Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Adware Alert.exe Virus Round #2


  • This topic is locked This topic is locked
34 replies to this topic

#1 Geezer Gamer

Geezer Gamer

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:05:19 AM

Posted 04 August 2008 - 11:02 PM

I apologize, posted previously right before family went on vacation, so the topic got closed before I could fully respond to the assigned person....Sorry Simon V, my bad!

Here is the new System Scan....as before I had to run the clone, couldn't get past java requirement on the live scan.



Deckard's System Scanner v20071014.68
Run by Tom on 2008-08-04 20:52:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 19.87 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-04 20:53:20
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe
C:\Program Files\Logitech\Profiler\LWEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\CTXFISPI.EXE
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\TrueSwitchEsaya\TrueWizard.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Tom\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/hws/sb/dell-inc/en/s...html?channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: {bbfd4f4d-47f7-53f9-f434-c1060ea37721} - {12773ae0-601c-434f-9f35-7f74d4f4dfbb} - C:\WINDOWS\system32\wqicka.dll
O2 - BHO: (no name) - {3E6595A7-A945-48AC-A3EF-3BD5A29ED769} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {60F7E02B-2DE0-43C7-BDEB-01960D20B68D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {E6EE3F9A-1DD3-401A-8EA8-A5F2C5366198} - (no file)
O2 - BHO: (no name) - {ED71602F-B2F6-470F-943F-0DA300E034D8} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueSwitchEsaya\TrueWizard.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Amazon Unbox.lnk = ?
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by127fd.bay127.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} () - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} () - http://www.trueswitch.com/TrueInstall.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: byXQighg - C:\WINDOWS\system32\byXQighg.dll (file missing)
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe


--
End of file - 14249 bytes

-- Files created between 2008-07-04 and 2008-08-04 -----------------------------

2008-07-21 20:06:38 0 dr-h----- C:\Documents and Settings\Tom\Recent
2008-07-19 10:55:21 0 d-------- C:\Program Files\PENDULO Studios
2008-07-17 20:43:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-16 21:03:19 102400 --a------ C:\WINDOWS\system32\wqicka.dll
2008-07-16 21:03:14 102400 --a------ C:\WINDOWS\system32\ipgfufrr.dll
2008-07-16 20:19:35 0 d-------- C:\Documents and Settings\Tom\Application Data\Malwarebytes
2008-07-16 20:19:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-16 20:19:28 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-13 14:05:14 345 --ahs---- C:\WINDOWS\system32\vvybHRqr.ini2
2008-07-13 12:18:07 716228 --ahs---- C:\WINDOWS\system32\uCfLonnn.ini2
2008-07-12 22:26:25 2107 --ahs---- C:\WINDOWS\system32\kRtvwyay.ini2
2008-07-10 16:58:35 0 d-------- C:\Documents and Settings\Megan\Application Data\DivX
2008-07-09 20:07:13 0 d-------- C:\WINDOWS\Logs
2008-07-04 07:23:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Comcast


-- Find3M Report ---------------------------------------------------------------

2008-08-04 19:55:13 0 d-------- C:\Program Files\TrueSwitchEsaya
2008-08-03 20:02:11 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-21 19:34:43 0 d-------- C:\Program Files\Ubisoft
2008-07-20 18:59:27 0 d-------- C:\Program Files\Battle of Britain II
2008-07-19 13:50:06 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-18 06:16:24 0 d-------- C:\Program Files\Java
2008-06-30 20:33:21 0 d-------- C:\Program Files\LucasArts
2008-06-30 14:27:00 54 ---h----- C:\WINDOWS\popcreg.dat
2008-06-30 14:27:00 36 --a------ C:\WINDOWS\popcinfot.dat
2008-06-28 20:41:48 0 d-------- C:\Documents and Settings\Tom\Application Data\Bioshock
2008-06-22 15:42:43 0 d-------- C:\Documents and Settings\Tom\Application Data\SiteAdvisor
2008-06-08 11:18:56 0 d-------- C:\Program Files\Pinball
2008-06-06 16:00:47 0 d-------- C:\Program Files\eGames
2008-05-10 21:24:09 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-05-10 21:24:08 114688 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12773ae0-601c-434f-9f35-7f74d4f4dfbb}]
07/16/2008 09:03 PM 102400 --a------ C:\WINDOWS\system32\wqicka.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E6595A7-A945-48AC-A3EF-3BD5A29ED769}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60F7E02B-2DE0-43C7-BDEB-01960D20B68D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6EE3F9A-1DD3-401A-8EA8-A5F2C5366198}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED71602F-B2F6-470F-943F-0DA300E034D8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [06/16/2005 05:25 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [08/24/2007 02:57 PM]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [07/11/2005 10:34 AM]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 12:00 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"SaiSmart"="C:\Program Files\Saitek\Software\SaiSmart.exe" [07/20/2004 12:03 PM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [03/16/2006 09:41 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/31/2008 11:13 PM]
"Profiler"="C:\Program Files\Saitek\Software\Profiler.exe" [07/20/2004 12:03 PM]
"nwiz"="nwiz.exe" [10/09/2007 05:36 AM C:\WINDOWS\system32\nwiz.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 01:10 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 09:44 AM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 09:44 AM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [08/20/2006 06:33 PM]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 01:01 PM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [10/05/2005 02:12 AM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 04:20 AM]
"CTxfiHlp"="CTXFIHLP.EXE" [11/08/2005 05:30 AM C:\WINDOWS\system32\CTXFIHLP.EXE]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [06/18/2003 12:00 AM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/05/2005 08:05 PM]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [08/12/2005 05:16 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 11:33 PM]
"AdwareAlert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 04:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/21/2008 08:17 PM]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [04/18/2005 12:16 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]

