEN.BMP
.

((((((((((((((((((((((((((((( snapshot@2007-12-27_10.01.04.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-27 14:33:26 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2007-12-28 20:11:49 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2007-12-27 14:33:26 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2007-12-28 20:11:49 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2007-12-28 20:11:49 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-28 20:07:04 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_a50.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"LDM"="\Program\" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 20:22]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-10-30 17:05]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 15:53]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 11:27]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-11-13 17:28]
"hpppta"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe" [2000-10-05 01:00]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-11-13 17:28]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"nwiz"="nwiz.exe" [2004-03-24 10:04 C:\WINDOWS\SYSTEM32\nwiz.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-25 19:51]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-14 11:17]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6028\SiteAdv.exe" [2007-02-08 21:39]
"Motive SmartBridge"="C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe" [2006-06-23 11:33]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 18:33]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\SYSTEM32\rundll32.exe]
"Auto EPSON Stylus Photo R300 Series on RODNEY-KITCHEN"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 02:00]
"\\Lisaspc\EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 02:00]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-10-31 15:32]

C:\Documents and Settings\Rodney Gayle\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2007-07-20 12:57:16]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2003-11-11 09:10:59]
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2007-03-08 13:07:03]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-11-11 09:04:44]
eFax.com Tray Menu.lnk - C:\Program Files\Common Files\efax\HotTray.exe [2003-12-16 22:34:40]
Live Menu.lnk - C:\Program Files\Common Files\efax\Dllcmd32.exe [2003-12-16 22:34:39]
Logitech Harmony Remote.lnk - C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe [2005-04-18 15:31:34]
PageKeeper Jobs.lnk - C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe [2003-12-16 22:35:59]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-29 21:49:48]
SlimServer Tray Tool.lnk - C:\Program Files\SlimServer\SlimTray.exe [2005-11-14 16:38:54]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-10-03 13:04:38]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R3 EUSBMMC;eUSB Driver for MultiMediaCard;C:\WINDOWS\system32\DRIVERS\EUSBMMC.SYS [2000-06-12 13:31]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-09-27 16:12]

*Newly Created Service* - AD-WATCH_REGISTRY_FILTER
.
Contents of the 'Scheduled Tasks' folder
"2007-12-06 22:21:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-15 06:13:11 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-12-01 06:00:10 C:\WINDOWS\Tasks\McQcTask.job"
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 15:37:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"\\\\Lisaspc\\EPSON Stylus Photo R300 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2F1.EXE /P40 \"\\\\Lisaspc\\EPSON Stylus Photo R300 Series\" /O6 \"USB002\" /M \"Stylus Photo R300\""
.
Completion time: 2007-12-28 15:39:17
C:\ComboFix2.txt ... 2007-12-27 10:02
.
2007-12-12 01:56:31 --- E O F ---


*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*

Fresh HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:22 PM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
C:\Program Files\Quicken\bagent.exe
C:\Program Files\SlimServer\SlimTray.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SlimServer\server\slim.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKSlapi.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKTOPASS.EXE
C:\PROGRA~1\SLIMSE~1\server\Bin\MSWIN3~1\mysqld.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R300 Series on RODNEY-KITCHEN] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P53 "Auto EPSON Stylus Photo R300 Series on RODNEY-KITCHEN" /O24 "\\RODNEY-KITCHEN\Printer" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [\\Lisaspc\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P40 "\\Lisaspc\EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
O4 - Global Startup: PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SlimServer Tray Tool.lnk = C:\Program Files\SlimServer\SlimTray.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://krmtest.webex.com/client/v_mywebex-...ent/ieatgpc.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SlimServer (slimsvc) - Unknown owner - C:\Program Files\SlimServer\server\slim.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 13334 bytes


*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*&*

Thanks,
Rodney

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:42 AM

Posted 28 December 2007 - 06:48 PM

Hi Rodney,

Your log looks clean! :thumbsup: Good job on the cleanup!


Uninstall ComboFix, go to to Start > Run & type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.


Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware' by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 RodneyG99

RodneyG99
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:42 AM

Posted 28 December 2007 - 08:39 PM

Hey SifuMike,

Thanks for your help. I made a donation through PayPal.

I deleted ComboFix as you suggested...should I keep any of the rest of the utilities? (SDFix, KillBox, OT Move It, McAfee Stinger)

Thanks again.

Rodney

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:42 AM

Posted 28 December 2007 - 11:39 PM

Hi Rodney,

Thanks for the donation. :thumbsup:

I deleted ComboFix as you suggested...should I keep any of the rest of the utilities? (SDFix, KillBox, OT Move It, McAfee Stinger)


I hope you uninstalled ComboFix with way recommended previously, rather than delete it. It is far cleaner to uninstall that way.

You can find and delete SDFix, OTMoveIt, C:\_OTMoveIt, KillBox and McAfee Stinger.

You should not be using SDFix, OTMoveIt and ComboFix except under supervision of a malware expert. They are not approved for personal use.

Edited by SifuMike, 28 December 2007 - 11:40 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 RodneyG99

RodneyG99
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:42 AM

Posted 29 December 2007 - 09:38 AM

Hey SifuMike,

Yes, I "uninstalled" as prescribed. I will do the same for the others.

Thanks again for your help. Running faster and no pop-ups / ads. :thumbsup:

Rodney

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:42 AM

Posted 03 January 2008 - 06:20 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users