Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help Removing Virtumonde


  • This topic is locked This topic is locked
8 replies to this topic

#1 ross2234

ross2234

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:09:36 PM

Posted 18 June 2008 - 01:31 PM

Hello,

I have somehow picked up Virtumonde which Spybot S&D identifies and then states the problem is fixed, only to re-appear in the next scan. I have tried virtumondobegone, superantisypware, etc. to no avail.

I beleive I have correctly run the DSS, Kapersky would not finish.

Bear with me as I am new to this. The DSS log is as follows

Deckard's System Scanner v20071014.68
Run by Rocco Leone on 2008-06-18 14:09:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-06-18 18:09:31 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2008-06-17 18:37:23 UTC - RP2 - Installed Java™ 6 Update 6
1: 2008-06-17 17:57:16 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 80% (more than 75%).
Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Rocco Leone.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:48 PM, on 6/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Documents and Settings\Rocco Leone\Local Settings\Temporary Internet Files\Content.IE5\Q747DCBX\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Rocco Leone.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {05E67429-C716-46A0-B49D-593C9BFF6312} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: (no name) - {13F20E4F-F379-41EA-8F80-CCAAE787362A} - (no file)
O2 - BHO: (no name) - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - (no file)
O2 - BHO: (no name) - {466B9012-A6D1-4BCA-A955-A7C745C5400F} - C:\WINDOWS\system32\wvUljIbb.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {636A1244-FB82-4286-BD81-5E605DC06117} - C:\WINDOWS\system32\wvUkHAPG.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: (no name) - {977734E7-A701-48DF-A0DA-FC46AC4D915F} - C:\WINDOWS\system32\opnklmKD.dll (file missing)
O2 - BHO: (no name) - {C86F1ABF-3087-45AF-9316-4384E4A42B76} - (no file)
O2 - BHO: (no name) - {C924F72C-A1BA-45A5-AEEE-0FCD58852C28} - C:\WINDOWS\system32\hgGywutU.dll (file missing)
O2 - BHO: (no name) - {CBEF68C7-3707-4A9B-9ADB-BD9302A930D2} - C:\WINDOWS\system32\vtUolIbA.dll (file missing)
O2 - BHO: {8ba57571-c48f-6d78-d2f4-a7366a37eaae} - {eaae73a6-637a-4f2d-87d6-f84c17575ab8} - C:\WINDOWS\system32\hnkjaqdl.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLPSP] "c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [9c192074] rundll32.exe "C:\WINDOWS\system32\umtyufst.dll",b
O4 - HKLM\..\Run: [BM9f2a13e8] Rundll32.exe "C:\WINDOWS\system32\jcsldhyp.dll",s
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA6590] command /c del "C:\WINDOWS\SYSTEM32\opnklmKD.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7665] cmd /c del "C:\WINDOWS\SYSTEM32\opnklmKD.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7506] command /c del "C:\WINDOWS\SYSTEM32\wvUkHAPG.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4116] cmd /c del "C:\WINDOWS\SYSTEM32\wvUkHAPG.dll_old"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DA28AB38-40B3-4743-8A51-B35568A906A1} (CSD.PRINT.PDF Class) - https://web.ampslink.com/alweb/activex/csdprintpdf.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cbc-companies.webex.com/client/v_my...ort/ieatgpc.cab
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 9750 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 DLPWD (Dell Printer Status Watcher) - c:\program files\dell printers\additional color laser software\status monitor\dlpwdnt.exe
R2 DLSDB (Dell Printer Status Database) - c:\program files\dell printers\additional color laser software\status monitor\dlsdbnt.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-15 01:24:12 352 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-01-14 12:48:32 344 --a------ C:\WINDOWS\Tasks\McQcTask.job
2005-02-18 14:27:37 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