C:\Documents and Settings\Tom\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [10/17/2006 7:58:35 PM]
TrueAssistant.lnk - C:\Program Files\TrueSwitchEsaya\TrueWizard.exe [9/18/2007 12:54:20 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 5:44:06 AM]
Amazon Unbox.lnk - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [7/11/2007 5:25:20 PM]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [3/16/2006 9:40:47 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [3/16/2006 9:36:42 AM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [4/21/2008 8:17:06 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXQighg]
byXQighg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-08-04 20:53:46 ------------

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:19 AM

Posted 08 August 2008 - 11:50 PM

Hello Geezer Gamer,

Please download Malwarebytes' Anti-Malware from Here or Here

Disable Spybot Teatimer and Adware Alert as they will prevent MalwareBytes from working.



To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts



Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh DSS Main.txt log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediatly.

If you encounter this message:"c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5" Click on ignore mbamext.dll

Edited by SifuMike, 08 August 2008 - 11:53 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Geezer Gamer

Geezer Gamer
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:05:19 AM

Posted 09 August 2008 - 08:29 AM

Here are the two logs. Only other comment, I disabled the Spybot Tea Timer as described. The Ad Aware is what showed up after the maleware got to me. When I run Spybot it can't remove the .exe file. I can't find it to disable it, so was unable to disable it when I ran the MBAM

Thanks for the help!

Malwarebytes' Anti-Malware 1.24
Database version: 1034
Windows 5.1.2600 Service Pack 2

6:13:44 AM 8/9/2008
mbam-log-8-9-2008 (06-13-44).txt

Scan type: Quick Scan
Objects scanned: 75077
Time elapsed: 15 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\wqicka.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12773ae0-601c-434f-9f35-7f74d4f4dfbb} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{12773ae0-601c-434f-9f35-7f74d4f4dfbb} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wqicka.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ipgfufrr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.




Deckard's System Scanner v20071014.68
Run by Tom on 2008-08-09 06:19:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 19.38 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-09 06:20:05
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\WINDOWS\system32\CTXFISPI.EXE
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Profiler\LWEMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TrueSwitchEsaya\TrueWizard.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Tom\Desktop\dss.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/hws/sb/dell-inc/en/s...html?channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: (no name) - {3E6595A7-A945-48AC-A3EF-3BD5A29ED769} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {60F7E02B-2DE0-43C7-BDEB-01960D20B68D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {E6EE3F9A-1DD3-401A-8EA8-A5F2C5366198} - (no file)
O2 - BHO: (no name) - {ED71602F-B2F6-470F-943F-0DA300E034D8} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueSwitchEsaya\TrueWizard.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Amazon Unbox.lnk = ?
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by127fd.bay127.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} () - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} () - http://www.trueswitch.com/TrueInstall.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: byXQighg - C:\WINDOWS\system32\byXQighg.dll (file missing)
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe


--
End of file - 14114 bytes

-- Files created between 2008-07-09 and 2008-08-09 -----------------------------

2008-08-06 23:52:17 0 d-------- C:\Documents and Settings\Default User\Application Data\Macromedia
2008-07-21 20:06:38 0 dr-h----- C:\Documents and Settings\Tom\Recent
2008-07-19 10:55:21 0 d-------- C:\Program Files\PENDULO Studios
2008-07-17 20:43:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-16 20:19:35 0 d-------- C:\Documents and Settings\Tom\Application Data\Malwarebytes
2008-07-16 20:19:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-16 20:19:28 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-13 14:05:14 345 --ahs---- C:\WINDOWS\system32\vvybHRqr.ini2
2008-07-13 12:18:07 716228 --ahs---- C:\WINDOWS\system32\uCfLonnn.ini2
2008-07-12 22:26:25 2107 --ahs---- C:\WINDOWS\system32\kRtvwyay.ini2
2008-07-10 16:58:35 0 d-------- C:\Documents and Settings\Megan\Application Data\DivX
2008-07-09 20:07:13 0 d-------- C:\WINDOWS\Logs


