
Infected With Malware?


  • This topic is locked
14 replies to this topic

#1 harper

harper

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:17 PM

Posted 15 December 2007 - 06:07 PM

Running Windows XP, using IE as browser
Have McAfee and Spyware Doctor installed and up to date

Constantly having pop ups and computer is very slow (especially after installing Spyware Dr.)
McAfee doesn't find virus, Dr. keeps finding things and I remove them but pop ups continue. Maybe on reboot?
Have scanned in safe mode under all users and admin. and problems exist.

Here is the Trend HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:38 PM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [f0c21cae] rundll32.exe "C:\WINDOWS\system32\rcnfersd.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 8385 bytes

Would love some input on how to fix.

Thanks.


#2 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:17 PM

Posted 16 December 2007 - 07:39 AM

Hello harper :thumbsup:

Copy and paste this 'Fix' into either Notepad or Wordpad for future reference, as you will be required to close down your browser when following these steps.

--------------------------

Can you first please disable Spyware Doctor: click the OnGuard button to the left, then remove the check from the Activate OnGuard option in the next window to disable all protection.

Then Re-open HijackThis and select "Do a System Scan only" and place a checkmark in the boxes before the following entries:

O4 - HKLM\..\Run: [f0c21cae] rundll32.exe "C:\WINDOWS\system32\rcnfersd.dll",b

Close any Explorer windows which may be open and click the "Fix Checked" button.


Download this latest version of VundoFix to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files,
    click YES
  • Once you click yes, your desktop will go blank as it starts removing
    Vundo.
  • When completed, it will prompt that it will reboot your computer,
    click OK.
  • Please post the contents of C:\vundofix.txt in your next reply
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button."
when VundoFix appears at reboot.

Once you have done that please Re-scan with HijackThis and post the new log and the C:\vundofix.txt

Thank you

#3 harper

harper
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:17 PM

Posted 16 December 2007 - 01:30 PM

ourwilly,

Thanks for the reply. Was doing some surfing while waiting for a reply and came across a similar complaint as mine and they mentioned vundofix. Ran it and removed files.

Now when I go to follow your help I can no longer find :

O4 - HKLM\..\Run: [f0c21cae] rundll32.exe "C:\WINDOWS\system32\rcnfersd.dll",b

Seems to be replaced with:

O4 - HKLM\..\Run: [f0c21cae] rundll32.exe "C:\WINDOWS\system32\ywppyagl.dll",b

Coincidentally, I now receive an error loading message for this ywppyagl.dll.

Here is the C:\vundofix.txt from last night
Old versions of java are exploitable and should be removed.

Scan started at 8:30:14 PM 12/15/2007

Listing files found while scanning....

C:\WINDOWS\system32\bdmjftxl.dll
C:\WINDOWS\system32\bllmiyyh.ini
C:\WINDOWS\system32\csbcsrrw.dll
C:\WINDOWS\system32\ctbqcuoa.dll
C:\WINDOWS\system32\cxrhfjvr.dll
C:\WINDOWS\system32\dexhhflm.dll
C:\WINDOWS\system32\dflktglk.dll
C:\WINDOWS\system32\dgpnyycy.dll
C:\WINDOWS\system32\drrsvvbh.dll
C:\WINDOWS\system32\dxxodgho.dll
C:\WINDOWS\system32\gargokso.dll
C:\WINDOWS\system32\gonghrdk.dll
C:\WINDOWS\system32\hriavhoq.dll
C:\WINDOWS\system32\hyyimllb.dll
C:\WINDOWS\system32\idgdupjo.dll
C:\WINDOWS\system32\jajqoinb.dll
C:\WINDOWS\system32\jeconxdk.dll
C:\WINDOWS\system32\jljlanky.dll
C:\WINDOWS\system32\jpichhaf.dll
C:\WINDOWS\system32\juuwdbjk.dll
C:\WINDOWS\system32\kdrhgnog.ini
C:\WINDOWS\system32\leaobibg.dll
C:\WINDOWS\system32\lojwxmtk.dll
C:\WINDOWS\system32\maklifdg.dll
C:\WINDOWS\system32\mlfhhxed.ini
C:\WINDOWS\system32\mlrswlrr.dll
C:\WINDOWS\system32\mmplaeyk.dll
C:\WINDOWS\system32\nkkitrjj.dll
C:\WINDOWS\system32\nvhvidno.dll
C:\WINDOWS\system32\oiiuivtk.dll
C:\WINDOWS\system32\okkuhicx.dll
C:\WINDOWS\system32\omgwkfmy.dll
C:\WINDOWS\system32\opsqvqkd.dll
C:\WINDOWS\system32\pmnli.dll
C:\WINDOWS\system32\ppjoywwo.dll
C:\WINDOWS\system32\qpegghed.dll
C:\WINDOWS\system32\qqhlvcja.dll
C:\WINDOWS\system32\qwoaavbb.dll
C:\WINDOWS\system32\rcnfersd.dll
C:\WINDOWS\system32\rjrwolvu.dll
C:\WINDOWS\system32\rvjfhrxc.ini
C:\WINDOWS\system32\sdqibnma.dll
C:\WINDOWS\system32\skjhgrxh.dll
C:\WINDOWS\system32\tjslwxdo.dll
C:\WINDOWS\system32\tmpthojm.dll
C:\WINDOWS\system32\ubchhlpr.dll
C:\WINDOWS\system32\vmirgwxe.dll
C:\WINDOWS\system32\wrjpcikb.dll
C:\WINDOWS\system32\wrrscbsc.ini
C:\WINDOWS\system32\wvwwhjbm.dll
C:\WINDOWS\system32\xgdijqmg.dll
C:\WINDOWS\system32\xgsidcej.dll
C:\WINDOWS\system32\xqpdljca.dll
C:\WINDOWS\system32\yckioffd.dll
C:\WINDOWS\system32\ycyynpgd.ini
C:\WINDOWS\system32\yrowhlrq.dll
C:\WINDOWS\system32\ywppyagl.dll

Beginning removal...

Performing Repairs to the registry.
Done!


And here is a new HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:44 PM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: {0a04a6d7-5259-1e4b-10f4-0957237f8cf7} - {7fc8f732-7590-4f01-b4e1-95257d6a40a0} - C:\WINDOWS\system32\gargokso.dll (file missing)
O2 - BHO: (no name) - {987DA7B8-2141-4C69-845A-0444FADA8749} - C:\WINDOWS\system32\pmnli.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [f0c21cae] rundll32.exe "C:\WINDOWS\system32\ywppyagl.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-3388343466-673415731-620953523-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'kathy')
O4 - HKUS\S-1-5-21-3388343466-673415731-620953523-1006\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler (User 'kathy')
O4 - HKUS\S-1-5-21-3388343466-673415731-620953523-1006\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'kathy')
O4 - HKUS\S-1-5-21-3388343466-673415731-620953523-1006\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'kathy')
O4 - HKUS\S-1-5-21-3388343466-673415731-620953523-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'kathy')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O23 - Service: McAfee Application Installer Cleanup (0091401197824499) (0091401197824499mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\009140~1.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 10215 bytes


Hope I didn't screw things up!

#4 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:17 PM

Posted 16 December 2007 - 02:12 PM

Hello harper :thumbsup:

Now when I go to follow your help I can no longer find :
O4 - HKLM\..\Run: [f0c21cae] rundll32.exe "C:\WINDOWS\system32\rcnfersd.dll",b

Seems to be replaced with:
O4 - HKLM\..\Run: [f0c21cae] rundll32.exe "C:\WINDOWS\system32\ywppyagl.dll",b


Thank you for that information. OK, it looks like the VundoFix tool has helped to clean up some of the infection here, so let's try this next.

----------------------------

Copy and paste this 'Fix' into either Notepad or Wordpad for future reference, as you will be required to close down your browser when following these steps.

Re-open HijackThis and select "Do a System Scan only" and place a checkmark in the boxes before the following entries:

O2 - BHO: {0a04a6d7-5259-1e4b-10f4-0957237f8cf7} - {7fc8f732-7590-4f01-b4e1-95257d6a40a0} - C:\WINDOWS\system32\gargokso.dll (file missing)
O2 - BHO: (no name) - {987DA7B8-2141-4C69-845A-0444FADA8749} - C:\WINDOWS\system32\pmnli.dll (file missing)
O4 - HKLM\..\Run: [f0c21cae] rundll32.exe "C:\WINDOWS\system32\ywppyagl.dll",b

Close any Explorer windows which may be open and click the "Fix Checked" button.



Can you please now Download "ComboFix.exe" from one of these links and save this onto your desktop

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click "combofix.exe" to launch the application, then follow the prompts that will be displayed on the screen.

Important: Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it will produce a log called "combofix.txt", by default saved into your C folder. Navigate to Start >> My Computer >> Local Disk C and copy and paste the combofix.txt log along with a new HijackThis log.

Thank you.

#5 harper (Topic Starter)

Posted 16 December 2007 - 03:05 PM

OK - here are the results of the ComboFix and a new HJT

ComboFix 07-12-16.3 - michael 2007-12-16 14:49:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.567 [GMT -5:00]
Running from: C:\Documents and Settings\michael\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\abW9
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rMa02yy

.
((((((((((((((((((((((((( Files Created from 2007-11-16 to 2007-12-16 )))))))))))))))))))))))))))))))
.

2007-12-15 20:50 . 2007-12-15 20:50 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-12-15 20:40 . 2007-12-15 20:40 970,314 ---hs---- C:\WINDOWS\system32\lgayppwy.ini
2007-12-15 20:30 . 2007-12-15 20:30 <DIR> d-------- C:\VundoFix Backups
2007-12-15 19:36 . 2007-12-15 20:11 970,530 ---hs---- C:\WINDOWS\system32\ymfkwgmo.ini
2007-12-15 18:36 . 2007-12-15 18:36 970,434 ---hs---- C:\WINDOWS\system32\amnbiqds.ini
2007-12-15 18:33 . 2007-12-15 18:34 970,374 ---hs---- C:\WINDOWS\system32\mbjhwwvw.ini
2007-12-15 17:33 . 2007-12-15 17:34 970,314 ---hs---- C:\WINDOWS\system32\dsrefncr.ini
2007-12-15 16:31 . 2007-12-15 16:31 970,974 ---hs---- C:\WINDOWS\system32\fahhcipj.ini
2007-12-15 14:34 . 2007-12-15 14:34 970,854 ---hs---- C:\WINDOWS\system32\jecdisgx.ini
2007-12-15 13:28 . 2007-12-15 13:28 970,794 ---hs---- C:\WINDOWS\system32\bbvaaowq.ini
2007-12-15 13:25 . 2007-12-15 13:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-15 12:28 . 2007-12-15 13:06 970,752 ---hs---- C:\WINDOWS\system32\kjbdwuuj.ini
2007-12-15 11:28 . 2007-12-15 11:28 966,047 ---hs---- C:\WINDOWS\system32\bkicpjrw.ini
2007-12-15 10:25 . 2007-12-15 10:25 958,087 ---hs---- C:\WINDOWS\system32\ondivhvn.ini
2007-12-15 09:28 . 2007-12-15 09:28 956,876 ---hs---- C:\WINDOWS\system32\owwyojpp.ini
2007-12-15 09:22 . 2007-12-15 09:22 956,816 ---hs---- C:\WINDOWS\system32\ajcvlhqq.ini
2007-12-15 08:22 . 2007-12-15 08:23 956,756 ---hs---- C:\WINDOWS\system32\ktmxwjol.ini
2007-12-13 21:04 . 2007-12-14 18:11 952,323 ---hs---- C:\WINDOWS\system32\bnioqjaj.ini
2007-12-12 22:05 . 2007-12-12 22:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-12-12 18:12 . 2007-12-12 18:12 916,893 ---hs---- C:\WINDOWS\system32\yknaljlj.ini
2007-12-11 17:53 . 2007-12-11 17:53 912,962 ---hs---- C:\WINDOWS\system32\dkqvqspo.ini
2007-12-10 17:10 . 2007-12-10 21:37 858,936 ---hs---- C:\WINDOWS\system32\acjldpqx.ini
2007-12-09 15:30 . 2007-12-09 15:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2007-12-06 20:48 . 2007-12-06 20:48 831,417 ---hs---- C:\WINDOWS\system32\eyvxidwd.ini
2007-12-04 18:16 . 2007-12-04 18:16 805,321 ---hs---- C:\WINDOWS\system32\gbiboael.ini
2007-12-03 17:40 . 2007-12-03 18:05 794,418 ---hs---- C:\WINDOWS\system32\gdfilkam.ini
2007-12-02 08:13 . 2007-12-03 17:40 794,340 ---hs---- C:\WINDOWS\system32\iyijuwrw.ini
2007-12-01 07:27 . 2007-12-02 08:13 793,844 ---hs---- C:\WINDOWS\system32\lysattxy.ini
2007-11-30 18:21 . 2007-11-30 19:00 793,664 ---hs---- C:\WINDOWS\system32\rrlwsrlm.ini
2007-11-26 21:30 . 2007-10-10 18:55 6,065,664 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-26 21:30 . 2007-04-17 04:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-26 21:30 . 2007-03-08 00:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-26 21:30 . 2007-10-10 18:55 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-26 21:30 . 2007-10-10 18:55 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-26 21:30 . 2007-10-10 18:55 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-26 21:30 . 2007-10-10 18:55 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-26 21:30 . 2007-10-10 18:55 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-26 21:30 . 2007-10-10 05:59 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-26 21:24 . 2007-08-13 18:54 33,792 --a------ C:\WINDOWS\system32\dllcache\custsat.dll
2007-11-26 18:27 . 2007-11-29 06:53 1,060,609 ---hs---- C:\WINDOWS\system32\spwoufds.ini
2007-11-25 08:46 . 2007-11-26 18:26 1,011,044 ---hs---- C:\WINDOWS\system32\anfpqmjf.ini
2007-11-25 00:42 . 2007-11-25 00:42 <DIR> d-------- C:\Documents and Settings\dean\Application Data\PC Tools
2007-11-25 00:24 . 2007-11-25 00:24 <DIR> d-------- C:\Documents and Settings\visitor\Application Data\PC Tools
2007-11-25 00:06 . 2007-11-25 00:06 <DIR> d-------- C:\Documents and Settings\lyle\Application Data\PC Tools
2007-11-24 08:35 . 2007-11-25 08:46 1,006,385 ---hs---- C:\WINDOWS\system32\lcpkiofc.ini
2007-11-23 07:46 . 2007-11-24 08:34 776,012 ---hs---- C:\WINDOWS\system32\kigojvpc.ini
2007-11-23 07:45 . 2007-11-23 07:45 <DIR> d-------- C:\Documents and Settings\kathy\Application Data\PC Tools
2007-11-23 07:45 . 2007-12-16 14:54 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-22 14:02 . 2007-11-22 10:55 611 --a------ C:\WINDOWS\win.tmp
2007-11-22 14:02 . 2007-11-22 10:55 227 --a------ C:\WINDOWS\system.tmp
2007-11-22 13:46 . 2007-12-15 21:03 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-11-22 13:46 . 2007-11-22 13:46 <DIR> d-------- C:\Documents and Settings\michael\Application Data\PC Tools
2007-11-22 13:46 . 2007-11-22 13:47 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2007-11-22 13:46 . 2006-07-10 16:38 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2007-11-22 10:49 . 2007-11-22 10:49 <DIR> d-------- C:\Documents and Settings\michael\Application Data\Uniblue
2007-11-22 00:57 . 2007-11-25 01:02 <DIR> d-------- C:\Program Files\XoftSpySE
2007-11-21 23:51 . 2007-11-22 01:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-20 19:17 . 2007-12-01 08:52 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-19 21:30 . 2007-11-19 21:30 <DIR> d-------- C:\Documents and Settings\kathy\Application Data\McAfee
2007-11-18 10:10 . 2007-12-15 20:49 528,848 --ahs---- C:\WINDOWS\system32\ilnmp.ini2
2007-11-18 10:10 . 2007-12-15 20:50 528,848 --ahs---- C:\WINDOWS\system32\ilnmp.ini
2007-11-18 10:05 . 2007-12-16 14:52 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-16 19:54 --------- d-----w C:\Program Files\McAfee
2007-12-16 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-15 13:40 --------- d-----w C:\Program Files\DIGStream
2007-12-12 23:17 2,330 ----a-w C:\Documents and Settings\kathy\Application Data\wklnhst.dat
2007-12-12 00:30 2,118 ----a-w C:\Documents and Settings\michael\Application Data\wklnhst.dat
2007-12-03 23:09 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-20 02:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-16 11:54 --------- d-----w C:\Documents and Settings\michael\Application Data\SiteAdvisor
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-31 23:34 --------- d-----w C:\Documents and Settings\kathy\Application Data\SiteAdvisor
2007-10-30 23:42 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 22:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55 478,208 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-10-09 21:41 560 ----a-w C:\Documents and Settings\visitor\Application Data\wklnhst.dat
2007-01-18 00:14 0 ----a-w C:\Documents and Settings\dean\Application Data\wklnhst.dat
2006-11-28 22:48 0 ----a-w C:\Documents and Settings\lyle\Application Data\wklnhst.dat
2005-05-12 04:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2007-07-22 00:47 56 --sh--r C:\WINDOWS\system32\7906B1B3BF.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 03:40]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2007-11-22 13:47]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 02:12]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 03:40]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 03:40]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2006-11-18 07:46]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2007-11-22 13:47]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-17 16:19:31]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-11 23:12 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

S3 kbeepm;kbeepm;\??\C:\DOCUME~1\michael\LOCALS~1\Temp\kbeepm.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-03 12:43:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-05-15 05:00:01 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-07-01 05:00:04 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-16 14:56:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-16 14:57:32 - machine was rebooted
.
2007-12-12 02:14:32 --- E O F ---





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:07 PM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 9079 bytes


Thanks

#6 ourwilly

Posted 16 December 2007 - 06:30 PM

Hello harper :thumbsup:

Copy and Paste this 'Fix' into either Notepad or Wordpad for future reference, as you will be required to close down your browser when following these steps.

----------------------------

Hold Down The Windows Key + E to Open Windows Explorer

Select: Tools >> Folder Options >> View
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option. <-- important
Click Yes to confirm the changes, Click OK.


Please go to: http://virusscan.jotti.org/
At the top select the Browse button, then navigate to this File and Submit it to be scanned.
C:\WINDOWS\system32\7906B1B3BF.sys
Any results, please Copy & Paste them in your next reply.



Please Open notepad - don't use any other text editor

I would like you to now Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\lgayppwy.ini
C:\WINDOWS\system32\ymfkwgmo.ini
C:\WINDOWS\system32\amnbiqds.ini
C:\WINDOWS\system32\dsrefncr.ini
C:\WINDOWS\system32\fahhcipj.ini
C:\WINDOWS\system32\jecdisgx.ini
C:\WINDOWS\system32\bbvaaowq.ini
C:\WINDOWS\system32\kjbdwuuj.ini
C:\WINDOWS\system32\bkicpjrw.ini
C:\WINDOWS\system32\ondivhvn.ini
C:\WINDOWS\system32\owwyojpp.ini
C:\WINDOWS\system32\ajcvlhqq.ini
C:\WINDOWS\system32\ktmxwjol.ini
C:\WINDOWS\system32\bnioqjaj.ini
C:\WINDOWS\system32\yknaljlj.ini
C:\WINDOWS\system32\dkqvqspo.ini
C:\WINDOWS\system32\acjldpqx.ini
C:\WINDOWS\system32\eyvxidwd.ini
C:\WINDOWS\system32\gbiboael.ini
C:\WINDOWS\system32\gdfilkam.ini
C:\WINDOWS\system32\iyijuwrw.ini
C:\WINDOWS\system32\lysattxy.ini
C:\WINDOWS\system32\rrlwsrlm.ini
C:\WINDOWS\system32\spwoufds.ini
C:\WINDOWS\system32\anfpqmjf.ini
C:\WINDOWS\system32\lcpkiofc.ini
C:\WINDOWS\system32\kigojvpc.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ilnmp.ini2
C:\WINDOWS\system32\ilnmp.ini
C:\DOCUME~1\michael\LOCALS~1\Temp\kbeepm.sys

Driver::
kbeepm


Name the file CFScript and Save it to your Desktop

Posted Image
Referring to the picture above, drag CFScript.txt into ComboFix.exe

Run ComboFix again and post the resultant log and the Jotti results.

Thank you
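As an added example (not code from the thread, ComboFix or HijackThis), the Python script below turns the indicators ourwilly worked from in this thread into detection rules over ComboFix and HijackThis log lines (hidden+system .ini files with random names directly in system32, a driver loaded from a Temp folder, and the rundll32 random-DLL O4 entry) and renders them in the File:: / Driver:: CFScript layout from post #6. The sample log lines are copied from the thread's own logs except the two entries marked constructed; the size threshold and the name-length rule are assumptions drawn from the files seen in this thread, not ComboFix's own logic.

```python
"""Detection heuristics for the Vundo-style indicators in this thread's ComboFix
and HijackThis logs, plus a generator for the File:: / Driver:: CFScript layout.
Added example; not ComboFix's or HijackThis's own code."""
import re

# ComboFix "Files Created" entry: <created> . <modified> <size|<DIR>> <attrs> <path>
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) (\S{9}) (.+)$"
)
# ComboFix driver/service entry: "S3 name;display;\??\C:\path\file.sys"
DRIVER_LINE = re.compile(r"^[SR]\d (\w+);[^;]*;(?:\\\?\?\\)?(.+)$")
# HijackThis O4 loader seen here: rundll32.exe "...\system32\<8 letters>.dll",<letter>
O4_RUNDLL = re.compile(
    r'^O4 - HK\w+\\\.\.\\Run: \[\w+\] rundll32\.exe '
    r'"([^"]+\\system32\\[a-z]{8}\.dll)",[a-z]$'
)

# Sample input: lines copied from the thread's ComboFix log; the final R1 line is a
# constructed benign driver entry so the Temp-folder rule has something to reject.
SAMPLE_COMBOFIX = r"""
2007-12-15 20:50 . 2007-12-15 20:50 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-12-15 20:40 . 2007-12-15 20:40 970,314 ---hs---- C:\WINDOWS\system32\lgayppwy.ini
2007-12-15 20:30 . 2007-12-15 20:30 <DIR> d-------- C:\VundoFix Backups
2007-11-26 21:30 . 2007-10-10 18:55 6,065,664 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-22 14:02 . 2007-11-22 10:55 611 --a------ C:\WINDOWS\win.tmp
2007-11-18 10:10 . 2007-12-15 20:50 528,848 --ahs---- C:\WINDOWS\system32\ilnmp.ini
S3 kbeepm;kbeepm;\??\C:\DOCUME~1\michael\LOCALS~1\Temp\kbeepm.sys
R1 ikhlayer;ikhlayer;\??\C:\WINDOWS\system32\drivers\ikhlayer.sys
"""

# Sample input: two O4 lines from the thread's HijackThis logs plus a constructed
# benign rundll32 entry (no quoted system32 DLL path) as a decoy.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [f0c21cae] rundll32.exe "C:\WINDOWS\system32\ywppyagl.dll",b
O4 - HKLM\..\Run: [BtAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"""


def parse_file_entries(log):
    """Yield (size, attrs, path) for file entries; directory rows are skipped."""
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if m and m.group(3) != "<DIR>":
            yield int(m.group(3).replace(",", "")), m.group(4), m.group(5)


def is_vundo_ini(size, attrs, path):
    """Hidden+system .ini/.ini2 with a random lowercase name directly in system32.
    The 5-8 letter rule and the >100 KB floor are assumptions taken from the
    rotating files listed in this thread (776 KB to 1.06 MB, ilnmp.ini 528 KB)."""
    folder, _, name = path.rpartition("\\")
    return (folder.lower() == r"c:\windows\system32"
            and re.fullmatch(r"[a-z]{5,8}\.ini2?", name) is not None
            and "h" in attrs and "s" in attrs and size > 100_000)


def vundo_ini_files(log):
    return [p for s, a, p in parse_file_entries(log) if is_vundo_ini(s, a, p)]


def temp_drivers(log):
    """(service name, image path) for drivers whose image lives under a Temp folder."""
    hits = []
    for line in log.splitlines():
        m = DRIVER_LINE.match(line.strip())
        if m and "\\temp\\" in m.group(2).lower():
            hits.append((m.group(1), m.group(2)))
    return hits


def rundll_loaders(hjt_log):
    """DLL paths from O4 entries matching the random-DLL rundll32 loader pattern."""
    hits = []
    for line in hjt_log.splitlines():
        m = O4_RUNDLL.match(line.strip())
        if m:
            hits.append(m.group(1))
    return hits


def build_cfscript(combofix_log):
    """Render File:: and Driver:: sections in the layout ourwilly posted:
    flagged files first (driver images included), then the driver service names."""
    files = vundo_ini_files(combofix_log)
    drivers = temp_drivers(combofix_log)
    lines = ["File::", *files, *[path for _, path in drivers]]
    if drivers:
        lines += ["", "Driver::", *[name for name, _ in drivers]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_COMBOFIX))
    for dll in rundll_loaders(SAMPLE_HJT):
        print("O4 loader entry (candidate for 'Fix Checked'):", dll)
```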

#7 harper (Topic Starter)

Posted 16 December 2007 - 07:46 PM

Here's the Jotti result:

Scan taken on 17 Dec 2007 00:17:06 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

New Combofix scan:

ComboFix 07-12-16.3 - michael 2007-12-16 19:24:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.517 [GMT -5:00]
Running from: C:\Documents and Settings\michael\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\michael\Desktop\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
.

2007-12-15 20:50 . 2007-12-15 20:50 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-12-15 20:40 . 2007-12-15 20:40 970,314 ---hs---- C:\WINDOWS\system32\lgayppwy.ini
2007-12-15 20:30 . 2007-12-15 20:30 <DIR> d-------- C:\VundoFix Backups
2007-12-15 19:36 . 2007-12-15 20:11 970,530 ---hs---- C:\WINDOWS\system32\ymfkwgmo.ini
2007-12-15 18:36 . 2007-12-15 18:36 970,434 ---hs---- C:\WINDOWS\system32\amnbiqds.ini
2007-12-15 18:33 . 2007-12-15 18:34 970,374 ---hs---- C:\WINDOWS\system32\mbjhwwvw.ini
2007-12-15 17:33 . 2007-12-15 17:34 970,314 ---hs---- C:\WINDOWS\system32\dsrefncr.ini
2007-12-15 16:31 . 2007-12-15 16:31 970,974 ---hs---- C:\WINDOWS\system32\fahhcipj.ini
2007-12-15 14:34 . 2007-12-15 14:34 970,854 ---hs---- C:\WINDOWS\system32\jecdisgx.ini
2007-12-15 13:28 . 2007-12-15 13:28 970,794 ---hs---- C:\WINDOWS\system32\bbvaaowq.ini
2007-12-15 13:25 . 2007-12-15 13:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-15 12:28 . 2007-12-15 13:06 970,752 ---hs---- C:\WINDOWS\system32\kjbdwuuj.ini
2007-12-15 11:28 . 2007-12-15 11:28 966,047 ---hs---- C:\WINDOWS\system32\bkicpjrw.ini
2007-12-15 10:25 . 2007-12-15 10:25 958,087 ---hs---- C:\WINDOWS\system32\ondivhvn.ini
2007-12-15 09:28 . 2007-12-15 09:28 956,876 ---hs---- C:\WINDOWS\system32\owwyojpp.ini
2007-12-15 09:22 . 2007-12-15 09:22 956,816 ---hs---- C:\WINDOWS\system32\ajcvlhqq.ini
2007-12-15 08:22 . 2007-12-15 08:23 956,756 ---hs---- C:\WINDOWS\system32\ktmxwjol.ini
2007-12-13 21:04 . 2007-12-14 18:11 952,323 ---hs---- C:\WINDOWS\system32\bnioqjaj.ini
2007-12-12 22:05 . 2007-12-12 22:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-12-12 18:12 . 2007-12-12 18:12 916,893 ---hs---- C:\WINDOWS\system32\yknaljlj.ini
2007-12-11 17:53 . 2007-12-11 17:53 912,962 ---hs---- C:\WINDOWS\system32\dkqvqspo.ini
2007-12-10 17:10 . 2007-12-10 21:37 858,936 ---hs---- C:\WINDOWS\system32\acjldpqx.ini
2007-12-09 15:30 . 2007-12-09 15:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2007-12-06 20:48 . 2007-12-06 20:48 831,417 ---hs---- C:\WINDOWS\system32\eyvxidwd.ini
2007-12-04 18:16 . 2007-12-04 18:16 805,321 ---hs---- C:\WINDOWS\system32\gbiboael.ini
2007-12-03 17:40 . 2007-12-03 18:05 794,418 ---hs---- C:\WINDOWS\system32\gdfilkam.ini
2007-12-02 08:13 . 2007-12-03 17:40 794,340 ---hs---- C:\WINDOWS\system32\iyijuwrw.ini
2007-12-01 07:27 . 2007-12-02 08:13 793,844 ---hs---- C:\WINDOWS\system32\lysattxy.ini
2007-11-30 18:21 . 2007-11-30 19:00 793,664 ---hs---- C:\WINDOWS\system32\rrlwsrlm.ini
2007-11-26 21:30 . 2007-10-10 18:55 6,065,664 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-26 21:30 . 2007-04-17 04:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-26 21:30 . 2007-03-08 00:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-26 21:30 . 2007-10-10 18:55 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-26 21:30 . 2007-10-10 18:55 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-26 21:30 . 2007-10-10 18:55 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-26 21:30 . 2007-10-10 18:55 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-26 21:30 . 2007-10-10 18:55 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-26 21:30 . 2007-10-10 05:59 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-26 21:24 . 2007-08-13 18:54 33,792 --a------ C:\WINDOWS\system32\dllcache\custsat.dll
2007-11-26 18:27 . 2007-11-29 06:53 1,060,609 ---hs---- C:\WINDOWS\system32\spwoufds.ini
2007-11-25 08:46 . 2007-11-26 18:26 1,011,044 ---hs---- C:\WINDOWS\system32\anfpqmjf.ini
2007-11-25 00:42 . 2007-11-25 00:42 <DIR> d-------- C:\Documents and Settings\dean\Application Data\PC Tools
2007-11-25 00:24 . 2007-11-25 00:24 <DIR> d-------- C:\Documents and Settings\visitor\Application Data\PC Tools
2007-11-25 00:06 . 2007-11-25 00:06 <DIR> d-------- C:\Documents and Settings\lyle\Application Data\PC Tools
2007-11-24 08:35 . 2007-11-25 08:46 1,006,385 ---hs---- C:\WINDOWS\system32\lcpkiofc.ini
2007-11-23 07:46 . 2007-11-24 08:34 776,012 ---hs---- C:\WINDOWS\system32\kigojvpc.ini
2007-11-23 07:45 . 2007-11-23 07:45 <DIR> d-------- C:\Documents and Settings\kathy\Application Data\PC Tools
2007-11-23 07:45 . 2007-12-16 19:34 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-22 14:02 . 2007-11-22 10:55 611 --a------ C:\WINDOWS\win.tmp
2007-11-22 14:02 . 2007-12-16 14:55 227 --a------ C:\WINDOWS\system.tmp
2007-11-22 13:46 . 2007-12-15 21:03 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-11-22 13:46 . 2007-11-22 13:46 <DIR> d-------- C:\Documents and Settings\michael\Application Data\PC Tools
2007-11-22 13:46 . 2007-11-22 13:47 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2007-11-22 13:46 . 2006-07-10 16:38 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2007-11-22 10:49 . 2007-11-22 10:49 <DIR> d-------- C:\Documents and Settings\michael\Application Data\Uniblue
2007-11-22 00:57 . 2007-11-25 01:02 <DIR> d-------- C:\Program Files\XoftSpySE
2007-11-21 23:51 . 2007-11-22 01:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-20 19:17 . 2007-12-01 08:52 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-19 21:30 . 2007-11-19 21:30 <DIR> d-------- C:\Documents and Settings\kathy\Application Data\McAfee
2007-11-18 10:10 . 2007-12-15 20:49 528,848 --ahs---- C:\WINDOWS\system32\ilnmp.ini2
2007-11-18 10:10 . 2007-12-15 20:50 528,848 --ahs---- C:\WINDOWS\system32\ilnmp.ini
2007-11-18 10:05 . 2007-12-16 14:52 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-16 23:34 2,276 ----a-w C:\Documents and Settings\michael\Application Data\wklnhst.dat
2007-12-16 19:54 --------- d-----w C:\Program Files\McAfee
2007-12-16 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-15 13:40 --------- d-----w C:\Program Files\DIGStream
2007-12-12 23:17 2,330 ----a-w C:\Documents and Settings\kathy\Application Data\wklnhst.dat
2007-11-20 02:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-16 11:54 --------- d-----w C:\Documents and Settings\michael\Application Data\SiteAdvisor
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-31 23:34 --------- d-----w C:\Documents and Settings\kathy\Application Data\SiteAdvisor
2007-10-09 21:41 560 ----a-w C:\Documents and Settings\visitor\Application Data\wklnhst.dat
2007-01-18 00:14 0 ----a-w C:\Documents and Settings\dean\Application Data\wklnhst.dat
2006-11-28 22:48 0 ----a-w C:\Documents and Settings\lyle\Application Data\wklnhst.dat
2007-07-22 00:47 56 --sh--r C:\WINDOWS\system32\7906B1B3BF.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 03:40]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2007-11-22 13:47]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 02:12]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 03:40]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 03:40]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2006-11-18 07:46]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-10 05:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2007-11-22 13:47]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-17 16:19:31]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-11 23:12 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot


.
Contents of the 'Scheduled Tasks' folder
"2007-09-03 12:43:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-05-15 05:00:01 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-07-01 05:00:04 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-16 19:35:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-16 19:36:38 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-16 14:57
.
2007-12-12 02:14:32 --- E O F ---

Thanks

#8 ourwilly

ourwilly

  • Members
  • 921 posts
  • Gender:Male

Posted 17 December 2007 - 12:55 PM

Hello harper

Please Open notepad

I would now like you to copy/paste the text in the quote box below into Notepad:

KillAll::
File::
C:\WINDOWS\system32\lgayppwy.ini
C:\WINDOWS\system32\ymfkwgmo.ini
C:\WINDOWS\system32\amnbiqds.ini
C:\WINDOWS\system32\dsrefncr.ini
C:\WINDOWS\system32\fahhcipj.ini
C:\WINDOWS\system32\jecdisgx.ini
C:\WINDOWS\system32\bbvaaowq.ini
C:\WINDOWS\system32\kjbdwuuj.ini
C:\WINDOWS\system32\bkicpjrw.ini
C:\WINDOWS\system32\ondivhvn.ini
C:\WINDOWS\system32\owwyojpp.ini
C:\WINDOWS\system32\ajcvlhqq.ini
C:\WINDOWS\system32\ktmxwjol.ini
C:\WINDOWS\system32\bnioqjaj.ini
C:\WINDOWS\system32\yknaljlj.ini
C:\WINDOWS\system32\dkqvqspo.ini
C:\WINDOWS\system32\acjldpqx.ini
C:\WINDOWS\system32\eyvxidwd.ini
C:\WINDOWS\system32\gbiboael.ini
C:\WINDOWS\system32\gdfilkam.ini
C:\WINDOWS\system32\iyijuwrw.ini
C:\WINDOWS\system32\lysattxy.ini
C:\WINDOWS\system32\rrlwsrlm.ini
C:\WINDOWS\system32\spwoufds.ini
C:\WINDOWS\system32\anfpqmjf.ini
C:\WINDOWS\system32\lcpkiofc.ini
C:\WINDOWS\system32\kigojvpc.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ilnmp.ini2
C:\WINDOWS\system32\ilnmp.ini


Name the file CFScript and Save it to your Desktop

Posted Image
Referring to the picture above, drag CFScript.txt into ComboFix.exe

Run ComboFix again and post the resultant log.

Thank you



Edited by ourwilly, 17 December 2007 - 01:22 PM.
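The files listed in the CFScript above share a pattern that is visible in the "Files Created" section of the ComboFix log posted earlier: hidden + system attribute files (---hs---- or --ahs----) with short random-looking names and an .ini or .ini2 extension sitting directly in C:\WINDOWS\system32. The following script is an added example, not part of this thread and not ComboFix's own code; it parses that log format and reproduces the selection as a review step, so a reader can see which entries would be picked and why before a CFScript is built. The heuristic (5 to 8 lowercase letters, .ini/.ini2, hidden and system set, parent folder system32) and every function name are my own assumptions; the sample lines are constructed in the log's format and modelled on a few entries posted above, not the full log.

```python
"""Review aid for a ComboFix "Files Created" listing.

Added example, not part of this thread or of ComboFix itself. It parses the
log format shown in the thread and flags files matching the pattern of the
entries the CFScript above targets. The heuristic is an assumption of this
example, not a rule ComboFix or the helper stated.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One ComboFix "Files Created" line:
#   <created> . <modified> <size or <DIR>> <9-char attribute field> <path>
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) (\S{9}) (.+)$"
)

# Heuristic (assumed for this example): 5-8 lowercase letters, .ini or .ini2.
RANDOM_INI_RE = re.compile(r"^[a-z]{5,8}\.ini2?$")
SYSTEM32 = r"c:\windows\system32"

# Constructed sample, modelled on log lines posted in the thread (not the full log).
SAMPLE_LOG = r"""
2007-11-24 08:35 . 2007-11-25 08:46 1,006,385 ---hs---- C:\WINDOWS\system32\lcpkiofc.ini
2007-11-23 07:46 . 2007-11-24 08:34 776,012 ---hs---- C:\WINDOWS\system32\kigojvpc.ini
2007-11-22 13:46 . 2007-11-22 13:47 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2007-11-20 19:17 . 2007-12-01 08:52 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-18 10:10 . 2007-12-15 20:49 528,848 --ahs---- C:\WINDOWS\system32\ilnmp.ini2
2007-11-18 10:10 . 2007-12-15 20:50 528,848 --ahs---- C:\WINDOWS\system32\ilnmp.ini
2007-11-22 13:46 . 2007-12-15 21:03 <DIR> d-------- C:\Program Files\Spyware Doctor
"""


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories
    attrs: str            # e.g. "---hs----": a = archive, h = hidden, s = system
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def name(self) -> str:
        return self.path.rpartition("\\")[2]

    @property
    def parent(self) -> str:
        return self.path.rpartition("\\")[0]


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    return Entry(created, modified,
                 None if size == "<DIR>" else int(size.replace(",", "")),
                 attrs, path)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def is_suspicious(e: Entry) -> bool:
    """Hidden+system file, directly in system32, random-looking .ini name."""
    if e.is_dir:
        return False
    attrs = e.attrs.lower()
    hidden_system = "h" in attrs and "s" in attrs
    in_system32 = e.parent.lower() == SYSTEM32
    return hidden_system and in_system32 and bool(RANDOM_INI_RE.match(e.name.lower()))


def suspicious_paths(text: str) -> List[str]:
    return [e.path for e in parse_log(text) if is_suspicious(e)]


def to_cfscript(paths: List[str]) -> str:
    """Render the candidates in the CFScript layout used in the post above."""
    return "KillAll::\nFile::\n" + "".join(p + "\n" for p in paths)


if __name__ == "__main__":
    hits = suspicious_paths(SAMPLE_LOG)
    for e in parse_log(SAMPLE_LOG):
        print(("FLAG " if is_suspicious(e) else "     ") + e.attrs + "  " + e.path)
    print()
    print(to_cfscript(hits))
```

On the constructed sample the four hidden/system .ini files are flagged and the legitimate Spyware Doctor driver (ikhlayer.sys, archive attribute only, under drivers\) is not; mcrh.tmp is also left alone because it is neither hidden nor system, which shows the limit of an attribute-based rule and why the helper's hand-built list is wider than what this heuristic yields.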


#9 harper

harper
  • Topic Starter

  • Members
  • 16 posts

Posted 17 December 2007 - 09:22 PM

Here's the latest ComboFix log:


ComboFix 07-12-16.3 - michael 2007-12-17 21:03:11.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.610 [GMT -5:00]
Running from: C:\Documents and Settings\michael\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\michael\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\acjldpqx.ini
C:\WINDOWS\system32\ajcvlhqq.ini
C:\WINDOWS\system32\amnbiqds.ini
C:\WINDOWS\system32\anfpqmjf.ini
C:\WINDOWS\system32\bbvaaowq.ini
C:\WINDOWS\system32\bkicpjrw.ini
C:\WINDOWS\system32\bnioqjaj.ini
C:\WINDOWS\system32\dkqvqspo.ini
C:\WINDOWS\system32\dsrefncr.ini
C:\WINDOWS\system32\eyvxidwd.ini
C:\WINDOWS\system32\fahhcipj.ini
C:\WINDOWS\system32\gbiboael.ini
C:\WINDOWS\system32\gdfilkam.ini
C:\WINDOWS\system32\ilnmp.ini
C:\WINDOWS\system32\ilnmp.ini2
C:\WINDOWS\system32\iyijuwrw.ini
C:\WINDOWS\system32\jecdisgx.ini
C:\WINDOWS\system32\kigojvpc.ini
C:\WINDOWS\system32\kjbdwuuj.ini
C:\WINDOWS\system32\ktmxwjol.ini
C:\WINDOWS\system32\lcpkiofc.ini
C:\WINDOWS\system32\lgayppwy.ini
C:\WINDOWS\system32\lysattxy.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ondivhvn.ini
C:\WINDOWS\system32\owwyojpp.ini
C:\WINDOWS\system32\rrlwsrlm.ini
C:\WINDOWS\system32\spwoufds.ini
C:\WINDOWS\system32\yknaljlj.ini
C:\WINDOWS\system32\ymfkwgmo.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\acjldpqx.ini
C:\WINDOWS\system32\ajcvlhqq.ini
C:\WINDOWS\system32\amnbiqds.ini
C:\WINDOWS\system32\anfpqmjf.ini
C:\WINDOWS\system32\bbvaaowq.ini
C:\WINDOWS\system32\bkicpjrw.ini
C:\WINDOWS\system32\bnioqjaj.ini
C:\WINDOWS\system32\dkqvqspo.ini
C:\WINDOWS\system32\dsrefncr.ini
C:\WINDOWS\system32\eyvxidwd.ini
C:\WINDOWS\system32\fahhcipj.ini
C:\WINDOWS\system32\gbiboael.ini
C:\WINDOWS\system32\gdfilkam.ini
C:\WINDOWS\system32\ilnmp.ini
C:\WINDOWS\system32\ilnmp.ini2
C:\WINDOWS\system32\iyijuwrw.ini
C:\WINDOWS\system32\jecdisgx.ini
C:\WINDOWS\system32\kigojvpc.ini
C:\WINDOWS\system32\kjbdwuuj.ini
C:\WINDOWS\system32\ktmxwjol.ini
C:\WINDOWS\system32\lcpkiofc.ini
C:\WINDOWS\system32\lgayppwy.ini
C:\WINDOWS\system32\lysattxy.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ondivhvn.ini
C:\WINDOWS\system32\owwyojpp.ini
C:\WINDOWS\system32\rrlwsrlm.ini
C:\WINDOWS\system32\spwoufds.ini
C:\WINDOWS\system32\yknaljlj.ini
C:\WINDOWS\system32\ymfkwgmo.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-18 to 2007-12-18 )))))))))))))))))))))))))))))))
.

2007-12-15 20:50 . 2007-12-15 20:50 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-12-15 20:30 . 2007-12-15 20:30 <DIR> d-------- C:\VundoFix Backups
2007-12-15 18:33 . 2007-12-15 18:34 970,374 ---hs---- C:\WINDOWS\system32\mbjhwwvw.ini
2007-12-15 13:25 . 2007-12-15 13:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-12 22:05 . 2007-12-12 22:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-12-09 15:30 . 2007-12-09 15:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2007-11-26 21:30 . 2007-10-10 18:55 6,065,664 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-26 21:30 . 2007-04-17 04:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-26 21:30 . 2007-03-08 00:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-26 21:30 . 2007-10-10 18:55 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-26 21:30 . 2007-10-10 18:55 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-26 21:30 . 2007-10-10 18:55 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-26 21:30 . 2007-10-10 18:55 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-26 21:30 . 2007-10-10 18:55 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-26 21:30 . 2007-10-10 05:59 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-26 21:24 . 2007-08-13 18:54 33,792 --a------ C:\WINDOWS\system32\dllcache\custsat.dll
2007-11-25 00:42 . 2007-11-25 00:42 <DIR> d-------- C:\Documents and Settings\dean\Application Data\PC Tools
2007-11-25 00:24 . 2007-11-25 00:24 <DIR> d-------- C:\Documents and Settings\visitor\Application Data\PC Tools
2007-11-25 00:06 . 2007-11-25 00:06 <DIR> d-------- C:\Documents and Settings\lyle\Application Data\PC Tools
2007-11-23 07:45 . 2007-11-23 07:45 <DIR> d-------- C:\Documents and Settings\kathy\Application Data\PC Tools
2007-11-23 07:45 . 2007-12-17 21:18 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-22 14:02 . 2007-11-22 10:55 611 --a------ C:\WINDOWS\win.tmp
2007-11-22 14:02 . 2007-12-16 19:34 227 --a------ C:\WINDOWS\system.tmp
2007-11-22 13:46 . 2007-12-15 21:03 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-11-22 13:46 . 2007-11-22 13:46 <DIR> d-------- C:\Documents and Settings\michael\Application Data\PC Tools
2007-11-22 13:46 . 2007-11-22 13:47 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2007-11-22 13:46 . 2006-07-10 16:38 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2007-11-22 10:49 . 2007-11-22 10:49 <DIR> d-------- C:\Documents and Settings\michael\Application Data\Uniblue
2007-11-22 00:57 . 2007-11-25 01:02 <DIR> d-------- C:\Program Files\XoftSpySE
2007-11-21 23:51 . 2007-11-22 01:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-19 21:30 . 2007-11-19 21:30 <DIR> d-------- C:\Documents and Settings\kathy\Application Data\McAfee
2007-11-18 10:05 . 2007-12-16 14:52 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-17 12:30 --------- d-----w C:\Program Files\McAfee
2007-12-17 11:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-16 23:34 2,276 ----a-w C:\Documents and Settings\michael\Application Data\wklnhst.dat
2007-12-15 13:40 --------- d-----w C:\Program Files\DIGStream
2007-12-12 23:17 2,330 ----a-w C:\Documents and Settings\kathy\Application Data\wklnhst.dat
2007-11-20 02:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-16 11:54 --------- d-----w C:\Documents and Settings\michael\Application Data\SiteAdvisor
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-31 23:34 --------- d-----w C:\Documents and Settings\kathy\Application Data\SiteAdvisor
2007-10-09 21:41 560 ----a-w C:\Documents and Settings\visitor\Application Data\wklnhst.dat
2007-01-18 00:14 0 ----a-w C:\Documents and Settings\dean\Application Data\wklnhst.dat
2006-11-28 22:48 0 ----a-w C:\Documents and Settings\lyle\Application Data\wklnhst.dat
2007-07-22 00:47 56 --sh--r C:\WINDOWS\system32\7906B1B3BF.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-16_14.56.31.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-16 17:00:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-18 00:29:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-16 17:00:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-18 00:29:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-12-16 17:00:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-18 00:29:22 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 03:40]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2007-11-22 13:47]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 02:12]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 03:40]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 03:40]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2006-11-18 07:46]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-10 05:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2007-11-22 13:47]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-17 16:19:31]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-11 23:12 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot


.
Contents of the 'Scheduled Tasks' folder
"2007-09-03 12:43:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-05-15 05:00:01 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-07-01 05:00:04 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 21:18:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-17 21:19:58 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-16 19:36
C:\ComboFix3.txt ... 2007-12-16 14:57
.
2007-12-12 02:14:32 --- E O F ---


Thanks

#10 ourwilly

ourwilly

  • Members
  • 921 posts
  • Gender:Male

Posted 18 December 2007 - 01:08 AM

Hello harper :thumbsup:

Copy and paste this 'Fix' into either Notepad or Wordpad for future reference, as you will be required to close down your browser when following these steps.

"Right-click" on this Bold Entry and select Delete

C:\WINDOWS\system32\mbjhwwvw.ini

------------------------

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All. Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------

Please now use Internet Explorer and run this online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:

Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases


Click OK
Now under select a target to scan: Select My Computer

This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.

Copy and paste that information in your next post along with a new HijackThis log.

Thank you

#11 harper

harper
  • Topic Starter

  • Members
  • 16 posts

Posted 18 December 2007 - 09:10 PM

Hello ourwilly,

Here is the Kaspersky report and a copy of the new HJT log


KASPERSKY ONLINE SCANNER REPORT
Tuesday, December 18, 2007 9:05:08 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/12/2007
Kaspersky Anti-Virus database records: 486870
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 61541
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:53:17

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{630522DE-60AF-462B-9B79-33812CEA2AFC}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{9E2AB071-E606-48F4-9173-A36A0DCA4BCA}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\michael\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\michael\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\michael\Local Settings\History\History.IE5\MSHist012007121820071219\index.dat Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Temp\Perflib_Perfdata_41c.dat Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Temp\sqlite_QNvBjDyVVSNjcBK Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Temp\~DF35C1.tmp Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Temp\~DF9D37.tmp Object is locked skipped
C:\Documents and Settings\michael\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\michael\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\michael\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP20\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{653337BE-3695-49F8-89C0-DF20477EFD55}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_2TzvJWmsbt8clcG Object is locked skipped
C:\WINDOWS\Temp\mcmsc_2n26YsAByWZcSIw Object is locked skipped
C:\WINDOWS\Temp\mcmsc_d6uadryLGzdBBtK Object is locked skipped
C:\WINDOWS\Temp\mcmsc_KoE0c1Ban2BtuOe Object is locked skipped
C:\WINDOWS\Temp\mcmsc_PeSba7KtRydd18I Object is locked skipped
C:\WINDOWS\Temp\sqlite_iVUdiN50U2pMq5v Object is locked skipped
C:\WINDOWS\Temp\sqlite_Q2JwsY4GVtQjHwO Object is locked skipped
C:\WINDOWS\Temp\sqlite_Yd1r6oH23qnJyuy Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:27 PM, on 12/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 9186 bytes

Many thanks for all the help so far

#12 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:17 PM

Posted 19 December 2007 - 10:56 AM

Hello harper :thumbsup:

Please Update your Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older, more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 3.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Click on the link named Java Runtime Environment (JRE) 6 Update 3
  • Click on the radio button to Accept License Agreement
  • Click on Windows Offline Installation, Multi-language and save the downloaded file to your hard disk
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 2 Runtime Environment, JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file, and follow the on-screen instructions.
  • Reboot your computer
Once you have done this, can you let me know how your system is running now?

Thank you.
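As an added example (not code from this thread, from BleepingComputer, or from Trend Micro's HijackThis), here is a small Python script that parses lines in the HijackThis log format shown above, recovers the JRE version from the Java install directory in each file path, and flags installs older than the JRE 6 Update 3 that the post names as current. The sample log embedded in it is constructed: the j2re1.4.2_03 entries mirror the O9 lines in harper's log, while the jre1.6.0_03 line and its all-zero CLSID are placeholders standing in for an up-to-date install.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in HijackThis v2.0.2 line format. The j2re1.4.2_03 lines mirror
# the O9 entries in the log above; the jre1.6.0_03 line and its all-zero CLSID are
# constructed placeholders standing in for an up-to-date install.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
"""

# JRE 6 Update 3, the version the post names as current, written in the 1.x.y_zz
# scheme Sun used for install directory names (e.g. jre1.6.0_03).
CURRENT_JAVA: Tuple[int, ...] = (1, 6, 0, 3)

# "O9 - body", "R0 - body", "O23 - body": section code, then the entry text.
LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# Java install directories look like \j2re1.4.2_03\ or \jre1.6.0_03\ inside a path.
JAVA_DIR_RE = re.compile(r"\\(?:j2re|jre)(\d+)\.(\d+)\.(\d+)_(\d+)\\", re.IGNORECASE)


def parse_hjt_line(line: str) -> Optional[Dict[str, str]]:
    """Split one HijackThis line into its section code, body and trailing file path.

    For O2/O3/O9/O23 entries the path is the last ' - ' separated field; O4 Run
    entries carry it after the bracketed value name (any command-line arguments
    stay attached). Other line types get an empty path.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group(1), m.group(2)
    path = ""
    if code in ("O2", "O3", "O9", "O23") and " - " in body:
        path = body.rsplit(" - ", 1)[1]
    elif code == "O4" and "] " in body:
        path = body.split("] ", 1)[1].strip('"')
    return {"code": code, "body": body, "path": path}


def java_version_from_path(path: str) -> Optional[Tuple[int, ...]]:
    """Recover the JRE version tuple from an install directory such as j2re1.4.2_03."""
    m = JAVA_DIR_RE.search(path)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def find_outdated_java(log_text: str,
                       current: Tuple[int, ...] = CURRENT_JAVA
                       ) -> List[Tuple[str, Tuple[int, ...]]]:
    """Return (path, version) for each distinct Java install older than `current`.

    Duplicate entries (an O9 button and its Tools menu item point at the same
    DLL) are reported once.
    """
    found: List[Tuple[str, Tuple[int, ...]]] = []
    seen = set()
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if not entry or not entry["path"]:
            continue
        version = java_version_from_path(entry["path"])
        if version is None or version >= current:
            continue
        key = entry["path"].lower()
        if key not in seen:
            seen.add(key)
            found.append((entry["path"], version))
    return found


if __name__ == "__main__":
    for path, version in find_outdated_java(SAMPLE_LOG):
        print("outdated Java %s at %s" % (".".join(map(str, version)), path))
```

Installing a newer JRE does not remove an older one; each version lives in its own directory, and the O9 entries above show the old version's browser plug-in still registered with Internet Explorer. That is why the steps above uninstall the old versions and delete the Java folder rather than only installing the update, and a check like this one confirms from a fresh log that no old install is still referenced.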

#13 harper

harper
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:17 PM

Posted 19 December 2007 - 07:35 PM

Hello ourwilly, :blink: :thumbsup:

Everything seems to be running OK. All the popups have stopped and no delays in surfing. Computer is running faster now also.

THANK YOU !!!!!

Should I delete the combofix and keep HJT (just in case)? Any other suggestions?

Again, thank you for all that you have done. This has been a very pleasant experience and I will recommend it to others. Didn't know where to turn and was about to use Geek Squad but didn't really have that extra $ during this holiday season.

Hope you have a wonderful holiday season and a happy new year!

#14 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:17 PM

Posted 20 December 2007 - 05:30 AM

Hello harper

Glad everything is running a little better for you now. :thumbsup:

Please go to Start > Run > type ComboFix /u (case insensitive)

When shown the disclaimer, select '2'

When ComboFix receives such an instruction, it will do the following:
  • Deletes the following files/folders:
    • ComboFix.exe
    • %system%\swxcacls.exe
    • %system%\swsc.exe
    • %system%\VFind.exe
    • %system%\moveex.exe
    • %system%\swreg.exe
    • %systemroot%\catchme.exe
    • \ComboFix
    • \Qoobox
    • \VundoFix Backups
    • \Deckard
    • \_OTMoveIt
    • %systemroot%\erdnt\subs
  • Resets the clock settings.
  • Hides file extensions.
  • Hides System/Hidden files.
  • Resets System Restore.
-----------------------

#15 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:17 PM

Posted 23 December 2007 - 04:33 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbsup:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