-- Files created between 2008-05-18 and 2008-06-18 -----------------------------

2008-06-17 14:29:27 0 d-------- C:\Program Files\Trend Micro
2008-06-17 11:55:14 0 d--hs---- C:\WINDOWS\CSC
2008-06-16 16:10:12 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-16 16:09:36 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-16 16:09:34 0 d-------- C:\Documents and Settings\Rocco Leone\Application Data\SUPERAntiSpyware.com
2008-06-16 15:52:44 89600 --a------ C:\WINDOWS\system32\hrxkdecb.dll
2008-06-16 15:50:47 683462 --ahs---- C:\WINDOWS\system32\bbIjlUvw.ini2
2008-06-16 15:22:53 0 d-------- C:\VundoFix Backups
2008-06-16 15:17:01 80896 --a------ C:\WINDOWS\system32\umtyufst.dll
2008-06-16 15:14:09 99328 --a------ C:\WINDOWS\system32\kbuxnmav.dll
2008-06-16 15:14:02 89600 --a------ C:\WINDOWS\system32\jcsldhyp.dll
2008-06-16 14:29:00 684924 --ahs---- C:\WINDOWS\system32\DKmlknpo.ini2
2008-06-16 08:46:07 99328 --a------ C:\WINDOWS\system32\kcmbvelx.dll
2008-06-16 08:39:59 89600 --a------ C:\WINDOWS\system32\scgyrjtb.dll
2008-06-16 08:39:13 687014 --ahs---- C:\WINDOWS\system32\GPAHkUvw.ini2
2008-06-12 17:41:26 1791 --ahs---- C:\WINDOWS\system32\AbIloUtv.ini2
2008-06-12 16:30:12 80896 --a------ C:\WINDOWS\system32\mtksqftp.dll
2008-06-12 16:29:05 1163 --ahs---- C:\WINDOWS\system32\UtuwyGgh.ini2
2008-06-04 14:53:05 0 d-------- C:\MUNIMA


-- Find3M Report ---------------------------------------------------------------

2008-06-17 15:22:33 0 d-------- C:\Documents and Settings\Rocco Leone\Application Data\SiteAdvisor
2008-06-17 14:42:47 0 d-------- C:\Program Files\Java
2008-06-16 16:08:12 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-16 11:33:37 0 d-------- C:\Program Files\McAfee
2008-06-12 16:31:23 0 d-------- C:\Program Files\IrfanView
2008-05-28 18:49:54 0 d-------- C:\Program Files\SiteAdvisor
2008-05-12 08:38:56 2546 --a------ C:\WINDOWS\unins000.dat
2008-05-12 08:34:54 691545 --a------ C:\WINDOWS\unins000.exe
2008-05-05 09:32:33 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05E67429-C716-46A0-B49D-593C9BFF6312}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13F20E4F-F379-41EA-8F80-CCAAE787362A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{466B9012-A6D1-4BCA-A955-A7C745C5400F}]
C:\WINDOWS\system32\wvUljIbb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{636A1244-FB82-4286-BD81-5E605DC06117}]
C:\WINDOWS\system32\wvUkHAPG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{977734E7-A701-48DF-A0DA-FC46AC4D915F}]
C:\WINDOWS\system32\opnklmKD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C86F1ABF-3087-45AF-9316-4384E4A42B76}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C924F72C-A1BA-45A5-AEEE-0FCD58852C28}]
C:\WINDOWS\system32\hgGywutU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBEF68C7-3707-4A9B-9ADB-BD9302A930D2}]
C:\WINDOWS\system32\vtUolIbA.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{eaae73a6-637a-4f2d-87d6-f84c17575ab8}]
C:\WINDOWS\system32\hnkjaqdl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OSCD_Creator"="c:\Dell\PreODM.EXE" [10/31/2004 07:21 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 10:12 PM]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [09/14/2004 10:50 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/25/2005 09:51 PM]
"DLPSP"="c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [07/13/2004 02:00 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 02:49 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 02:46 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 02:50 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 11:33 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" []
"9c192074"="C:\WINDOWS\system32\umtyufst.dll" [06/16/2008 03:17 PM]
"BM9f2a13e8"="C:\WINDOWS\system32\jcsldhyp.dll" [06/16/2008 03:14 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"OSCD_Creator"=C:\Dell\PreODM.EXE /2
"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
"SpybotDeletingA6590"=command /c del "C:\WINDOWS\SYSTEM32\opnklmKD.dll_old"
"SpybotDeletingC7665"=cmd /c del "C:\WINDOWS\SYSTEM32\opnklmKD.dll_old"
"SpybotDeletingA7506"=command /c del "C:\WINDOWS\SYSTEM32\wvUkHAPG.dll_old"
"SpybotDeletingC4116"=cmd /c del "C:\WINDOWS\SYSTEM32\wvUkHAPG.dll_old"