-- Find3M Report ---------------------------------------------------------------

2008-08-09 06:18:43 0 d-------- C:\Program Files\TrueSwitchEsaya
2008-08-09 03:05:02 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-08-06 23:52:58 0 d-------- C:\Program Files\Google
2008-07-21 19:34:43 0 d-------- C:\Program Files\Ubisoft
2008-07-20 18:59:27 0 d-------- C:\Program Files\Battle of Britain II
2008-07-19 13:50:06 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-18 06:16:24 0 d-------- C:\Program Files\Java
2008-06-30 20:33:21 0 d-------- C:\Program Files\LucasArts
2008-06-30 14:27:00 54 ---h----- C:\WINDOWS\popcreg.dat
2008-06-30 14:27:00 36 --a------ C:\WINDOWS\popcinfot.dat
2008-06-28 20:41:48 0 d-------- C:\Documents and Settings\Tom\Application Data\Bioshock
2008-06-22 15:42:43 0 d-------- C:\Documents and Settings\Tom\Application Data\SiteAdvisor
2008-05-10 21:24:09 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-05-10 21:24:08 114688 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E6595A7-A945-48AC-A3EF-3BD5A29ED769}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60F7E02B-2DE0-43C7-BDEB-01960D20B68D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6EE3F9A-1DD3-401A-8EA8-A5F2C5366198}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED71602F-B2F6-470F-943F-0DA300E034D8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [06/16/2005 05:25 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [08/24/2007 02:57 PM]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [07/11/2005 10:34 AM]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 12:00 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"SaiSmart"="C:\Program Files\Saitek\Software\SaiSmart.exe" [07/20/2004 12:03 PM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [03/16/2006 09:41 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/31/2008 11:13 PM]
"Profiler"="C:\Program Files\Saitek\Software\Profiler.exe" [07/20/2004 12:03 PM]
"nwiz"="nwiz.exe" [10/09/2007 05:36 AM C:\WINDOWS\system32\nwiz.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 01:10 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 09:44 AM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 09:44 AM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [08/20/2006 06:33 PM]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 01:01 PM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [10/05/2005 02:12 AM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 04:20 AM]
"CTxfiHlp"="CTXFIHLP.EXE" [11/08/2005 05:30 AM C:\WINDOWS\system32\CTXFIHLP.EXE]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [06/18/2003 12:00 AM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/05/2005 08:05 PM]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [08/12/2005 05:16 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 11:33 PM]
"AdwareAlert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 04:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/21/2008 08:17 PM]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [04/18/2005 12:16 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]

C:\Documents and Settings\Tom\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [10/17/2006 7:58:35 PM]
TrueAssistant.lnk - C:\Program Files\TrueSwitchEsaya\TrueWizard.exe [9/18/2007 12:54:20 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 5:44:06 AM]
Amazon Unbox.lnk - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [7/11/2007 5:25:20 PM]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [3/16/2006 9:40:47 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [3/16/2006 9:36:42 AM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [4/21/2008 8:17:06 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXQighg]
byXQighg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-08-09 06:20:56 ------------

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:19 AM

Posted 09 August 2008 - 11:05 AM

Hi Geezer Gamer,

Only other comment, I disabled the Spybot Tea Timer as described. The Ad Aware is what showed up after the maleware got to me.



When I run Spybot it can't remove the .exe file. I can't find it to disable it, so was unable to disable it when I ran the MBAM


You lost me. :) What exe file are you talking about? I did not ask you to disable any files.



Please uninstall Ad Aware, as that will also get rid of Ad Watch. AdWatch and Teatimer will stop MalwareBytes from working. :thumbsup:

You can reinstall AdAware (and AdWatch) after we have your computer clean.

Now run MalwareBytes again and post its report, then run DSS Main.txt log.

Edited by SifuMike, 09 August 2008 - 11:07 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Geezer Gamer

Geezer Gamer
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:05:19 AM

Posted 09 August 2008 - 06:39 PM

"Disable Spybot Teatimer and Adware Alert as they will prevent MalwareBytes from working.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts"



The quote above was from your first e-mail...it gave me instructions to disable Spybots Teatimer before I ran Malwarebytes Anti Malwere. I followed instructions above and was able to do that


My comment on Adware Alert may have been confusing...in the past everytime I ran Spybots it ran into a file that it could not remove called "Adware Alert.exe" .....this may be unuseful information because now when I run Spybot it comes up clean. None of this has anything to do with your current instructions

best of my knowledge I don't have a program called "Adware Alter" installed, I can't see it under may "Add or Remove" programs in the control panel.

