
Hijackthis Log - Help With Removal Needed


This topic is locked
16 replies to this topic

#1 StandardsDT
  • Members
  • 21 posts

Posted 29 May 2008 - 11:10 AM

Hello all! I'm currently working on fixing up a fellow coworker's computer. I work in an IT department, and every now and then we will fix someone's computer. At the moment I've hit a brick wall removing Virtumonde. Every time Spybot finds it and tries to remove it, it throws up errors, says it's out of memory and crashes. I'm currently scanning the computer with Ad-Aware to see if that will do anything. Till then, here is my current HijackThis log for that computer. Oh, and no worries, I have not put the computer on our corporate network; in no way will I jeopardize anything.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:28 AM, on 05/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\1102382480\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1102382480\ee\AOLSoftware.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\AOL\1102382480\ee\aolsoftware.exe
c:\program files\common files\aol\1102382480\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oemji.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILE...2Ubf9XYmCMfN3I=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\ljJCsQif.dll
O2 - BHO: (no name) - {C88966A2-8462-D3B4-44E0-AB8F02532ECC} - C:\WINDOWS\system32\iembttl.dll (file missing)
O2 - BHO: {716d0f6c-d8cd-600a-1ae4-6cd4744a51de} - {ed15a447-4dc6-4ea1-a006-dc8dc6f0d617} - C:\WINDOWS\system32\xltywpnq.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102382480\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1102382480\ee\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1102382480\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\CJOV6PKF\installer_sbd_en[1].exe
O4 - HKLM\..\Run: [6051ae41] rundll32.exe "C:\WINDOWS\system32\alkqipin.dll",b
O4 - HKLM\..\Run: [BM63629ddd] Rundll32.exe "C:\WINDOWS\system32\ticryxsu.dll",s
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [SpybotDeletingA8484] command /c del "C:\WINDOWS\system32\byXoOhgd.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2099] cmd /c del "C:\WINDOWS\system32\byXoOhgd.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9103] command /c del "C:\WINDOWS\system32\cbXPhgDU.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9347] cmd /c del "C:\WINDOWS\system32\cbXPhgDU.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8486] command /c del "C:\WINDOWS\system32\efcBqnoM.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1701] cmd /c del "C:\WINDOWS\system32\efcBqnoM.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8196] command /c del "C:\WINDOWS\system32\efcDvTmj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2284] cmd /c del "C:\WINDOWS\system32\efcDvTmj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7981] command /c del "C:\WINDOWS\system32\geBqPFwU.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC248] cmd /c del "C:\WINDOWS\system32\geBqPFwU.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3195] command /c del "C:\WINDOWS\system32\hgGayyyx.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5438] cmd /c del "C:\WINDOWS\system32\hgGayyyx.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2516] command /c del "C:\WINDOWS\system32\jkkHWQJA.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6061] cmd /c del "C:\WINDOWS\system32\jkkHWQJA.dll_old"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Error Safe] "C:\Program Files\Error Safe Free\ers.exe" /min
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O4 - HKCU\..\Run: [QdrPack16] "C:\Program Files\QdrPack\QdrPack16.exe"
O4 - HKCU\..\Run: [Taca] "C:\PROGRA~1\COMMON~1\SSTEM~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: High Stakes Poker by pogo - http://game3.pogo.com/v/8.1.9.1/applet/dra...poker-en_US.cab
O16 - DPF: Hog Heaven Slots by pogo - http://game3.pogo.com/v/8.1.9.1/applet/fancy/fancy-en_US.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://aolcom.pogo.com/cdl/launcher/PogoWe...erInstaller.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: services.dll,avgrsstx.dll
O20 - Winlogon Notify: ljJCsQif - C:\WINDOWS\SYSTEM32\ljJCsQif.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1102382480\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9631 bytes





#2 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts

Posted 29 May 2008 - 11:26 AM

Hello,

Last time you were here you left the person helping you hanging. :thumbsup: Why should I help you now? http://www.bleepingcomputer.com/forums/t/106792/pop-ups-active-desktop-enabled-slow-pc/
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 StandardsDT
  • Topic Starter
  • Members
  • 21 posts

Posted 29 May 2008 - 11:34 AM

Hello,

Last time you were here you left the person helping you hanging. :thumbsup: Why should I help you now? http://www.bleepingcomputer.com/forums/t/106792/pop-ups-active-desktop-enabled-slow-pc/



The last time, I had solved the problem on my own after posting that. It was an accident, and I had completely forgotten about it. It wasn't intentional in any way, and now I realize I should have just let the person's computer I fixed fry with spyware/malware/adware after everything he put my best friend through in their relationship.

Having been a moderator and an admin of a web hosting company forum, this is not acceptable behavior from someone who was chosen to help others. In fact, anyone who treated a new member or even a contributing member this way would have been warned and then had their position revoked if they continued. People make mistakes; it's why we're human. So instead of belittling someone for a mistake, why not insist on helping them and ask why they left the person hanging? You'll find in most cases it wasn't intentional.

Edited by StandardsDT, 29 May 2008 - 11:37 AM.


#4 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts

Posted 29 May 2008 - 11:40 AM

Please feel free to contact an admin here then. :thumbsup: Our time is valuable, and our help is free. We cannot be wasting it on people who have a record of not replying. I had every right to ask what I did. :) Do you want my help or not?

Regards,
tea

#5 StandardsDT
  • Topic Starter
  • Members
  • 21 posts

Posted 29 May 2008 - 11:42 AM

Please feel free to contact an admin here then. :thumbsup: Our time is valuable, and our help is free. We cannot be wasting it on people who have a record of not replying. I had every right to ask what I did. :) Do you want my help or not?

Regards,
tea


I understand your time is valuable and the help you provide is free. The support I provided was free as well, for the hosting company I was with. I don't see how I have a record with just one post. Being a college student, it's easy to forget what sites you've posted to during the semester. Yes, I would like your help, and you could have been a bit nicer about this matter.

#6 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts

Posted 29 May 2008 - 11:54 AM

Hello,

I'd like to confirm that you're using McAfee's Firewall only and not the AV?

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\ljJCsQif.dll
O2 - BHO: (no name) - {C88966A2-8462-D3B4-44E0-AB8F02532ECC} - C:\WINDOWS\system32\iembttl.dll (file missing)
O2 - BHO: {716d0f6c-d8cd-600a-1ae4-6cd4744a51de} - {ed15a447-4dc6-4ea1-a006-dc8dc6f0d617} - C:\WINDOWS\system32\xltywpnq.dll
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\CJOV6PKF\installer_sbd_en[1].exe
O4 - HKLM\..\Run: [6051ae41] rundll32.exe "C:\WINDOWS\system32\alkqipin.dll",b
O4 - HKLM\..\Run: [BM63629ddd] Rundll32.exe "C:\WINDOWS\system32\ticryxsu.dll",s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [SpybotDeletingA8484] command /c del "C:\WINDOWS\system32\byXoOhgd.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2099] cmd /c del "C:\WINDOWS\system32\byXoOhgd.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9103] command /c del "C:\WINDOWS\system32\cbXPhgDU.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9347] cmd /c del "C:\WINDOWS\system32\cbXPhgDU.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8486] command /c del "C:\WINDOWS\system32\efcBqnoM.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1701] cmd /c del "C:\WINDOWS\system32\efcBqnoM.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8196] command /c del "C:\WINDOWS\system32\efcDvTmj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2284] cmd /c del "C:\WINDOWS\system32\efcDvTmj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7981] command /c del "C:\WINDOWS\system32\geBqPFwU.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC248] cmd /c del "C:\WINDOWS\system32\geBqPFwU.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3195] command /c del "C:\WINDOWS\system32\hgGayyyx.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5438] cmd /c del "C:\WINDOWS\system32\hgGayyyx.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2516] command /c del "C:\WINDOWS\system32\jkkHWQJA.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6061] cmd /c del "C:\WINDOWS\system32\jkkHWQJA.dll_old"
O4 - HKCU\..\Run: [Error Safe] "C:\Program Files\Error Safe Free\ers.exe" /min
O4 - HKCU\..\Run: [Taca] "C:\PROGRA~1\COMMON~1\SSTEM~1\javaw.exe" -vt yazb
O20 - Winlogon Notify: ljJCsQif - C:\WINDOWS\SYSTEM32\ljJCsQif.dll


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

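The entries teacup61 asked to have fixed share a few observable traits: BHOs registered with no display name (or named only by a second CLSID) or pointing at a file that is no longer present, Run keys that launch an executable out of the browser cache or load an eight-letter DLL from system32 through rundll32, stale RunOnce cleanup commands for renamed DLLs, and a Winlogon Notify handler that points at the same DLL as one of the unnamed BHOs. The script below is an added example written for this page, not code from the thread, from HijackThis or from ComboFix. It applies those heuristics to HijackThis-style log lines and reports which DLLs are hooked in more than one place. The sample lines are constructed from entries quoted above, and the eight-letter-name rule and the other cut-offs are this editor's assumptions: they are a first-pass triage aid for a helper reading a log, not a verdict on any single entry.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the log format used in this thread (not the poster's full log).
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\ljJCsQif.dll
O2 - BHO: (no name) - {C88966A2-8462-D3B4-44E0-AB8F02532ECC} - C:\WINDOWS\system32\iembttl.dll (file missing)
O2 - BHO: {716d0f6c-d8cd-600a-1ae4-6cd4744a51de} - {ed15a447-4dc6-4ea1-a006-dc8dc6f0d617} - C:\WINDOWS\system32\xltywpnq.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\CJOV6PKF\installer_sbd_en[1].exe
O4 - HKLM\..\Run: [6051ae41] rundll32.exe "C:\WINDOWS\system32\alkqipin.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA8484] command /c del "C:\WINDOWS\system32\byXoOhgd.dll_old"
O20 - Winlogon Notify: ljJCsQif - C:\WINDOWS\SYSTEM32\ljJCsQif.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Assumed heuristic: an eight-letter DLL name directly under system32, the pattern the
# checked O2/O4/O20 entries in this thread share. Legitimate DLLs can match too.
EIGHT_LETTER_DLL = re.compile(r"\\system32\\([A-Za-z]{8}\.dll)\b", re.IGNORECASE)


@dataclass
class Finding:
    kind: str        # HijackThis section, e.g. "O2"
    reasons: list    # human-readable reasons this entry was flagged
    line: str        # the original log line


def parse_entry(line):
    """Split one log line into (section, body); returns None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def assess(kind, body):
    """Apply the per-section heuristics and return the list of reasons (empty if clean)."""
    reasons = []
    if kind == "O2":
        # Body looks like "BHO: <name> - {CLSID} - <path>"; pull out the display name.
        name = body[len("BHO: "):].split(" - ", 1)[0] if body.startswith("BHO: ") else ""
        if name == "(no name)":
            reasons.append("BHO registered without a display name")
        elif CLSID_RE.fullmatch(name):
            reasons.append("BHO display name is just another CLSID")
        if body.endswith("(file missing)"):
            reasons.append("BHO points at a file that no longer exists")
    elif kind == "O4":
        if "Temporary Internet Files" in body:
            reasons.append("autorun launches an executable from the browser cache")
        if re.search(r"rundll32\.exe", body, re.IGNORECASE) and EIGHT_LETTER_DLL.search(body):
            reasons.append("rundll32 loads an eight-letter DLL from system32")
        if ".dll_old" in body:
            reasons.append("leftover RunOnce cleanup of a renamed DLL")
    elif kind == "O20" and EIGHT_LETTER_DLL.search(body):
        reasons.append("Winlogon Notify handler is an eight-letter DLL in system32")
    return reasons


def triage_log(text):
    """Return a Finding for every entry that trips at least one heuristic, in log order."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        kind, body = parsed
        reasons = assess(kind, body)
        if reasons:
            findings.append(Finding(kind, reasons, raw.strip()))
    return findings


def shared_dlls(text):
    """DLL basenames (lower-cased) that appear under more than one section type,
    e.g. registered both as a BHO (O2) and as a Winlogon Notify handler (O20)."""
    seen = {}
    for raw in text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        kind, body = parsed
        for dll in re.findall(r"([A-Za-z0-9_]+\.dll)\b", body):
            seen.setdefault(dll.lower(), set()).add(kind)
    return {dll for dll, kinds in seen.items() if len(kinds) > 1}


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.kind}: {'; '.join(f.reasons)}\n    {f.line}")
    print("DLLs hooked in more than one section:", shared_dlls(SAMPLE_LOG))
```

Run against the sample, the script flags the seven entries a helper would single out and leaves the Spybot, AVG tray and AVG service lines alone; the cross-section check surfaces ljJCsQif.dll as both a BHO and a Winlogon Notify handler, which is why the O2 and O20 lines for it are removed together rather than one at a time.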
#7 StandardsDT
  • Topic Starter
  • Members
  • 21 posts

Posted 29 May 2008 - 11:58 AM

Will do; please give me about 20 minutes or so, as I do not have a KVM switch and must reconnect the keyboard, mouse, and monitor.

As for the firewall, I'm assuming this is what is being used, as this is not my personal computer. I will check and get back to you on this.

Edited by StandardsDT, 29 May 2008 - 11:59 AM.


#8 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts

Posted 29 May 2008 - 12:01 PM

Not a problem. :thumbsup:

#9 StandardsDT
  • Topic Starter
  • Members
  • 21 posts

Posted 29 May 2008 - 12:57 PM

OK, here is the info you are looking for. I checked for McAfee in Program Files and in Add or Remove Programs. It appears that it is not installed. I also double-checked under the Security Manager, and it says that Windows Firewall is being used.

Here are the log files.

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:42 PM, on 05/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1102382480\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1102382480\ee\AOLSoftware.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Common Files\AOL\1102382480\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\1102382480\ee\SSCEvtHdlr.exe
C:\Program Files\Common Files\AOL\1102382480\ee\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102382480\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1102382480\ee\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1102382480\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O4 - HKCU\..\Run: [QdrPack16] "C:\Program Files\QdrPack\QdrPack16.exe"
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: High Stakes Poker by pogo - http://game3.pogo.com/v/8.1.9.1/applet/dra...poker-en_US.cab
O16 - DPF: Hog Heaven Slots by pogo - http://game3.pogo.com/v/8.1.9.1/applet/fancy/fancy-en_US.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://aolcom.pogo.com/cdl/launcher/PogoWe...erInstaller.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: services.dll,avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1102382480\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7506 bytes


ComboFix Log

ComboFix 08-05-29.1 - USER 2008-05-29 13:12:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.16 [GMT -4:00]
Running from: C:\Documents and Settings\USER\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\Documents and Settings\USER\Application Data\APPATC~1
C:\Documents and Settings\USER\Application Data\CURITY~1
C:\Documents and Settings\USER\Application Data\DOBE~1
C:\Documents and Settings\USER\Application Data\DriveCleaner Freeware
C:\Documents and Settings\USER\Application Data\DriveCleaner Freeware\Logs\update.log
C:\Documents and Settings\USER\Application Data\ECURIT~1
C:\Documents and Settings\USER\Application Data\FNTS~1
C:\Documents and Settings\USER\Application Data\PPPATC~1
C:\Documents and Settings\USER\Application Data\SMBOLS~1
C:\Documents and Settings\USER\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\USER\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\USER\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\asembl~1
C:\Program Files\Common Files\curity~1
C:\Program Files\Common Files\ecurit~1
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\Common Files\mcroso~1
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\sstem~1
C:\Program Files\Common Files\sstem~1\javaw.exe
C:\Program Files\curity~1
C:\Program Files\dobe~1
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\mbols~1
C:\Program Files\mcroso~1
C:\Program Files\oemji
C:\Program Files\oemji\OemjiSearchPlus\Unreg.bat
C:\Program Files\oemji\Uninstall.exe
C:\Program Files\oemji\UNWISE.EXE
C:\Program Files\oemji\watermark.bmp
C:\Program Files\outerinfo
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dicy.gz
C:\Program Files\QdrModule\kwdy.gz
C:\Program Files\QdrModule\pckr.dat
C:\Program Files\QdrModule\QdrModule16.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dictys.gz
C:\Program Files\QdrPack\QdrPack16.exe
C:\Program Files\QdrPack\trgtys.gz
C:\Program Files\screensavers.com
C:\Program Files\screensavers.com\Installer\bin\iebyterange.xml
C:\Program Files\screensavers.com\Installer\bin\iebyterange.xml.backup
C:\Program Files\screensavers.com\Installer\bin\siuninst.exe
C:\Program Files\screensavers.com\Installer\temp\dm450.tmp
C:\Program Files\screensavers.com\Wallpaper\swpstart.exe
C:\Program Files\Spcron
C:\Program Files\Spcron\Spc.dll
C:\Program Files\stem~1
C:\Program Files\stem32~1
C:\Program Files\Svconr
C:\Program Files\Svconr\Svconr.exe
C:\Program Files\Temporary
C:\Program Files\winantivirus pro 2007
C:\Program Files\winantivirus pro 2007\Activate.dat
C:\Program Files\winantivirus pro 2007\ASupdater.dat
C:\Program Files\winantivirus pro 2007\bnlink.dat
C:\Program Files\winantivirus pro 2007\bpupdater.dat
C:\Program Files\winantivirus pro 2007\forum.dat
C:\Program Files\winantivirus pro 2007\kb.url
C:\Program Files\winantivirus pro 2007\Online.url
C:\Program Files\winantivirus pro 2007\PGupdater.dat
C:\Program Files\winantivirus pro 2007\pv.dat
C:\Program Files\winantivirus pro 2007\Support.url
C:\Program Files\winantivirus pro 2007\UBUpdater.dat
C:\Program Files\winantivirus pro 2007\up.dat
C:\Program Files\winantivirus pro 2007\updater.dat
C:\Program Files\ystem~1
C:\WINDOWS\BM63629ddd.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\fnts~1
C:\WINDOWS\ppatch~1
C:\WINDOWS\pskt.ini
C:\WINDOWS\racle~1
C:\WINDOWS\system32\000060.exe
C:\WINDOWS\system32\aifvjhpo.dll
C:\WINDOWS\system32\AJQWHkkj.ini
C:\WINDOWS\system32\AJQWHkkj.ini2
C:\WINDOWS\system32\alkqipin.dll
C:\WINDOWS\system32\asembl~1
C:\WINDOWS\system32\biybqwac.exe
C:\WINDOWS\system32\cfrulxnv.dll
C:\WINDOWS\system32\cndywhro.dll
C:\WINDOWS\system32\crosof~1.net
C:\WINDOWS\system32\cwccnmhm.ini
C:\WINDOWS\system32\dghOoXyb.ini
C:\WINDOWS\system32\dghOoXyb.ini2
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\ducuygbe.dll
C:\WINDOWS\system32\dyggkwmb.dll
C:\WINDOWS\system32\ecurit~1
C:\WINDOWS\system32\eOopqtwa.ini
C:\WINDOWS\system32\eOopqtwa.ini2
C:\WINDOWS\system32\fakpppki.exe
C:\WINDOWS\system32\fcxqgicm.dll
C:\WINDOWS\system32\fhfwwimf.dll
C:\WINDOWS\system32\fnpuxlry.dll
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\fvaesavg.dll
C:\WINDOWS\system32\gruyjwgx.dll
C:\WINDOWS\system32\gumgfgkb.exe
C:\WINDOWS\system32\gxhfppgf.ini
C:\WINDOWS\system32\hfsxisau.dll
C:\WINDOWS\system32\hkctsdgh.ini
C:\WINDOWS\system32\hpceabrm.dll
C:\WINDOWS\system32\hPYIQtwa.ini
C:\WINDOWS\system32\hPYIQtwa.ini2
C:\WINDOWS\system32\hsissvjy.dll
C:\WINDOWS\system32\hvgdserh.dll
C:\WINDOWS\system32\iffudhly.dll
C:\WINDOWS\system32\iltdsyfv.dll
C:\WINDOWS\system32\ivhgxyrj.dll
C:\WINDOWS\system32\jfixwsce.ini
C:\WINDOWS\system32\jmTvDcfe.ini
C:\WINDOWS\system32\jmTvDcfe.ini2
C:\WINDOWS\system32\jpssmgvu.exe
C:\WINDOWS\system32\jrdadjbv.dll
C:\WINDOWS\system32\kcrqppop.dll
C:\WINDOWS\system32\kddargdj.dll
C:\WINDOWS\system32\ldchjmja.ini
C:\WINDOWS\system32\ljJCsQif.dll
C:\WINDOWS\system32\lpssyvjr.ini
C:\WINDOWS\system32\ltjyojmo.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfxvqneb.dll
C:\WINDOWS\system32\mlructcn.ini
C:\WINDOWS\system32\MpVuDfhk.ini
C:\WINDOWS\system32\MpVuDfhk.ini2
C:\WINDOWS\system32\neiblshw.dll
C:\WINDOWS\system32\nipiqkla.ini
C:\WINDOWS\system32\poppqrck.ini
C:\WINDOWS\system32\preejjtx.exe
C:\WINDOWS\system32\ptlrarjl.exe
C:\WINDOWS\system32\qtpmmydh.dll
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\rnrwwdar.exe
C:\WINDOWS\system32\rrqywglb.ini
C:\WINDOWS\system32\rrrrqixx.ini
C:\WINDOWS\system32\rssrdgvd.exe
C:\WINDOWS\system32\sks~1
C:\WINDOWS\system32\sstem3~1
C:\WINDOWS\system32\ticryxsu.dll
C:\WINDOWS\system32\tsdkaiyc.dll
C:\WINDOWS\system32\ttvFNqru.ini
C:\WINDOWS\system32\ttvFNqru.ini2
C:\WINDOWS\system32\uasixsfh.ini
C:\WINDOWS\system32\ucereujc.exe
C:\WINDOWS\system32\UDghPXbc.ini
C:\WINDOWS\system32\UDghPXbc.ini2
C:\WINDOWS\system32\unbfkdkv.exe
C:\WINDOWS\system32\UwFPqBeg.ini
C:\WINDOWS\system32\UwFPqBeg.ini2
C:\WINDOWS\system32\vvqvcofk.dll
C:\WINDOWS\system32\WDgiPqss.ini
C:\WINDOWS\system32\WDgiPqss.ini2
C:\WINDOWS\system32\wigiujub.ini
C:\WINDOWS\system32\wjoqptsf.dll
C:\WINDOWS\system32\wnsapicc.exe
C:\WINDOWS\system32\wytqdkln.exe
C:\WINDOWS\system32\xgfmlkiu.exe
C:\WINDOWS\system32\xgpngiid.dll
C:\WINDOWS\system32\xltywpnq.dll
C:\WINDOWS\system32\xpdhlkqk.dll
C:\WINDOWS\system32\xyyyaGgh.ini
C:\WINDOWS\system32\xyyyaGgh.ini2
C:\WINDOWS\system32\yaGjQqss.ini
C:\WINDOWS\system32\yaGjQqss.ini2
C:\WINDOWS\system32\ycyaklxe.dll
C:\WINDOWS\system32\ymante~1
C:\WINDOWS\system32\ymibpymn.dll
C:\WINDOWS\system32\yntycpyc.dll
C:\WINDOWS\wnsxs~1
C:\WINDOWS\ystem~1
C:\WINDOWS\ystem3~1

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-29 11:45 . 2008-05-29 11:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-29 11:45 . 2008-05-29 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-29 11:44 . 2008-05-29 11:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-29 11:41 . 2008-05-29 11:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-27 14:54 . 2008-05-27 14:54 <DIR> d-------- C:\Program Files\CCleaner
2008-05-27 14:25 . 2008-05-29 03:53 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-27 14:21 . 2008-05-27 14:21 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-27 14:21 . 2008-05-27 14:21 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-27 14:20 . 2008-05-27 14:20 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-27 14:20 . 2008-05-27 14:20 <DIR> d-------- C:\Program Files\AVG
2008-05-27 14:20 . 2008-05-27 14:20 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-27 14:19 . 2008-05-27 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-27 12:51 . 2008-05-28 11:48 979 --a------ C:\WINDOWS\wininit.ini
2008-05-27 12:02 . 2008-05-27 12:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-27 12:02 . 2008-05-27 12:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-27 11:11 . 2008-05-27 11:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\.clamwin
2008-05-27 11:10 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-05-27 11:10 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-05-27 11:10 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-05-24 17:10 . 2008-05-24 17:10 315,120 --a------ C:\WINDOWS\system32\khfDuVpM.dll_old
2008-05-24 16:58 . 2001-03-08 19:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-05-24 16:58 . 2004-10-07 14:39 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-05-24 06:28 . 2008-05-27 14:22 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-23 16:32 . 2008-05-23 16:32 166,156 --a------ C:\WINDOWS\system32\awtuutqp.dll
2008-05-22 15:16 . 2008-05-22 15:16 314,480 --a------ C:\WINDOWS\system32\ssqQjGay.dll_old
2008-05-21 18:03 . 2008-05-28 09:24 <DIR> d-------- C:\Program Files\USS
2008-05-20 15:19 . 2008-05-20 15:19 314,464 --a------ C:\WINDOWS\system32\ssqPigDW.dll_old
2008-05-19 08:16 . 2008-05-27 15:17 <DIR> d--hs---- C:\WINDOWS\QkFSVENaQUs
2008-05-19 08:09 . 2008-05-19 08:09 314,432 --a------ C:\WINDOWS\system32\urqNFvtt.dll_old
2008-05-19 06:54 . 2008-05-19 06:54 <DIR> d-------- C:\Documents and Settings\USER\Application Data\WinAnonymous
2008-05-18 10:46 . 2008-05-18 10:46 <DIR> d-------- C:\Program Files\Common Files\WinAnonymous
2008-05-18 10:46 . 2008-05-18 10:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinAnonymous
2008-05-18 10:46 . 2008-05-18 10:46 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-05-17 11:19 . 2008-05-17 11:19 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-05-17 11:05 . 2008-05-21 16:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-17 11:05 . 2008-05-17 11:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-04-29 11:20 . 2008-04-29 11:20 15,648 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 11:19 . 2008-04-29 11:19 15,648 --a------ C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 11:19 . 2008-04-29 11:19 12,960 --a------ C:\WINDOWS\system32\drivers\Awrtpd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 20:27 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-24 20:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-20 11:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-04-12 10:14 --------- d-----w C:\Program Files\Java
2008-04-08 20:14 --------- d-----w C:\Program Files\Common Files\Java
2008-04-06 02:17 --------- d-----w C:\Program Files\QuickTime
2008-04-03 22:19 3,099,259 ----a-w C:\WINDOWS\java\Packages\DZX3RPNN.ZIP
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2006-02-03 13:57 917,376 ----a-w C:\Program Files\Feb2006_MDX1_x86.cab
2006-02-03 13:57 41,892 ----a-w C:\Program Files\dxdllreg_x86.cab
2006-02-03 13:57 3,918,624 ----a-w C:\Program Files\Feb2006_MDX1_x86_Archive.cab
2006-02-03 13:57 179,247 ----a-w C:\Program Files\Feb2006_xact_x64.cab
2006-02-03 13:57 133,297 ----a-w C:\Program Files\Feb2006_xact_x86.cab
2006-02-03 13:57 1,363,684 ----a-w C:\Program Files\Feb2006_d3dx9_29_x64.cab
2006-02-03 13:57 1,085,608 ----a-w C:\Program Files\Feb2006_d3dx9_29_x86.cab
2005-07-29 20:24 472 --sha-r C:\WINDOWS\QkFSVENaQUs\k4ImpHhukoP.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"QdrModule16"="C:\Program Files\QdrModule\QdrModule16.exe" [ ]
"QdrPack16"="C:\Program Files\QdrPack\QdrPack16.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-04-07 03:19 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-04-07 03:07 114688]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-08-20 18:21 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-20 18:21 98304]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 16:54 99480]
"HostManager"="C:\Program Files\Common Files\AOL\1102382480\ee\AOLSoftware.exe" [2006-09-25 20:52 50736]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-10-23 10:37 962560]
"sscRun"="C:\Program Files\Common Files\AOL\1102382480\ee\SSCRun.exe" [2006-11-20 16:42 153168]
"OASClnt"="C:\Program Files\mcafee.com\antivirus\oasclnt.exe" [2005-08-18 16:57 116272]
"EmailScan"="C:\Program Files\mcafee.com\antivirus\mcvsescn.exe" [2005-10-19 12:13 460336]
"MPFExe"="C:\Program Files\mcafee.com\personal firewall\MPfTray.exe" [2006-03-07 16:05 992808]
"AOLSPScheduler"="C:\Program Files\Common Files\AOL\1102382480\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe" [2006-11-20 16:42 8784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-27 14:20 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=services.dll,avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\America Online 9.0a\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1102382480\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Common Files\\AOL\\1102382480\\EE\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-27 14:20]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-27 14:20]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-27 14:20]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-27 14:21]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 13:39:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1102382480\EE\services\safetyCore\ver210_5_2_1\aolavupd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\McShield.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\oasclnt.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Common Files\AOL\1102382480\EE\SSCEvtHdlr.exe
.
**************************************************************************
.
Completion time: 2008-05-29 13:47:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-29 17:47:11

Pre-Run: 32,960,667,648 bytes free
Post-Run: 33,722,818,560 bytes free

341 --- E O F --- 2008-05-15 23:14:10



#10 teacup61

teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 29 May 2008 - 01:28 PM

Hello,

Then let's get rid of the clutter McAfee left behind:


Download and run the McAfee Consumer Products Removal tool (MCPR.exe).
Running the McAfee Consumer Product Removal tool (MCPR.exe) removes all 2005, 2006, and 2007 versions of McAfee consumer products.
  • McAfee Security Center
  • McAfee VirusScan
  • McAfee Personal Firewall Plus
  • McAfee Privacy Service
  • McAfee SpamKiller
  • McAfee Wireless Network Security
  • McAfee SiteAdvisor
  • McAfee Data Backup
  • McAfee Network Manager
  • McAfee Easy Network
  • McAfee AntiSpyware
Download the removal tool from http://download.mcafee.com/products/licens...atches/MCPR.exe
  • Click Save and save the file to any folder on the computer.
  • Navigate to the folder where the file is saved.
  • Double-click MCPR.exe.
  • Click Run. A Command Line window will be displayed, and then close automatically. Wait for a second Command Line window to be displayed.
    Note: Do not double-click MCPR.exe again, you may have to wait up to 1 minute for the next window to appear.
    After the second window appears, the program will begin the cleanup.
  • Observe the installation, which could take several minutes. The following message will be displayed in the Command Line window:
    The machine must reboot to complete the un-installation. Reboot now? [y.n]
  • Press Y on the keyboard.
  • Wait for the computer to restart.
All McAfee products are now removed from your computer.
These McAfee removal instructions can be found at http://ts.mcafeehelp.com/faq3.asp?docid=408302

Otherwise looking better. :thumbsup: How is it running?

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O4 - HKCU\..\Run: [QdrPack16] "C:\Program Files\QdrPack\QdrPack16.exe"


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.


* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Folder::
C:\Documents and Settings\USER\Application Data\WinAnonymous
C:\Program Files\Common Files\WinAnonymous
C:\Documents and Settings\All Users\Application Data\WinAnonymous
C:\Documents and Settings\All Users\Application Data\SalesMon
C:\WINDOWS\QkFSVENaQUs

File::
C:\WINDOWS\system32\urqNFvtt.dll_old
C:\WINDOWS\system32\ssqPigDW.dll_old
C:\WINDOWS\system32\khfDuVpM.dll_old


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
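
The CFScript above was assembled by hand from the ComboFix "Files Created" report: the three renamed `.dll_old` files in system32, the hidden+system folder under C:\WINDOWS and the newly created WinAnonymous/SalesMon folders. The following is an added example, not code from the thread, from ComboFix or from its author, showing how that triage can be scripted: it parses report lines of that format and emits the Folder::/File:: sections. The selection heuristics are the editor's assumptions, and the sample report lines are constructed from the log posted above.

```python
import re
from dataclasses import dataclass

# One line of a ComboFix "Files Created" report, e.g.
#   2008-05-24 17:10 . 2008-05-24 17:10 315,120 --a------ C:\WINDOWS\system32\khfDuVpM.dll_old
#   2008-05-19 08:16 . 2008-05-27 15:17 <DIR> d--hs---- C:\WINDOWS\QkFSVENaQUs
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)

# Leaf folder names the helper in this thread identified as unwanted.
KNOWN_BAD_FOLDER_NAMES = {"winanonymous", "salesmon"}


@dataclass
class Entry:
    created: str
    modified: str
    is_dir: bool
    size: int      # 0 for directories
    attrs: str     # ComboFix attribute column, e.g. "d--hs----"
    path: str


def parse_line(line: str):
    """Parse one report line; return an Entry, or None for headers/separators."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    is_dir = m["size"] == "<DIR>"
    size = 0 if is_dir else int(m["size"].replace(",", ""))
    return Entry(m["created"], m["modified"], is_dir, size, m["attrs"], m["path"])


def is_suspect_folder(e: Entry) -> bool:
    """Editor's heuristics (assumptions, not ComboFix logic): a directory with
    both hidden and system attributes directly under the Windows directory,
    or a directory whose leaf name the helper identified as unwanted."""
    if not e.is_dir:
        return False
    parent, _, leaf = e.path.rpartition("\\")
    hidden_system = "h" in e.attrs and "s" in e.attrs
    return (hidden_system and parent.lower() == r"c:\windows") \
        or leaf.lower() in KNOWN_BAD_FOLDER_NAMES


def is_suspect_file(e: Entry) -> bool:
    """A *.dll_old in system32: a DLL an earlier cleanup renamed out of the
    way rather than deleted, left for a follow-up removal (assumption)."""
    p = e.path.lower()
    return (not e.is_dir) and p.endswith(".dll_old") and "\\system32\\" in p


def triage(report: str):
    """Return (folders, files) selected for removal, in report order."""
    folders, files = [], []
    for raw in report.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        if is_suspect_folder(e):
            folders.append(e.path)
        elif is_suspect_file(e):
            files.append(e.path)
    return folders, files


def build_cfscript(folders, files) -> str:
    """Render Folder:: and File:: sections in the form used in the thread."""
    parts = []
    if folders:
        parts.append("Folder::\n" + "\n".join(folders))
    if files:
        parts.append("File::\n" + "\n".join(files))
    return "\n\n".join(parts) + "\n"


# Constructed sample: lines copied from the report above, plus a benign
# entry (Lavasoft) and a hidden file (QTFont.qfn) to show they are left alone.
SAMPLE_REPORT = """\
2008-05-29 11:45 . 2008-05-29 11:45 <DIR> d-------- C:\\Program Files\\Lavasoft
2008-05-24 17:10 . 2008-05-24 17:10 315,120 --a------ C:\\WINDOWS\\system32\\khfDuVpM.dll_old
2008-05-20 15:19 . 2008-05-20 15:19 314,464 --a------ C:\\WINDOWS\\system32\\ssqPigDW.dll_old
2008-05-19 08:16 . 2008-05-27 15:17 <DIR> d--hs---- C:\\WINDOWS\\QkFSVENaQUs
2008-05-19 08:09 . 2008-05-19 08:09 314,432 --a------ C:\\WINDOWS\\system32\\urqNFvtt.dll_old
2008-05-19 06:54 . 2008-05-19 06:54 <DIR> d-------- C:\\Documents and Settings\\USER\\Application Data\\WinAnonymous
2008-05-18 10:46 . 2008-05-18 10:46 <DIR> dr------- C:\\Documents and Settings\\All Users\\Application Data\\SalesMon
2008-05-17 11:05 . 2008-05-21 16:08 54,156 --ah----- C:\\WINDOWS\\QTFont.qfn
"""

if __name__ == "__main__":
    print(build_cfscript(*triage(SAMPLE_REPORT)))
```

The output is a starting point for review, not something to feed to ComboFix unread: a heuristic match still needs the same judgement the helper applied before a path goes into a removal script.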

#11 StandardsDT

StandardsDT
  • Topic Starter
  • Members
  • 21 posts

Posted 29 May 2008 - 01:47 PM

Did all of the following except for McAfee. I did some more searching and it appears that they have AOL Anti-virus and Security Center installed. I looked into it further and found out that AOL uses McAfee for its Anti-virus and just rebrands it. I however got rid of the AOL Anti-virus as it let some nasty stuff through and allowed AVG 8 to take over.

The computer is running 10x faster now and no longer are there prompts to open IE when it's plugged into a network or anything. I will report back with the log file shortly.

Edited by StandardsDT, 29 May 2008 - 01:48 PM.


#12 StandardsDT

StandardsDT
  • Topic Starter
  • Members
  • 21 posts

Posted 29 May 2008 - 01:55 PM

Here is the log file from HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54:25 PM, on 05/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1102382480\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1102382480\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\AOL\1102382480\ee\aolsoftware.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\program files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102382480\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1102382480\ee\SSCRun.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1102382480\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: High Stakes Poker by pogo - http://game3.pogo.com/v/8.1.9.1/applet/dra...poker-en_US.cab
O16 - DPF: Hog Heaven Slots by pogo - http://game3.pogo.com/v/8.1.9.1/applet/fancy/fancy-en_US.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://aolcom.pogo.com/cdl/launcher/PogoWe...erInstaller.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: services.dll,avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6543 bytes


Here is the log file from ComboFix

ComboFix 08-05-29.1 - USER 2008-05-29 14:42:38.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.78 [GMT -4:00]
Running from: C:\Program Files\Trend Micro\ComboFix.exe
Command switches used :: C:\Documents and Settings\USER\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\khfDuVpM.dll_old
C:\WINDOWS\system32\ssqPigDW.dll_old
C:\WINDOWS\system32\urqNFvtt.dll_old
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\USER\err.log
C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\bestwiner.stt
C:\WINDOWS\system32\khfDuVpM.dll_old
C:\WINDOWS\system32\ssqPigDW.dll_old
C:\WINDOWS\system32\urqNFvtt.dll_old

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-29 14:38 . 2008-05-29 14:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-05-29 11:45 . 2008-05-29 11:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-29 11:45 . 2008-05-29 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-29 11:44 . 2008-05-29 11:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-29 11:41 . 2008-05-29 14:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-27 14:54 . 2008-05-27 14:54 <DIR> d-------- C:\Program Files\CCleaner
2008-05-27 14:25 . 2008-05-29 03:53 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-27 14:21 . 2008-05-27 14:21 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-27 14:21 . 2008-05-27 14:21 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-27 14:20 . 2008-05-29 14:34 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-27 14:20 . 2008-05-27 14:20 <DIR> d-------- C:\Program Files\AVG
2008-05-27 14:20 . 2008-05-27 14:20 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-27 14:19 . 2008-05-27 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-27 12:51 . 2008-05-28 11:48 979 --a------ C:\WINDOWS\wininit.ini
2008-05-27 12:02 . 2008-05-27 12:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-27 12:02 . 2008-05-27 12:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-27 11:11 . 2008-05-27 11:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\.clamwin
2008-05-27 11:10 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-05-27 11:10 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-05-27 11:10 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-05-24 16:58 . 2001-03-08 19:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-05-24 16:58 . 2004-10-07 14:39 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-05-24 06:28 . 2008-05-27 14:22 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-23 16:32 . 2008-05-23 16:32 166,156 --a------ C:\WINDOWS\system32\awtuutqp.dll
2008-05-22 15:16 . 2008-05-22 15:16 314,480 --a------ C:\WINDOWS\system32\ssqQjGay.dll_old
2008-05-21 18:03 . 2008-05-28 09:24 <DIR> d-------- C:\Program Files\USS
2008-05-19 08:16 . 2008-05-27 15:17 <DIR> d--hs---- C:\WINDOWS\QkFSVENaQUs
2008-05-19 06:54 . 2008-05-19 06:54 <DIR> d-------- C:\Documents and Settings\USER\Application Data\WinAnonymous
2008-05-18 10:46 . 2008-05-18 10:46 <DIR> d-------- C:\Program Files\Common Files\WinAnonymous
2008-05-18 10:46 . 2008-05-18 10:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinAnonymous
2008-05-18 10:46 . 2008-05-18 10:46 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-05-17 11:19 . 2008-05-17 11:19 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-05-17 11:05 . 2008-05-21 16:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-17 11:05 . 2008-05-17 11:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-04-29 11:20 . 2008-04-29 11:20 15,648 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 11:19 . 2008-04-29 11:19 15,648 --a------ C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 11:19 . 2008-04-29 11:19 12,960 --a------ C:\WINDOWS\system32\drivers\Awrtpd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 18:27 --------- d-----w C:\Program Files\mcafee.com
2008-05-29 18:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-29 18:22 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-24 20:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-20 11:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-04-12 10:14 --------- d-----w C:\Program Files\Java
2008-04-08 20:14 --------- d-----w C:\Program Files\Common Files\Java
2008-04-06 02:17 --------- d-----w C:\Program Files\QuickTime
2008-04-03 22:19 3,099,259 ----a-w C:\WINDOWS\java\Packages\DZX3RPNN.ZIP
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2006-02-03 13:57 917,376 ----a-w C:\Program Files\Feb2006_MDX1_x86.cab
2006-02-03 13:57 41,892 ----a-w C:\Program Files\dxdllreg_x86.cab
2006-02-03 13:57 3,918,624 ----a-w C:\Program Files\Feb2006_MDX1_x86_Archive.cab
2006-02-03 13:57 179,247 ----a-w C:\Program Files\Feb2006_xact_x64.cab
2006-02-03 13:57 133,297 ----a-w C:\Program Files\Feb2006_xact_x86.cab
2006-02-03 13:57 1,363,684 ----a-w C:\Program Files\Feb2006_d3dx9_29_x64.cab
2006-02-03 13:57 1,085,608 ----a-w C:\Program Files\Feb2006_d3dx9_29_x86.cab
2005-07-29 20:24 472 --sha-r C:\WINDOWS\QkFSVENaQUs\k4ImpHhukoP.vbs
.

((((((((((((((((((((((((((((( snapshot@2008-05-29_13.46.22.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-29 17:36:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-29 18:27:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-04-07 03:19 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-04-07 03:07 114688]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-08-20 18:21 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-20 18:21 98304]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 16:54 99480]
"HostManager"="C:\Program Files\Common Files\AOL\1102382480\ee\AOLSoftware.exe" [2006-09-25 20:52 50736]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-10-23 10:37 962560]
"sscRun"="C:\Program Files\Common Files\AOL\1102382480\ee\SSCRun.exe" [2006-11-20 16:42 153168]
"MPFExe"="C:\Program Files\mcafee.com\personal firewall\MPfTray.exe" [2006-03-07 16:05 992808]
"AOLSPScheduler"="C:\Program Files\Common Files\AOL\1102382480\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe" [2006-11-20 16:42 8784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-27 14:20 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=services.dll,avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\America Online 9.0a\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1102382480\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Common Files\\AOL\\1102382480\\EE\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-27 14:20]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-27 14:20]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-27 14:20]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-27 14:21]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 14:45:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-29 14:48:52
ComboFix-quarantined-files.txt 2008-05-29 18:48:49
ComboFix2.txt 2008-05-29 17:47:40

Pre-Run: 33,700,917,248 bytes free
Post-Run: 33,693,585,408 bytes free

148 --- E O F --- 2008-05-15 23:14:10



#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:06 AM

Posted 29 May 2008 - 04:46 PM

Hello,

These folders need to go. Please navigate to the following folders and delete them:

C:\Documents and Settings\USER\Application Data\WinAnonymous
C:\Program Files\Common Files\WinAnonymous
C:\Documents and Settings\All Users\Application Data\WinAnonymous
C:\Documents and Settings\All Users\Application Data\SalesMon

Reboot your computer.

The HijackThis log looks good, and as soon as those folders are gone I think things will be good to go. Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Let me know how you come out. :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
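As an added example, not from the thread or from anyone posting in it: a PowerShell script that checks whether the folders listed in the post above are still on disk and removes them only when run with a switch. The `-Remove` switch and `-ProfileRoot` parameter are this example's own; the folder paths are the ones from the post, with the `USER` placeholder expanded by checking every profile under `Documents and Settings`, and it is written to stay compatible with PowerShell 2.0, the newest version that runs on Windows XP.

```powershell
# Added example (not from the thread): report, and optionally remove, the leftover folders
# named in the post. Run without -Remove first to see what is still present.
param(
    [switch]$Remove,                                  # assumed switch: delete instead of report
    [string]$ProfileRoot = 'C:\Documents and Settings' # assumed parameter: XP profile root
)

# Shared folders taken verbatim from the post.
$sharedPaths = @(
    'C:\Program Files\Common Files\WinAnonymous',
    'C:\Documents and Settings\All Users\Application Data\WinAnonymous',
    'C:\Documents and Settings\All Users\Application Data\SalesMon'
)

# "USER" in the post is a placeholder, so expand the per-user path for every real profile.
$systemProfiles = @('All Users', 'Default User', 'LocalService', 'NetworkService')
$perUserPaths = Get-ChildItem -Path $ProfileRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and ($systemProfiles -notcontains $_.Name) } |
    ForEach-Object { Join-Path $_.FullName 'Application Data\WinAnonymous' }

$candidates = $sharedPaths + @($perUserPaths)
$found = @()

foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path) {
        $found += $path
        Write-Output "LEFTOVER: $path"
        if ($Remove) {
            # -Force also clears hidden and read-only attributes that droppers commonly set.
            Remove-Item -LiteralPath $path -Recurse -Force
            Write-Output "  removed"
        }
    }
}

if ($found.Count -eq 0) {
    Write-Output 'None of the listed folders are present.'
}

# The post also asks for ComboFix's quarantine folder to be deleted; report it if still there.
if (Test-Path -LiteralPath 'C:\Qoobox') {
    Write-Output 'C:\Qoobox is still present (ComboFix quarantine); delete it along with ComboFix.'
}
```

Running it once without `-Remove` gives a list that can be pasted back into the thread, which is what a helper wants to see before the machine leaves the bench; the `-Remove` run then does the deletion that the post describes doing by hand.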

#14 StandardsDT

StandardsDT
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:02:06 AM

Posted 29 May 2008 - 10:44 PM

Hello,

These folders need to go. Please navigate to the following folders and delete them:

C:\Documents and Settings\USER\Application Data\WinAnonymous
C:\Program Files\Common Files\WinAnonymous
C:\Documents and Settings\All Users\Application Data\WinAnonymous
C:\Documents and Settings\All Users\Application Data\SalesMon

Reboot your computer.

The HijackThis log looks good, and as soon as those folders are gone I think things will be good to go. Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Let me know how you come out. :thumbsup:

Thanks,
tea


My apologies for taking so long to get back to you. I was at work at the time with the machine and unfortunately no longer have access to it, as my coworker took it home after I left. I had assured him that it would be ready by the time I left work. I did, however, run CCleaner before finishing up, so hopefully this removed those folders you mentioned, except for maybe the Qoobox folder. I also had it fix any broken registry entries, or delete any that were left behind. Thank you for your help, and my apologies for starting off on the wrong foot :).

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:06 AM

Posted 30 May 2008 - 12:21 AM

Thanks for letting me know. I hope those things don't become active and cause a lot of trouble. Will you see him again? Those folders really need to go. I'm hoping they're just orphans. Hoping, but not betting.

Take care,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