C:\Documents and Settings\Rocco Leone\Start Menu\Programs\Startup\
DESKTOP.INI [8/11/2004 7:15:06 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/24/2005 2:05:26 AM]
DESKTOP.INI [8/11/2004 7:15:06 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 3:01:04 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\wvUljIbb

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER




-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

8745 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-18 14:11:36 ------------

Thank You in advance for your help.

BC AdBot (Login to Remove)

 


m

#2 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:02:36 AM

Posted 18 June 2008 - 03:49 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post that in your next reply with a fresh HijackThis log.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#3 ross2234

ross2234
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:09:36 PM

Posted 18 June 2008 - 04:56 PM

Hi Charles,

Thank you for your help. Following are the logs.

ComboFix 08-06-16.5 - Rocco Leone 2008-06-18 17:41:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.226 [GMT -4:00]
Running from: C:\Documents and Settings\Rocco Leone\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM9f2a13e8.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\AbIloUtv.ini
C:\WINDOWS\SYSTEM32\AbIloUtv.ini2
C:\WINDOWS\system32\axvicuss.ini
C:\WINDOWS\SYSTEM32\bbIjlUvw.ini
C:\WINDOWS\SYSTEM32\bbIjlUvw.ini2
C:\WINDOWS\system32\DKmlknpo.ini
C:\WINDOWS\SYSTEM32\DKmlknpo.ini2
C:\WINDOWS\SYSTEM32\GPAHkUvw.ini
C:\WINDOWS\SYSTEM32\GPAHkUvw.ini2
C:\WINDOWS\system32\hrxkdecb.dll
C:\WINDOWS\system32\jcsldhyp.dll
C:\WINDOWS\system32\kbuxnmav.dll
C:\WINDOWS\system32\kcmbvelx.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mtksqftp.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ptfqsktm.ini
C:\WINDOWS\system32\scgyrjtb.dll
C:\WINDOWS\system32\tsfuytmu.ini
C:\WINDOWS\system32\umtyufst.dll
C:\WINDOWS\SYSTEM32\UtuwyGgh.ini
C:\WINDOWS\SYSTEM32\UtuwyGgh.ini2
C:\WINDOWS\wnsxs~1
C:\WINDOWS\wnsxs~1\W?nSxS\

.
((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
.