I do have Mcaffee SecurityCenter installed, should I be removing that?

Here is my current scan. It is looking cleaner and I am not seeing as much "hijacking" going on when I am on the internet. Maybe we are having success?

Malwarebytes' Anti-Malware 1.24
Database version: 1034
Windows 5.1.2600 Service Pack 2

4:25:05 PM 8/9/2008
mbam-log-8-9-2008 (16-25-05).txt

Scan type: Quick Scan
Objects scanned: 74992
Time elapsed: 14 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Deckard's System Scanner v20071014.68
Run by Tom on 2008-08-09 16:26:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-09 16:26:21
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\WINDOWS\system32\CTXFISPI.EXE
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Logitech\Profiler\LWEMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\TrueSwitchEsaya\TrueWizard.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Tom\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/hws/sb/dell-inc/en/s...html?channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: (no name) - {3E6595A7-A945-48AC-A3EF-3BD5A29ED769} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {60F7E02B-2DE0-43C7-BDEB-01960D20B68D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {E6EE3F9A-1DD3-401A-8EA8-A5F2C5366198} - (no file)
O2 - BHO: (no name) - {ED71602F-B2F6-470F-943F-0DA300E034D8} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueSwitchEsaya\TrueWizard.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by127fd.bay127.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} () - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} () - http://www.trueswitch.com/TrueInstall.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: byXQighg - C:\WINDOWS\system32\byXQighg.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe


--
End of file - 13747 bytes

-- Files created between 2008-07-09 and 2008-08-09 -----------------------------

2008-08-09 06:36:33 0 dr-h----- C:\Documents and Settings\Tom\Recent
2008-08-06 23:52:17 0 d-------- C:\Documents and Settings\Default User\Application Data\Macromedia
2008-07-19 10:55:21 0 d-------- C:\Program Files\PENDULO Studios
2008-07-17 20:43:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-16 20:19:35 0 d-------- C:\Documents and Settings\Tom\Application Data\Malwarebytes
2008-07-16 20:19:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-16 20:19:28 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-13 14:05:14 345 --ahs---- C:\WINDOWS\system32\vvybHRqr.ini2
2008-07-13 12:18:07 716228 --ahs---- C:\WINDOWS\system32\uCfLonnn.ini2
2008-07-12 22:26:25 2107 --ahs---- C:\WINDOWS\system32\kRtvwyay.ini2
2008-07-10 16:58:35 0 d-------- C:\Documents and Settings\Megan\Application Data\DivX
2008-07-09 20:07:13 0 d-------- C:\WINDOWS\Logs


-- Find3M Report ---------------------------------------------------------------

2008-08-09 15:30:56 0 d-------- C:\Program Files\TrueSwitchEsaya
2008-08-09 10:06:15 0 d-------- C:\Program Files\Ubisoft
2008-08-09 10:05:47 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-09 10:04:44 0 d-------- C:\Documents and Settings\Tom\Application Data\Lionhead Studios
2008-08-09 10:02:19 0 d-------- C:\Program Files\LucasArts
2008-08-09 10:00:47 0 d-------- C:\Program Files\GemMaster
2008-08-09 09:58:55 0 d-------- C:\Program Files\Activision
2008-08-09 03:05:02 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-08-06 23:52:58 0 d-------- C:\Program Files\Google
2008-07-20 18:59:27 0 d-------- C:\Program Files\Battle of Britain II
2008-07-18 06:16:24 0 d-------- C:\Program Files\Java
2008-06-30 14:27:00 54 ---h----- C:\WINDOWS\popcreg.dat
2008-06-30 14:27:00 36 --a------ C:\WINDOWS\popcinfot.dat
2008-06-28 20:41:48 0 d-------- C:\Documents and Settings\Tom\Application Data\Bioshock
2008-06-22 15:42:43 0 d-------- C:\Documents and Settings\Tom\Application Data\SiteAdvisor
2008-05-10 21:24:09 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-05-10 21:24:08 114688 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E6595A7-A945-48AC-A3EF-3BD5A29ED769}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60F7E02B-2DE0-43C7-BDEB-01960D20B68D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6EE3F9A-1DD3-401A-8EA8-A5F2C5366198}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED71602F-B2F6-470F-943F-0DA300E034D8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [06/16/2005 05:25 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [08/24/2007 02:57 PM]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [07/11/2005 10:34 AM]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 12:00 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"SaiSmart"="C:\Program Files\Saitek\Software\SaiSmart.exe" [07/20/2004 12:03 PM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [03/16/2006 09:41 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/31/2008 11:13 PM]
"Profiler"="C:\Program Files\Saitek\Software\Profiler.exe" [07/20/2004 12:03 PM]
"nwiz"="nwiz.exe" [10/09/2007 05:36 AM C:\WINDOWS\system32\nwiz.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 01:10 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 09:44 AM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 09:44 AM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [08/20/2006 06:33 PM]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 01:01 PM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [10/05/2005 02:12 AM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 04:20 AM]
"CTxfiHlp"="CTXFIHLP.EXE" [11/08/2005 05:30 AM C:\WINDOWS\system32\CTXFIHLP.EXE]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [06/18/2003 12:00 AM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/05/2005 08:05 PM]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [08/12/2005 05:16 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 11:33 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 04:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/21/2008 08:17 PM]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [04/18/2005 12:16 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]

