
Ie Jumps/redirects To Random Pages From Google Search Results


  • This topic is locked
16 replies to this topic

#1 Nesan

  • Members
  • 9 posts
  • Local time: 09:02 PM

Posted 01 August 2008 - 07:26 PM

Hi,
When I click on links from Google search results, it takes me to random web pages. In the back button history, I noticed there is a Redirect page and a Jump page.

Have tried various things that have been mentioned here after doing a search for Jump and Redirect, but nothing (so far) has successfully fixed the problem. So I decided to follow your instructions and post a request for help.

So, thanks in advance for any help you can offer. Here are the outputs from dss.exe and Kaspersky.

Regards
Nesan


Here is main.txt output from dss.exe:

Deckard's System Scanner v20071014.68
Run by Nesan on 2008-08-01 20:14:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
6: 2008-08-02 00:14:46 UTC - RP367 - Deckard's System Scanner Restore Point
5: 2008-08-01 20:41:57 UTC - RP366 - Installed SUPERAntiSpyware Free Edition
4: 2008-07-31 23:30:44 UTC - RP365 - System Checkpoint
3: 2008-07-29 20:03:15 UTC - RP364 - System Checkpoint
2: 2008-07-28 19:14:47 UTC - RP363 - 080728


-- First Restore Point --
1: 2008-07-28 15:36:02 UTC - RP362 - Last good restore point


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Nesan.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:16:56 PM, on 8/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DLink\Bluetooth Software\BTTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\DLink\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\taskmgr.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\Nesan\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Nesan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [lphcp1kj0ep6e] C:\WINDOWS\system32\lphcp1kj0ep6e.exe
O4 - HKLM\..\Run: [SMrhct1kj0ep6e] C:\Program Files\rhct1kj0ep6e\rhct1kj0ep6e.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - HKCU\..\Run: [1&1 EasyLogin] C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MonDsc] C:\WINDOWS\system32\xsbsnuzo.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pidgin.lnk = C:\Program Files\Pidgin\pidgin.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm678YYUS
O8 - Extra context menu item: &Subscribe with ArchosLink - file://C:\Program Files\Archos\ArchosLink\\script.js
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applicatio...torLauncher.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O21 - SSODL: procsmartmsg - {726DBFD0-13F2-5AB9-CEC5-04E16C1AAF0A} - C:\Program Files\lnzcuwd\procsmartmsg.dll
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

--
End of file - 8882 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys
R2 BTSLBCSP (Bluetooth Port Client Driver) - c:\windows\system32\drivers\btslbcsp.sys <Not Verified; WIDCOMM, Inc.; Bluetooth Software 1.4.2 Build 10>
R2 DgiVecp (Team MFP Comm Driver) - c:\windows\system32\drivers\dgivecp.sys <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>

S3 grmnusb - c:\windows\system32\drivers\grmnusb.sys <Not Verified; GARMIN Corp.; Garmin USB GPS>
S3 Jukebox3 - c:\windows\system32\drivers\ctpdusb.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 DPFUSMgr (Windows XP FUS Manager) - c:\program files\digitalpersona\bin\dpfusmgr.exe <Not Verified; DigitalPersona, Inc.; DPFUSMgr Module>
R2 DpHost (Biometric Authentication Service) - c:\program files\digitalpersona\bin\dphost.exe <Not Verified; DigitalPersona, Inc.; DPHOST Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-08-01 01:00:01 332 --a------ C:\WINDOWS\Tasks\McQcTask.job
2008-07-23 15:44:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-07-23 15:38:44 340 --a------ C:\WINDOWS\Tasks\McDefragTask.job


-- Files created between 2008-07-01 and 2008-08-01 -----------------------------

2008-08-01 20:16:36 0 d-------- C:\Program Files\Trend Micro
2008-08-01 16:42:03 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-01 16:41:58 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-01 16:41:58 0 d-------- C:\Documents and Settings\Nesan\Application Data\SUPERAntiSpyware.com
2008-08-01 16:38:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-28 15:58:20 0 d-------- C:\Documents and Settings\Nesan\.housecall6.6
2008-07-28 12:20:22 0 d--h----- C:\WINDOWS\PIF
2008-07-28 10:14:46 0 d-------- C:\Program Files\lnzcuwd
2008-07-23 15:38:28 0 d-------- C:\Program Files\McAfee.com
2008-07-23 15:38:22 0 d-------- C:\Program Files\Common Files\McAfee
2008-07-23 15:38:13 0 d-------- C:\Program Files\McAfee
2008-07-23 15:26:26 4 --a------ C:\Documents and Settings\Liz\Application Data\4101F9
2008-07-22 11:18:18 0 d-------- C:\Program Files\Rhapsody
2008-07-21 17:37:41 0 d-------- C:\Program Files\Common Files\Real
2008-07-17 14:30:10 4 --a------ C:\Documents and Settings\Nesan\Application Data\4101F9


-- Find3M Report ---------------------------------------------------------------

2008-08-01 17:49:14 0 d-------- C:\Documents and Settings\Nesan\Application Data\.purple
2008-08-01 15:11:58 870128 --a------ C:\Documents and Settings\Nesan\Application Data\mcs.rma
2008-07-23 15:38:22 0 d-------- C:\Program Files\Common Files
2008-07-23 14:58:17 0 d-------- C:\Documents and Settings\Nesan\Application Data\McAfee
2008-07-22 11:19:46 0 d-------- C:\Documents and Settings\Nesan\Application Data\Real
2008-07-22 11:19:18 0 d-------- C:\Program Files\Real
2008-07-21 22:19:17 0 d-------- C:\Program Files\Yahoo!
2008-07-21 17:32:10 41848 --a------ C:\Documents and Settings\Nesan\Application Data\GDIPFONTCACHEV1.DAT
2008-07-21 08:15:25 0 d-------- C:\Program Files\Java
2008-07-20 12:11:27 0 d-------- C:\Program Files\Apple Software Update
2008-07-16 19:58:01 0 d-------- C:\Documents and Settings\Nesan\Application Data\Comcast
2008-07-16 15:30:54 0 d-------- C:\Documents and Settings\Nesan\Application Data\Canon
2008-06-08 11:09:13 0 d-------- C:\Program Files\DeductionPro 2007
2008-05-31 17:30:45 67 ---h----- C:\WINDOWS\popcreg.dat
2008-05-31 17:30:45 39 --a------ C:\WINDOWS\popcinfot.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 03:42 PM]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [05/08/2003 01:00 PM]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 12:50 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [07/19/2005 07:09 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [07/19/2005 07:10 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [07/19/2005 07:06 PM]
"DPAgnt"="C:\Program Files\DigitalPersona\Bin\DPAgnt.exe" [10/13/2004 07:24 PM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04/13/2008 08:12 PM C:\WINDOWS\system32\bthprops.cpl]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [09/28/2007 04:32 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"lphcp1kj0ep6e"="C:\WINDOWS\system32\lphcp1kj0ep6e.exe" []
"SMrhct1kj0ep6e"="C:\Program Files\rhct1kj0ep6e\rhct1kj0ep6e.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe" [05/09/2005 07:16 PM]
"gStart"="C:\Garmin\gStart.exe" [01/20/2005 05:45 PM]
"1&1 EasyLogin"="C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe" [06/03/2008 04:28 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]
"MonDsc"="C:\WINDOWS\system32\xsbsnuzo.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]
BTTray.lnk - C:\Program Files\DLink\Bluetooth Software\BTTray.exe [10/29/2003 6:41:58 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]
Pidgin.lnk - C:\Program Files\Pidgin\pidgin.exe [2/29/2008 11:19:00 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"procsmartmsg"= {726DBFD0-13F2-5AB9-CEC5-04E16C1AAF0A} - C:\Program Files\lnzcuwd\procsmartmsg.dll [07/28/2008 10:14 AM 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
C:\WINDOWS\system32\DPWLEvHd.dll 10/13/2004 07:29 PM 102400 C:\WINDOWS\system32\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-08-01 20:17:49 ------------


Here is extra.txt from dss.exe:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 38%
Physical Memory (total/avail): 1014.08 MiB / 621.75 MiB
Pagefile Memory (total/avail): 2441.24 MiB / 2093.29 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1918.96 MiB

C: is Fixed (NTFS) - 74.5 GiB total, 52.86 GiB free.
D: is Fixed (NTFS) - 149.05 GiB total, 91.19 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - ST3160811AS - 149.05 GiB - 1 partition
\PARTITION0 - Installable File System - 149.05 GiB - D:

\\.\PHYSICALDRIVE0 - WDC WD800JD-75MSA3 - 74.5 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.5 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Nesan\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ODDJOB
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Nesan
LOGONSERVER=\\ODDJOB
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\DPDrv;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Nesan\LOCALS~1\Temp
TMP=C:\DOCUME~1\Nesan\LOCALS~1\Temp
USERDOMAIN=ODDJOB
USERNAME=Nesan
USERPROFILE=C:\Documents and Settings\Nesan
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Nesan (admin)
Liz (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
1&1 EasyLogin --> C:\Program Files\1&1\1&1 EasyLogin\Uninstall.exe
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.7 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70700000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Amazon Unbox Video --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{54A4839E-87F8-4BD1-9682-A349E9943F0A}
AntivirXP08 --> "C:\Program Files\rhct1kj0ep6e\uninstall.exe"
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
ArchosLink --> C:\Program Files\Archos\ArchosLink\uninstall.exe
ArchosLink --> MsiExec.exe /I{7569DFCA-B80D-4287-9A03-65338887D9CC}
Avanquest update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe" -l0x9
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
Bejeweled Deluxe 1.87 --> C:\Program Files\PopCap Games\Bejeweled Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Bejeweled Deluxe\Install.log"
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Canon CanoScan Toolbox 4.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{143FB15C-0C48-41E3-9C30-F56FB69BF3D7}\setup.exe" -l0x9 anything
City Select North America NT v7 for c320 --> MsiExec.exe /X{E6DF5CF4-E9F0-4FD1-A307-08147EEAFF96}
Comcast PhotoShow Deluxe 4 --> "C:\Program Files\Comcast\Comcast PhotoShow 4\data\Xtras\Uninstall.exe"
Coupon Printer for Windows --> "C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
D-Link Bluetooth Software --> MsiExec.exe /X{FE90E9E7-A158-4687-8853-DF677A939A61}
DeductionPro 2005-06 --> C:\PROGRA~1\DEDUCT~1\UNWISE.EXE C:\PROGRA~1\DEDUCT~1\INSTALL.LOG
DeductionPro 2006 --> C:\Program Files\DeductionPro 2006\RemoveDPro.EXE C:\PROGRA~1\DEDUCT~2\INSTALL.LOG
DeductionPro 2007 --> "C:\Program Files\InstallShield Installation Information\{8A5EBB62-ADE7-41E2-8884-1517DE3505D1}\setup.exe" -runfromtemp -l0x0009 -removeonly
Dell Resource CD --> MsiExec.exe /X{FCD9CD52-7222-4672-94A0-A722BA702FD0}
DigitalPersona Password Manager 1.0.1 --> MsiExec.exe /I{C6C136D9-B41E-46ED-A8ED-A84D18B7CA31}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Drive Manager --> "C:\Program Files\InstallShield Installation Information\{B90E85EB-B7C9-44F7-8CAA-935BC628F6ED}\setup.exe" -runfromtemp -l0x0409 -removeonly
Drive Manager --> MsiExec.exe /I{B90E85EB-B7C9-44F7-8CAA-935BC628F6ED}
DVD-WMV --> MsiExec.exe /I{19934FC9-A54C-4DEF-ADAD-D3D361C2A595}
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
exPressit S.E. 2.2 --> "C:\Program Files\exPressit S.E. 2.2\UninstallerData\Uninstall exPressit S.E. 2.2.exe"
Garmin City Navigator North America NT 2008 --> MsiExec.exe /X{819F1E9F-38C9-4313-AF28-C7BC9A03933A}
Garmin MapSource --> MsiExec.exe /X{F11B623B-1485-415B-8818-C128AB9B6923}
Garmin StreetPilot c320 North America --> MsiExec.exe /X{3C713087-3114-420E-9250-238348411040}
Garmin WebUpdater --> MsiExec.exe /X{7D25A304-C82D-41C3-85A8-3BEF84E04887}
Garmin WebUpdater --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2FD94FBC-07AE-475C-B522-BFE899B9048E}\setup.exe" -l0x9
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
GTK+ Runtime 2.12.8 rev a (remove only) --> C:\Program Files\Common Files\GTK\2.0\uninst.exe
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB910998) --> "C:\WINDOWS\$NtUninstallKB910998$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
iriverter 0.16 --> C:\Program Files\iriverter\uninst.exe
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Keynote Connector --> C:\WINDOWS\DOWNLO~1\CONNEC~1.EXE /Uninstall
Manual CanoScan LiDE 35 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6AA4C799-BF98-4573-9C83-0C8E4EA46D14}\setup.exe" -l0x9
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Messenger Service --> "C:\Program Files\Video ActiveX Access\imsunst.exe"
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office XP Professional --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Motorola Driver Installation --> MsiExec.exe /I{3324A5DC-C7F6-430A-ACC8-F251CD8F4FC7}
Motorola Phone Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe" -l0x9 -removeonly
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Nesan\Application Data\Move Networks\ie_bin\Uninst.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
Netflix Movie Viewer --> MsiExec.exe /X{BCE72AED-3332-4863-9567-C5DCB9052CA2}
OmniPage SE 2.0 --> MsiExec.exe /I{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}
OverDrive Media Console --> MsiExec.exe /I{16D9439B-DF3D-43D1-A727-4B335300D07A}
Pdf995 (installed by TaxCut) --> C:\Program Files\pdf995\setup.exe uninstall
PdfEdit995 (installed by TaxCut) --> C:\Program Files\pdf995\res\utilities\thinsetup.exe - uninstall
Photo Viewer --> MsiExec.exe /I{67183F00-3DDC-497B-A090-4E2B79EAF1CD}
Pidgin --> C:\Program Files\Pidgin\pidgin-uninst.exe
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PSP Video Express(remove only) --> "C:\Program Files\PQDVD\PSPVideoExpress\bt-uninst.exe"
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Rhapsody --> C:\PROGRA~1\Rhapsody\Unwise32.exe /A C:\PROGRA~1\Rhapsody\install.log
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Samsung ML-1740 Series --> C:\WINDOWS\Samsung\ML-1740\SETUP.EXE
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.exe" -l0x9 -removeonly
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
TaxCut Massachusetts 2007 --> MsiExec.exe /X{4CC91A65-EC7C-4F74-86EB-08D176F889F3}
TaxCut Premium + State + Efile 2007 --> MsiExec.exe /X{CF9A795B-2E4A-42D3-A4C4-333D5BF39350}
TaxCut Premium 2006 --> C:\PROGRA~1\TaxCut06\Program\removetc.exe
Time Zone Data Update Tool for Microsoft Office Outlook --> MsiExec.exe /X{95120000-0038-0409-0000-0000000FF1CE}
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Driver Package - (mr7910) Image (08/08/2006 1.4.0.0) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\DPInstXP.exe /u C:\WINDOWS\system32\DRVSTORE\mr7910_1FFEF370F39864F3AAA62219D434AE06B02B70AB\mr7910.inf
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type8187 / Error
Event Submitted/Written: 08/01/2008 04:38:51 PM
Event ID/Source: 1008 / MsiInstaller
Event Description:
The installation of C:\Program Files\Common Files\Wise Installation Wizard\WISCDDCBBF1270346BC938BBCC81A1EEAAA_4_15_0_1000.MSI is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

Event Record #/Type8186 / Error
Event Submitted/Written: 08/01/2008 04:38:29 PM
Event ID/Source: 1008 / MsiInstaller
Event Description:
The installation of C:\Program Files\Common Files\Wise Installation Wizard\WISCDDCBBF1270346BC938BBCC81A1EEAAA_4_15_0_1000.MSI is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

Event Record #/Type8137 / Error
Event Submitted/Written: 07/28/2008 10:16:33 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application rhct1kj0ep6e.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type8135 / Error
Event Submitted/Written: 07/25/2008 11:44:29 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type8083 / Warning
Event Submitted/Written: 07/23/2008 02:58:15 PM
Event ID/Source: 0 / COM+ SOAP Services
Event Description:
Removal of an assembly from the global assembly cache failed: C:\Program Files\McAfee\MBK\Arbus.Interfacing.Library.dll



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type24384 / Warning
Event Submitted/Written: 08/01/2008 05:58:42 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\JINX on the network \Device\NetBT_Tcpip_{9BE4474C-9181-488C-BF37-A2D7F8440246}.
The data is the error code.

Event Record #/Type24353 / Error
Event Submitted/Written: 08/01/2008 05:22:13 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The MCSTRM service failed to start due to the following error:
%%2

Event Record #/Type24326 / Error
Event Submitted/Written: 08/01/2008 05:06:08 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The MCSTRM service failed to start due to the following error:
%%2

Event Record #/Type24322 / Error
Event Submitted/Written: 08/01/2008 05:05:09 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type24321 / Error
Event Submitted/Written: 08/01/2008 05:05:09 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service DPFUSMgr with arguments ""
in order to run the server:
{A5F087F1-543B-11D5-87D4-00010242D7FF}



-- End of Deckard's System Scanner: finished at 2008-08-01 20:17:49 ------------

And here is the output from the Kaspersky scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, August 1, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 01, 2008 22:59:24
Records in database: 1042421
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 103593
Threat name: 5
Infected objects: 4
Suspicious objects: 4
Duration of the scan: 01:51:22


File name / Threat name / Threats count
C:\Documents and Settings\Liz\My Documents\Outlook\outlook.pst Infected: Trojan-Spy.HTML.Citifraud.ai 1
C:\Documents and Settings\Nesan\Local Settings\Application Data\Identities\{72793C50-671F-450A-AED2-23849237E7C1}\Microsoft\Outlook Express\eBay.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Nesan\Local Settings\Application Data\Identities\{72793C50-671F-450A-AED2-23849237E7C1}\Microsoft\Outlook Express\Sent Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\Nesan\Local Settings\Application Data\Microsoft\Outlook\Microsoft\Outlook\Microsoft\Outlook\Microsoft\Outlook\archive.pst Infected: Email-Worm.VBS.KakWorm 2
C:\Documents and Settings\Nesan\Local Settings\Application Data\Microsoft\Outlook\Microsoft\Outlook\Microsoft\Outlook\Microsoft\Outlook\outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Nesan\Local Settings\Application Data\Microsoft\Outlook\Microsoft\Outlook\Microsoft\Outlook\Microsoft\Outlook\outlook.pst Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\Nesan\My Documents\temp\FU-Setup_LE.exe Infected: not-a-virus:AdWare.Win32.Rabio.ap 1

The selected area was scanned.


#2 Nesan (Topic Starter, Members, 9 posts)

Posted 07 August 2008 - 10:20 AM

Bump.

#3 SNOWHITE (missy malware magnet; Members, 2,676 posts; Bitola, Macedonia)

Posted 10 August 2008 - 10:37 PM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below, a staff member will review them and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


If you already performed the steps above, we still need to see the current state of the machine; a fresh scan and logs are still necessary.

Click on Start, then click on Run, copy and paste the following (in bold) into the open window, and then click OK:
"%userprofile%\desktop\dss.exe" /config
This will open the DSS configuration. Click on Check All, then click Scan. DSS will now run again; when it is finished, please post back both logs that open in Notepad, main.txt and extra.txt.



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back with dss reports main.txt, extra.txt and Kaspersky report.

Regards
SNOWHITE

#4 Nesan (Topic Starter, Members, 9 posts)

Posted 11 August 2008 - 10:17 AM

Hi,
Thanks very much for your help.

I ran Dss.exe today but it only created the main.txt. It did not create the extra.txt this time. Here is the main.txt:

Deckard's System Scanner v20071014.68
Run by Nesan on 2008-08-11 08:20:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Nesan.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:20:52 AM, on 8/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
C:\Garmin\gStart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DLink\Bluetooth Software\BTTray.exe
C:\PROGRA~1\DLink\BLUETO~1\BTSTAC~1.EXE
C:\Documents and Settings\Nesan\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Nesan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [lphcp1kj0ep6e] C:\WINDOWS\system32\lphcp1kj0ep6e.exe
O4 - HKLM\..\Run: [SMrhct1kj0ep6e] C:\Program Files\rhct1kj0ep6e\rhct1kj0ep6e.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - HKCU\..\Run: [1&1 EasyLogin] C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MonDsc] C:\WINDOWS\system32\xsbsnuzo.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pidgin.lnk = C:\Program Files\Pidgin\pidgin.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applicatio...torLauncher.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O21 - SSODL: procsmartmsg - {726DBFD0-13F2-5AB9-CEC5-04E16C1AAF0A} - C:\Program Files\lnzcuwd\procsmartmsg.dll
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

--
End of file - 9163 bytes

-- Files created between 2008-07-11 and 2008-08-11 -----------------------------

2008-08-01 20:16:36 0 d-------- C:\Program Files\Trend Micro
2008-08-01 16:42:03 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-01 16:41:58 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-01 16:41:58 0 d-------- C:\Documents and Settings\Nesan\Application Data\SUPERAntiSpyware.com
2008-08-01 16:38:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-28 15:58:20 0 d-------- C:\Documents and Settings\Nesan\.housecall6.6
2008-07-28 12:20:22 0 d--h----- C:\WINDOWS\PIF
2008-07-28 10:14:46 0 d-------- C:\Program Files\lnzcuwd
2008-07-23 15:38:28 0 d-------- C:\Program Files\McAfee.com
2008-07-23 15:38:22 0 d-------- C:\Program Files\Common Files\McAfee
2008-07-23 15:38:13 0 d-------- C:\Program Files\McAfee
2008-07-23 15:26:26 4 --a------ C:\Documents and Settings\Liz\Application Data\4101F9
2008-07-22 11:18:18 0 d-------- C:\Program Files\Rhapsody
2008-07-21 17:37:41 0 d-------- C:\Program Files\Common Files\Real
2008-07-17 14:30:10 4 --a------ C:\Documents and Settings\Nesan\Application Data\4101F9


-- Find3M Report ---------------------------------------------------------------

2008-08-11 08:17:40 0 d-------- C:\Documents and Settings\Nesan\Application Data\.purple
2008-08-07 19:31:05 870128 --a------ C:\Documents and Settings\Nesan\Application Data\mcs.rma
2008-08-03 14:02:29 67 ---h----- C:\WINDOWS\popcreg.dat
2008-08-03 14:02:29 39 --a------ C:\WINDOWS\popcinfot.dat
2008-08-02 20:21:18 0 d-------- C:\Documents and Settings\Nesan\Application Data\Canon
2008-07-23 15:38:22 0 d-------- C:\Program Files\Common Files
2008-07-23 14:58:17 0 d-------- C:\Documents and Settings\Nesan\Application Data\McAfee
2008-07-22 11:19:46 0 d-------- C:\Documents and Settings\Nesan\Application Data\Real
2008-07-22 11:19:18 0 d-------- C:\Program Files\Real
2008-07-21 22:19:17 0 d-------- C:\Program Files\Yahoo!
2008-07-21 17:32:10 41848 --a------ C:\Documents and Settings\Nesan\Application Data\GDIPFONTCACHEV1.DAT
2008-07-21 08:15:25 0 d-------- C:\Program Files\Java
2008-07-20 12:11:27 0 d-------- C:\Program Files\Apple Software Update
2008-07-16 19:58:01 0 d-------- C:\Documents and Settings\Nesan\Application Data\Comcast


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 03:42 PM]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [05/08/2003 01:00 PM]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 12:50 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [07/19/2005 07:09 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [07/19/2005 07:10 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [07/19/2005 07:06 PM]
"DPAgnt"="C:\Program Files\DigitalPersona\Bin\DPAgnt.exe" [10/13/2004 07:24 PM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04/13/2008 08:12 PM C:\WINDOWS\system32\bthprops.cpl]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [09/28/2007 04:32 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"lphcp1kj0ep6e"="C:\WINDOWS\system32\lphcp1kj0ep6e.exe" []
"SMrhct1kj0ep6e"="C:\Program Files\rhct1kj0ep6e\rhct1kj0ep6e.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe" [05/09/2005 07:16 PM]
"gStart"="C:\Garmin\gStart.exe" [01/20/2005 05:45 PM]
"1&1 EasyLogin"="C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe" [06/03/2008 04:28 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]
"MonDsc"="C:\WINDOWS\system32\xsbsnuzo.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]
BTTray.lnk - C:\Program Files\DLink\Bluetooth Software\BTTray.exe [10/29/2003 6:41:58 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]
Pidgin.lnk - C:\Program Files\Pidgin\pidgin.exe [2/29/2008 11:19:00 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"procsmartmsg"= {726DBFD0-13F2-5AB9-CEC5-04E16C1AAF0A} - C:\Program Files\lnzcuwd\procsmartmsg.dll [07/28/2008 10:14 AM 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
C:\WINDOWS\system32\DPWLEvHd.dll 10/13/2004 07:29 PM 102400 C:\WINDOWS\system32\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-08-11 08:21:18 ------------



And here is the Kaspersky report:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, August 11, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, August 11, 2008 14:41:41
Records in database: 1082298
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 110714
Threat name: 5
Infected objects: 4
Suspicious objects: 4
Duration of the scan: 01:53:26


File name / Threat name / Threats count
C:\Documents and Settings\Liz\My Documents\Outlook\outlook.pst Infected: Trojan-Spy.HTML.Citifraud.ai 1
C:\Documents and Settings\Nesan\Local Settings\Application Data\Identities\{72793C50-671F-450A-AED2-23849237E7C1}\Microsoft\Outlook Express\eBay.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Nesan\Local Settings\Application Data\Identities\{72793C50-671F-450A-AED2-23849237E7C1}\Microsoft\Outlook Express\Sent Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\Nesan\Local Settings\Application Data\Microsoft\Outlook\Microsoft\Outlook\Microsoft\Outlook\Microsoft\Outlook\archive.pst Infected: Email-Worm.VBS.KakWorm 2
C:\Documents and Settings\Nesan\Local Settings\Application Data\Microsoft\Outlook\Microsoft\Outlook\Microsoft\Outlook\Microsoft\Outlook\outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Nesan\Local Settings\Application Data\Microsoft\Outlook\Microsoft\Outlook\Microsoft\Outlook\Microsoft\Outlook\outlook.pst Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\Nesan\My Documents\temp\FU-Setup_LE.exe Infected: not-a-virus:AdWare.Win32.Rabio.ap 1

The selected area was scanned.


Thanks again

Nesan
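
The HijackThis log and DSS registry dump in this post carry the indicators a malware-response helper looks for first: Run-key entries with random-looking names (lphcp1kj0ep6e, rhct1kj0ep6e, xsbsnuzo.exe), an executable sitting in a Program Files folder named after itself, Run entries for which DSS printed an empty [] instead of a file timestamp, and an O21 ShellServiceObjectDelayLoad DLL loaded from outside system32. The script below is an added example written for this thread, not code from any post or from HijackThis, DSS or SmitfraudFix. It embeds a constructed subset of the log lines above as sample input and scores each autorun entry with those heuristics; the weights, the letter/digit-transition test and the reading of an empty DSS [] as "file could not be found" are the example's own assumptions, so a "review" result is a prompt to look, not a verdict.

```python
"""Triage autorun entries from a HijackThis log against a DSS registry dump.

Added example for this thread; not part of any post, nor HijackThis/DSS logic.
The scoring rules are assumptions made here for illustration.
"""
import re
from dataclasses import dataclass, field

SYSTEM32 = r"c:\windows\system32"

# Constructed sample: O4/O20/O21 lines copied from the HijackThis log above.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [lphcp1kj0ep6e] C:\WINDOWS\system32\lphcp1kj0ep6e.exe
O4 - HKLM\..\Run: [SMrhct1kj0ep6e] C:\Program Files\rhct1kj0ep6e\rhct1kj0ep6e.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MonDsc] C:\WINDOWS\system32\xsbsnuzo.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: procsmartmsg - {726DBFD0-13F2-5AB9-CEC5-04E16C1AAF0A} - C:\Program Files\lnzcuwd\procsmartmsg.dll
"""

# Constructed sample: Run-key lines from the DSS registry dump above. DSS shows
# the file timestamp in [...]; assumption here: an empty [] means DSS could not
# stat the file (missing, or hidden from the scanner).
DSS_SAMPLE = r"""
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [07/19/2005 07:10 PM]
"lphcp1kj0ep6e"="C:\WINDOWS\system32\lphcp1kj0ep6e.exe" []
"SMrhct1kj0ep6e"="C:\Program Files\rhct1kj0ep6e\rhct1kj0ep6e.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]
"MonDsc"="C:\WINDOWS\system32\xsbsnuzo.exe" []
"""

PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl)\b', re.I)
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (\S+) - (.+)$')
O21_RE = re.compile(r'^O21 - SSODL: (\S+) - \{[^}]+\} - (.+)$')
DSS_RE = re.compile(r'^"([^"]+)"="[^"]*"\s*\[(.*)\]\s*$')


@dataclass
class Finding:
    kind: str
    name: str
    path: str
    reasons: list = field(default_factory=list)
    score: int = 0

    def add(self, weight: int, why: str) -> None:
        self.reasons.append(why)
        self.score += weight

    @property
    def severity(self) -> str:
        return "high" if self.score >= 2 else "review"


def letter_digit_transitions(stem: str) -> int:
    """Count letter<->digit switches: 'lphcp1kj0ep6e' -> 6, 'smax4pnp' -> 2."""
    classes = ["d" if c.isdigit() else "a" for c in stem if c.isalnum()]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b)


def parse_dss_missing(dss_text: str) -> set:
    """Value names whose DSS Run-key line carries an empty [] (no file found)."""
    missing = set()
    for line in dss_text.splitlines():
        m = DSS_RE.match(line)
        if m and not m.group(2).strip():
            missing.add(m.group(1))
    return missing


def parse_hjt(hjt_text: str):
    """Yield (kind, value name, file path) for O4, O20 and O21 lines."""
    for line in hjt_text.splitlines():
        if (m := O4_RE.match(line)) and (p := PATH_RE.search(m.group(3))):
            yield "O4-" + m.group(1), m.group(2), p.group(0)
        elif m := O20_RE.match(line):
            yield "O20", m.group(1), m.group(2).strip()
        elif m := O21_RE.match(line):
            yield "O21", m.group(1), m.group(2).strip()


def triage(hjt_text: str, dss_text: str = "") -> list:
    """Score each autorun; return only entries that tripped at least one rule."""
    missing = parse_dss_missing(dss_text)
    findings = []
    for kind, name, path in parse_hjt(hjt_text):
        f = Finding(kind, name, path)
        parts = path.split("\\")
        stem = parts[-1].rsplit(".", 1)[0]
        parent = parts[-2] if len(parts) > 1 else ""
        in_system32 = "\\".join(parts[:-1]).lower() == SYSTEM32
        if kind.startswith("O4"):
            t = letter_digit_transitions(stem)
            if t >= 4:
                f.add(2, f"random-looking file name ({t} letter/digit transitions)")
            if parent.lower() == stem.lower():
                f.add(1, "executable lives in a folder named after itself")
            if name in missing:
                f.add(1, "DSS dump shows no file metadata (missing or hidden file)")
        elif kind == "O21" and not in_system32:
            f.add(2, "SSODL shell-extension DLL loaded from outside system32")
        elif kind == "O20" and not in_system32:
            f.add(1, "Winlogon Notify DLL outside system32 (verify the vendor)")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for fnd in triage(HJT_SAMPLE, DSS_SAMPLE):
        print(f"[{fnd.severity:6}] {fnd.kind:8} {fnd.name}: {fnd.path}")
        for why in fnd.reasons:
            print("          -", why)
```

Run against the sample, the two Run entries with random names and the lnzcuwd SSODL DLL come out "high"; the SUPERAntiSpyware Winlogon hook and the MonDsc entry (whose xsbsnuzo.exe DSS could not find) come out "review", which is the honest answer for a single weak signal. The point of the SSODL rule is that an O21 entry is loaded into every Explorer instance at logon, so it survives a plain Run-key cleanup; a practitioner would pull that DLL and the Program Files\lnzcuwd folder before anything else.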

#5 Billy O'Neal (Visual C++ STL Maintainer; Malware Response Team, 12,301 posts; Redmond, Washington)

Posted 13 August 2008 - 10:21 PM

Hello, Nesan.
Welcome to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the reply button in the lower left hand corner of your screen.
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#6 Billy O'Neal (Visual C++ STL Maintainer; Malware Response Team, 12,301 posts; Redmond, Washington)

Posted 13 August 2008 - 10:53 PM

Hello, Nesan.

You may have a SmitFraud variant. I need to gather some more information. Please follow these instructions:
  • Please download SmitfraudFix, and save it to your desktop.
  • Double-click SmitfraudFix.exe, on your desktop.
  • Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
  • Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. Look here for more details.

In your next reply, please include the following:
  • SmitFraudFix's Rapport.txt

Billy3

#7 Nesan (Topic Starter, Members, 9 posts)

Posted 14 August 2008 - 07:33 AM

Hi Bill,

Thanks so much for your help. Much appreciated.

Here is the rapport.txt:

SmitFraudFix v2.336

Scan done at 8:31:31.34, Thu 08/14/2008
Run from C:\Documents and Settings\Nesan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe
C:\Garmin\gStart.exe
C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\DLink\Bluetooth Software\BTTray.exe
C:\Program Files\Pidgin\pidgin.exe
C:\PROGRA~1\DLink\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Documents and Settings\Nesan\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Nesan


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Nesan\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Nesan\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 68.87.71.226
DNS Server Search Order: 68.87.73.242
DNS Server Search Order: 68.87.64.146

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9BE4474C-9181-488C-BF37-A2D7F8440246}: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9BE4474C-9181-488C-BF37-A2D7F8440246}: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146
HKLM\SYSTEM\CS3\Services\Tcpip\..\{9BE4474C-9181-488C-BF37-A2D7F8440246}: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242 68.87.64.146


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Nesan

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:07:02 PM

Posted 14 August 2008 - 09:25 AM

Hello, Nesan.
We need to run ComboFix. In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#9 Nesan

Nesan
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:02 PM

Posted 14 August 2008 - 11:36 AM

Hi Bill,

I have installed the Recovery Console from my Windows XP CD. It got a 'successful install' message but it didn't ask me to click Yes to start the malware search. After installing, I rebooted and the Recovery Console is an option at bootup.

After rebooting, I manually ran ComboFix. Here is the report:

ComboFix 08-08-13.05 - Nesan 2008-08-14 12:18:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.626 [GMT -4:00]
Running from: C:\Documents and Settings\Nesan\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Nesan\Application Data\macromedia\Flash Player\#SharedObjects\HF6DPX3M\interclick.com
C:\Documents and Settings\Nesan\Application Data\macromedia\Flash Player\#SharedObjects\HF6DPX3M\interclick.com\ud.sol
C:\Documents and Settings\Nesan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Nesan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Nesan\Cookies.\nesan@2o7[2].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@a.directv[2].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@a.independent.co[1].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@ad.yieldmanager[1].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@adopt.euroclick[1].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@ads.pointroll[1].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@ads.revsci[1].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@amazon[2].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@circuitcity[2].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@directv[2].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@hits.gureport.co[1].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@indexstats[2].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@paypal[2].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@priceline[1].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@revsci[2].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@specificclick[1].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@yelp[1].txt
C:\Documents and Settings\Nesan\Favorites\.url
C:\WINDOWS\base64.tmp
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.

2008-08-01 20:16 . 2008-08-01 20:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-01 20:14 . 2008-08-01 20:14 <DIR> d-------- C:\Deckard
2008-08-01 17:20 . 2008-08-01 17:27 <DIR> d-------- C:\fixwareout
2008-08-01 16:42 . 2008-08-01 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-01 16:41 . 2008-08-01 16:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-01 16:41 . 2008-08-01 16:41 <DIR> d-------- C:\Documents and Settings\Nesan\Application Data\SUPERAntiSpyware.com
2008-08-01 16:38 . 2008-08-01 16:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-28 17:27 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-07-28 15:58 . 2008-07-28 17:38 <DIR> d-------- C:\Documents and Settings\Nesan\.housecall6.6
2008-07-28 12:20 . 2008-07-28 12:20 <DIR> d--h----- C:\WINDOWS\PIF
2008-07-28 10:14 . 2008-07-28 10:14 <DIR> d-------- C:\Program Files\lnzcuwd
2008-07-23 17:09 . 2008-04-23 00:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-23 17:09 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-23 17:09 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-23 17:09 . 2008-04-23 00:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-23 17:09 . 2008-04-23 00:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-23 17:09 . 2008-04-23 00:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-23 17:09 . 2008-04-23 00:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-23 17:09 . 2008-04-23 00:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-23 17:09 . 2008-04-22 03:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-23 15:39 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-07-23 15:39 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-07-23 15:39 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-07-23 15:39 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-07-23 15:39 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-07-23 15:39 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-07-23 15:38 . 2008-07-23 15:38 <DIR> d-------- C:\Program Files\McAfee.com
2008-07-23 15:38 . 2008-07-23 16:01 <DIR> d-------- C:\Program Files\McAfee
2008-07-23 15:38 . 2008-07-23 15:39 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-22 11:18 . 2008-07-22 11:20 <DIR> d-------- C:\Program Files\Rhapsody
2008-07-21 17:37 . 2008-07-21 17:37 <DIR> d-------- C:\Program Files\Common Files\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-14 16:16 --------- d-----w C:\Documents and Settings\Nesan\Application Data\.purple
2008-08-13 20:41 --------- d-----w C:\Documents and Settings\Nesan\Application Data\Canon
2008-08-13 16:36 --------- d-----w C:\Documents and Settings\Liz\Application Data\Canon
2008-08-13 16:35 --------- d-----w C:\Documents and Settings\Liz\Application Data\.purple
2008-07-23 19:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-23 18:58 --------- d-----w C:\Documents and Settings\Nesan\Application Data\McAfee
2008-07-22 15:19 --------- d-----w C:\Program Files\Real
2008-07-22 02:19 --------- d-----w C:\Program Files\Yahoo!
2008-07-21 21:32 41,848 ----a-w C:\Documents and Settings\Nesan\Application Data\GDIPFONTCACHEV1.DAT
2008-07-21 12:15 --------- d-----w C:\Program Files\Java
2008-07-20 16:11 --------- d-----w C:\Program Files\Apple Software Update
2008-07-16 23:58 --------- d-----w C:\Documents and Settings\Nesan\Application Data\Comcast
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2007-12-22 22:18 41,072 ----a-w C:\Documents and Settings\Liz\Application Data\GDIPFONTCACHEV1.DAT
2007-11-07 02:01 24,192 ----a-w C:\Documents and Settings\Nesan\usbsermptxp.sys
2007-11-07 02:01 22,768 ----a-w C:\Documents and Settings\Nesan\usbsermpt.sys
2006-11-27 20:24 92,064 ----a-w C:\Documents and Settings\Nesan\mqdmmdm.sys
2006-11-27 20:24 9,232 ----a-w C:\Documents and Settings\Nesan\mqdmmdfl.sys
2006-11-27 20:24 79,328 ----a-w C:\Documents and Settings\Nesan\mqdmserd.sys
2006-11-27 20:24 66,656 ----a-w C:\Documents and Settings\Nesan\mqdmbus.sys
2006-11-27 20:24 6,208 ----a-w C:\Documents and Settings\Nesan\mqdmcmnt.sys
2006-11-27 20:24 5,936 ----a-w C:\Documents and Settings\Nesan\mqdmwhnt.sys
2006-11-27 20:24 4,048 ----a-w C:\Documents and Settings\Nesan\mqdmcr.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe" [2005-05-09 19:16 192512]
"gStart"="C:\Garmin\gStart.exe" [2005-01-20 17:45 1896448]
"1&1 EasyLogin"="C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe" [2008-06-03 04:28 1540608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42 1404928]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 13:00 49152]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 19:09 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 19:10 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 19:06 77824]
"DPAgnt"="C:\Program Files\DigitalPersona\Bin\DPAgnt.exe" [2004-10-13 19:24 913408]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-09-28 16:32 169328]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 20:12 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
BTTray.lnk - C:\Program Files\DLink\Bluetooth Software\BTTray.exe [2003-10-29 18:41:58 503875]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
Pidgin.lnk - C:\Program Files\Pidgin\pidgin.exe [2008-02-29 11:19:00 44658]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"procsmartmsg"= {726DBFD0-13F2-5AB9-CEC5-04E16C1AAF0A} - C:\Program Files\lnzcuwd\procsmartmsg.dll [2008-07-28 10:14 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
2004-10-13 19:29 102400 C:\WINDOWS\system32\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

R2 Basics Service;Basics Service;C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe [2007-09-28 16:32]
R3 dpK0Bx01;Fingerprint Reader Filter Driver;C:\WINDOWS\system32\DRIVERS\dpK0Bx01.sys [2004-08-04 17:58]
R3 UsbdpFP;Fingerprint Reader Class Driver;C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys [2004-08-04 17:59]
.
Contents of the 'Scheduled Tasks' folder

2008-08-13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-07-23 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MonDsc - C:\WINDOWS\system32\xsbsnuzo.exe
HKLM-Run-lphcp1kj0ep6e - C:\WINDOWS\system32\lphcp1kj0ep6e.exe
HKLM-Run-SMrhct1kj0ep6e - C:\Program Files\rhct1kj0ep6e\rhct1kj0ep6e.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local

O16 -: {50647AB5-18FD-4142-82B0-5852478DD0D5} - hxxp://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab
C:\WINDOWS\Downloaded Program Files\ConnectorLauncher.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-14 12:24:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\DigitalPersona\Bin\DpOFeedb.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Comcast\Comcast PhotoShow 4\data\Xtras\mssysmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DLink\Bluetooth Software\BTStackServer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-08-14 12:33:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-14 16:33:18

Pre-Run: 56,111,411,200 bytes free
Post-Run: 56,216,764,416 bytes free

212 --- E O F --- 2008-07-09 12:43:22


Thanks

Nesan

#10 Nesan

Nesan
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:02 PM

Posted 14 August 2008 - 11:38 AM

The log in the previous reply is actually the file that opened when ComboFix ended. It is called log.txt. I notice you asked for ComboFix.txt, which I found in my C:\ directory. Here it is:

ComboFix 08-08-13.05 - Nesan 2008-08-14 12:18:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.626 [GMT -4:00]
Running from: C:\Documents and Settings\Nesan\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Nesan\Application Data\macromedia\Flash Player\#SharedObjects\HF6DPX3M\interclick.com
C:\Documents and Settings\Nesan\Application Data\macromedia\Flash Player\#SharedObjects\HF6DPX3M\interclick.com\ud.sol
C:\Documents and Settings\Nesan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Nesan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Nesan\Cookies.\nesan@2o7[2].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@a.directv[2].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@a.independent.co[1].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@ad.yieldmanager[1].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@adopt.euroclick[1].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@ads.pointroll[1].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@ads.revsci[1].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@amazon[2].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@circuitcity[2].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@directv[2].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@hits.gureport.co[1].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@indexstats[2].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@paypal[2].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@priceline[1].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@revsci[2].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@specificclick[1].txt
C:\Documents and Settings\Nesan\Cookies.\nesan@yelp[1].txt
C:\Documents and Settings\Nesan\Favorites\.url
C:\WINDOWS\base64.tmp
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.

2008-08-01 20:16 . 2008-08-01 20:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-01 20:14 . 2008-08-01 20:14 <DIR> d-------- C:\Deckard
2008-08-01 17:20 . 2008-08-01 17:27 <DIR> d-------- C:\fixwareout
2008-08-01 16:42 . 2008-08-01 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-01 16:41 . 2008-08-01 16:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-01 16:41 . 2008-08-01 16:41 <DIR> d-------- C:\Documents and Settings\Nesan\Application Data\SUPERAntiSpyware.com
2008-08-01 16:38 . 2008-08-01 16:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-28 17:27 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-07-28 15:58 . 2008-07-28 17:38 <DIR> d-------- C:\Documents and Settings\Nesan\.housecall6.6
2008-07-28 12:20 . 2008-07-28 12:20 <DIR> d--h----- C:\WINDOWS\PIF
2008-07-28 10:14 . 2008-07-28 10:14 <DIR> d-------- C:\Program Files\lnzcuwd
2008-07-23 17:09 . 2008-04-23 00:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-23 17:09 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-23 17:09 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-23 17:09 . 2008-04-23 00:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-23 17:09 . 2008-04-23 00:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-23 17:09 . 2008-04-23 00:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-23 17:09 . 2008-04-23 00:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-23 17:09 . 2008-04-23 00:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-23 17:09 . 2008-04-22 03:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-23 15:39 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-07-23 15:39 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-07-23 15:39 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-07-23 15:39 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-07-23 15:39 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-07-23 15:39 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-07-23 15:38 . 2008-07-23 15:38 <DIR> d-------- C:\Program Files\McAfee.com
2008-07-23 15:38 . 2008-07-23 16:01 <DIR> d-------- C:\Program Files\McAfee
2008-07-23 15:38 . 2008-07-23 15:39 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-22 11:18 . 2008-07-22 11:20 <DIR> d-------- C:\Program Files\Rhapsody
2008-07-21 17:37 . 2008-07-21 17:37 <DIR> d-------- C:\Program Files\Common Files\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-14 16:16 --------- d-----w C:\Documents and Settings\Nesan\Application Data\.purple
2008-08-13 20:41 --------- d-----w C:\Documents and Settings\Nesan\Application Data\Canon
2008-08-13 16:36 --------- d-----w C:\Documents and Settings\Liz\Application Data\Canon
2008-08-13 16:35 --------- d-----w C:\Documents and Settings\Liz\Application Data\.purple
2008-07-23 19:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-23 18:58 --------- d-----w C:\Documents and Settings\Nesan\Application Data\McAfee
2008-07-22 15:19 --------- d-----w C:\Program Files\Real
2008-07-22 02:19 --------- d-----w C:\Program Files\Yahoo!
2008-07-21 21:32 41,848 ----a-w C:\Documents and Settings\Nesan\Application Data\GDIPFONTCACHEV1.DAT
2008-07-21 12:15 --------- d-----w C:\Program Files\Java
2008-07-20 16:11 --------- d-----w C:\Program Files\Apple Software Update
2008-07-16 23:58 --------- d-----w C:\Documents and Settings\Nesan\Application Data\Comcast
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2007-12-22 22:18 41,072 ----a-w C:\Documents and Settings\Liz\Application Data\GDIPFONTCACHEV1.DAT
2007-11-07 02:01 24,192 ----a-w C:\Documents and Settings\Nesan\usbsermptxp.sys
2007-11-07 02:01 22,768 ----a-w C:\Documents and Settings\Nesan\usbsermpt.sys
2006-11-27 20:24 92,064 ----a-w C:\Documents and Settings\Nesan\mqdmmdm.sys
2006-11-27 20:24 9,232 ----a-w C:\Documents and Settings\Nesan\mqdmmdfl.sys
2006-11-27 20:24 79,328 ----a-w C:\Documents and Settings\Nesan\mqdmserd.sys
2006-11-27 20:24 66,656 ----a-w C:\Documents and Settings\Nesan\mqdmbus.sys
2006-11-27 20:24 6,208 ----a-w C:\Documents and Settings\Nesan\mqdmcmnt.sys
2006-11-27 20:24 5,936 ----a-w C:\Documents and Settings\Nesan\mqdmwhnt.sys
2006-11-27 20:24 4,048 ----a-w C:\Documents and Settings\Nesan\mqdmcr.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe" [2005-05-09 19:16 192512]
"gStart"="C:\Garmin\gStart.exe" [2005-01-20 17:45 1896448]
"1&1 EasyLogin"="C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe" [2008-06-03 04:28 1540608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42 1404928]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 13:00 49152]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 19:09 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 19:10 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 19:06 77824]
"DPAgnt"="C:\Program Files\DigitalPersona\Bin\DPAgnt.exe" [2004-10-13 19:24 913408]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-09-28 16:32 169328]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 20:12 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
BTTray.lnk - C:\Program Files\DLink\Bluetooth Software\BTTray.exe [2003-10-29 18:41:58 503875]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
Pidgin.lnk - C:\Program Files\Pidgin\pidgin.exe [2008-02-29 11:19:00 44658]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"procsmartmsg"= {726DBFD0-13F2-5AB9-CEC5-04E16C1AAF0A} - C:\Program Files\lnzcuwd\procsmartmsg.dll [2008-07-28 10:14 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
2004-10-13 19:29 102400 C:\WINDOWS\system32\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

R2 Basics Service;Basics Service;C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe [2007-09-28 16:32]
R3 dpK0Bx01;Fingerprint Reader Filter Driver;C:\WINDOWS\system32\DRIVERS\dpK0Bx01.sys [2004-08-04 17:58]
R3 UsbdpFP;Fingerprint Reader Class Driver;C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys [2004-08-04 17:59]
.
Contents of the 'Scheduled Tasks' folder

2008-08-13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-07-23 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MonDsc - C:\WINDOWS\system32\xsbsnuzo.exe
HKLM-Run-lphcp1kj0ep6e - C:\WINDOWS\system32\lphcp1kj0ep6e.exe
HKLM-Run-SMrhct1kj0ep6e - C:\Program Files\rhct1kj0ep6e\rhct1kj0ep6e.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local

O16 -: {50647AB5-18FD-4142-82B0-5852478DD0D5} - hxxp://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab
C:\WINDOWS\Downloaded Program Files\ConnectorLauncher.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-14 12:24:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\DigitalPersona\Bin\DpOFeedb.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Comcast\Comcast PhotoShow 4\data\Xtras\mssysmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DLink\Bluetooth Software\BTStackServer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-08-14 12:33:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-14 16:33:18

Pre-Run: 56,111,411,200 bytes free
Post-Run: 56,216,764,416 bytes free

212 --- E O F --- 2008-07-09 12:43:22

Thanks
Nesan

#11 Billy O'Neal


    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 14 August 2008 - 04:07 PM

Hello, Nesan.
We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/160944/ie-jumpsredirects-to-random-pages-from-google-search-results/
    
    suspect::[54]
    C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys
    C:\WINDOWS\system32\DRIVERS\dpK0Bx01.sys
    
    file::
    C:\Documents and Settings\Liz\Application Data\GDIPFONTCACHEV1.DAT
    C:\Documents and Settings\Nesan\usbsermptxp.sys
    C:\Documents and Settings\Nesan\usbsermpt.sys
    C:\Documents and Settings\Nesan\mqdmmdm.sys
    C:\Documents and Settings\Nesan\mqdmmdfl.sys
    C:\Documents and Settings\Nesan\mqdmserd.sys
    C:\Documents and Settings\Nesan\mqdmbus.sys
    C:\Documents and Settings\Nesan\mqdmcmnt.sys
    C:\Documents and Settings\Nesan\mqdmwhnt.sys
    C:\Documents and Settings\Nesan\mqdmcr.sys
    C:\Program Files\lnzcuwd\procsmartmsg.dll
    
    dirlook::
    C:\Program Files\lnzcuwd\
    
    registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "procsmartmsg"=-
    
    [-HKEY_CLASSES_ROOT\CLSID\{726DBFD0-13F2-5AB9-CEC5-04E16C1AAF0A}]
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • [image]
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#12 Nesan

  • Topic Starter

  • Members
  • 9 posts

Posted 15 August 2008 - 08:36 AM

Hi Bill,

I stopped all firewalls and virus scanners. Closed all windows and then ran ComboFix by dragging the code file onto the ComboFix icon.

Below is the ComboFix.txt file. BTW, after creating the log file, ComboFix asked to upload a file to BleepingComputer. I did that and it said to tell you that the file was uploaded successfully.

ComboFix 08-08-13.05 - Nesan 2008-08-15 9:26:19.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.493 [GMT -4:00]
Running from: C:\Documents and Settings\Nesan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nesan\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Liz\Application Data\GDIPFONTCACHEV1.DAT
C:\Documents and Settings\Nesan\mqdmbus.sys
C:\Documents and Settings\Nesan\mqdmcmnt.sys
C:\Documents and Settings\Nesan\mqdmcr.sys
C:\Documents and Settings\Nesan\mqdmmdfl.sys
C:\Documents and Settings\Nesan\mqdmmdm.sys
C:\Documents and Settings\Nesan\mqdmserd.sys
C:\Documents and Settings\Nesan\mqdmwhnt.sys
C:\Documents and Settings\Nesan\usbsermpt.sys
C:\Documents and Settings\Nesan\usbsermptxp.sys
C:\Program Files\lnzcuwd\procsmartmsg.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Liz\Application Data\GDIPFONTCACHEV1.DAT
C:\Documents and Settings\Nesan\Cookies.\nesan@edge.ru4[2].txt
C:\Documents and Settings\Nesan\mqdmbus.sys
C:\Documents and Settings\Nesan\mqdmcmnt.sys
C:\Documents and Settings\Nesan\mqdmcr.sys
C:\Documents and Settings\Nesan\mqdmmdfl.sys
C:\Documents and Settings\Nesan\mqdmmdm.sys
C:\Documents and Settings\Nesan\mqdmserd.sys
C:\Documents and Settings\Nesan\mqdmwhnt.sys
C:\Documents and Settings\Nesan\usbsermpt.sys
C:\Documents and Settings\Nesan\usbsermptxp.sys
C:\Program Files\lnzcuwd\procsmartmsg.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 )))))))))))))))))))))))))))))))
.

2008-08-01 20:16 . 2008-08-01 20:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-01 20:14 . 2008-08-01 20:14 <DIR> d-------- C:\Deckard
2008-08-01 17:20 . 2008-08-01 17:27 <DIR> d-------- C:\fixwareout
2008-08-01 16:42 . 2008-08-01 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-01 16:41 . 2008-08-01 16:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-01 16:41 . 2008-08-01 16:41 <DIR> d-------- C:\Documents and Settings\Nesan\Application Data\SUPERAntiSpyware.com
2008-08-01 16:38 . 2008-08-01 16:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-28 17:27 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-07-28 15:58 . 2008-07-28 17:38 <DIR> d-------- C:\Documents and Settings\Nesan\.housecall6.6
2008-07-28 12:20 . 2008-07-28 12:20 <DIR> d--h----- C:\WINDOWS\PIF
2008-07-28 10:14 . 2008-08-15 09:26 <DIR> d-------- C:\Program Files\lnzcuwd
2008-07-23 17:09 . 2008-04-23 00:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-23 17:09 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-23 17:09 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-23 17:09 . 2008-04-23 00:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-23 17:09 . 2008-04-23 00:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-23 17:09 . 2008-04-23 00:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-23 17:09 . 2008-04-23 00:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-23 17:09 . 2008-04-23 00:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-23 17:09 . 2008-04-22 03:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-23 15:39 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-07-23 15:39 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-07-23 15:39 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-07-23 15:39 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-07-23 15:39 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-07-23 15:39 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-07-23 15:38 . 2008-07-23 15:38 <DIR> d-------- C:\Program Files\McAfee.com
2008-07-23 15:38 . 2008-07-23 16:01 <DIR> d-------- C:\Program Files\McAfee
2008-07-23 15:38 . 2008-07-23 15:39 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-22 11:18 . 2008-07-22 11:20 <DIR> d-------- C:\Program Files\Rhapsody
2008-07-21 17:37 . 2008-07-21 17:37 <DIR> d-------- C:\Program Files\Common Files\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-15 13:23 --------- d-----w C:\Documents and Settings\Nesan\Application Data\.purple
2008-08-15 12:57 --------- d-----w C:\Documents and Settings\Nesan\Application Data\Canon
2008-08-14 12:31 3,146 ----a-w C:\WINDOWS\system32\tmp.reg
2008-08-13 16:36 --------- d-----w C:\Documents and Settings\Liz\Application Data\Canon
2008-08-13 16:35 --------- d-----w C:\Documents and Settings\Liz\Application Data\.purple
2008-07-23 19:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-23 18:58 --------- d-----w C:\Documents and Settings\Nesan\Application Data\McAfee
2008-07-22 15:19 --------- d-----w C:\Program Files\Real
2008-07-22 02:19 --------- d-----w C:\Program Files\Yahoo!
2008-07-21 21:32 41,848 ----a-w C:\Documents and Settings\Nesan\Application Data\GDIPFONTCACHEV1.DAT
2008-07-21 12:15 --------- d-----w C:\Program Files\Java
2008-07-20 16:11 --------- d-----w C:\Program Files\Apple Software Update
2008-07-16 23:58 --------- d-----w C:\Documents and Settings\Nesan\Application Data\Comcast
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\lnzcuwd\ ----

2008-07-28 10:14 102400 --a------ C:\Program Files\lnzcuwd\\procsmartmsg.dll


((((((((((((((((((((((((((((( snapshot@2008-08-14_12.32.58.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-14 14:42:23 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-15 12:00:40 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-14 14:42:23 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-15 12:00:40 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-14 14:42:23 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-15 12:00:40 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\xtras\mssysmgr.exe" [2005-05-09 19:16 192512]
"gStart"="C:\Garmin\gStart.exe" [2005-01-20 17:45 1896448]
"1&1 EasyLogin"="C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe" [2008-06-03 04:28 1540608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42 1404928]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 13:00 49152]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 19:09 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 19:10 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 19:06 77824]
"DPAgnt"="C:\Program Files\DigitalPersona\Bin\DPAgnt.exe" [2004-10-13 19:24 913408]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-09-28 16:32 169328]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 20:12 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
BTTray.lnk - C:\Program Files\DLink\Bluetooth Software\BTTray.exe [2003-10-29 18:41:58 503875]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
Pidgin.lnk - C:\Program Files\Pidgin\pidgin.exe [2008-02-29 11:19:00 44658]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
2004-10-13 19:29 102400 C:\WINDOWS\system32\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

R2 Basics Service;Basics Service;C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe [2007-09-28 16:32]
R3 dpK0Bx01;Fingerprint Reader Filter Driver;C:\WINDOWS\system32\DRIVERS\dpK0Bx01.sys [2004-08-04 17:58]
R3 UsbdpFP;Fingerprint Reader Class Driver;C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys [2004-08-04 17:59]
.
Contents of the 'Scheduled Tasks' folder

2008-08-13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-07-23 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-15 09:29:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-08-15 9:31:03
ComboFix-quarantined-files.txt 2008-08-15 13:30:00
ComboFix2.txt 2008-08-14 16:33:37

Pre-Run: 56,231,264,256 bytes free
Post-Run: 56,246,685,696 bytes free

176 --- E O F --- 2008-07-09 12:43:22


Thanks as always.

Nesan

#13 Billy O'Neal


    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 15 August 2008 - 10:14 PM

Hello, Nesan.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software; just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#14 Nesan

  • Topic Starter

  • Members
  • 9 posts

Posted 17 August 2008 - 06:41 PM

Hi Bill,

Here is the ESET Online log file:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3362 (20080817)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=62b5f21c56fb3f42afa0ee9d407ed2f4
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-08-17 10:52:23
# local_time=2008-08-17 06:52:23 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=366128
# found=4
# scan_time=5672
C:\Documents and Settings\Nesan\Application Data\Sun\Java\Deployment\cache\6.0\41\529ea6e9-6ba89260 Win32/Adware.SpySheriff application (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Nesan\Application Data\Sun\Java\Deployment\cache\6.0\41\529ea6e9-6ba89260 »ZIP »OP.class Win32/Adware.SpySheriff application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Nesan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-4b9c0e39-4bdf56d9.zip Win32/Adware.SpySheriff application (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Nesan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-4b9c0e39-4bdf56d9.zip »ZIP »OP.class Win32/Adware.SpySheriff application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000


Thanks

Nesan

#15 Billy O'Neal


    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 17 August 2008 - 07:04 PM

Hello, Nesan.
You now appear to be clean. Congratulations!

We need to remove ComboFix
  • Click START then RUN
  • Now type or copy Combofix /u in the runbox and click OK.
    Note the space between the X and the U; it needs to be there.
We need to clean up our tools.
  • Please download OTMoveIt2 by OldTimer and save it to your desktop.
  • Click the Clean Up button.
  • Accept any prompts.
  • This will remove any tools we used, including OTMoveIt, and will require a reboot.
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. Just find your country room and register your complaint.
The infections you had were "ZLOB Trojans".

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.
  • Set a New Restore Point to prevent possible reinfection from an old one.
    Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.
    You can view a video of the following instructions.
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Then go to Start > Run and type: Cleanmgr
    • Click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    Note: You should only do this once!
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector; I suggest that you run it at least once a month.
  • Make Internet Explorer more secure
    • Click Start -> Run
    • Type "Inetcpl.cpl" (without quotes) & click OK.
    • Click on the Security tab.
    • Click "Reset all zones to default level"
    • Make sure the Internet Zone is selected & click "Custom level"
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Click OK, then Apply, then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here
    You can download SpywareBlaster from here.
  • Install and use Spybot Search & Destroy
    Instructions are located here
    Make sure you update, reimmunize & scan regularly.
  • Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Microsoft Windows includes a hosts file. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in. To enable it,
    • Run Spybot Search & Destroy
    • Click the Mode button on the toolbar, and then place a tick next to Advanced mode.
    • Click Yes.
    • In the left hand pane of Spybot Search & Destroy, click on "Tools", and then on Hosts File.
    • Click on "Add Spybot-S&D hosts list"
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start -> Run.
    • Type "services.msc" (without quotes) & click OK.
    • In the list, find the service called "DNS Client" & double click on it.
    • On the dropdown box, change the setting from "Automatic" to "Manual".
    • Click OK.
    • Exit/close the Services window
    For a more detailed explanation of the HOSTS file, click here.
  • Install a-squared Free & update and scan with it regularly
    a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here.
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer, which provides some real time protection against premium rate dialers.
  • Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date!
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
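As an added illustration of the HOSTS-file blocking described in the post above (example code written for this thread, not Spybot's or BleepingComputer's own): a small Python parser for the Windows HOSTS format that reads a constructed sample containing Spybot-style blocklist entries and shows which names are short-circuited to a blackhole address before any DNS query is made. Every domain name in the sample is a constructed placeholder.

```python
"""Parse a Windows HOSTS file and show how a blocklist entry short-circuits name resolution.

Added example for this thread; not code from Spybot S&D or BleepingComputer.
The sample HOSTS content below is constructed; the domain names are placeholders.
"""
import ipaddress

# Constructed sample in the layout Windows and Spybot-S&D use:
#   <ip>  <hostname> [hostname ...]   # optional comment
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy (constructed placeholders)
127.0.0.1\tads.example-tracker.test    # constructed blocklist entry
0.0.0.0         malware-dl.example.test www.malware-dl.example.test
192.168.1.10    fileserver.lan
# End of entries inserted by Spybot - Search & Destroy
"""

# Addresses a blocklist points names at so that the connection goes nowhere.
BLACKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}
# Names that legitimately map to loopback and must not be reported as "blocked".
LOOPBACK_NAMES = {"localhost"}


def parse_hosts(text):
    """Return {hostname (lower-case): ip_string} for every valid mapping line.

    Comments (# ...) and blank lines are skipped, several hostnames may share
    one line, and this parser keeps the first mapping it sees for a name.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline comment and whitespace
        if not line:
            continue
        parts = line.split()                  # tabs and runs of spaces both separate fields
        if len(parts) < 2:
            continue                          # an address with no hostname maps nothing
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                          # malformed address: not a usable mapping
        for name in parts[1:]:
            mapping.setdefault(name.lower(), ip)
    return mapping


def resolve_with_hosts(mapping, hostname):
    """First step of name resolution: a HOSTS match is used before any DNS query."""
    return mapping.get(hostname.lower())


def is_blackholed(mapping, hostname):
    """True when the HOSTS file sends this name to a blackhole address (i.e. it is blocked)."""
    name = hostname.lower()
    if name in LOOPBACK_NAMES:
        return False
    ip = resolve_with_hosts(mapping, name)
    return ip is not None and ip in BLACKHOLE_ADDRESSES


def blocked_names(mapping):
    """Sorted list of every name the HOSTS file blocks."""
    return sorted(n for n in mapping if is_blackholed(mapping, n))


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("www.malware-dl.example.test", "fileserver.lan", "unknown.example"):
        print(name, "->", resolve_with_hosts(hosts, name), "blocked" if is_blackholed(hosts, name) else "")
    print("blocked names:", blocked_names(hosts))
```

The number of mappings `parse_hosts` returns is also what the DNS Client service has to load into its cache, which is the cause of the slowdown the note above refers to when a large blocklist is installed.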