2008-06-18 14:09 . 2008-06-18 14:09 <DIR> d-------- C:\Deckard
2008-06-17 14:42 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-06-17 14:29 . 2008-06-17 14:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-16 16:10 . 2008-06-16 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-16 16:09 . 2008-06-16 16:09 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-16 16:09 . 2008-06-16 16:09 <DIR> d-------- C:\Documents and Settings\Rocco Leone\Application Data\SUPERAntiSpyware.com
2008-06-12 17:33 . 2008-06-16 15:10 385 --a------ C:\WINDOWS\wininit.ini
2008-06-12 08:34 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2008-06-12 08:34 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-04 14:53 . 2008-06-04 14:53 <DIR> d-------- C:\MUNIMA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-18 21:38 --------- d-----w C:\Documents and Settings\Rocco Leone\Application Data\SiteAdvisor
2008-06-18 18:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-06-17 18:42 --------- d-----w C:\Program Files\Java
2008-06-17 15:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-16 20:08 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-16 15:33 --------- d-----w C:\Program Files\McAfee
2008-06-12 20:31 --------- d-----w C:\Program Files\IrfanView
2008-05-28 22:49 --------- d-----w C:\Program Files\SiteAdvisor
2008-05-13 12:21 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-13 12:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-12 12:34 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-04-24 02:16 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\SET4D.tmp
2008-04-24 02:16 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2007-12-11 16:04 92,320 ----a-w C:\Documents and Settings\Rocco Leone\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05E67429-C716-46A0-B49D-593C9BFF6312}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13F20E4F-F379-41EA-8F80-CCAAE787362A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{466B9012-A6D1-4BCA-A955-A7C745C5400F}]
C:\WINDOWS\system32\wvUljIbb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{636A1244-FB82-4286-BD81-5E605DC06117}]
C:\WINDOWS\system32\wvUkHAPG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{977734E7-A701-48DF-A0DA-FC46AC4D915F}]
C:\WINDOWS\system32\opnklmKD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C86F1ABF-3087-45AF-9316-4384E4A42B76}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C924F72C-A1BA-45A5-AEEE-0FCD58852C28}]
C:\WINDOWS\system32\hgGywutU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBEF68C7-3707-4A9B-9ADB-BD9302A930D2}]
C:\WINDOWS\system32\vtUolIbA.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{eaae73a6-637a-4f2d-87d6-f84c17575ab8}]
C:\WINDOWS\system32\hnkjaqdl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OSCD_Creator"="c:\Dell\PreODM.EXE" [2004-10-31 07:21 408576]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12 221184]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 10:50 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-25 21:51 98304]
"DLPSP"="c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2004-07-13 02:00 126976]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50 114688]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OSCD_Creator"="C:\Dell\PreODM.exe" [2004-10-31 07:21 408576]
"SpybotDeletingA6590"="command /c del C:\WINDOWS\SYSTEM32\opnklmKD.dll_old" [ ]
"SpybotDeletingC7665"="cmd /c del C:\WINDOWS\SYSTEM32\opnklmKD.dll_old" [ ]
"SpybotDeletingA7506"="command /c del C:\WINDOWS\SYSTEM32\wvUkHAPG.dll_old" [ ]
"SpybotDeletingC4116"="cmd /c del C:\WINDOWS\SYSTEM32\wvUkHAPG.dll_old" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 02:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 03:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-01-25 21:51 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1900:UDP"= 1900:UDP:@xpsp2res.dll,-22007
"2869:TCP"= 2869:TCP:@xpsp2res.dll,-22008
"6667:UDP"= 6667:UDP:winspector
"7000:TCP"= 7000:TCP:winspector
"7000:UDP"= 7000:UDP:winspector
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"RemoteAddresses"= *
"Enabled"= 1 (0x1)

R2 DLSDB;Dell Printer Status Database;c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2004-03-12 02:00]

.
Contents of the 'Scheduled Tasks' folder
"2005-02-18 18:27:37 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\OOBEBALN.EXE
"2008-04-15 05:24:12 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-14 16:48:32 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 17:46:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
OSCD_Creator = C:\Dell\PreODM.EXE /2??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\SYSTEM32\snmp.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-06-18 17:51:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-18 21:51:03

Pre-Run: 21,705,555,968 bytes free
Post-Run: 21,835,943,936 bytes free

200 --- E O F --- 2008-06-17 07:01:38



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:52:36 PM, on 6/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: (no name) - {466B9012-A6D1-4BCA-A955-A7C745C5400F} - C:\WINDOWS\system32\wvUljIbb.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {636A1244-FB82-4286-BD81-5E605DC06117} - C:\WINDOWS\system32\wvUkHAPG.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {977734E7-A701-48DF-A0DA-FC46AC4D915F} - C:\WINDOWS\system32\opnklmKD.dll (file missing)
O2 - BHO: (no name) - {C924F72C-A1BA-45A5-AEEE-0FCD58852C28} - C:\WINDOWS\system32\hgGywutU.dll (file missing)
O2 - BHO: (no name) - {CBEF68C7-3707-4A9B-9ADB-BD9302A930D2} - C:\WINDOWS\system32\vtUolIbA.dll (file missing)
O2 - BHO: {8ba57571-c48f-6d78-d2f4-a7366a37eaae} - {eaae73a6-637a-4f2d-87d6-f84c17575ab8} - C:\WINDOWS\system32\hnkjaqdl.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLPSP] "c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKLM\..\RunOnce: [SpybotDeletingA6590] command /c del "C:\WINDOWS\SYSTEM32\opnklmKD.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7665] cmd /c del "C:\WINDOWS\SYSTEM32\opnklmKD.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7506] command /c del "C:\WINDOWS\SYSTEM32\wvUkHAPG.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4116] cmd /c del "C:\WINDOWS\SYSTEM32\wvUkHAPG.dll_old"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DA28AB38-40B3-4743-8A51-B35568A906A1} (CSD.PRINT.PDF Class) - https://web.ampslink.com/alweb/activex/csdprintpdf.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cbc-companies.webex.com/client/v_my...ort/ieatgpc.cab
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 8490 bytes