C:\Documents and Settings\Tom\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [10/17/2006 7:58:35 PM]
TrueAssistant.lnk - C:\Program Files\TrueSwitchEsaya\TrueWizard.exe [9/18/2007 12:54:20 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 5:44:06 AM]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [3/16/2006 9:40:47 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [3/16/2006 9:36:42 AM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [4/21/2008 8:17:06 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXQighg]
byXQighg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

*Newly Created Service* - MBAMSWISSARMY



-- End of Deckard's System Scanner: finished at 2008-08-09 16:26:54 ------------

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:19 AM

Posted 09 August 2008 - 07:04 PM

best of my knowledge I don't have a program called "Adware Alter" installed, I can't see it under may "Add or Remove" programs in the control panel.


Yes, you have Adware Alert.
I see it here:

O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot



If you have Adaware Plus then it automatically installs Adware Alert.

See if this works:
Disable Ad-Aware Ad-Watch or it will interfere.
1. Right click on the Ad-Watch icon in the system tray.
2. At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
3. Uncheck both of those boxes.


I do have Mcaffee SecurityCenter installed, should I be removing that?



No.


Now run MalwareBytes again and post its report, then run DSS Main.txt log.

Edited by SifuMike, 15 August 2008 - 12:31 PM.
typo

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Geezer Gamer

Geezer Gamer
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:05:19 AM

Posted 10 August 2008 - 10:10 AM

Here are the updated logs

AdwareAlert.exe is now gone from O4-HKLM

I am no longer experiencing the hijacking during internet use

Malwarebytes' Anti-Malware 1.24
Database version: 1034
Windows 5.1.2600 Service Pack 2

8:03:12 AM 8/10/2008
mbam-log-8-10-2008 (08-03-12).txt

Scan type: Quick Scan
Objects scanned: 77169
Time elapsed: 18 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Deckard's System Scanner v20071014.68
Run by Tom on 2008-08-10 08:03:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-10 08:03:35
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\CTXFISPI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Profiler\LWEMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\TrueSwitchEsaya\TrueWizard.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Tom\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/hws/sb/dell-inc/en/s...html?channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: (no name) - {3E6595A7-A945-48AC-A3EF-3BD5A29ED769} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {60F7E02B-2DE0-43C7-BDEB-01960D20B68D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {E6EE3F9A-1DD3-401A-8EA8-A5F2C5366198} - (no file)
O2 - BHO: (no name) - {ED71602F-B2F6-470F-943F-0DA300E034D8} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueSwitchEsaya\TrueWizard.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://a2asimulations.com (HKCU)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by127fd.bay127.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} () - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} () - http://www.trueswitch.com/TrueInstall.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: byXQighg - C:\WINDOWS\system32\byXQighg.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe


--
End of file - 14136 bytes

-- Files created between 2008-07-10 and 2008-08-10 -----------------------------

2008-08-09 06:36:33 0 dr-h----- C:\Documents and Settings\Tom\Recent
2008-08-06 23:52:17 0 d-------- C:\Documents and Settings\Default User\Application Data\Macromedia
2008-07-19 10:55:21 0 d-------- C:\Program Files\PENDULO Studios
2008-07-17 20:43:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-16 20:19:35 0 d-------- C:\Documents and Settings\Tom\Application Data\Malwarebytes
2008-07-16 20:19:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-16 20:19:28 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-13 14:05:14 345 --ahs---- C:\WINDOWS\system32\vvybHRqr.ini2
2008-07-13 12:18:07 716228 --ahs---- C:\WINDOWS\system32\uCfLonnn.ini2
2008-07-12 22:26:25 2107 --ahs---- C:\WINDOWS\system32\kRtvwyay.ini2
2008-07-10 16:58:35 0 d-------- C:\Documents and Settings\Megan\Application Data\DivX


