Infected With System 32\boaxe.dll


This topic is locked
21 replies to this topic

#1 Mariannjackson (Members, 16 posts)

Posted 17 August 2008 - 04:43 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:58 PM, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fxssvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070420
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070420
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D2C2594-57B3-4464-9161-7B3764AEAA15} - C:\WINDOWS\system32\ccfgntm.dll
O2 - BHO: (no name) - {301BCB41-282C-4A3E-8255-3B7B311A2E91} - c:\windows\system32\drmclieni.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Act.Outlook.Service] "C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe"
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\ACT for Windows\ActSage.exe" -preload
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Canon PC1200 iC D700 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://server1/connectcomputer/nshelp.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher) - http://playgames.comcast.net/online2/myste...mesLauncher.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/...gr.cab31267.cab
O16 - DPF: {A219C6A1-B503-42A9-95DC-A84B2CC1231F} (AtlAsianataCtlAttrib Class) - http://playgames.comcast.net/online2/asianata/asianata.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://playgames.comcast.net/Gameshell/Gam...ronGameHost.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://playgames.comcast.net/online2/mahjo...ameLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = summit1.local
O17 - HKLM\Software\..\Telephony: DomainName = summit1.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = summit1.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = summit1.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = summit1.local
O20 - Winlogon Notify: cdcemjuo - C:\WINDOWS\SYSTEM32\drmclieni.dll
O23 - Service: ACT! Scheduler - Sage Software SB, Inc - C:\Program Files\ACT\ACT for Windows\Act.Scheduler.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12819 bytes
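Added example, not part of the thread and not Trend Micro's tooling: a small Python triage script that parses the O2 (BHO), O4 (Run key), O20 (Winlogon Notify) and O23 (Service) line shapes of a HijackThis v2 log, flags the entries an analyst reviews first (unnamed BHOs, Winlogon Notify packages, Run entries with a bare file name, services with an unknown owner), and correlates a DLL that appears under more than one load point, as drmclieni.dll does in the log above. The regexes, severity labels and heuristics are this example's own assumptions; the sample lines are a constructed subset copied from the posted log.

```python
"""Triage helper for HijackThis v2 log lines (added example; not part of the thread)."""
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed sample: a subset of the HijackThis lines posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D2C2594-57B3-4464-9161-7B3764AEAA15} - C:\WINDOWS\system32\ccfgntm.dll
O2 - BHO: (no name) - {301BCB41-282C-4A3E-8255-3B7B311A2E91} - c:\windows\system32\drmclieni.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: cdcemjuo - C:\WINDOWS\SYSTEM32\drmclieni.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

# Line shapes for the entry types handled here (regexes are this example's own, not HijackThis's).
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.+)$")
PARSERS = (("O2", RE_O2), ("O4", RE_O4), ("O20", RE_O20), ("O23", RE_O23))


class Finding(NamedTuple):
    severity: str   # "high" or "low" (labels are this example's own convention)
    entry: str      # HijackThis entry type(s) the finding came from
    reason: str
    target: str     # path, command token or module name the finding is about


def parse_line(line):
    """Return (entry_type, fields) for a supported line, or None for anything else."""
    for kind, rx in PARSERS:
        m = rx.match(line)
        if m:
            return kind, m.groupdict()
    return None


def module_name(path):
    """File name of a Windows path, lower-cased so SYSTEM32/system32 spellings compare equal."""
    return path.strip().strip('"').lower().rsplit("\\", 1)[-1]


def o4_image(cmd):
    """First token of a Run-key command: the quoted image path, or the bare first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(log_text):
    """Parse a HijackThis log and return the findings an analyst would review first."""
    findings = []
    load_points = defaultdict(set)  # module file name -> entry types that load it
    for raw in log_text.splitlines():
        line = raw.strip()
        parsed = parse_line(line) if line else None
        if parsed is None:
            continue
        kind, f = parsed
        if kind == "O2":
            load_points[module_name(f["path"])].add("O2")
            if f["name"] == "(no name)":
                findings.append(Finding("high", "O2", "unnamed BHO loaded by Internet Explorer", f["path"]))
        elif kind == "O20":
            # Winlogon Notify packages are loaded by winlogon.exe, outside any user session.
            load_points[module_name(f["path"])].add("O20")
            findings.append(Finding("high", "O20", f"Winlogon Notify package '{f['name']}'", f["path"]))
        elif kind == "O4":
            image = o4_image(f["cmd"])
            if "\\" not in image:
                findings.append(Finding("low", "O4", "Run entry uses a bare file name resolved via the search path", image))
        elif kind == "O23":
            if f["vendor"] == "Unknown owner":
                findings.append(Finding("low", "O23", "service binary has no recorded owner/vendor", f["path"]))
    # Cross-entry correlation: one DLL registered under more than one load point.
    for module, kinds in load_points.items():
        if len(kinds) > 1:
            findings.append(Finding("high", "+".join(sorted(kinds)),
                                    "same DLL registered under multiple load points", module))
    return findings


def severity_counts(findings):
    """Number of findings per severity label."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.severity] += 1
    return dict(counts)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:4}] {f.entry:6} {f.reason}: {f.target}")
    print(severity_counts(results))
```

On the sample above the script reports two unnamed BHOs, the cdcemjuo Winlogon Notify package, and the fact that drmclieni.dll is registered both as a BHO and as a Notify package; the Run-key and service notes are low-severity prompts to check the on-disk file, not verdicts.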


#2 steamwiz (Members, 1,039 posts)

Posted 18 August 2008 - 06:23 PM

Hi

Download Deckard's System Scanner (formerly Comboscan) to your Desktop.

Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
5. Then do the same with extra.txt

Note: you'll find extra.txt here :- C:\Deckard\System Scanner\extra.txt

Please remember to post both txt files ...


Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

THEN ..

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Once finished, save the log to your Desktop as filename KAV.txt.
THEN ...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.


steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#3 Mariannjackson (Topic Starter, Members, 16 posts)

Posted 20 August 2008 - 07:06 PM

Below are the results of the Kaspersky scan and the Malwarebytes scan.



KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, August 20, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, August 20, 2008 23:42:08
Records in database: 1116095
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
S:\

Scan statistics:
Files scanned: 78889
Threat name: 3
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 01:10:34


File name / Threat name / Threats count
C:\WINDOWS\system32\ccfgntm.dll//PE_Patch.UPX//UPX/C:\WINDOWS\system32\ccfgntm.dll//PE_Patch.UPX//UPX Infected: Rootkit.Win32.Podnuha.aks 1
C:\Documents and Settings\gregg jackson\Local Settings\Temporary Internet Files\Content.IE5\E4FNLO08\index[1].js Infected: Trojan-Downloader.JS.Agent.cln 1
C:\Documents and Settings\gregg jackson\Local Settings\Temporary Internet Files\Content.IE5\GZHPIXG6\index[1].js Infected: Trojan-Downloader.JS.Agent.cln 1
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b 1
C:\WINDOWS\system32\ccfgntm.dll Infected: Rootkit.Win32.Podnuha.aks 1

The selected area was scanned.






Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 3

7:02:06 PM 8/20/2008
mbam-log-08-20-2008 (19-02-06).txt

Scan type: Quick Scan
Objects scanned: 63569
Time elapsed: 7 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 8
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Products\rdomain (Rogue.PCVirusless) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Products\prodname (Rogue.PCVirusless) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Products\compname (Rogue.PCVirusless) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\AppCert (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMonitor (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMonitor\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\gregg jackson\Application Data\AVSystemCare (Rogue.AVSystemcare) -> Quarantined and deleted successfully.
C:\Documents and Settings\gregg jackson\Application Data\AVSystemCare\Logs (Rogue.AVSystemcare) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AppCert\filter.drv (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AppCert\options.dat (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\gregg jackson\Application Data\AVSystemCare\avtasks.dat (Rogue.AVSystemcare) -> Quarantined and deleted successfully.
C:\Documents and Settings\gregg jackson\Application Data\AVSystemCare\Logs\av.log (Rogue.AVSystemcare) -> Quarantined and deleted successfully.
C:\Documents and Settings\gregg jackson\Application Data\AVSystemCare\Logs\ga6Support.log (Rogue.AVSystemcare) -> Quarantined and deleted successfully.
C:\Documents and Settings\gregg jackson\Application Data\AVSystemCare\Logs\update.log (Rogue.AVSystemcare) -> Quarantined and deleted successfully.

#4 steamwiz (Members, 1,039 posts)

Posted 21 August 2008 - 07:13 PM

Hi

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#5 Mariannjackson (Topic Starter, Members, 16 posts)

Posted 23 August 2008 - 03:52 PM

Below is the ComboFix log:

ComboFix 08-08-21.02 - Gregg J 2008-08-23 15:45:15.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1571 [GMT -5:00]
Running from: C:\Documents and Settings\gregg jackson\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

2008-08-20 18:45 . 2008-08-20 18:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-20 18:45 . 2008-08-20 18:45 <DIR> d-------- C:\Documents and Settings\gregg jackson\Application Data\Malwarebytes
2008-08-20 18:45 . 2008-08-20 18:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-20 18:45 . 2008-08-17 15:01 38,472 --------- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-20 18:45 . 2008-08-17 15:01 17,144 --------- C:\WINDOWS\system32\drivers\mbam.sys
2008-08-18 23:12 . 2008-08-18 23:12 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-18 23:12 . 2008-08-18 23:12 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-18 23:12 . 2008-08-18 23:12 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-18 23:10 . 2008-08-18 23:10 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-16 23:24 . 2008-08-16 23:23 102,664 --------- C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-16 23:23 . 2008-08-16 23:31 <DIR> d-------- C:\Documents and Settings\gregg jackson\.housecall6.6
2008-08-16 22:57 . 2008-08-16 22:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-16 21:29 . 2008-08-16 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-16 20:43 . 2008-04-13 19:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2008-08-16 20:42 . 2008-04-13 19:11 397,312 --------- C:\WINDOWS\system32\mmcex.dll
2008-08-16 20:41 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-08-16 20:40 . 2008-04-13 19:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-08-14 13:22 . 2008-05-01 09:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 13:21 . 2008-04-11 14:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-12 19:34 . 2008-08-12 19:37 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-08-12 19:18 . 2008-08-12 19:21 <DIR> d-------- C:\89528ce51dc741734e6e
2008-08-12 18:50 . 2008-08-12 18:50 <DIR> d-------- C:\Program Files\Digital Locker Assistant
2008-08-10 21:24 . 2008-08-10 21:24 <DIR> d-------- C:\Program Files\Sun
2008-08-10 21:24 . 2008-06-10 02:32 73,728 --------- C:\WINDOWS\system32\javacpl.cpl
2008-08-10 21:15 . 2008-08-10 21:15 <DIR> d-------- C:\Program Files\Windows Defender
2008-08-10 19:54 . 2008-08-10 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-08-10 19:52 . 2008-08-10 19:52 61,224 --------- C:\Documents and Settings\gregg jackson\GoToAssistDownloadHelper.exe
2008-08-10 19:45 . 2008-08-10 19:45 <DIR> d-------- C:\Documents and Settings\gregg jackson\Application Data\McAfee
2008-08-10 17:24 . 2008-08-23 15:40 8,701 --a------ C:\WINDOWS\system32\Config.MPF
2008-08-10 17:23 . 2006-03-03 08:07 143,360 --------- C:\WINDOWS\system32\dunzip32.dll
2008-08-10 17:21 . 2007-11-22 06:44 201,320 --------- C:\WINDOWS\system32\drivers\mfehidk.sys
2008-08-10 17:21 . 2007-07-13 06:20 113,952 --------- C:\WINDOWS\system32\drivers\Mpfp.sys
2008-08-10 17:21 . 2007-11-22 06:44 79,304 --------- C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-08-10 17:21 . 2007-12-02 12:51 40,488 --------- C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-08-10 17:21 . 2007-11-22 06:44 35,240 --------- C:\WINDOWS\system32\drivers\mfebopk.sys
2008-08-10 17:21 . 2007-11-22 06:44 33,832 --------- C:\WINDOWS\system32\drivers\mferkdk.sys
2008-08-10 17:20 . 2008-08-10 17:20 <DIR> d-------- C:\Program Files\McAfee.com
2008-08-10 17:20 . 2008-08-11 11:56 <DIR> d-------- C:\Program Files\McAfee
2008-08-10 17:20 . 2008-08-10 17:21 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-31 15:09 . 2008-07-31 15:10 <DIR> d-------- C:\Program Files\TI Education
2008-07-31 15:09 . 2008-07-31 15:10 <DIR> d-------- C:\Program Files\Common Files\TI Shared
2008-07-31 15:06 . 2008-08-17 16:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-30 20:08 . 2004-02-04 10:27 49,536 --------- C:\WINDOWS\system32\drivers\tiehdusb.sys
2008-07-30 20:08 . 2004-01-28 15:03 21,456 --------- C:\WINDOWS\system32\drivers\SilvrLnk.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-22 19:15 7,362 --sh--w C:\WINDOWS\system32\KGyGaAvL.sys
2008-08-17 21:36 --------- d-----w C:\Program Files\Trend Micro
2008-08-17 04:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-11 02:24 --------- d-----w C:\Program Files\Java
2008-08-11 00:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-10 22:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-07-31 19:04 --------- d-----w C:\Documents and Settings\gregg jackson\Application Data\Corel
2008-07-20 01:35 --------- d-----w C:\Program Files\Apple Software Update
2008-07-15 15:13 101,632 ----a-w C:\WINDOWS\system32\ccfgntm.dll
2008-07-10 17:02 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 15:57 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2007-04-25 15:27 88 --sh--r C:\WINDOWS\system32\4C6021487D.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-23_15.23.48.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-22 19:17:13 82,728 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-23 20:33:12 82,728 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-22 19:17:13 457,850 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-23 20:33:12 457,850 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-23 20:28:46 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_2a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D2C2594-57B3-4464-9161-7B3764AEAA15}]
2008-07-15 10:13 101632 --a------ C:\WINDOWS\system32\ccfgntm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{301BCB41-282C-4A3E-8255-3B7B311A2E91}]
2004-08-04 05:00 104448 --a------ c:\windows\system32\drmclieni.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 13:48 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-21 06:03 7557120]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-22 17:35 1392640]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 11:48 761947]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-05 12:11 185632]
"NVHotkey"="nvHotkey.dll" [2006-03-21 06:03 73728 C:\WINDOWS\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 16:30 282624 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-04-20 02:35:44 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cdcemjuo]
2004-08-04 05:00 104448 C:\WINDOWS\system32\drmclieni.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=

R0 baqamoxi;baqamoxi;C:\WINDOWS\system32\drivers\baqamoxi.sys [2004-08-04 05:00]
R2 MSSQL$ACT7;SQL Server (ACT7);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 22:08]
R2 wrqckblf;Terminal Server Device Redirector Monitor;C:\WINDOWS\System32\svchost.exe [2008-04-13 19:12]
S2 ACT! Scheduler;ACT! Scheduler;C:\Program Files\ACT\ACT for Windows\Act.Scheduler.exe [2007-04-25 10:16]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2006-01-18 08:44]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2006-01-18 22:17]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wrqckblf
.
Contents of the 'Scheduled Tasks' folder

2008-08-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-10 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-10 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\gregg jackson\Application Data\Mozilla\Firefox\Profiles\yar6nhy5.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 15:48:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Backup = C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-23 15:49:47
ComboFix-quarantined-files.txt 2008-08-23 20:49:35
ComboFix2.txt 2008-08-23 20:24:48

Pre-Run: 75,515,121,664 bytes free
Post-Run: 75,465,814,016 bytes free

186 --- E O F --- 2008-08-22 19:38:34

#6 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:06:53 PM

Posted 24 August 2008 - 02:59 PM

Hi

Please Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed update the definitions
and then run a full system scan and quarantine what it finds!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

THEN ...

Please download Sophos Anti-Rootkit, and save it on your desktop.

http://www.sophos.com/products/free-tools/...ti-rootkit.html

1. Double-click sarsfx.exe to extract the files and leave the default settings.
2. Open the folder C:\Program Files\Sophos\Sophos Anti-Rootkit and double-click sargui.exe to start the program.
3. Make sure the following are checked:

- Running processes
- Windows Registry
- Local Hard Drives

4. Click the "Start Scan" button.
5. Click the "OK" button after you get the notification that the scan has finished and close the program.
6. Click on Start>Run and type, or copy and paste:-

%temp%\sarscan.log

then press Enter.

7. This should open the log from the rootkit scan.

Post the log into your next reply.

Note:
If the scan is performed while the computer is in use, false positives may appear in the scan results.
This is caused by files or registry entries being deleted, including temporary files being deleted automatically.
It has also been reported that Trojan Hunter is detecting Sophos Anti-rootkit as Trojan.Dropper.Interlac.100
So if you have Trojan Hunter installed you will need to disable it prior to running a scan.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#7 Mariannjackson

Mariannjackson
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:12:53 PM

Posted 24 August 2008 - 05:51 PM

The following is the Sophos Anti-Rootkit log:



Sophos Anti-Rootkit Version 1.3.1 (data 1.08) © 2006 Sophos Plc
Started logging on 2008-08-24 at 17:38
Stopped logging on 2008-08-24 at 17:44



_______________________________________________

I got a porn pop-up right after I ran the SUPERAntiSpyware scan.

Mariann

#8 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:06:53 PM

Posted 25 August 2008 - 03:46 PM

Hi Mariann

I notice you ran Combofix twice & posted the second log ...

Would you please post the log from the first run .. you'll find it here :- C:\ComboFix\ComboFix2.txt

Would you please also post the SUPERAntiSpyware Scan Log...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#9 Mariannjackson

Mariannjackson
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:12:53 PM

Posted 25 August 2008 - 06:01 PM

Sorry, I forgot to post the SUPERAntiSpyware log last time. I could not find another ComboFix log. Why do you say that I ran 2 logs?


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/24/2008 at 04:59 PM

Application Version : 4.20.1046

Core Rules Database Version : 3545
Trace Rules Database Version: 1534

Scan type : Complete Scan
Total Scan Time : 00:27:56

Memory items scanned : 612
Memory threats detected : 0
Registry items scanned : 6180
Registry threats detected : 0
File items scanned : 23417
File threats detected : 159

Adware.Tracking Cookie

________________________________________________________________________________________

#10 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:06:53 PM

Posted 26 August 2008 - 06:45 PM

Hi

I could not find another ComboFix log. Why do you say that I ran 2 logs?


ComboFix 08-08-21.02 - Gregg J 2008-08-23 15:45:15.2 - NTFSx86 < 2 denotes 2nd run
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1571 [GMT -5:00]

Completion time: 2008-08-23 15:49:47
ComboFix-quarantined-files.txt 2008-08-23 20:49:35
ComboFix2.txt 2008-08-23 20:24:48 < you would not have this unless Combofix had been run twice.

But not to worry, if you can't find it please post the contents of the ComboFix-quarantined-files.txt

THEN ...

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\ccfgntm.dll
c:\windows\system32\drmclieni.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D2C2594-57B3-4464-9161-7B3764AEAA15}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{301BCB41-282C-4A3E-8255-3B7B311A2E91}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cdcemjuo]


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
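Reading the ComboFix log the way steamwiz does above (the ".2" run counter in the header, the ComboFixN.txt lines, the Reg Loading Points and R0/R2 service rows) and writing the CFScript.txt layout he describes, as an added example in Python that is not code from the thread or from ComboFix's author. The sample log is constructed from lines quoted in this thread; the function and regex names are my own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: a trimmed copy of the ComboFix log lines quoted in this thread.
SAMPLE_LOG = r"""ComboFix 08-08-21.02 - Gregg J 2008-08-23 15:45:15.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1571 [GMT -5:00]
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D2C2594-57B3-4464-9161-7B3764AEAA15}]
2008-07-15 10:13 101632 --a------ C:\WINDOWS\system32\ccfgntm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cdcemjuo]
2004-08-04 05:00 104448 C:\WINDOWS\system32\drmclieni.dll

R0 baqamoxi;baqamoxi;C:\WINDOWS\system32\drivers\baqamoxi.sys [2004-08-04 05:00]
R2 wrqckblf;Terminal Server Device Redirector Monitor;C:\WINDOWS\System32\svchost.exe [2008-04-13 19:12]

Completion time: 2008-08-23 15:49:47
ComboFix-quarantined-files.txt 2008-08-23 20:49:35
ComboFix2.txt 2008-08-23 20:24:48
"""

# Header: "ComboFix <ver> - <user> <date> <time>.<run> - <fs>"; the ".N" is the run counter.
HEADER_RE = re.compile(r"^ComboFix \S+ - .*? \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.(\d+) - ", re.M)
PREV_LOG_RE = re.compile(r"^(ComboFix\d+\.txt) ", re.M)          # logs of earlier runs
KEY_RE = re.compile(r"^\[(.+)\]$")                                # "[HKEY_...]" group header
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ (?:-[-a-z]+ )?([A-Za-z]:\\.+)$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')                   # "name"="path" [...]
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?) \[", re.M)


def run_number(log: str) -> Optional[int]:
    """Run counter from the header: '15:45:15.2' means the second run."""
    m = HEADER_RE.search(log)
    return int(m.group(1)) if m else None


def previous_logs(log: str) -> List[str]:
    """ComboFixN.txt lines at the end of a log name the logs of earlier runs."""
    return PREV_LOG_RE.findall(log)


def loading_points(log: str) -> List[Tuple[str, Optional[str], str]]:
    """(registry key, value name or None, file path) for each Reg Loading Points entry.
    A [KEY] line opens a group that runs until the next blank line; its rows are
    either "name"="path" [...] values or date/size/flags/path file rows."""
    out, key = [], None
    for line in log.splitlines():
        if not line.strip():
            key = None
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        if key is None:
            continue
        vm = VALUE_RE.match(line)
        if vm:
            out.append((key, vm.group(1), vm.group(2)))
            continue
        fm = FILE_RE.match(line)
        if fm:
            out.append((key, None, fm.group(1)))
    return out


def services(log: str) -> List[Tuple[str, str, str, str]]:
    """(start type, short name, display name, image path) for each R0/R2/S2/S3 row."""
    return [m.groups() for m in SERVICE_RE.finditer(log)]


def build_cfscript(files: List[str], keys_to_delete: List[str]) -> str:
    """CFScript.txt in the layout the helper insists on: 'File::' is the very first
    line with nothing before it, one path per line, then 'Registry::' with each key
    written as [-KEY] to request its deletion."""
    for item in files + keys_to_delete:
        if not item or item != item.strip():
            raise ValueError(f"empty or whitespace-padded entry: {item!r}")
    lines = ["File::", *files, "", "Registry::", *[f"[-{k}]" for k in keys_to_delete]]
    return "\n".join(lines) + "\n"


def cfscript_is_well_formed(text: str) -> bool:
    """True only if the first line is exactly 'File::' (no blank line above, no leading space)."""
    return text.startswith("File::\n")


if __name__ == "__main__":
    print("run number:", run_number(SAMPLE_LOG), "earlier logs:", previous_logs(SAMPLE_LOG))
    print("services:", services(SAMPLE_LOG))
    # Script for the BHO and Winlogon Notify entries the helper targeted above.
    targets = [(k, p) for k, _, p in loading_points(SAMPLE_LOG)
               if "Browser Helper" in k or "winlogon" in k]
    print(build_cfscript([p for _, p in targets], [k for k, _ in targets]))
```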

#11 Mariannjackson

Mariannjackson
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:12:53 PM

Posted 26 August 2008 - 09:14 PM

Hi,

Below are the files and logs you requested:

2008-01-30 21:26:05 139 C:\Qoobox\Quarantine\C\Documents and Settings\gregg jackson\Application Data\Macromedia\Flash Player\#SharedObjects\F3JZL7YC\interclick.com\ud.sol.vir
2008-01-30 21:26:05 84 C:\Qoobox\Quarantine\C\Documents and Settings\gregg jackson\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol.vir
2008-08-22 19:46:51 2,315 C:\Qoobox\Quarantine\C\Documents and Settings\gregg jackson\Cookies\gregg_j@ehg-seagate.hitbox[1].txt.vir
2008-08-23 20:23:49 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-08-23 20:23:49 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-08-23 20:23:49 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-08-23 20:23:51 99 C:\Qoobox\Quarantine\Registry_backups\Toolbar-ID.reg.dat
2008-08-23 20:48:03 108 C:\Qoobox\Quarantine\catchme.log
2008-08-23 20:49:17 320 C:\Qoobox\Quarantine\Registry_backups\URLSearchHooks-Rank.reg.dat
2008-08-23 20:49:17 398 C:\Qoobox\Quarantine\Registry_backups\URLSearchHooks-HookURL.reg.dat


ComboFix 08-08-26.02 - Gregg J 2008-08-26 20:54:52.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1419 [GMT -5:00]
Running from: C:\Documents and Settings\gregg jackson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\gregg jackson\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\ccfgntm.dll
c:\windows\system32\drmclieni.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\gregg jackson\Application Data\macromedia\Flash Player\#SharedObjects\F3JZL7YC\bin.clearspring.com
C:\Documents and Settings\gregg jackson\Application Data\macromedia\Flash Player\#SharedObjects\F3JZL7YC\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\gregg jackson\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\gregg jackson\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\WINDOWS\system32\ccfgntm.dll . . . . failed to delete
c:\windows\system32\drmclieni.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_wrqckblf
-------\Service_wrqckblf


((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.

2008-08-24 19:53 . 2008-08-24 19:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-08-24 17:37 . 2008-08-24 17:37 <DIR> d-------- C:\Program Files\Sophos
2008-08-24 16:29 . 2008-08-24 16:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-24 16:29 . 2008-08-24 16:29 <DIR> d-------- C:\Documents and Settings\gregg jackson\Application Data\SUPERAntiSpyware.com
2008-08-24 16:29 . 2008-08-24 16:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-23 17:09 . 2008-08-24 19:06 <DIR> d-------- C:\Retrospect Restore Points
2008-08-23 17:01 . 2008-08-23 17:01 <DIR> d-------- C:\Program Files\Retrospect
2008-08-23 16:26 . 2008-08-24 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp
2008-08-23 16:12 . 2008-08-23 16:12 <DIR> d-------- C:\Program Files\Maxtor
2008-08-20 18:45 . 2008-08-20 18:45 <DIR> d-------- C:\Documents and Settings\gregg jackson\Application Data\Malwarebytes
2008-08-20 18:45 . 2008-08-20 18:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 23:12 . 2008-08-18 23:12 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-18 23:12 . 2008-08-18 23:12 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-18 23:12 . 2008-08-18 23:12 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-18 23:10 . 2008-08-18 23:10 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-16 23:24 . 2008-08-16 23:23 102,664 --------- C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-16 23:23 . 2008-08-16 23:31 <DIR> d-------- C:\Documents and Settings\gregg jackson\.housecall6.6
2008-08-16 22:57 . 2008-08-23 16:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-16 21:29 . 2008-08-16 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-16 20:43 . 2008-04-13 19:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2008-08-16 20:42 . 2008-04-13 19:11 397,312 --------- C:\WINDOWS\system32\mmcex.dll
2008-08-16 20:41 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-08-16 20:40 . 2008-04-13 19:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-08-14 13:22 . 2008-05-01 09:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 13:21 . 2008-04-11 14:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-12 19:34 . 2008-08-12 19:37 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-08-12 19:18 . 2008-08-12 19:21 <DIR> d-------- C:\89528ce51dc741734e6e
2008-08-12 18:50 . 2008-08-12 18:50 <DIR> d-------- C:\Program Files\Digital Locker Assistant
2008-08-10 21:24 . 2008-08-10 21:24 <DIR> d-------- C:\Program Files\Sun
2008-08-10 21:24 . 2008-06-10 02:32 73,728 --------- C:\WINDOWS\system32\javacpl.cpl
2008-08-10 21:15 . 2008-08-10 21:15 <DIR> d-------- C:\Program Files\Windows Defender
2008-08-10 19:54 . 2008-08-10 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-08-10 19:52 . 2008-08-10 19:52 61,224 --------- C:\Documents and Settings\gregg jackson\GoToAssistDownloadHelper.exe
2008-08-10 19:45 . 2008-08-10 19:45 <DIR> d-------- C:\Documents and Settings\gregg jackson\Application Data\McAfee
2008-08-10 17:24 . 2008-08-26 21:00 10,369 --a------ C:\WINDOWS\system32\Config.MPF
2008-08-10 17:23 . 2006-03-03 08:07 143,360 --------- C:\WINDOWS\system32\dunzip32.dll
2008-08-10 17:21 . 2007-11-22 06:44 201,320 --------- C:\WINDOWS\system32\drivers\mfehidk.sys
2008-08-10 17:21 . 2007-07-13 06:20 113,952 --------- C:\WINDOWS\system32\drivers\Mpfp.sys
2008-08-10 17:21 . 2007-11-22 06:44 79,304 --------- C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-08-10 17:21 . 2007-12-02 12:51 40,488 --------- C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-08-10 17:21 . 2007-11-22 06:44 35,240 --------- C:\WINDOWS\system32\drivers\mfebopk.sys
2008-08-10 17:21 . 2007-11-22 06:44 33,832 --------- C:\WINDOWS\system32\drivers\mferkdk.sys
2008-08-10 17:20 . 2008-08-10 17:20 <DIR> d-------- C:\Program Files\McAfee.com
2008-08-10 17:20 . 2008-08-11 11:56 <DIR> d-------- C:\Program Files\McAfee
2008-08-10 17:20 . 2008-08-10 17:21 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-07-31 15:09 . 2008-07-31 15:10 <DIR> d-------- C:\Program Files\TI Education
2008-07-31 15:09 . 2008-07-31 15:10 <DIR> d-------- C:\Program Files\Common Files\TI Shared
2008-07-31 15:06 . 2008-08-24 16:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-30 20:08 . 2004-02-04 10:27 49,536 --------- C:\WINDOWS\system32\drivers\tiehdusb.sys
2008-07-30 20:08 . 2004-01-28 15:03 21,456 --------- C:\WINDOWS\system32\drivers\SilvrLnk.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 21:12 94,208 ----a-w C:\WINDOWS\MXOALDR.EXE
2008-08-23 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-17 21:36 --------- d-----w C:\Program Files\Trend Micro
2008-08-11 02:24 --------- d-----w C:\Program Files\Java
2008-08-11 00:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-10 22:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-07-31 19:04 --------- d-----w C:\Documents and Settings\gregg jackson\Application Data\Corel
2008-07-20 01:35 --------- d-----w C:\Program Files\Apple Software Update
2008-07-10 17:02 --------- d-----w C:\Program Files\Microsoft SQL Server
2007-04-25 15:27 88 --sh--r C:\WINDOWS\system32\4C6021487D.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-23_15.23.48.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2008-08-23 21:21:55 49,152 ----a-r C:\WINDOWS\Installer\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\NewShortcut1_3EC91FDFFE9A43D596C48A9C24372500.exe
+ 2008-08-23 21:21:55 49,152 ----a-r C:\WINDOWS\Installer\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\NewShortcut4_3EC91FDFFE9A43D596C48A9C24372500.exe
+ 2008-08-23 21:21:55 49,152 ----a-r C:\WINDOWS\Installer\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\NewShortcut5_3EC91FDFFE9A43D596C48A9C24372500.exe
+ 2008-08-23 21:21:55 49,152 ----a-r C:\WINDOWS\Installer\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\NewShortcut6_3EC91FDFFE9A43D596C48A9C24372500.exe
+ 2008-08-23 22:01:52 5,222 ----a-r C:\WINDOWS\Installer\{A4952AA3-FCBF-4D28-9DC4-A3935FDC5805}\ARPPRODUCTICON.exe
+ 2008-08-23 22:01:52 61,440 ----a-r C:\WINDOWS\Installer\{A4952AA3-FCBF-4D28-9DC4-A3935FDC5805}\NewShortcut1_1E88F516C8AA4D179A548AB0768F34C1.exe
+ 2008-08-24 21:29:17 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-08-24 21:29:17 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2003-10-10 09:23:48 266,240 ----a-w C:\WINDOWS\MXONTTRY.EXE
- 2008-08-23 20:00:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-27 01:43:09 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-23 20:00:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-27 01:43:09 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2003-10-10 09:23:48 32,640 ----a-w C:\WINDOWS\system32\drivers\MXOFX.SYS
+ 2004-10-07 15:21:22 15,360 ----a-w C:\WINDOWS\system32\drivers\mxopswd.sys
+ 2003-04-01 18:02:46 3,072 ----a-w C:\WINDOWS\system32\MXOCOINS.dll
+ 2003-10-10 09:23:48 12,382 ----a-w C:\WINDOWS\system32\MXOUI32.DLL
+ 2003-01-17 09:50:06 98,394 ----a-w C:\WINDOWS\system32\MXOUN.EXE
+ 2008-02-04 23:23:10 693,792 ----a-w C:\WINDOWS\system32\OGACheckControl.DLL
- 2008-08-22 19:17:13 82,728 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-27 01:58:10 82,728 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-22 19:17:13 457,850 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-27 01:58:10 457,850 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-23 21:12:14 94,208 ----a-w C:\WINDOWS\system32\ReinstallBackups\0019\DriverFiles\MXOALDR.EXE
+ 2003-04-01 18:02:46 3,072 ----a-w C:\WINDOWS\system32\ReinstallBackups\0019\DriverFiles\MXOCOINS.dll
+ 2003-10-10 09:23:48 32,640 ----a-w C:\WINDOWS\system32\ReinstallBackups\0019\DriverFiles\MXOFX.SYS
+ 2003-10-10 09:23:48 266,240 ----a-w C:\WINDOWS\system32\ReinstallBackups\0019\DriverFiles\MXONTTRY.EXE
+ 2003-10-10 09:23:48 12,382 ----a-w C:\WINDOWS\system32\ReinstallBackups\0019\DriverFiles\MXOUI32.DLL
+ 2003-01-17 09:50:06 98,394 ----a-w C:\WINDOWS\system32\ReinstallBackups\0019\DriverFiles\MXOUN.EXE
+ 2004-10-07 15:21:22 15,360 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\mxopswd.sys
+ 2008-08-27 01:59:28 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_270.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D2C2594-57B3-4464-9161-7B3764AEAA15}]
2008-07-15 10:13 101632 --a------ C:\WINDOWS\system32\ccfgntm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{301BCB41-282C-4A3E-8255-3B7B311A2E91}]
2004-08-04 05:00 104448 --a------ c:\windows\system32\drmclieni.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 13:48 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-21 06:03 7557120]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-22 17:35 1392640]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 11:48 761947]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-05 12:11 185632]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2004-12-22 08:21 823296]
"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe" [2006-02-06 08:22 18583552]
"NVHotkey"="nvHotkey.dll" [2006-03-21 06:03 73728 C:\WINDOWS\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 16:30 282624 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-04-20 02:35:44 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cdcemjuo]
2004-08-04 05:00 104448 C:\WINDOWS\system32\drmclieni.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=

R0 baqamoxi;baqamoxi;C:\WINDOWS\system32\drivers\baqamoxi.sys [2004-08-04 05:00]
R2 MSSQL$ACT7;SQL Server (ACT7);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 22:08]
S2 ACT! Scheduler;ACT! Scheduler;C:\Program Files\ACT\ACT for Windows\Act.Scheduler.exe [2007-04-25 10:16]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2006-01-18 08:44]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2006-01-18 22:17]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\1D.tmp []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wrqckblf
.
Contents of the 'Scheduled Tasks' folder

2008-08-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-10 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-10 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
HKLM-Run-MXOBG - C:\Documents and Settings\gregg jackson\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 21:00:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\1D.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\Retrospect.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-08-26 21:05:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-27 02:04:57
ComboFix2.txt 2008-08-23 20:49:48
ComboFix3.txt 2008-08-23 20:24:48

Pre-Run: 409,186,304 bytes free
Post-Run: 376,762,368 bytes free

254 --- E O F --- 2008-08-22 19:38:34


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:10, on 2008-08-26
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070420
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D2C2594-57B3-4464-9161-7B3764AEAA15} - C:\WINDOWS\system32\ccfgntm.dll
O2 - BHO: (no name) - {301BCB41-282C-4A3E-8255-3B7B311A2E91} - c:\windows\system32\drmclieni.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://server1/connectcomputer/nshelp.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher) - http://playgames.comcast.net/online2/myste...mesLauncher.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/...gr.cab31267.cab
O16 - DPF: {A219C6A1-B503-42A9-95DC-A84B2CC1231F} (AtlAsianataCtlAttrib Class) - http://playgames.comcast.net/online2/asianata/asianata.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://playgames.comcast.net/Gameshell/Gam...ronGameHost.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://playgames.comcast.net/online2/mahjo...ameLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = summit1.local
O17 - HKLM\Software\..\Telephony: DomainName = summit1.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = summit1.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = summit1.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = summit1.local
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = summit1.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cdcemjuo - C:\WINDOWS\SYSTEM32\drmclieni.dll
O23 - Service: ACT! Scheduler - Sage Software SB, Inc - C:\Program Files\ACT\ACT for Windows\Act.Scheduler.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11166 bytes


Thanks for all your help!

Mariann

#12 steamwiz


Posted 27 August 2008 - 03:25 PM

Hi

Could you please pop these 2 files into a folder... zip it & then upload it for me :thumbsup:

C:\WINDOWS\system32\ccfgntm.dll
c:\windows\system32\drmclieni.dll

Once you have the folder zipped ...

Please go here :-

http://www.thespykiller.co.uk/index.php?board=1.0

Start a new topic ... title: files for steamwiz

put this in your post :-

for steamwiz ...

link :- http://www.bleepingcomputer.com/forums/t/163819/infected-with-system-32boaxedll/

O2 - BHO: (no name) - {2D2C2594-57B3-4464-9161-7B3764AEAA15} - C:\WINDOWS\system32\ccfgntm.dll
O2 - BHO: (no name) - {301BCB41-282C-4A3E-8255-3B7B311A2E91} - c:\windows\system32\drmclieni.dll

O20 - Winlogon Notify: cdcemjuo - C:\WINDOWS\SYSTEM32\drmclieni.dll


then please find & attach the zipped folder to the post...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#13 Mariannjackson


Posted 27 August 2008 - 09:41 PM

I posted the files you asked for at Spykiller.co.uk.

Thanks!


#14 steamwiz


Posted 29 August 2008 - 03:02 PM

Hi Mariann

Thanks for the files :thumbsup:

I've had the files scanned by multiple scanners, all of which find nothing wrong. However, it's clear to me those files do not belong on your computer. I have disassembled them as far as I can and come across many anomalies, but have not been able to decipher exactly what they are (this is not my field), so I am still consulting on the files ...

Are you still getting the porn pop-ups ?

Download avenger2 by swandog46 :-

http://swandog46.geekstogo.com/avenger2/download.php

1. Click the above link & save to your desktop ...

2. Right-click on the Avenger.zip folder and select "Extract to Avenger..."

You will now have an Avenger folder on your desktop.

3. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing Ctrl+C

Files to delete:
C:\WINDOWS\system32\ccfgntm.dll
c:\windows\system32\drmclieni.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


4. Open the Avenger folder & double-click the Avenger.exe file (right-click / Run as Administrator if you have Vista)

5. Right-click on the window under "Input script here:", and select Paste

6. Make sure "Scan for rootkits" is checked ...

& "Automatically disable any rootkits found" is NOT checked ...

7. Click on Execute

8. Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
9. Please copy/paste the content of c:\avenger.txt into your reply

Also please post a new hijackthis log.

steam

#15 Mariannjackson


Posted 29 August 2008 - 10:22 PM

I haven't gotten any porn pop-ups in the past few days, and I was even able to turn my antivirus software back on and use the internet. :thumbsup: For a long time, if I turned on the antivirus software, I could not get the internet to open. Below are the logs you requested:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "C:\WINDOWS\system32\ccfgntm.dll"
Deletion of file "C:\WINDOWS\system32\ccfgntm.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: could not open file "c:\windows\system32\drmclieni.dll"
Deletion of file "c:\windows\system32\drmclieni.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:20, on 2008-08-29
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070420
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D2C2594-57B3-4464-9161-7B3764AEAA15} - C:\WINDOWS\system32\ccfgntm.dll
O2 - BHO: (no name) - {301BCB41-282C-4A3E-8255-3B7B311A2E91} - c:\windows\system32\drmclieni.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://server1/connectcomputer/nshelp.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher) - http://playgames.comcast.net/online2/myste...mesLauncher.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/...gr.cab31267.cab
O16 - DPF: {A219C6A1-B503-42A9-95DC-A84B2CC1231F} (AtlAsianataCtlAttrib Class) - http://playgames.comcast.net/online2/asianata/asianata.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://playgames.comcast.net/Gameshell/Gam...ronGameHost.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://playgames.comcast.net/online2/mahjo...ameLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = summit1.local
O17 - HKLM\Software\..\Telephony: DomainName = summit1.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = summit1.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = summit1.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = summit1.local
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = summit1.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cdcemjuo - C:\WINDOWS\SYSTEM32\drmclieni.dll
O23 - Service: ACT! Scheduler - Sage Software SB, Inc - C:\Program Files\ACT\ACT for Windows\Act.Scheduler.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11064 bytes


Thank you! :)