Again, Thank You

#4 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:02:36 AM

Posted 19 June 2008 - 04:31 PM

Before we begin, please visit the page below, scroll down to the part which says "How to install and use the Windows XP Recovery Console," and follow those instructions:

How to download and use ComboFix

Then please run another scan with Combofix and post back the new log, along with a HijackThis log
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#5 ross2234

ross2234
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:09:36 PM

Posted 24 June 2008 - 08:35 AM

Hi, Sorry for the delay, I was out of town for a few days. I had shut off my computer completely. I followed all instructions here are the logs.

ComboFix 08-06-16.5 - Rocco Leone 2008-06-24 9:27:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.209 [GMT -4:00]
Running from: C:\Documents and Settings\Rocco Leone\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-05-24 to 2008-06-24 )))))))))))))))))))))))))))))))
.

2008-06-18 14:09 . 2008-06-18 14:09 <DIR> d-------- C:\Deckard
2008-06-17 14:42 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-06-17 14:29 . 2008-06-17 14:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-16 16:10 . 2008-06-16 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-16 16:09 . 2008-06-16 16:09 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-16 16:09 . 2008-06-16 16:09 <DIR> d-------- C:\Documents and Settings\Rocco Leone\Application Data\SUPERAntiSpyware.com
2008-06-12 17:33 . 2008-06-16 15:10 385 --a------ C:\WINDOWS\wininit.ini
2008-06-12 08:34 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2008-06-12 08:34 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-04 14:53 . 2008-06-04 14:53 <DIR> d-------- C:\MUNIMA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-24 13:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-06-19 15:12 --------- d-----w C:\Documents and Settings\Rocco Leone\Application Data\SiteAdvisor
2008-06-17 18:42 --------- d-----w C:\Program Files\Java
2008-06-17 15:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-16 20:08 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-16 15:33 --------- d-----w C:\Program Files\McAfee
2008-06-12 20:31 --------- d-----w C:\Program Files\IrfanView
2008-05-28 22:49 --------- d-----w C:\Program Files\SiteAdvisor
2008-05-13 12:21 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-13 12:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-12 12:34 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-04-24 02:16 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\SET4D.tmp
2008-04-24 02:16 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2007-12-11 16:04 92,320 ----a-w C:\Documents and Settings\Rocco Leone\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-06-18_17.50.43.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-18 21:46:04 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-24 13:08:27 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
- 2008-06-18 21:44:10 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2008-06-24 13:13:50 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2008-06-18 21:44:10 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-24 13:13:50 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-06-18 21:44:10 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-24 13:13:50 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-24 13:08:52 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_72c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{466B9012-A6D1-4BCA-A955-A7C745C5400F}]
C:\WINDOWS\system32\wvUljIbb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{636A1244-FB82-4286-BD81-5E605DC06117}]
C:\WINDOWS\system32\wvUkHAPG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{977734E7-A701-48DF-A0DA-FC46AC4D915F}]
C:\WINDOWS\system32\opnklmKD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C924F72C-A1BA-45A5-AEEE-0FCD58852C28}]
C:\WINDOWS\system32\hgGywutU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBEF68C7-3707-4A9B-9ADB-BD9302A930D2}]
C:\WINDOWS\system32\vtUolIbA.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{eaae73a6-637a-4f2d-87d6-f84c17575ab8}]
C:\WINDOWS\system32\hnkjaqdl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OSCD_Creator"="c:\Dell\PreODM.EXE" [2004-10-31 07:21 408576]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12 221184]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 10:50 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-25 21:51 98304]
"DLPSP"="c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2004-07-13 02:00 126976]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50 114688]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA6590"="command /c del C:\WINDOWS\SYSTEM32\opnklmKD.dll_old" [ ]
"SpybotDeletingC7665"="cmd /c del C:\WINDOWS\SYSTEM32\opnklmKD.dll_old" [ ]
"SpybotDeletingA7506"="command /c del C:\WINDOWS\SYSTEM32\wvUkHAPG.dll_old" [ ]
"SpybotDeletingC4116"="cmd /c del C:\WINDOWS\SYSTEM32\wvUkHAPG.dll_old" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 02:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 03:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-01-25 21:51 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1900:UDP"= 1900:UDP:@xpsp2res.dll,-22007
"2869:TCP"= 2869:TCP:@xpsp2res.dll,-22008
"6667:UDP"= 6667:UDP:winspector
"7000:TCP"= 7000:TCP:winspector
"7000:UDP"= 7000:UDP:winspector
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"RemoteAddresses"= *
"Enabled"= 1 (0x1)