-- Find3M Report ---------------------------------------------------------------

2008-08-10 05:39:32 0 d-------- C:\Program Files\TrueSwitchEsaya
2008-08-09 10:06:15 0 d-------- C:\Program Files\Ubisoft
2008-08-09 10:05:47 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-09 10:04:44 0 d-------- C:\Documents and Settings\Tom\Application Data\Lionhead Studios
2008-08-09 10:02:19 0 d-------- C:\Program Files\LucasArts
2008-08-09 10:00:47 0 d-------- C:\Program Files\GemMaster
2008-08-09 09:58:55 0 d-------- C:\Program Files\Activision
2008-08-09 03:05:02 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-08-06 23:52:58 0 d-------- C:\Program Files\Google
2008-07-20 18:59:27 0 d-------- C:\Program Files\Battle of Britain II
2008-07-18 06:16:24 0 d-------- C:\Program Files\Java
2008-06-30 14:27:00 54 ---h----- C:\WINDOWS\popcreg.dat
2008-06-30 14:27:00 36 --a------ C:\WINDOWS\popcinfot.dat
2008-06-28 20:41:48 0 d-------- C:\Documents and Settings\Tom\Application Data\Bioshock
2008-06-22 15:42:43 0 d-------- C:\Documents and Settings\Tom\Application Data\SiteAdvisor
2008-05-10 21:24:09 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-05-10 21:24:08 114688 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E6595A7-A945-48AC-A3EF-3BD5A29ED769}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60F7E02B-2DE0-43C7-BDEB-01960D20B68D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6EE3F9A-1DD3-401A-8EA8-A5F2C5366198}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED71602F-B2F6-470F-943F-0DA300E034D8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [06/16/2005 05:25 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [08/24/2007 02:57 PM]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [07/11/2005 10:34 AM]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 12:00 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"SaiSmart"="C:\Program Files\Saitek\Software\SaiSmart.exe" [07/20/2004 12:03 PM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [03/16/2006 09:41 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/31/2008 11:13 PM]
"Profiler"="C:\Program Files\Saitek\Software\Profiler.exe" [07/20/2004 12:03 PM]
"nwiz"="nwiz.exe" [10/09/2007 05:36 AM C:\WINDOWS\system32\nwiz.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 01:10 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 09:44 AM]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 09:44 AM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [08/20/2006 06:33 PM]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 01:01 PM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [10/05/2005 02:12 AM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 04:20 AM]
"CTxfiHlp"="CTXFIHLP.EXE" [11/08/2005 05:30 AM C:\WINDOWS\system32\CTXFIHLP.EXE]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [06/18/2003 12:00 AM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/05/2005 08:05 PM]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [08/12/2005 05:16 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 11:33 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 04:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/21/2008 08:17 PM]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [04/18/2005 12:16 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]

C:\Documents and Settings\Tom\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [10/17/2006 7:58:35 PM]
TrueAssistant.lnk - C:\Program Files\TrueSwitchEsaya\TrueWizard.exe [9/18/2007 12:54:20 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 5:44:06 AM]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [3/16/2006 9:40:47 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [3/16/2006 9:36:42 AM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [4/21/2008 8:17:06 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXQighg]
byXQighg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73c03fac-d280-11db-ba5b-806d6172696f}]
open\command- "C:\Program Files\Creative\MediaSource\CTCMS.exe" /T=CLASSKEY_AudioCD IN %L PlayNow

*Newly Created Service* - MBAMSWISSARMY



-- End of Deckard's System Scanner: finished at 2008-08-10 08:04:29 ------------

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:19 AM

Posted 10 August 2008 - 01:08 PM

Hi Geezer Gamer,

Sad to say you still have a Vundo infection. :thumbsup: Not to worry, we will soon remove it.

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your McAfee Antivirus, Ad-Aware Ad-Watch and Spybot Teatimer before running ComboFix, as they will prevent it from running.

Disable Ad-Aware Ad-Watch or it will interfere.
1. Right click on the Ad-Watch icon in the system tray.
2. At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
3. Uncheck both of those boxes.


To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
It is a simple procedure that will only take a few moments of your time. It is our safety net.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an instable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

Edited by SifuMike, 10 August 2008 - 01:12 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Geezer Gamer

Geezer Gamer
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:05:19 AM

Posted 11 August 2008 - 10:49 PM

I am being very cautious about this next step ( much bold text and warnings in your instructions)

I do not have recovery disks so I am following the instruction for Windows XP users without recover disks. I downloaded the Windows XP program for my operating system ( I am running Windows XP Media Center Edition Service Pack 2 ) I assume I use the "home" edition from the download page, there is no Media Center Edition there
The file on my desktop is called "WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe"

When I drag the Windows icon over ComboFix and let the mouse button go , I get the windows prompt asking me if I want to run Combo Fix .exe. I say yes and once the program is installed the small blue screen comes up and then the final prompt up asking me it I want to do the scan.

I get no prompt that tells me that the Windows Recovery System was installed. I did not run the scan yet but I did reboot and I don't see the screen with the option to use the Recovery Console

Maybe by not running the scan the Window Recovery System was not installed, but again I am being cautious and I see no evidence that it is installed.