R2 DLSDB;Dell Printer Status Database;c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2004-03-12 02:00]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2005-02-18 18:27:37 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\OOBEBALN.EXE
"2008-04-15 05:24:12 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-14 16:48:32 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-24 09:29:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-24 9:31:28
ComboFix-quarantined-files.txt 2008-06-24 13:31:22
ComboFix2.txt 2008-06-18 21:51:10

Pre-Run: 21,645,557,760 bytes free
Post-Run: 21,781,680,128 bytes free

158 --- E O F --- 2008-06-17 07:01:38

And Hijackthis


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:53 AM, on 6/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: (no name) - {466B9012-A6D1-4BCA-A955-A7C745C5400F} - C:\WINDOWS\system32\wvUljIbb.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {636A1244-FB82-4286-BD81-5E605DC06117} - C:\WINDOWS\system32\wvUkHAPG.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {977734E7-A701-48DF-A0DA-FC46AC4D915F} - C:\WINDOWS\system32\opnklmKD.dll (file missing)
O2 - BHO: (no name) - {C924F72C-A1BA-45A5-AEEE-0FCD58852C28} - C:\WINDOWS\system32\hgGywutU.dll (file missing)
O2 - BHO: (no name) - {CBEF68C7-3707-4A9B-9ADB-BD9302A930D2} - C:\WINDOWS\system32\vtUolIbA.dll (file missing)
O2 - BHO: {8ba57571-c48f-6d78-d2f4-a7366a37eaae} - {eaae73a6-637a-4f2d-87d6-f84c17575ab8} - C:\WINDOWS\system32\hnkjaqdl.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLPSP] "c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA6590] command /c del "C:\WINDOWS\SYSTEM32\opnklmKD.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7665] cmd /c del "C:\WINDOWS\SYSTEM32\opnklmKD.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7506] command /c del "C:\WINDOWS\SYSTEM32\wvUkHAPG.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4116] cmd /c del "C:\WINDOWS\SYSTEM32\wvUkHAPG.dll_old"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DA28AB38-40B3-4743-8A51-B35568A906A1} (CSD.PRINT.PDF Class) - https://web.ampslink.com/alweb/activex/csdprintpdf.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cbc-companies.webex.com/client/v_my...ort/ieatgpc.cab
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 8526 bytes


Thank You again

#6 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:02:36 AM

Posted 24 June 2008 - 03:31 PM

Hello again ross2234,
You are running MyWebSearch (or MyBar). Although not technically malware, it is thought to be bad by many experts and it will bring malware with it. There are safer alternatives available such as the Google Toolbar. My Web Search also known as the My Way Speedbar is the Internet Explorer toolbar part of the Fun Web Products suite of utilities such as Smiley Central, Cursor Mania, My Mail Stationary, My Mail Signature, PopSwatter, Popular Screensavers, and the My Way website portal. The toolbar allows easy access to search engine results and a 404 Error Redirector called My Total Search among other things to your browser. This is not to be confused with the IBIS Web Search toolbar. MyWay is a search toolbar that installs into Internet Explorer and Netscape Navigator, adding search functions and popup blocking. It reports your surfing activity anonymously to MyWay affiliates, helping them to serve targeted advertising to you. As a BHO, MyWay shares the memory that your browser uses, detects events, creates additional windows while you are surfing, and monitors your activity. When a new browser window is opened, MyWay will send a configuration request about 5k in size.
Although none of these products claim to be spyware, they do slow your computer down. All of the products use cookies to track usage, although they claim not to use cookies or anything else to track personally identifiable information. That being said, I would still recommend uninstalling the toolbar and other Fun Web Products if you feel your computer runs better without them. They are found by most spyware removal tools such as Spybot Search and Destroy, Lavasoft Ad-Aware.
If you want to get rid of this program, removal instructions can be found here.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O2 - BHO: (no name) - {466B9012-A6D1-4BCA-A955-A7C745C5400F} - C:\WINDOWS\system32\wvUljIbb.dll (file missing)
O2 - BHO: (no name) - {636A1244-FB82-4286-BD81-5E605DC06117} - C:\WINDOWS\system32\wvUkHAPG.dll (file missing)
O2 - BHO: (no name) - {977734E7-A701-48DF-A0DA-FC46AC4D915F} - C:\WINDOWS\system32\opnklmKD.dll (file missing)
O2 - BHO: (no name) - {C924F72C-A1BA-45A5-AEEE-0FCD58852C28} - C:\WINDOWS\system32\hgGywutU.dll (file missing)
O2 - BHO: (no name) - {CBEF68C7-3707-4A9B-9ADB-BD9302A930D2} - C:\WINDOWS\system32\vtUolIbA.dll (file missing)
O2 - BHO: {8ba57571-c48f-6d78-d2f4-a7366a37eaae} - {eaae73a6-637a-4f2d-87d6-f84c17575ab8} - C:\WINDOWS\system32\hnkjaqdl.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)


Then close all other windows - you should only see HijackThis on your Desktop - and click the Fix checked button.

Reboot your computer.

Please run a scan with Kaspersky Online Scanner.
You will be promted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded click on Next.
Select a target to scan; click on My Computer.
The scan will take a while so be patient and let it run.
Once the scan is complete choose the option to Save as Text.

In your reply I'd like a new HJT log and the Kaspersky log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#7 ross2234

ross2234
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:09:36 PM

Posted 26 June 2008 - 11:07 AM

Charles,

Here are the logs you requested. Thank You


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, June 26, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, June 26, 2008 15:21:33
Records in database: 884850
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 67671
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:31:26


File name / Threat name / Threats count
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080626-100935-226.dll Infected: not-a-virus:AdWare.Win32.MyWay.v 1

The selected area was scanned.


And:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:26 PM, on 6/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\Rocco Leone\Local Settings\Temp\jkos-Rocco Leone\binaries\ScanningProcess.exe
C:\Documents and Settings\Rocco Leone\Local Settings\Temp\jkos-Rocco Leone\binaries\ScanningProcess.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLPSP] "c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKLM\..\RunOnce: [SpybotDeletingA6590] command /c del "C:\WINDOWS\SYSTEM32\opnklmKD.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7665] cmd /c del "C:\WINDOWS\SYSTEM32\opnklmKD.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7506] command /c del "C:\WINDOWS\SYSTEM32\wvUkHAPG.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4116] cmd /c del "C:\WINDOWS\SYSTEM32\wvUkHAPG.dll_old"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DA28AB38-40B3-4743-8A51-B35568A906A1} (CSD.PRINT.PDF Class) - https://web.ampslink.com/alweb/activex/csdprintpdf.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cbc-companies.webex.com/client/v_my...ort/ieatgpc.cab
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 7839 bytes

#8 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:02:36 AM

Posted 26 June 2008 - 03:09 PM

One more entry to fix with HijackThis:

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)


Then reboot and let me know how things are running now.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#9 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:02:36 AM

Posted 16 July 2008 - 04:26 PM

Due to lack of feedback, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users