Am I misreading the instruction?.... once I drag and drop the Windows file, should I authorize the Combo fix program to run, and proceed with the scan?

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:19 AM

Posted 12 August 2008 - 12:45 AM

Hi,


It is always good to ask. :thumbsup:


Am I misreading the instruction?.... once I drag and drop the Windows file, should I authorize the Combo fix program to run, and proceed with the scan?


I assume I use the "home" edition from the download page, there is no Media Center Edition there



XP Media Center Edition is based on XP Pro. So, the one from Windows XP Professional SP2 would be the correct one.
That is the one you want to drag and drop, then authorize ComboFix to run and proceed with the scan.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 Geezer Gamer

Geezer Gamer
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:05:19 AM

Posted 12 August 2008 - 09:47 PM

Here it tis.......



ComboFix 08-08-12.01 - Tom 2008-08-12 19:19:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1519 [GMT -7:00]
Running from: C:\Documents and Settings\Tom\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tom\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Megan\Application Data\macromedia\Flash Player\#SharedObjects\UBBZQGVX\interclick.com
C:\Documents and Settings\Megan\Application Data\macromedia\Flash Player\#SharedObjects\UBBZQGVX\interclick.com\ud.sol
C:\Documents and Settings\Megan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Megan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Rachel\Application Data\macromedia\Flash Player\#SharedObjects\XNXPF4ZP\interclick.com
C:\Documents and Settings\Rachel\Application Data\macromedia\Flash Player\#SharedObjects\XNXPF4ZP\interclick.com\ud.sol
C:\Documents and Settings\Rachel\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Rachel\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Robyn\Application Data\macromedia\Flash Player\#SharedObjects\Q8XHD7TU\interclick.com
C:\Documents and Settings\Robyn\Application Data\macromedia\Flash Player\#SharedObjects\Q8XHD7TU\interclick.com\ud.sol
C:\Documents and Settings\Robyn\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Robyn\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Tom\Application Data\macromedia\Flash Player\#SharedObjects\NF7T7QGQ\interclick.com
C:\Documents and Settings\Tom\Application Data\macromedia\Flash Player\#SharedObjects\NF7T7QGQ\interclick.com\ud.sol
C:\Documents and Settings\Tom\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Tom\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\kRtvwyay.ini2
C:\WINDOWS\system32\lujolqkj.ini
C:\WINDOWS\system32\lybdewsv.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\moxpqycb.ini
C:\WINDOWS\system32\phqocnlw.ini
C:\WINDOWS\system32\uCfLonnn.ini2
C:\WINDOWS\system32\vvybHRqr.ini2
C:\WINDOWS\system32\xtvctamg.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.

2008-08-09 12:06 . 2008-08-12 19:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-09 12:06 . 2008-08-09 12:06 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-09 05:54 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-19 10:55 . 2008-08-09 10:04 <DIR> d-------- C:\Program Files\PENDULO Studios
2008-07-18 06:45 . 2008-07-18 06:45 <DIR> d-------- C:\Deckard
2008-07-18 06:16 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-17 20:43 . 2008-07-17 20:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-16 20:19 . 2008-08-09 05:54 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-16 20:19 . 2008-07-16 20:19 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Malwarebytes
2008-07-16 20:19 . 2008-07-16 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-16 20:19 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-15 17:33 . 2008-08-08 11:49 268 --ah----- C:\sqmdata03.sqm
2008-07-15 17:33 . 2008-08-08 11:49 244 --ah----- C:\sqmnoopt03.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 00:37 --------- d-----w C:\Program Files\TrueSwitchEsaya
2008-08-12 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-11 03:01 --------- d-----w C:\Program Files\Battle of Britain II
2008-08-09 17:06 --------- d-----w C:\Program Files\Ubisoft
2008-08-09 17:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-09 17:04 --------- d-----w C:\Documents and Settings\Tom\Application Data\Lionhead Studios
2008-08-09 17:02 --------- d-----w C:\Program Files\LucasArts
2008-08-09 17:00 --------- d-----w C:\Program Files\GemMaster
2008-08-09 16:58 --------- d-----w C:\Program Files\Activision
2008-08-09 16:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Amazon
2008-08-09 13:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-07 06:52 --------- d-----w C:\Program Files\Google
2008-08-05 19:31 --------- d-----w C:\Documents and Settings\Megan\Application Data\SiteAdvisor
2008-07-18 13:16 --------- d-----w C:\Program Files\Java
2008-07-15 05:33 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-10 23:58 --------- d-----w C:\Documents and Settings\Megan\Application Data\DivX
2008-07-04 14:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comcast
2008-06-29 03:41 --------- d-----w C:\Documents and Settings\Tom\Application Data\Bioshock
2008-06-22 22:42 --------- d-----w C:\Documents and Settings\Tom\Application Data\SiteAdvisor
2008-02-06 04:31 152 --sh--r C:\WINDOWS\system32\CBA3FF2C29.sys
2008-02-06 04:31 6,686 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-21 20:17 68856]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [2005-04-18 12:16 73728]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 17:25 49152]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 14:57 36640]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 10:34 122880]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SaiSmart"="C:\Program Files\Saitek\Software\SaiSmart.exe" [2004-07-20 12:03 98304]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-03-16 09:41 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"Profiler"="C:\Program Files\Saitek\Software\Profiler.exe" [2004-07-20 12:03 159744]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44 249856]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-20 18:33 169984]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01 67584]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 02:12 94208]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 04:20 122940]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 00:00 45056]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 20:05 344064]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 17:16 1121792]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"nwiz"="nwiz.exe" [2007-10-09 05:36 1626112 C:\WINDOWS\system32\nwiz.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-11-08 05:30 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

C:\Documents and Settings\Tom\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2006-10-17 19:58:35 256000]
TrueAssistant.lnk - C:\Program Files\TrueSwitchEsaya\TrueWizard.exe [2007-09-18 00:54:20 1028096]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-03-16 09:40:47 156784]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-03-16 09:36:42 24576]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-21 20:17:06 124400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"=
"C:\\Program Files\\Call of Duty Game of the Year Edition\\CoDUOMP.exe"=
"C:\\Program Files\\Ubi Soft\\IL-2 Sturmovik Forgotten Battles\\il2fb.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Documents and Settings\\Tom\\Desktop\\dss.exe"=
"C:\\Deckard\\System Scanner\\20080718065239\\backup\\DOCUME~1\\Tom\\LOCALS~1\\Temp\\ICD1.tmp\\jinstall.exe"=

R0 pe3ah4nc;DiRT Environment Driver (pe3ah4nc);C:\WINDOWS\system32\drivers\pe3ah4nc.sys [2007-08-17 10:34]
R0 ps7ah4nc;DiRT Synchronization Driver (ps7ah4nc);C:\WINDOWS\system32\drivers\ps7ah4nc.sys [2007-08-17 10:34]
R3 chdrvr01;CH Control Manager Driver 1;C:\WINDOWS\system32\DRIVERS\chdrvr01.sys [2004-09-13 23:43]
R3 chdrvr02;CH Control Manager Driver 2;C:\WINDOWS\system32\DRIVERS\chdrvr02.sys [2001-10-29 23:39]
R3 chdrvr03;CH Control Manager Driver 3;C:\WINDOWS\system32\DRIVERS\chdrvr03.sys [2001-10-29 23:39]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2005-11-08 05:15]
R3 NPUSB;NPUSB;C:\WINDOWS\system32\DRIVERS\npusb.sys [2006-12-06 17:20]
S2 pr2ah4nc;DiRT Drivers Auto Removal (pr2ah4nc);C:\WINDOWS\system32\pr2ah4nc.exe svc []
S3 imhidusb;Immersion's HID USB Driver;C:\WINDOWS\system32\DRIVERS\imhidusb.sys [2004-08-16 06:36]
S3 SaiHFFB5;SaiHFFB5;C:\WINDOWS\system32\DRIVERS\SaiHFFB5.sys [2004-08-16 06:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-07-12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-08-13 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2008-06-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-07-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3E6595A7-A945-48AC-A3EF-3BD5A29ED769} - (no file)
BHO-{60F7E02B-2DE0-43C7-BDEB-01960D20B68D} - (no file)
BHO-{E6EE3F9A-1DD3-401A-8EA8-A5F2C5366198} - (no file)
Notify-byXQighg - byXQighg.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-12 19:34:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6261\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\CTXFISPI.EXE
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-08-12 19:40:59 - machine was rebooted [Tom]
ComboFix-quarantined-files.txt 2008-08-13 02:40:54

Pre-Run: 35,739,504,640 bytes free
Post-Run: 37,367,009,280 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

233 --- E O F --- 2007-12-24 14:53:04

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:19 AM

Posted 12 August 2008 - 10:02 PM

Hi,

Looks good so far. :thumbsup: Lets check deeper.

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 Geezer Gamer

Geezer Gamer
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:05:19 AM

Posted 12 August 2008 - 10:47 PM

I have the same problem with this online scanner that I had with the Hijack This scan. It requires a version of 1.5 or better for Java and I have version 1.60, but scan won't run. The Accept button is not highlited

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:19 AM

Posted 12 August 2008 - 10:55 PM

Hi,


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u7-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:19 AM

Posted 12 August 2008 - 11:03 PM

Then Test Your ActiveX Installation at PCPitStop

http://www.pcpitstop.com/testax.asp
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users