
Help! IE6 and Firefox Hijacked


  • This topic is locked
9 replies to this topic

#1 Drexxy

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:06 PM

Posted 15 January 2009 - 06:38 PM

This has been an ongoing problem for a few weeks now. I have McAfee Total Protection 2009 and Spybot Search and Destroy. At first it was continuous messages of Vundo from McAfee, but I have never been able to totally destroy it, it seems. Even after installing S&D I still get these messages and recently started getting up to 55 IE popups. I disabled IE using both Internet Options in IE and Control Panel. So far no more IE windows, but now new windows are opening in Firefox and causing my system to shut down Firefox after I attempt to close only 2 windows. I hope someone can help me because I am at my wits' end, not very knowledgeable, and scared to really tackle it on my own.

DDS.txt
DDS (Ver_09-01-07.01) - NTFSx86
Run by Trish at 18:25:54.04 on Thu 01/15/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.396 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Trish\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061206
mDefault_Page_URL = hxxp://www.dell.com
uInternet Settings,ProxyServer = 0.0.0.0:80
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: {1C9E090C-9BA6-404D-A232-C143E319E653} - No File
BHO: {2CE3E644-D239-4784-BE2C-75AD92A539E1} - No File
BHO: {4fa9b1c8-49dc-403a-a984-1704c3d76263} - c:\windows\system32\ljJAPJDW.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {894070BA-DB7D-4952-A409-57DED4870A0D} - No File
BHO: {98514361-E3F4-424E-8BFA-391E3974D09D} - No File
BHO: {aaff3103-48f3-4b18-ab6e-c7be6335a14a} - No File
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {C1DE144F-E4D7-4B95-8F66-64D3D0E30E6E} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Neopets: {cd292324-974f-4224-d074-caca427aa030} - c:\progra~1\neopets\toolbar\Toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Neopets: {cd292324-974f-4224-d074-caca427aa030} - c:\progra~1\neopets\toolbar\Toolbar.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Refresh Bar: {6f2db0ca-d4ca-455b-9f0b-db135c875345} - c:\program files\refresh bar\IERefresh.dll
TB: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [<NO NAME>]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [cogad] "c:\documents and settings\trish\application data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,_RunDLLEntry@16
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [dlcxmon.exe] "c:\program files\dell photo aio printer 926\dlcxmon.exe"
mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 926\memcard.exe"
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {F009BAD5-2FAF-4E10-B7AA-61A22524AC30} - {6F2DB0CA-D4CA-455B-9F0B-DB135C875345} - c:\program files\refresh bar\IERefresh.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: ssqPfFyX - ssqPfFyX.dll
AppInit_DLLs: c:\windows\system32\rurirovi.dll c:\windows\system32\savudude.dll c:\windows\system32\hahagoho.dll dovnav.dll axhvsl.dll sntfxg.dll uvlmyv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ljJAPJDW
LSA: Notification Packages = scecli c:\windows\system32\rurirovi.dll c:\windows\system32\savudude.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\trish\applic~1\mozilla\firefox\profiles\4wwox5e9.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com
FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?o=101447&l=dis&q=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\trish\application data\mozilla\firefox\profiles\4wwox5e9.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: XUL Cache: {1D8D85D0-C524-4461-80C2-0B4A0B9F8EF5} - c:\windows\system32\config\systemprofile\local settings\application data\{1d8d85d0-c524-4461-80c2-0b4a0b9f8ef5}\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-18 207656]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-18 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-18 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-18 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-18 40488]
R4 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-2 206096]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-18 358736]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-18 144704]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-18 34152]

============== File Associations ===============

regfile=*** no open command defined ***

=============== Created Last 30 ================

2009-01-15 18:03 1,674,436 a--sh--- c:\windows\system32\WDJPAJjl.ini2
2009-01-15 16:35 72,704 a------- c:\windows\system32\bmshxktt.dll
2009-01-15 16:32 129,024 a------- c:\windows\system32\uvlmyv.dll
2009-01-15 16:32 129,024 a------- c:\windows\system32\wmmwftlt.dll
2009-01-15 16:31 40,960 a------- c:\windows\system32\luvlxqgx.dll
2009-01-13 16:46 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll
2009-01-13 16:46 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-01-13 16:46 18,944 a------- c:\windows\system32\dllcache\xrxscnui.dll
2009-01-13 16:46 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe
2009-01-13 16:46 4,608 a------- c:\windows\system32\dllcache\xrxflnch.exe
2009-01-13 16:46 99,865 a------- c:\windows\system32\dllcache\xlog.exe
2009-01-13 16:46 16,970 a------- c:\windows\system32\dllcache\xem336n5.sys
2009-01-13 16:46 19,455 a------- c:\windows\system32\dllcache\wvchntxx.sys
2009-01-13 16:46 12,063 a------- c:\windows\system32\dllcache\wsiintxx.sys
2009-01-13 16:46 8,192 a------- c:\windows\system32\dllcache\wshirda.dll
2009-01-13 16:45 8,832 a------- c:\windows\system32\dllcache\wmiacpi.sys
2009-01-13 16:45 154,624 a------- c:\windows\system32\dllcache\wlluc48.sys
2009-01-13 16:45 34,890 a------- c:\windows\system32\dllcache\wlandrv2.sys
2009-01-13 16:45 771,581 a------- c:\windows\system32\dllcache\winacisa.sys
2009-01-13 16:43 604,253 a------- c:\windows\system32\dllcache\vmodem.sys
2009-01-13 16:42 94,720 a------- c:\windows\system32\dllcache\umaxud32.dll
2009-01-13 16:41 440,576 a------- c:\windows\system32\dllcache\tridkb.dll
2009-01-13 16:40 17,129 a------- c:\windows\system32\dllcache\tdkcd31.sys
2009-01-13 16:39 53,248 a------- c:\windows\system32\dllcache\stlncoin.dll
2009-01-13 16:38 7,040 a------- c:\windows\system32\dllcache\snyaitmc.sys
2009-01-13 16:37 94,698 a------- c:\windows\system32\dllcache\sk98xwin.sys
2009-01-13 16:36 386,560 a------- c:\windows\system32\dllcache\sgiul50.dll
2009-01-13 16:35 75,392 a------- c:\windows\system32\dllcache\s3savmxm.sys
2009-01-13 16:34 3,840 a------- c:\windows\system32\dllcache\rpfun.sys
2009-01-13 16:33 130,942 a------- c:\windows\system32\dllcache\ptserlv.sys
2009-01-13 16:32 105,984 a------- c:\windows\system32\dllcache\phdsext.ax
2009-01-13 16:31 28,032 a------- c:\windows\system32\dllcache\ovcd.sys
2009-01-13 16:30 87,040 a------- c:\windows\system32\dllcache\nm6wdm.sys
2009-01-13 16:28 19,968 a------- c:\windows\system32\dllcache\mxnic.sys
2009-01-13 16:28 19,968 a------- c:\windows\system32\dllcache\mxicfg.dll
2009-01-13 16:28 21,888 a------- c:\windows\system32\dllcache\mxcard.sys
2009-01-13 16:28 103,296 a------- c:\windows\system32\dllcache\mtxvideo.sys
2009-01-13 16:28 49,024 a------- c:\windows\system32\dllcache\mstape.sys
2009-01-13 16:28 12,416 a------- c:\windows\system32\dllcache\msriffwv.sys
2009-01-13 16:28 2,944 a------- c:\windows\system32\dllcache\msmpu401.sys
2009-01-13 16:28 22,016 a------- c:\windows\system32\dllcache\msircomm.sys
2009-01-13 16:28 35,200 a------- c:\windows\system32\dllcache\msgame.sys
2009-01-13 16:28 6,016 a------- c:\windows\system32\dllcache\msfsio.sys
2009-01-13 16:28 51,200 a------- c:\windows\system32\dllcache\msdv.sys
2009-01-13 16:28 15,232 a------- c:\windows\system32\dllcache\mpe.sys
2009-01-13 16:26 727,786 a------- c:\windows\system32\dllcache\ltck000c.sys
2009-01-13 16:25 18,432 a------- c:\windows\system32\dllcache\jupiw.dll
2009-01-13 16:24 61,952 a------- c:\windows\system32\dllcache\icam4ext.dll
2009-01-13 16:23 542,879 a------- c:\windows\system32\dllcache\hsf_msft.sys
2009-01-13 16:22 126,976 a------- c:\windows\system32\dllcache\hpgt34tk.dll
2009-01-13 16:21 7,680 a------- c:\windows\system32\dllcache\ftpctrs2.dll
2009-01-13 16:20 347,550 a------- c:\windows\system32\dllcache\es56tpi.sys
2009-01-13 16:19 24,653 a------- c:\windows\system32\dllcache\el574nd4.sys
2009-01-13 16:18 102,484 a------- c:\windows\system32\dllcache\digiinf.dll
2009-01-13 16:17 42,112 a------- c:\windows\system32\dllcache\crtaud.sys
2009-01-13 16:16 66,082 a------- c:\windows\system32\dllcache\c_20273.nls
2009-01-13 16:15 10,240 a------- c:\windows\system32\dllcache\atipcxxx.sys
2009-01-13 16:13 7,168 a------- c:\windows\system32\dllcache\wamregps.dll
2009-01-13 16:13 66,048 a------- c:\windows\system32\dllcache\s3legacy.dll
2009-01-13 16:13 19,968 a------- c:\windows\system32\dllcache\inetsloc.dll
2009-01-13 16:13 169,984 a------- c:\windows\system32\dllcache\iisui.dll
2009-01-13 16:13 7,680 a------- c:\windows\system32\dllcache\inetmgr.exe
2009-01-13 16:13 14,336 a------- c:\windows\system32\dllcache\iisreset.exe
2009-01-13 16:13 5,632 a------- c:\windows\system32\dllcache\iisrstap.dll
2009-01-13 16:13 6,144 a------- c:\windows\system32\dllcache\ftpsapi2.dll
2009-01-13 16:13 94,720 a------- c:\windows\system32\dllcache\certmap.ocx
2009-01-13 15:39 116,736 a------- c:\windows\system32\eobrkshs.dll
2009-01-13 15:39 129,024 a------- c:\windows\system32\sntfxg.dll
2009-01-13 15:39 129,024 a------- c:\windows\system32\hywlmakv.dll
2009-01-13 15:36 1,674,486 a--sh--- c:\windows\system32\WDJPAJjl.ini
2009-01-13 15:25 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-01-13 15:11 143 a------- c:\windows\system32\mcrh.tmp
2009-01-12 18:36 1,266,872 ---sh--- c:\windows\system32\kqriccmc.ini
2009-01-12 15:46 1,266,872 ---sh--- c:\windows\system32\xsscvtss.ini
2009-01-12 15:44 302,592 a------- c:\windows\system32\ljJAPJDW.dll
2009-01-10 19:50 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-10 19:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-10 03:11 138,384 a------- c:\windows\system32\drivers\tmcomm.sys
2009-01-10 03:10 <DIR> --d----- c:\docume~1\trish\applic~1\HouseCall 6.6
2009-01-09 20:24 <DIR> --d----- c:\docume~1\trish\applic~1\Twain
2009-01-09 20:06 <DIR> --d----- c:\docume~1\trish\applic~1\Malwarebytes
2009-01-09 20:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-08 19:26 <DIR> --d----- c:\docume~1\trish\applic~1\cogad
2009-01-08 19:26 1,257,552 ---sh--- c:\windows\system32\sxgiugbi.ini
2009-01-03 18:07 2,145,280 a------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-03 18:07 2,023,936 a------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-03 17:56 <DIR> --d----- c:\windows\system32\scripting
2009-01-03 17:56 <DIR> --d----- c:\windows\l2schemas
2009-01-03 17:56 <DIR> --d----- c:\windows\system32\en
2009-01-03 17:52 <DIR> --d----- c:\windows\ServicePackFiles
2009-01-02 22:37 139,536 a------- c:\windows\system32\javaee.dll
2009-01-01 20:51 <DIR> --d----- c:\docume~1\trish\applic~1\iWin
2008-12-29 20:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCPitstop
2008-12-29 19:25 1,262,893 ---sh--- c:\windows\system32\iyuyezep.ini
2008-12-29 18:31 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-28 20:38 <DIR> --d----- c:\program files\Windows Installer Clean Up
2008-12-28 20:37 <DIR> --d----- c:\program files\MSECACHE
2008-12-28 19:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCDr
2008-12-28 19:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC-Doctor
2008-12-28 19:10 <DIR> --d----- c:\program files\Dell Support Center
2008-12-28 19:10 <DIR> --d----- c:\program files\common files\supportsoft
2008-12-28 18:17 <DIR> --d----- c:\documents and settings\trish\.SunDownloadManager
2008-12-28 17:59 <DIR> --d----- C:\VundoFix Backups
2008-12-28 17:59 <DIR> --d----- c:\program files\Veoh Networks
2008-12-28 17:46 <DIR> --d----- c:\docume~1\trish\applic~1\Flock
2008-12-28 17:42 <DIR> --d----- c:\program files\Flock
2008-12-28 16:43 46,352 a------- c:\windows\setdebug.exe
2008-12-28 16:43 171,280 a------- c:\windows\system32\jit.dll
2008-12-28 16:43 7,315 a------- c:\windows\system32\javasup.vxd
2008-12-28 16:43 313,856 a------- c:\windows\system32\dx3j.dll
2008-12-28 16:43 6,550 a------- c:\windows\jautoexp.dat
2008-12-28 15:02 <DIR> --d----- c:\documents and settings\trish\.housecall6.6
2008-12-28 13:45 1,262,893 ---sh--- c:\windows\system32\afumazab.ini
2008-12-28 01:33 45 a------- c:\windows\system32\RPVersion.ini
2008-12-28 01:30 86,016 -------- c:\windows\unvise32.exe
2008-12-28 01:25 583 a------- c:\windows\RegGenie.ini
2008-12-28 01:23 158,720 a------- c:\windows\RegGenieOnUninstall.exe
2008-12-27 23:55 <DIR> --d----- c:\windows\pss
2008-12-27 18:44 164 a------- C:\install.dat
2008-12-26 19:01 18,944 -------- c:\windows\system32\SET395.tmp
2008-12-26 19:01 8,192 -------- c:\windows\system32\SET397.tmp
2008-12-26 19:01 8,192 -------- c:\windows\system32\dllcache\SET39E.tmp
2008-12-26 19:01 7,168 -------- c:\windows\system32\SET396.tmp
2008-12-26 19:01 7,168 -------- c:\windows\system32\dllcache\SET39D.tmp
2008-12-26 18:50 <DIR> --d----- c:\program files\Microsoft Windows OneCare Live
2008-12-26 18:33 1 a------- c:\windows\system32\tb.dr
2008-12-26 18:27 1 a------- c:\windows\system32\za.dat
2008-12-26 16:39 1,254,052 ---sh--- c:\windows\system32\egazekoh.ini
2008-12-26 15:27 <DIR> --d----- c:\docume~1\trish\applic~1\ByteCrusher
2008-12-26 14:51 1,299,082 ---sh--- c:\windows\system32\rsleupms.ini
2008-12-25 13:35 <DIR> --d----- c:\windows\Profiles
2008-12-25 13:35 <DIR> --d----- c:\program files\Learn2.com
2008-12-25 10:44 <DIR> --d----- c:\docume~1\trish\applic~1\CameraWindowDC
2008-12-25 10:44 <DIR> --d----- c:\docume~1\trish\applic~1\CANON INC
2008-12-25 10:40 <DIR> --d----- c:\docume~1\trish\applic~1\ZoomBrowser EX
2008-12-25 10:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ZoomBrowser
2008-12-25 10:28 <DIR> --d----- c:\program files\Canon
2008-12-25 10:27 <DIR> --d----- c:\program files\common files\Canon

==================== Find3M ====================

2009-01-03 18:02 88,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-02 22:38 2,678 a------- c:\windows\java\packages\data\DB5B1JVP.DAT
2009-01-02 22:37 2,678 a------- c:\windows\java\packages\data\KV13HZBX.DAT
2009-01-02 22:37 2,678 a------- c:\windows\java\packages\data\E5JD7D3L.DAT
2009-01-02 22:37 2,678 a------- c:\windows\java\packages\data\KW25B31J.DAT
2009-01-02 22:37 2,678 a------- c:\windows\java\packages\data\79BJ7FHF.DAT
2008-12-29 18:30 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-28 16:43 155,995 a------- c:\windows\java\packages\4V5ZJNZD.ZIP
2008-12-28 16:43 2,232 a------- c:\windows\java\packages\data\FXVTZZ5B.DAT
2008-12-25 10:45 3,350 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-12 12:01 3,067,904 a------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 06:21 455,296 a------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\dllcache\gdi32.dll
2007-06-13 18:32 25,990,392 ac------ c:\program files\FLV PlayerRCSetup.exe

============= FINISH: 18:27:41.64 ===============
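As an added illustration (not part of this thread, and not code from DDS or ComboFix themselves), the following Python script walks the lines of a DDS "Pseudo HJT Report" and flags the persistence mechanisms a helper looks at first: anything in AppInit_DLLs, extra LSA Authentication/Notification packages, Winlogon Notify entries, Run keys that point into the user profile, and orphaned BHO/toolbar entries. The sample lines are constructed from the shape of the log posted above; the only baseline it assumes is the Windows XP defaults `msv1_0` and `scecli` for the two LSA values, and the severity labels are this script's own, not a DDS convention. It handles both uRun and mRun entries and TB as well as BHO lines, so it generalises a little beyond the specific lines quoted.

```python
import re
from collections import Counter

# Constructed sample in the shape of the DDS "Pseudo HJT Report" above (values taken
# from the posted log; this is not a real DDS run).
SAMPLE_REPORT = r"""
uInternet Settings,ProxyServer = 0.0.0.0:80
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [cogad] "c:\documents and settings\trish\application data\cogad\cogad.exe" 61A847B5
Notify: ssqPfFyX - ssqPfFyX.dll
AppInit_DLLs: c:\windows\system32\rurirovi.dll c:\windows\system32\savudude.dll dovnav.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ljJAPJDW
LSA: Notification Packages = scecli c:\windows\system32\rurirovi.dll
"""

# Windows XP defaults for the two LSA values; anything beyond these is an add-on
# that lsass.exe will load at boot.
EXPECTED_AUTH_PACKAGES = {"msv1_0"}
EXPECTED_NOTIFY_PACKAGES = {"scecli"}

# Autostart locations inside the user profile that a legitimate installer rarely uses.
PROFILE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")

# uRun/mRun lines: "[name] path" where the path may be quoted (and may have arguments after it).
RUN_RE = re.compile(r'^[um]Run: \[(?P<name>[^\]]*)\]\s*(?:"(?P<qpath>[^"]+)"|(?P<path>\S+))?')


def _finding(severity, mechanism, item, why):
    return {"severity": severity, "mechanism": mechanism, "item": item, "why": why}


def triage_dds(report: str) -> list:
    """Walk the Pseudo HJT section line by line and return suspicious persistence entries."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue

        if line.startswith("AppInit_DLLs:"):
            # DDS prints the registry value space-separated, so a path containing spaces would
            # need the raw registry value instead. Every entry here is mapped into each process
            # that loads user32.dll, so each one is high severity until proven legitimate.
            for dll in line.split(":", 1)[1].split():
                findings.append(_finding("high", "AppInit_DLLs", dll,
                                         "injected into every user32-linked process"))

        elif line.startswith("LSA: Authentication Packages ="):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() not in EXPECTED_AUTH_PACKAGES:
                    findings.append(_finding("high", "LSA Authentication Packages", pkg,
                                             "extra package loaded by lsass.exe at boot"))

        elif line.startswith("LSA: Notification Packages ="):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() not in EXPECTED_NOTIFY_PACKAGES:
                    findings.append(_finding("high", "LSA Notification Packages", pkg,
                                             "extra package loaded by lsass.exe at boot"))

        elif line.startswith("Notify:"):
            # Winlogon notification packages run inside winlogon.exe; legitimate vendors
            # use them too, so this is a "verify the DLL" item rather than a verdict.
            findings.append(_finding("medium", "Winlogon Notify", line.split(":", 1)[1].strip(),
                                     "DLL loaded by winlogon.exe; confirm the publisher"))

        elif line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
            findings.append(_finding("low", "orphaned BHO/toolbar", line.split(":", 1)[1].strip(),
                                     "registered but the file is missing; clean-up item"))

        elif line.startswith("uInternet Settings,ProxyServer"):
            findings.append(_finding("info", "browser proxy", line.split("=", 1)[1].strip(),
                                     "proxy configured for this user; confirm it is intended"))

        else:
            m = RUN_RE.match(line)
            if m:
                path = (m.group("qpath") or m.group("path") or "").lower()
                if any(marker in path for marker in PROFILE_MARKERS):
                    findings.append(_finding("medium", "Run key", m.group("name"),
                                             "autostart executable stored in the user profile"))
    return findings


def severity_counts(findings) -> dict:
    """Summarise findings by severity so the worst entries can be reviewed first."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    order = ["high", "medium", "low", "info"]
    for f in sorted(triage_dds(SAMPLE_REPORT), key=lambda f: order.index(f["severity"])):
        print(f"[{f['severity']:<6}] {f['mechanism']}: {f['item']}  ({f['why']})")
    print(severity_counts(triage_dds(SAMPLE_REPORT)))
```

On the sample above the script reports five high-severity entries (three AppInit_DLLs, one extra LSA authentication package, one extra LSA notification package), which is exactly the set a removal tool has to take out together: cleaning one while the others still load at the next boot is why Vundo-type infections keep coming back after a scanner says it removed them.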


#2 Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:10:06 PM

Posted 16 January 2009 - 07:17 AM

Hello Drexxy and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted, and make a difference

#3 Drexxy
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:06 PM

Posted 16 January 2009 - 06:10 PM

Thank you so much for helping me, Thunderbird. I really, really appreciate it :)

GooredLog

GooredFix v1.83 by jpshortstuff
Log created at 17:06 on 16/01/2009 running Option #2 (Trish)
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1D8D85D0-C524-4461-80C2-0B4A0B9F8EF5}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{1D8D85D0-C524-4461-80C2-0B4A0B9F8EF5}\"
->Backing up value... Done.
->Deleting value... Done.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{1D8D85D0-C524-4461-80C2-0B4A0B9F8EF5}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor"

ComboFix Txt

ComboFix 09-01-16.02 - Trish 2009-01-16 17:11:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.413 [GMT -5:00]
Running from: c:\documents and settings\Trish\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Trish\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Trish\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Trish\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\IE4 Error Log.txt
c:\windows\system32\_000047_.tmp.dll
c:\windows\system32\afumazab.ini
c:\windows\system32\bmshxktt.dll
c:\windows\system32\egazekoh.ini
c:\windows\system32\eobrkshs.dll
c:\windows\system32\hywlmakv.dll
c:\windows\system32\iyuyezep.ini
c:\windows\system32\kqriccmc.ini
c:\windows\system32\ljJAPJDW.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\rsleupms.ini
c:\windows\system32\sntfxg.dll
c:\windows\system32\sxgiugbi.ini
c:\windows\system32\tb.dr
c:\windows\system32\uvlmyv.dll
c:\windows\system32\WDJPAJjl.ini
c:\windows\system32\WDJPAJjl.ini2
c:\windows\system32\wmmwftlt.dll
c:\windows\system32\xsscvtss.ini
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
.

2009-01-15 16:31 . 2009-01-15 16:31 40,960 --a------ c:\windows\system32\luvlxqgx.dll
2009-01-13 16:46 . 2008-04-13 19:12 116,224 --a------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-01-13 16:46 . 2001-08-17 22:37 99,865 --a------ c:\windows\system32\dllcache\xlog.exe
2009-01-13 16:46 . 2001-08-17 22:37 27,648 --a------ c:\windows\system32\dllcache\xrxftplt.exe
2009-01-13 16:46 . 2001-08-17 22:36 23,040 --a------ c:\windows\system32\dllcache\xrxwbtmp.dll
2009-01-13 16:46 . 2004-08-03 21:29 19,455 --a------ c:\windows\system32\dllcache\wvchntxx.sys
2009-01-13 16:46 . 2008-04-13 19:12 18,944 --a------ c:\windows\system32\dllcache\xrxscnui.dll
2009-01-13 16:46 . 2001-08-17 12:11 16,970 --a------ c:\windows\system32\dllcache\xem336n5.sys
2009-01-13 16:46 . 2004-08-03 21:29 12,063 --a------ c:\windows\system32\dllcache\wsiintxx.sys
2009-01-13 16:46 . 2008-04-13 19:12 8,192 --a------ c:\windows\system32\dllcache\wshirda.dll
2009-01-13 16:46 . 2001-08-17 22:37 4,608 --a------ c:\windows\system32\dllcache\xrxflnch.exe
2009-01-13 16:45 . 2001-08-17 13:28 771,581 --a------ c:\windows\system32\dllcache\winacisa.sys
2009-01-13 16:45 . 2004-08-03 21:31 154,624 --a------ c:\windows\system32\dllcache\wlluc48.sys
2009-01-13 16:45 . 2001-08-17 12:12 34,890 --a------ c:\windows\system32\dllcache\wlandrv2.sys
2009-01-13 16:45 . 2008-04-13 13:36 8,832 --a------ c:\windows\system32\dllcache\wmiacpi.sys
2009-01-13 16:43 . 2001-08-17 13:28 794,654 --a------ c:\windows\system32\dllcache\usr1801.sys
2009-01-13 16:42 . 2001-08-17 22:36 525,568 --a------ c:\windows\system32\dllcache\tridxp.dll
2009-01-13 16:41 . 2001-08-17 14:56 440,576 --a------ c:\windows\system32\dllcache\tridkb.dll
2009-01-13 16:40 . 2001-08-17 14:56 172,768 --a------ c:\windows\system32\dllcache\t2r4disp.dll
2009-01-13 16:39 . 2001-08-17 12:18 285,760 --a------ c:\windows\system32\dllcache\stlnata.sys
2009-01-13 16:38 . 2001-08-17 14:56 147,200 --a------ c:\windows\system32\dllcache\smidispb.dll
2009-01-13 16:37 . 2004-08-10 05:00 2,178,131 --a------ c:\windows\system32\dllcache\shvlres.dll
2009-01-13 16:36 . 2001-08-17 22:36 495,616 --a------ c:\windows\system32\dllcache\sblfx.dll
2009-01-13 16:35 . 2004-08-10 05:00 753,236 --a------ c:\windows\system32\dllcache\rvseres.dll
2009-01-13 16:34 . 2001-08-17 13:28 899,146 --a------ c:\windows\system32\dllcache\r2mdkxga.sys
2009-01-13 16:33 . 2001-08-17 14:04 173,696 --a------ c:\windows\system32\dllcache\philcam2.sys
2009-01-13 16:32 . 2001-08-17 14:05 351,616 --a------ c:\windows\system32\dllcache\ovcodek2.sys
2009-01-13 16:31 . 2001-08-17 12:50 198,144 --a------ c:\windows\system32\dllcache\nv3.sys
2009-01-13 16:30 . 2001-08-17 12:20 87,040 --a------ c:\windows\system32\dllcache\nm6wdm.sys
2009-01-13 16:28 . 2001-08-17 12:50 103,296 --a------ c:\windows\system32\dllcache\mtxvideo.sys
2009-01-13 16:28 . 2008-04-13 13:46 51,200 --a------ c:\windows\system32\dllcache\msdv.sys
2009-01-13 16:28 . 2008-04-13 13:46 49,024 --a------ c:\windows\system32\dllcache\mstape.sys
2009-01-13 16:28 . 2001-08-17 14:02 35,200 --a------ c:\windows\system32\dllcache\msgame.sys
2009-01-13 16:28 . 2008-04-13 13:54 22,016 --a------ c:\windows\system32\dllcache\msircomm.sys
2009-01-13 16:28 . 2001-08-17 13:50 21,888 --a------ c:\windows\system32\dllcache\mxcard.sys
2009-01-13 16:28 . 2001-08-17 13:49 19,968 --a------ c:\windows\system32\dllcache\mxnic.sys
2009-01-13 16:28 . 2001-08-17 22:36 19,968 --a------ c:\windows\system32\dllcache\mxicfg.dll
2009-01-13 16:28 . 2008-04-13 13:46 15,232 --a------ c:\windows\system32\dllcache\mpe.sys
2009-01-13 16:28 . 2001-08-17 13:48 12,416 --a------ c:\windows\system32\dllcache\msriffwv.sys
2009-01-13 16:28 . 2001-08-17 13:48 6,016 --a------ c:\windows\system32\dllcache\msfsio.sys
2009-01-13 16:28 . 2001-08-17 14:00 2,944 --a------ c:\windows\system32\dllcache\msmpu401.sys
2009-01-13 16:26 . 2001-08-17 13:28 727,786 --a------ c:\windows\system32\dllcache\ltck000c.sys
2009-01-13 16:25 . 2001-08-17 22:36 372,824 --a------ c:\windows\system32\dllcache\iconf32.dll
2009-01-13 16:24 . 2008-04-13 19:11 702,845 --a------ c:\windows\system32\dllcache\i81xdnt5.dll
2009-01-13 16:23 . 2004-08-10 05:00 1,175,635 --a------ c:\windows\system32\dllcache\hrtzres.dll
2009-01-13 16:22 . 2001-08-17 14:56 1,733,120 --a------ c:\windows\system32\dllcache\g400d.dll
2009-01-13 16:21 . 2001-08-17 12:14 444,416 --a------ c:\windows\system32\dllcache\fpcibase.sys
2009-01-13 16:20 . 2001-08-17 13:28 634,134 --a------ c:\windows\system32\dllcache\el656ct5.sys
2009-01-13 16:19 . 2001-08-17 12:14 952,007 --a------ c:\windows\system32\dllcache\diwan.sys
2009-01-13 16:18 . 2001-08-17 22:36 419,357 --a------ c:\windows\system32\dllcache\dgconfig.dll
2009-01-13 16:17 . 2001-08-17 12:13 980,034 --a------ c:\windows\system32\dllcache\cicap.sys
2009-01-13 16:16 . 2004-08-10 05:00 1,817,687 --a------ c:\windows\system32\dllcache\bckgres.dll
2009-01-13 16:15 . 2001-08-17 13:28 762,780 --a------ c:\windows\system32\dllcache\3cwmcru.sys
2009-01-13 16:13 . 2004-08-10 05:00 169,984 --a------ c:\windows\system32\dllcache\iisui.dll
2009-01-13 16:13 . 2004-08-10 05:00 94,720 --a------ c:\windows\system32\dllcache\certmap.ocx
2009-01-13 16:13 . 2001-08-17 14:56 66,048 --a------ c:\windows\system32\dllcache\s3legacy.dll
2009-01-13 16:13 . 2004-08-10 05:00 19,968 --a------ c:\windows\system32\dllcache\inetsloc.dll
2009-01-13 16:13 . 2004-08-10 05:00 14,336 --a------ c:\windows\system32\dllcache\iisreset.exe
2009-01-13 16:13 . 2004-08-10 05:00 7,680 --a------ c:\windows\system32\dllcache\inetmgr.exe
2009-01-13 16:13 . 2004-08-10 05:00 7,168 --a------ c:\windows\system32\dllcache\wamregps.dll
2009-01-13 16:13 . 2004-08-10 05:00 6,144 --a------ c:\windows\system32\dllcache\ftpsapi2.dll
2009-01-13 16:13 . 2004-08-10 05:00 5,632 --a------ c:\windows\system32\dllcache\iisrstap.dll
2009-01-13 15:25 . 2009-01-13 15:25 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-01-10 19:50 . 2009-01-10 20:21 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-10 19:50 . 2009-01-10 20:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-10 03:11 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-10 03:10 . 2009-01-10 07:03 <DIR> d-------- c:\documents and settings\Trish\Application Data\HouseCall 6.6
2009-01-09 20:24 . 2009-01-09 21:08 <DIR> d-------- c:\documents and settings\Trish\Application Data\Twain
2009-01-09 20:06 . 2009-01-09 20:06 <DIR> d-------- c:\documents and settings\Trish\Application Data\Malwarebytes
2009-01-09 20:06 . 2009-01-09 20:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-08 19:26 . 2009-01-10 20:21 <DIR> d-------- c:\documents and settings\Trish\Application Data\cogad
2009-01-03 18:07 . 2008-08-14 05:09 2,145,280 --a------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-03 18:07 . 2008-08-14 04:33 2,023,936 --a------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-03 17:56 . 2009-01-03 17:56 <DIR> d-------- c:\windows\system32\scripting
2009-01-03 17:56 . 2009-01-03 17:56 <DIR> d-------- c:\windows\system32\en
2009-01-03 17:56 . 2009-01-03 17:56 <DIR> d-------- c:\windows\l2schemas
2009-01-03 17:52 . 2009-01-03 17:57 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-02 22:37 . 2003-02-28 18:26 139,536 --a------ c:\windows\system32\javaee.dll
2009-01-01 20:51 . 2009-01-01 20:51 <DIR> d-------- c:\documents and settings\Trish\Application Data\iWin
2008-12-29 20:15 . 2008-12-29 20:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCPitstop
2008-12-29 18:31 . 2008-12-29 18:30 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-28 20:38 . 2008-12-28 20:38 <DIR> d-------- c:\program files\Windows Installer Clean Up
2008-12-28 20:37 . 2008-12-28 20:38 <DIR> d-------- c:\program files\MSECACHE
2008-12-28 20:24 . 2008-12-28 20:24 <DIR> d-------- c:\documents and settings\Ethan\Application Data\Flock
2008-12-28 19:15 . 2008-12-28 19:15 <DIR> d-------- c:\documents and settings\Ethan\Application Data\Talkback
2008-12-28 19:12 . 2008-12-28 19:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\SupportSoft
2008-12-28 19:11 . 2008-12-28 19:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCDr
2008-12-28 19:11 . 2008-12-28 19:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC-Doctor
2008-12-28 19:10 . 2008-12-28 19:11 <DIR> d-------- c:\program files\Dell Support Center
2008-12-28 19:10 . 2008-12-28 19:10 <DIR> d-------- c:\program files\Common Files\supportsoft
2008-12-28 18:39 . 2008-12-28 18:39 <DIR> d-------- c:\documents and settings\Sue\Application Data\Talkback
2008-12-28 18:17 . 2008-12-28 18:18 <DIR> d-------- c:\documents and settings\Trish\.SunDownloadManager
2008-12-28 17:59 . 2008-12-28 17:59 <DIR> d-------- C:\VundoFix Backups
2008-12-28 17:59 . 2008-12-28 17:59 <DIR> d-------- c:\program files\Veoh Networks
2008-12-28 17:46 . 2008-12-28 17:46 <DIR> d-------- c:\documents and settings\Trish\Application Data\Flock
2008-12-28 17:42 . 2008-12-29 22:12 <DIR> d-------- c:\program files\Flock
2008-12-28 16:43 . 2003-02-28 16:34 313,856 --a------ c:\windows\system32\dx3j.dll
2008-12-28 16:43 . 2003-02-28 18:26 171,280 --a------ c:\windows\system32\jit.dll
2008-12-28 16:43 . 2003-02-28 18:26 46,352 --a------ c:\windows\setdebug.exe
2008-12-28 16:43 . 2003-02-28 16:54 7,315 --a------ c:\windows\system32\javasup.vxd
2008-12-28 16:43 . 2003-02-28 16:35 6,550 --a------ c:\windows\jautoexp.dat
2008-12-28 15:02 . 2008-12-28 17:53 <DIR> d-------- c:\documents and settings\Trish\.housecall6.6
2008-12-28 13:13 . 2008-12-28 13:13 <DIR> d-------- c:\documents and settings\Trish\Application Data\Talkback
2008-12-28 01:33 . 2008-12-28 01:33 45 --a------ c:\windows\system32\RPVersion.ini
2008-12-28 01:30 . 1999-12-17 22:43 86,016 --------- c:\windows\unvise32.exe
2008-12-28 01:25 . 2008-12-28 01:25 583 --a------ c:\windows\RegGenie.ini
2008-12-28 01:23 . 2008-11-27 04:35 158,720 --a------ c:\windows\RegGenieOnUninstall.exe
2008-12-28 01:03 . 2008-12-28 01:03 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Neopets Toolbar
2008-12-27 18:44 . 2008-12-27 18:44 164 --a------ C:\install.dat
2008-12-26 19:01 . 2007-03-29 07:56 18,944 --a------ c:\windows\system32\SET395.tmp
2008-12-26 19:01 . 2007-03-29 07:56 8,192 --a------ c:\windows\system32\SET397.tmp
2008-12-26 19:01 . 2007-03-29 07:56 8,192 --------- c:\windows\system32\dllcache\SET39E.tmp
2008-12-26 19:01 . 2007-03-29 07:56 7,168 --a------ c:\windows\system32\SET396.tmp
2008-12-26 19:01 . 2007-03-29 07:56 7,168 --------- c:\windows\system32\dllcache\SET39D.tmp
2008-12-26 18:50 . 2008-12-26 19:10 <DIR> d-------- c:\program files\Microsoft Windows OneCare Live
2008-12-26 18:27 . 2008-12-26 18:29 1 --a------ c:\windows\system32\za.dat
2008-12-26 15:57 . 2008-12-26 18:50 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-26 15:27 . 2008-12-26 15:52 <DIR> d-------- c:\documents and settings\Trish\Application Data\ByteCrusher
2008-12-25 13:35 . 2008-12-25 13:35 <DIR> d-------- c:\windows\Profiles
2008-12-25 13:35 . 2008-12-25 13:35 <DIR> d-------- c:\program files\Learn2.com
2008-12-25 10:44 . 2008-12-25 10:44 <DIR> d-------- c:\documents and settings\Trish\Application Data\CANON INC
2008-12-25 10:44 . 2009-01-02 22:29 <DIR> d-------- c:\documents and settings\Trish\Application Data\CameraWindowDC
2008-12-25 10:40 . 2009-01-02 22:34 <DIR> d-------- c:\documents and settings\Trish\Application Data\ZoomBrowser EX
2008-12-25 10:29 . 2008-12-25 10:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-12-25 10:28 . 2008-12-25 10:30 <DIR> d-------- c:\program files\Canon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 22:18 --------- d-----w c:\program files\dl_Cats
2009-01-16 01:22 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-01-09 23:29 --------- d-----w c:\program files\Common Files\Real
2009-01-09 00:42 --------- d-----w c:\program files\Yahoo!
2009-01-02 23:53 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-30 23:33 --------- d-----w c:\program files\Java
2008-12-30 23:10 --------- d-----w c:\program files\McAfee
2008-12-30 03:11 --------- d-----w c:\program files\WildTangent
2008-12-30 03:11 --------- d-----w c:\program files\Dell Games
2008-12-30 02:50 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-29 00:13 --------- d-----w c:\documents and settings\All Users\Application Data\Dell
2008-12-28 23:57 --------- d--h--r c:\documents and settings\Ethan\Application Data\yahoo!
2008-12-28 23:56 --------- d-----w c:\program files\Web Publish
2008-12-28 04:18 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-27 00:50 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-26 21:25 --------- d-----w c:\program files\VideoLAN
2008-12-26 21:07 --------- d-----w c:\program files\Jasc Software Inc
2008-12-26 19:57 --------- d-----w c:\program files\DNA
2008-12-26 19:57 --------- d-----w c:\program files\DivX
2008-12-26 19:56 --------- d-----w c:\documents and settings\Trish\Application Data\BitTorrent
2008-12-25 17:38 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-15 12:24 --------- d-----w c:\documents and settings\Wayne\Application Data\Yahoo!
2008-12-13 03:59 --------- d-----w c:\documents and settings\Trish\Application Data\Corel
2008-11-28 00:36 --------- d-----w c:\documents and settings\Trish\Application Data\Pogo Games
2008-11-18 23:37 --------- d-----w c:\program files\Picaboo
2008-11-18 23:37 --------- d-----w c:\documents and settings\Trish\Application Data\Picaboo
2008-11-16 14:45 --------- d-----w c:\documents and settings\Wayne\Application Data\Winamp
2008-10-16 22:12 262,144 ----a-w C:\ntuser.dat
2007-06-13 23:32 25,990,392 -c--a-w c:\program files\FLV PlayerRCSetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 106496]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-03 304008]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-11-16 106496]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-24 206064]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2008-06-13 1176808]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2008-07-10 5129504]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-12-06 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\ljJAPJDW

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk
backup=c:\windows\pss\CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2004-08-10 05:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-10 05:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-10 05:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-10 05:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-10 05:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-29 18:30 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-07-09 16:33 36352 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-08-23 12:12 1617920 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\WINDOWS\\system32\\dlcxcoms.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcuimgr.exe"=
"c:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"=
"c:\\Program Files\\Dell Photo AIO Printer 926\\dlcxmon.exe"=
"c:\\Program Files\\Yahoo!\\Search Protection\\SearchProtection.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)

R4 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-10-02 206096]
.
Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-16 c:\windows\Tasks\hhxdfsyd.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]

2009-01-09 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (D71XW6C1-Sue).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2008-06-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2007-02-18 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2009-01-16 c:\windows\Tasks\nlbvrtvv.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]

2009-01-16 c:\windows\Tasks\qmuqixui.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1C9E090C-9BA6-404D-A232-C143E319E653} - (no file)
BHO-{2CE3E644-D239-4784-BE2C-75AD92A539E1} - (no file)
BHO-{498D5F6A-9FC4-45E2-BECE-3E4B12AB0C2B} - c:\windows\system32\ljJAPJDW.dll
BHO-{894070BA-DB7D-4952-A409-57DED4870A0D} - (no file)
BHO-{98514361-E3F4-424E-8BFA-391E3974D09D} - (no file)
BHO-{aaff3103-48f3-4b18-ab6e-c7be6335a14a} - (no file)
BHO-{C1DE144F-E4D7-4B95-8F66-64D3D0E30E6E} - (no file)
Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
Toolbar-Reg - (no file)
HKCU-Run-cogad - c:\documents and settings\Trish\Application Data\cogad\cogad.exe
Notify-ssqPfFyX - ssqPfFyX.dll
Notify-WgaLogon - (no file)
MSConfigStartUp-PC Pitstop Optimize Reminder - c:\program files\PCPitstop\Optimize2\Reminder.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyServer = 0.0.0.0:80
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Trish\Application Data\Mozilla\Firefox\Profiles\4wwox5e9.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com
FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?o=101447&l=dis&q=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Trish\Application Data\Mozilla\Firefox\Profiles\4wwox5e9.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 17:18:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\dlcxcoms.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2009-01-16 17:23:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-16 22:22:35

Pre-Run: 49,443,508,224 bytes free
Post-Run: 51,505,213,440 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

390 --- E O F --- 2009-01-16 22:20:52

#4 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 17 January 2009 - 06:02 PM

Hello Drexxy,

Let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:
Collect::
c:\windows\system32\luvlxqgx.dll
File::
c:\windows\Tasks\hhxdfsyd.job
c:\windows\Tasks\nlbvrtvv.job
c:\windows\Tasks\qmuqixui.job
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as a text file, CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh DDS log.

ComboFix will generate a zipped file, similar to C:\Qoobox\Quarantine\[9]Submit@Date_Time.zip.
Upon reboot, and if an active connection is available, it will attempt to automatically upload the malware sample for further investigation. Please allow this if one of your security programs pops up a warning.
In the event the upload fails, the sample can still be uploaded by double clicking the C:\CF-Submit.htm file (opens a browser window) and clicking OK to start the upload.

Still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference
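Added example, not part of Thunder's post and not ComboFix's own code: a small Python checker that reads a ComboFix-style log excerpt for the two findings acted on above (an extra DLL in the LSA "Authentication Packages" list, and scheduled tasks with random eight-letter names whose only target is rundll32.exe) and decodes the hex(7) REG_MULTI_SZ value from the CFScript to confirm it puts the list back to msv1_0 alone. The log excerpt is constructed from lines in this thread; the function names and the eight-letter heuristic are my own.

```python
import re

# Constructed excerpt of a ComboFix log, copied from the lines in this thread
# that the helper acted on (the rest of the log is omitted).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\ljJAPJDW

Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-16 c:\windows\Tasks\hhxdfsyd.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]

2008-06-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2009-01-16 c:\windows\Tasks\nlbvrtvv.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
"""

# Windows XP ships with exactly one LSA authentication package. Anything else
# listed here is loaded into lsass.exe at boot, which is how the ljJAPJDW.dll
# entry above survives reboots and ordinary AV cleanup.
EXPECTED_AUTH_PACKAGES = ["msv1_0"]

TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<path>.+\\Tasks\\(?P<name>[^\\]+)\.job)$", re.I)
TARGET_RE = re.compile(r"^- (?P<exe>.+?)(?: \[.*\])?$")
# Heuristic (my assumption): the malicious tasks in this thread all have names
# made of eight lowercase letters.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


def rogue_auth_packages(log: str) -> list[str]:
    """Return every Authentication Packages entry that is not msv1_0.

    ComboFix prints the REG_MULTI_SZ values space-separated on one line; the
    paths in this log contain no spaces, so a plain split is enough here.
    """
    for line in log.splitlines():
        if line.startswith("Authentication Packages REG_MULTI_SZ"):
            values = line.split()[3:]
            return [v for v in values if v.lower() not in EXPECTED_AUTH_PACKAGES]
    return []


def suspicious_tasks(log: str) -> list[str]:
    """Return .job paths with a random-looking name whose only target is rundll32.exe.

    ComboFix shows the executable but not the DLL argument, so a task that does
    nothing but start rundll32.exe under a nonsense name is the signal.
    """
    lines = log.splitlines()
    found = []
    for i in range(len(lines) - 1):
        task = TASK_RE.match(lines[i])
        target = TARGET_RE.match(lines[i + 1])
        if not task or not target:
            continue
        exe = target.group("exe").lower()
        if exe.endswith("\\rundll32.exe") and RANDOM_NAME_RE.match(task.group("name")):
            found.append(task.group("path"))
    return found


def decode_reg_multi_sz(hex7: str) -> list[str]:
    """Decode a REGEDIT4-style 'hex(7):..' REG_MULTI_SZ value into its strings.

    In the REGEDIT4 format ComboFix uses, each character is one byte; strings
    are NUL-terminated and the whole list ends with an extra NUL.
    """
    raw = bytes(int(b, 16) for b in hex7.split(":", 1)[1].split(","))
    return [s for s in raw.decode("latin-1").split("\x00") if s]


def fix_restores_default(hex7: str) -> bool:
    """True if the CFScript Registry:: value puts the list back to msv1_0 only."""
    return decode_reg_multi_sz(hex7) == EXPECTED_AUTH_PACKAGES


if __name__ == "__main__":
    print("rogue auth packages:", rogue_auth_packages(SAMPLE_LOG))
    print("suspicious tasks:", suspicious_tasks(SAMPLE_LOG))
    script_value = "hex(7):6d,73,76,31,5f,30,00,00"  # the value from the CFScript above
    print("CFScript value decodes to:", decode_reg_multi_sz(script_value),
          "- restores default:", fix_restores_default(script_value))
```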

#5 Drexxy

  • Topic Starter
  • Members
  • 9 posts

Posted 17 January 2009 - 09:01 PM

ComboFix
ComboFix 09-01-17.03 - Trish 2009-01-17 19:12:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.595 [GMT -5:00]
Running from: c:\documents and settings\Trish\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Trish\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\Tasks\hhxdfsyd.job
c:\windows\Tasks\nlbvrtvv.job
c:\windows\Tasks\qmuqixui.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\SelectRebates
c:\program files\SelectRebates\SelectRebatesDownload.exe
c:\windows\system32\luvlxqgx.dll
c:\windows\Tasks\hhxdfsyd.job
c:\windows\Tasks\nlbvrtvv.job
c:\windows\Tasks\qmuqixui.job

.
((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.

2009-01-17 17:03 . 2009-01-17 17:03 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-17 17:03 . 2009-01-17 17:03 1,409 --a------ c:\windows\QTFont.for
2009-01-17 00:08 . 2009-01-17 00:08 197,976 -ra------ c:\windows\system32\cpnprt2.cid
2009-01-13 16:46 . 2008-04-13 19:12 116,224 --a------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-01-13 16:46 . 2001-08-17 22:37 99,865 --a------ c:\windows\system32\dllcache\xlog.exe
2009-01-13 16:46 . 2001-08-17 22:37 27,648 --a------ c:\windows\system32\dllcache\xrxftplt.exe
2009-01-13 16:46 . 2001-08-17 22:36 23,040 --a------ c:\windows\system32\dllcache\xrxwbtmp.dll
2009-01-13 16:46 . 2004-08-03 21:29 19,455 --a------ c:\windows\system32\dllcache\wvchntxx.sys
2009-01-13 16:46 . 2008-04-13 19:12 18,944 --a------ c:\windows\system32\dllcache\xrxscnui.dll
2009-01-13 16:46 . 2001-08-17 12:11 16,970 --a------ c:\windows\system32\dllcache\xem336n5.sys
2009-01-13 16:46 . 2004-08-03 21:29 12,063 --a------ c:\windows\system32\dllcache\wsiintxx.sys
2009-01-13 16:46 . 2008-04-13 19:12 8,192 --a------ c:\windows\system32\dllcache\wshirda.dll
2009-01-13 16:46 . 2001-08-17 22:37 4,608 --a------ c:\windows\system32\dllcache\xrxflnch.exe
2009-01-13 16:45 . 2001-08-17 13:28 771,581 --a------ c:\windows\system32\dllcache\winacisa.sys
2009-01-13 16:45 . 2004-08-03 21:31 154,624 --a------ c:\windows\system32\dllcache\wlluc48.sys
2009-01-13 16:45 . 2001-08-17 12:12 34,890 --a------ c:\windows\system32\dllcache\wlandrv2.sys
2009-01-13 16:45 . 2008-04-13 13:36 8,832 --a------ c:\windows\system32\dllcache\wmiacpi.sys
2009-01-13 16:43 . 2001-08-17 13:28 794,654 --a------ c:\windows\system32\dllcache\usr1801.sys
2009-01-13 16:42 . 2001-08-17 22:36 525,568 --a------ c:\windows\system32\dllcache\tridxp.dll
2009-01-13 16:41 . 2001-08-17 14:56 440,576 --a------ c:\windows\system32\dllcache\tridkb.dll
2009-01-13 16:40 . 2001-08-17 14:56 172,768 --a------ c:\windows\system32\dllcache\t2r4disp.dll
2009-01-13 16:39 . 2001-08-17 12:18 285,760 --a------ c:\windows\system32\dllcache\stlnata.sys
2009-01-13 16:38 . 2001-08-17 14:56 147,200 --a------ c:\windows\system32\dllcache\smidispb.dll
2009-01-13 16:37 . 2004-08-10 05:00 2,178,131 --a------ c:\windows\system32\dllcache\shvlres.dll
2009-01-13 16:36 . 2001-08-17 22:36 495,616 --a------ c:\windows\system32\dllcache\sblfx.dll
2009-01-13 16:35 . 2004-08-10 05:00 753,236 --a------ c:\windows\system32\dllcache\rvseres.dll
2009-01-13 16:34 . 2001-08-17 13:28 899,146 --a------ c:\windows\system32\dllcache\r2mdkxga.sys
2009-01-13 16:33 . 2001-08-17 14:04 173,696 --a------ c:\windows\system32\dllcache\philcam2.sys
2009-01-13 16:32 . 2001-08-17 14:05 351,616 --a------ c:\windows\system32\dllcache\ovcodek2.sys
2009-01-13 16:31 . 2001-08-17 12:50 198,144 --a------ c:\windows\system32\dllcache\nv3.sys
2009-01-13 16:30 . 2001-08-17 12:20 87,040 --a------ c:\windows\system32\dllcache\nm6wdm.sys
2009-01-13 16:28 . 2001-08-17 12:50 103,296 --a------ c:\windows\system32\dllcache\mtxvideo.sys
2009-01-13 16:28 . 2008-04-13 13:46 51,200 --a------ c:\windows\system32\dllcache\msdv.sys
2009-01-13 16:28 . 2008-04-13 13:46 49,024 --a------ c:\windows\system32\dllcache\mstape.sys
2009-01-13 16:28 . 2001-08-17 14:02 35,200 --a------ c:\windows\system32\dllcache\msgame.sys
2009-01-13 16:28 . 2008-04-13 13:54 22,016 --a------ c:\windows\system32\dllcache\msircomm.sys
2009-01-13 16:28 . 2001-08-17 13:50 21,888 --a------ c:\windows\system32\dllcache\mxcard.sys
2009-01-13 16:28 . 2001-08-17 13:49 19,968 --a------ c:\windows\system32\dllcache\mxnic.sys
2009-01-13 16:28 . 2001-08-17 22:36 19,968 --a------ c:\windows\system32\dllcache\mxicfg.dll
2009-01-13 16:28 . 2008-04-13 13:46 15,232 --a------ c:\windows\system32\dllcache\mpe.sys
2009-01-13 16:28 . 2001-08-17 13:48 12,416 --a------ c:\windows\system32\dllcache\msriffwv.sys
2009-01-13 16:28 . 2001-08-17 13:48 6,016 --a------ c:\windows\system32\dllcache\msfsio.sys
2009-01-13 16:28 . 2001-08-17 14:00 2,944 --a------ c:\windows\system32\dllcache\msmpu401.sys
2009-01-13 16:26 . 2001-08-17 13:28 727,786 --a------ c:\windows\system32\dllcache\ltck000c.sys
2009-01-13 16:25 . 2001-08-17 22:36 372,824 --a------ c:\windows\system32\dllcache\iconf32.dll
2009-01-13 16:24 . 2008-04-13 19:11 702,845 --a------ c:\windows\system32\dllcache\i81xdnt5.dll
2009-01-13 16:23 . 2004-08-10 05:00 1,175,635 --a------ c:\windows\system32\dllcache\hrtzres.dll
2009-01-13 16:22 . 2001-08-17 14:56 1,733,120 --a------ c:\windows\system32\dllcache\g400d.dll
2009-01-13 16:21 . 2001-08-17 12:14 444,416 --a------ c:\windows\system32\dllcache\fpcibase.sys
2009-01-13 16:20 . 2001-08-17 13:28 634,134 --a------ c:\windows\system32\dllcache\el656ct5.sys
2009-01-13 16:19 . 2001-08-17 12:14 952,007 --a------ c:\windows\system32\dllcache\diwan.sys
2009-01-13 16:18 . 2001-08-17 22:36 419,357 --a------ c:\windows\system32\dllcache\dgconfig.dll
2009-01-13 16:17 . 2001-08-17 12:13 980,034 --a------ c:\windows\system32\dllcache\cicap.sys
2009-01-13 16:16 . 2004-08-10 05:00 1,817,687 --a------ c:\windows\system32\dllcache\bckgres.dll
2009-01-13 16:15 . 2001-08-17 13:28 762,780 --a------ c:\windows\system32\dllcache\3cwmcru.sys
2009-01-13 16:13 . 2004-08-10 05:00 169,984 --a------ c:\windows\system32\dllcache\iisui.dll
2009-01-13 16:13 . 2004-08-10 05:00 94,720 --a------ c:\windows\system32\dllcache\certmap.ocx
2009-01-13 16:13 . 2001-08-17 14:56 66,048 --a------ c:\windows\system32\dllcache\s3legacy.dll
2009-01-13 16:13 . 2004-08-10 05:00 19,968 --a------ c:\windows\system32\dllcache\inetsloc.dll
2009-01-13 16:13 . 2004-08-10 05:00 14,336 --a------ c:\windows\system32\dllcache\iisreset.exe
2009-01-13 16:13 . 2004-08-10 05:00 7,680 --a------ c:\windows\system32\dllcache\inetmgr.exe
2009-01-13 16:13 . 2004-08-10 05:00 7,168 --a------ c:\windows\system32\dllcache\wamregps.dll
2009-01-13 16:13 . 2004-08-10 05:00 6,144 --a------ c:\windows\system32\dllcache\ftpsapi2.dll
2009-01-13 16:13 . 2004-08-10 05:00 5,632 --a------ c:\windows\system32\dllcache\iisrstap.dll
2009-01-13 15:25 . 2009-01-13 15:25 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-01-10 19:50 . 2009-01-10 20:21 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-10 19:50 . 2009-01-10 20:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-10 03:11 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-10 03:10 . 2009-01-10 07:03 <DIR> d-------- c:\documents and settings\Trish\Application Data\HouseCall 6.6
2009-01-09 20:24 . 2009-01-09 21:08 <DIR> d-------- c:\documents and settings\Trish\Application Data\Twain
2009-01-09 20:06 . 2009-01-09 20:06 <DIR> d-------- c:\documents and settings\Trish\Application Data\Malwarebytes
2009-01-09 20:06 . 2009-01-09 20:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-08 19:26 . 2009-01-10 20:21 <DIR> d-------- c:\documents and settings\Trish\Application Data\cogad
2009-01-03 18:07 . 2008-08-14 05:09 2,145,280 --a------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-03 18:07 . 2008-08-14 04:33 2,023,936 --a------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-03 17:56 . 2009-01-03 17:56 <DIR> d-------- c:\windows\system32\scripting
2009-01-03 17:56 . 2009-01-03 17:56 <DIR> d-------- c:\windows\system32\en
2009-01-03 17:56 . 2009-01-03 17:56 <DIR> d-------- c:\windows\l2schemas
2009-01-03 17:52 . 2009-01-03 17:57 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-02 22:37 . 2003-02-28 18:26 139,536 --a------ c:\windows\system32\javaee.dll
2009-01-01 20:51 . 2009-01-01 20:51 <DIR> d-------- c:\documents and settings\Trish\Application Data\iWin
2008-12-29 20:15 . 2008-12-29 20:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCPitstop
2008-12-29 18:31 . 2008-12-29 18:30 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-28 20:38 . 2008-12-28 20:38 <DIR> d-------- c:\program files\Windows Installer Clean Up
2008-12-28 20:37 . 2008-12-28 20:38 <DIR> d-------- c:\program files\MSECACHE
2008-12-28 20:24 . 2008-12-28 20:24 <DIR> d-------- c:\documents and settings\Ethan\Application Data\Flock
2008-12-28 19:15 . 2008-12-28 19:15 <DIR> d-------- c:\documents and settings\Ethan\Application Data\Talkback
2008-12-28 19:12 . 2008-12-28 19:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\SupportSoft
2008-12-28 19:11 . 2008-12-28 19:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCDr
2008-12-28 19:11 . 2008-12-28 19:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC-Doctor
2008-12-28 19:10 . 2008-12-28 19:11 <DIR> d-------- c:\program files\Dell Support Center
2008-12-28 19:10 . 2008-12-28 19:10 <DIR> d-------- c:\program files\Common Files\supportsoft
2008-12-28 18:39 . 2008-12-28 18:39 <DIR> d-------- c:\documents and settings\Sue\Application Data\Talkback
2008-12-28 18:17 . 2008-12-28 18:18 <DIR> d-------- c:\documents and settings\Trish\.SunDownloadManager
2008-12-28 17:59 . 2008-12-28 17:59 <DIR> d-------- C:\VundoFix Backups
2008-12-28 17:59 . 2008-12-28 17:59 <DIR> d-------- c:\program files\Veoh Networks
2008-12-28 17:46 . 2008-12-28 17:46 <DIR> d-------- c:\documents and settings\Trish\Application Data\Flock
2008-12-28 17:42 . 2008-12-29 22:12 <DIR> d-------- c:\program files\Flock
2008-12-28 16:43 . 2003-02-28 16:34 313,856 --a------ c:\windows\system32\dx3j.dll
2008-12-28 16:43 . 2003-02-28 18:26 171,280 --a------ c:\windows\system32\jit.dll
2008-12-28 16:43 . 2003-02-28 18:26 46,352 --a------ c:\windows\setdebug.exe
2008-12-28 16:43 . 2003-02-28 16:54 7,315 --a------ c:\windows\system32\javasup.vxd
2008-12-28 16:43 . 2003-02-28 16:35 6,550 --a------ c:\windows\jautoexp.dat
2008-12-28 15:02 . 2008-12-28 17:53 <DIR> d-------- c:\documents and settings\Trish\.housecall6.6
2008-12-28 13:13 . 2008-12-28 13:13 <DIR> d-------- c:\documents and settings\Trish\Application Data\Talkback
2008-12-28 01:33 . 2008-12-28 01:33 45 --a------ c:\windows\system32\RPVersion.ini
2008-12-28 01:30 . 1999-12-17 22:43 86,016 --------- c:\windows\unvise32.exe
2008-12-28 01:25 . 2008-12-28 01:25 583 --a------ c:\windows\RegGenie.ini
2008-12-28 01:23 . 2008-11-27 04:35 158,720 --a------ c:\windows\RegGenieOnUninstall.exe
2008-12-28 01:03 . 2008-12-28 01:03 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Neopets Toolbar
2008-12-27 18:44 . 2008-12-27 18:44 164 --a------ C:\install.dat
2008-12-26 19:01 . 2007-03-29 07:56 18,944 --a------ c:\windows\system32\SET395.tmp
2008-12-26 19:01 . 2007-03-29 07:56 8,192 --a------ c:\windows\system32\SET397.tmp
2008-12-26 19:01 . 2007-03-29 07:56 8,192 --------- c:\windows\system32\dllcache\SET39E.tmp
2008-12-26 19:01 . 2007-03-29 07:56 7,168 --a------ c:\windows\system32\SET396.tmp
2008-12-26 19:01 . 2007-03-29 07:56 7,168 --------- c:\windows\system32\dllcache\SET39D.tmp
2008-12-26 18:50 . 2008-12-26 19:10 <DIR> d-------- c:\program files\Microsoft Windows OneCare Live
2008-12-26 18:27 . 2008-12-26 18:29 1 --a------ c:\windows\system32\za.dat
2008-12-26 15:57 . 2008-12-26 18:50 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-26 15:27 . 2008-12-26 15:52 <DIR> d-------- c:\documents and settings\Trish\Application Data\ByteCrusher
2008-12-25 13:35 . 2008-12-25 13:35 <DIR> d-------- c:\windows\Profiles
2008-12-25 13:35 . 2008-12-25 13:35 <DIR> d-------- c:\program files\Learn2.com
2008-12-25 10:44 . 2008-12-25 10:44 <DIR> d-------- c:\documents and settings\Trish\Application Data\CANON INC
2008-12-25 10:44 . 2009-01-02 22:29 <DIR> d-------- c:\documents and settings\Trish\Application Data\CameraWindowDC
2008-12-25 10:40 . 2009-01-02 22:34 <DIR> d-------- c:\documents and settings\Trish\Application Data\ZoomBrowser EX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-17 21:19 --------- d-----w c:\program files\dl_Cats
2009-01-17 05:33 --------- d-----w c:\program files\Coupons
2009-01-16 01:22 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-01-09 23:29 --------- d-----w c:\program files\Common Files\Real
2009-01-09 00:42 --------- d-----w c:\program files\Yahoo!
2009-01-02 23:53 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-30 23:33 --------- d-----w c:\program files\Java
2008-12-30 23:10 --------- d-----w c:\program files\McAfee
2008-12-30 03:11 --------- d-----w c:\program files\WildTangent
2008-12-30 03:11 --------- d-----w c:\program files\Dell Games
2008-12-30 02:50 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-29 23:30 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-29 00:13 --------- d-----w c:\documents and settings\All Users\Application Data\Dell
2008-12-28 23:57 --------- d--h--r c:\documents and settings\Ethan\Application Data\yahoo!
2008-12-28 23:56 --------- d-----w c:\program files\Web Publish
2008-12-28 21:43 155,995 ----a-w c:\windows\java\Packages\4V5ZJNZD.ZIP
2008-12-28 04:18 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-27 00:50 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-26 21:25 --------- d-----w c:\program files\VideoLAN
2008-12-26 21:07 --------- d-----w c:\program files\Jasc Software Inc
2008-12-26 19:57 --------- d-----w c:\program files\DNA
2008-12-26 19:57 --------- d-----w c:\program files\DivX
2008-12-26 19:56 --------- d-----w c:\documents and settings\Trish\Application Data\BitTorrent
2008-12-25 17:38 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-25 15:45 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-12-15 12:24 --------- d-----w c:\documents and settings\Wayne\Application Data\Yahoo!
2008-12-13 03:59 --------- d-----w c:\documents and settings\Trish\Application Data\Corel
2008-12-12 17:01 3,067,904 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\dllcache\srv.sys
2008-11-28 00:36 --------- d-----w c:\documents and settings\Trish\Application Data\Pogo Games
2008-11-18 23:37 --------- d-----w c:\program files\Picaboo
2008-11-18 23:37 --------- d-----w c:\documents and settings\Trish\Application Data\Picaboo
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\dllcache\gdi32.dll
2007-06-13 23:32 25,990,392 -c--a-w c:\program files\FLV PlayerRCSetup.exe
.

((((((((((((((((((((((((((((( snapshot@2009-01-16_17.21.26.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-16 21:40:26 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-17 21:24:17 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-16 21:40:26 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-17 21:24:17 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-16 21:40:26 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-17 21:24:17 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-14 00:11:52 147,968 ----a-w c:\windows\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:46:57 147,968 ----a-w c:\windows\system32\dllcache\dnsapi.dll
- 2008-04-14 00:12:01 245,248 ----a-w c:\windows\system32\dllcache\mswsock.dll
+ 2008-06-20 17:46:57 245,248 ----a-w c:\windows\system32\dllcache\mswsock.dll
- 2008-04-13 19:20:16 361,344 ----a-w c:\windows\system32\dllcache\tcpip.sys
+ 2008-06-20 11:51:12 361,600 ----a-w c:\windows\system32\dllcache\tcpip.sys
- 2008-04-13 19:00:02 225,664 ----a-w c:\windows\system32\dllcache\tcpip6.sys
+ 2008-06-20 11:08:27 225,856 ----a-w c:\windows\system32\dllcache\tcpip6.sys
- 2008-04-14 00:11:52 147,968 ----a-w c:\windows\system32\dnsapi.dll
+ 2008-06-20 17:46:57 147,968 ----a-w c:\windows\system32\dnsapi.dll
- 2008-04-13 19:20:16 361,344 ----a-w c:\windows\system32\drivers\tcpip.sys
+ 2008-06-20 11:51:12 361,600 ----a-w c:\windows\system32\drivers\tcpip.sys
- 2008-04-13 19:00:02 225,664 ----a-w c:\windows\system32\drivers\tcpip6.sys
+ 2008-06-20 11:08:27 225,856 ----a-w c:\windows\system32\drivers\tcpip6.sys
+ 2009-01-09 22:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2008-04-14 00:12:01 245,248 ----a-w c:\windows\system32\mswsock.dll
+ 2008-06-20 17:46:57 245,248 ----a-w c:\windows\system32\mswsock.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"cogad"="c:\documents and settings\Trish\Application Data\cogad\cogad.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 106496]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-03 304008]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-11-16 106496]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-24 206064]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2008-06-13 1176808]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2008-07-10 5129504]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-12-06 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqPfFyX]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk
backup=c:\windows\pss\CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2004-08-10 05:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-10 05:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-10 05:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-10 05:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-10 05:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-29 18:30 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-07-09 16:33 36352 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-08-23 12:12 1617920 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\WINDOWS\\system32\\dlcxcoms.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcuimgr.exe"=
"c:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"=
"c:\\Program Files\\Dell Photo AIO Printer 926\\dlcxmon.exe"=
"c:\\Program Files\\Yahoo!\\Search Protection\\SearchProtection.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)

R4 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-10-02 206096]
.
Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-16 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (D71XW6C1-Sue).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2008-06-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2007-02-18 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1C9E090C-9BA6-404D-A232-C143E319E653} - (no file)
BHO-{2CE3E644-D239-4784-BE2C-75AD92A539E1} - (no file)
BHO-{498D5F6A-9FC4-45E2-BECE-3E4B12AB0C2B} - (no file)
BHO-{894070BA-DB7D-4952-A409-57DED4870A0D} - (no file)
BHO-{98514361-E3F4-424E-8BFA-391E3974D09D} - (no file)
BHO-{aaff3103-48f3-4b18-ab6e-c7be6335a14a} - (no file)
BHO-{C1DE144F-E4D7-4B95-8F66-64D3D0E30E6E} - (no file)
Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
Toolbar-Reg - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyServer = 0.0.0.0:80
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Trish\Application Data\Mozilla\Firefox\Profiles\4wwox5e9.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com
FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?o=101447&l=dis&q=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Trish\Application Data\Mozilla\Firefox\Profiles\4wwox5e9.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 19:15:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-17 19:18:02
ComboFix-quarantined-files.txt 2009-01-18 00:16:52
ComboFix2.txt 2009-01-16 22:23:43

Pre-Run: 51,364,397,056 bytes free
Post-Run: 51,353,980,928 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
374 --- E O F --- 2009-01-17 05:55:09

DDS


DDS (Ver_09-01-07.01) - NTFSx86
Run by Trish at 19:19:24.64 on Sat 01/17/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.562 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Trish\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyServer = 0.0.0.0:80
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Neopets: {cd292324-974f-4224-d074-caca427aa030} - c:\progra~1\neopets\toolbar\Toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Neopets: {cd292324-974f-4224-d074-caca427aa030} - c:\progra~1\neopets\toolbar\Toolbar.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Refresh Bar: {6f2db0ca-d4ca-455b-9f0b-db135c875345} - c:\program files\refresh bar\IERefresh.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [cogad] "c:\documents and settings\trish\application data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,_RunDLLEntry@16
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [dlcxmon.exe] "c:\program files\dell photo aio printer 926\dlcxmon.exe"
mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 926\memcard.exe"
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {F009BAD5-2FAF-4E10-B7AA-61A22524AC30} - {6F2DB0CA-D4CA-455B-9F0B-DB135C875345} - c:\program files\refresh bar\IERefresh.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\trish\applic~1\mozilla\firefox\profiles\4wwox5e9.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com
FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?o=101447&l=dis&q=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\trish\application data\mozilla\firefox\profiles\4wwox5e9.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-18 207656]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-18 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-18 35240]
R4 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-2 206096]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-18 358736]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-18 144704]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-18 34152]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-18 40488]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-18 605512]

=============== Created Last 30 ================

2009-01-17 19:11 <DIR> --d----- C:\ComboFix
2009-01-17 17:03 54,156 a---h--- c:\windows\QTFont.qfn
2009-01-17 17:03 1,409 a------- c:\windows\QTFont.for
2009-01-17 00:08 197,976 a----r-- c:\windows\system32\cpnprt2.cid
2009-01-16 17:10 <DIR> a-dshr-- C:\cmdcons
2009-01-16 17:06 161,792 a------- c:\windows\SWREG.exe
2009-01-16 17:06 98,816 a------- c:\windows\sed.exe
2009-01-13 16:46 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll
2009-01-13 16:46 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-01-13 16:46 18,944 a------- c:\windows\system32\dllcache\xrxscnui.dll
2009-01-13 16:46 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe
2009-01-13 16:46 4,608 a------- c:\windows\system32\dllcache\xrxflnch.exe
2009-01-13 16:46 99,865 a------- c:\windows\system32\dllcache\xlog.exe
2009-01-13 16:46 16,970 a------- c:\windows\system32\dllcache\xem336n5.sys
2009-01-13 16:46 19,455 a------- c:\windows\system32\dllcache\wvchntxx.sys
2009-01-13 16:46 12,063 a------- c:\windows\system32\dllcache\wsiintxx.sys
2009-01-13 16:46 8,192 a------- c:\windows\system32\dllcache\wshirda.dll
2009-01-13 16:45 8,832 a------- c:\windows\system32\dllcache\wmiacpi.sys
2009-01-13 16:45 154,624 a------- c:\windows\system32\dllcache\wlluc48.sys
2009-01-13 16:45 34,890 a------- c:\windows\system32\dllcache\wlandrv2.sys
2009-01-13 16:45 771,581 a------- c:\windows\system32\dllcache\winacisa.sys
2009-01-13 16:43 604,253 a------- c:\windows\system32\dllcache\vmodem.sys
2009-01-13 16:42 94,720 a------- c:\windows\system32\dllcache\umaxud32.dll
2009-01-13 16:41 440,576 a------- c:\windows\system32\dllcache\tridkb.dll
2009-01-13 16:40 17,129 a------- c:\windows\system32\dllcache\tdkcd31.sys
2009-01-13 16:39 53,248 a------- c:\windows\system32\dllcache\stlncoin.dll
2009-01-13 16:38 7,040 a------- c:\windows\system32\dllcache\snyaitmc.sys
2009-01-13 16:37 94,698 a------- c:\windows\system32\dllcache\sk98xwin.sys
2009-01-13 16:36 386,560 a------- c:\windows\system32\dllcache\sgiul50.dll
2009-01-13 16:35 75,392 a------- c:\windows\system32\dllcache\s3savmxm.sys
2009-01-13 16:34 3,840 a------- c:\windows\system32\dllcache\rpfun.sys
2009-01-13 16:33 130,942 a------- c:\windows\system32\dllcache\ptserlv.sys
2009-01-13 16:32 105,984 a------- c:\windows\system32\dllcache\phdsext.ax
2009-01-13 16:31 28,032 a------- c:\windows\system32\dllcache\ovcd.sys
2009-01-13 16:30 87,040 a------- c:\windows\system32\dllcache\nm6wdm.sys
2009-01-13 16:28 19,968 a------- c:\windows\system32\dllcache\mxnic.sys
2009-01-13 16:28 19,968 a------- c:\windows\system32\dllcache\mxicfg.dll
2009-01-13 16:28 21,888 a------- c:\windows\system32\dllcache\mxcard.sys
2009-01-13 16:28 103,296 a------- c:\windows\system32\dllcache\mtxvideo.sys
2009-01-13 16:28 49,024 a------- c:\windows\system32\dllcache\mstape.sys
2009-01-13 16:28 12,416 a------- c:\windows\system32\dllcache\msriffwv.sys
2009-01-13 16:28 2,944 a------- c:\windows\system32\dllcache\msmpu401.sys
2009-01-13 16:28 22,016 a------- c:\windows\system32\dllcache\msircomm.sys
2009-01-13 16:28 35,200 a------- c:\windows\system32\dllcache\msgame.sys
2009-01-13 16:28 6,016 a------- c:\windows\system32\dllcache\msfsio.sys
2009-01-13 16:28 51,200 a------- c:\windows\system32\dllcache\msdv.sys
2009-01-13 16:28 15,232 a------- c:\windows\system32\dllcache\mpe.sys
2009-01-13 16:26 727,786 a------- c:\windows\system32\dllcache\ltck000c.sys
2009-01-13 16:25 18,432 a------- c:\windows\system32\dllcache\jupiw.dll
2009-01-13 16:24 61,952 a------- c:\windows\system32\dllcache\icam4ext.dll
2009-01-13 16:23 542,879 a------- c:\windows\system32\dllcache\hsf_msft.sys
2009-01-13 16:22 126,976 a------- c:\windows\system32\dllcache\hpgt34tk.dll
2009-01-13 16:21 7,680 a------- c:\windows\system32\dllcache\ftpctrs2.dll
2009-01-13 16:20 347,550 a------- c:\windows\system32\dllcache\es56tpi.sys
2009-01-13 16:19 24,653 a------- c:\windows\system32\dllcache\el574nd4.sys
2009-01-13 16:18 102,484 a------- c:\windows\system32\dllcache\digiinf.dll
2009-01-13 16:17 42,112 a------- c:\windows\system32\dllcache\crtaud.sys
2009-01-13 16:16 66,082 a------- c:\windows\system32\dllcache\c_20273.nls
2009-01-13 16:15 10,240 a------- c:\windows\system32\dllcache\atipcxxx.sys
2009-01-13 16:13 7,168 a------- c:\windows\system32\dllcache\wamregps.dll
2009-01-13 16:13 66,048 a------- c:\windows\system32\dllcache\s3legacy.dll
2009-01-13 16:13 19,968 a------- c:\windows\system32\dllcache\inetsloc.dll
2009-01-13 16:13 169,984 a------- c:\windows\system32\dllcache\iisui.dll
2009-01-13 16:13 7,680 a------- c:\windows\system32\dllcache\inetmgr.exe
2009-01-13 16:13 14,336 a------- c:\windows\system32\dllcache\iisreset.exe
2009-01-13 16:13 5,632 a------- c:\windows\system32\dllcache\iisrstap.dll
2009-01-13 16:13 6,144 a------- c:\windows\system32\dllcache\ftpsapi2.dll
2009-01-13 16:13 94,720 a------- c:\windows\system32\dllcache\certmap.ocx
2009-01-13 15:25 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-01-10 19:50 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-10 19:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-10 03:11 138,384 a------- c:\windows\system32\drivers\tmcomm.sys
2009-01-10 03:10 <DIR> --d----- c:\docume~1\trish\applic~1\HouseCall 6.6
2009-01-09 20:24 <DIR> --d----- c:\docume~1\trish\applic~1\Twain
2009-01-09 20:06 <DIR> --d----- c:\docume~1\trish\applic~1\Malwarebytes
2009-01-09 20:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-08 19:26 <DIR> --d----- c:\docume~1\trish\applic~1\cogad
2009-01-03 18:07 2,145,280 a------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-03 18:07 2,023,936 a------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-03 17:56 <DIR> --d----- c:\windows\system32\scripting
2009-01-03 17:56 <DIR> --d----- c:\windows\l2schemas
2009-01-03 17:56 <DIR> --d----- c:\windows\system32\en
2009-01-03 17:52 <DIR> --d----- c:\windows\ServicePackFiles
2009-01-02 22:37 139,536 a------- c:\windows\system32\javaee.dll
2009-01-01 20:51 <DIR> --d----- c:\docume~1\trish\applic~1\iWin
2008-12-29 20:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCPitstop
2008-12-29 18:31 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-28 20:38 <DIR> --d----- c:\program files\Windows Installer Clean Up
2008-12-28 20:37 <DIR> --d----- c:\program files\MSECACHE
2008-12-28 19:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCDr
2008-12-28 19:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC-Doctor
2008-12-28 19:10 <DIR> --d----- c:\program files\Dell Support Center
2008-12-28 19:10 <DIR> --d----- c:\program files\common files\supportsoft
2008-12-28 18:17 <DIR> --d----- c:\documents and settings\trish\.SunDownloadManager
2008-12-28 17:59 <DIR> --d----- C:\VundoFix Backups
2008-12-28 17:59 <DIR> --d----- c:\program files\Veoh Networks
2008-12-28 17:46 <DIR> --d----- c:\docume~1\trish\applic~1\Flock
2008-12-28 17:42 <DIR> --d----- c:\program files\Flock
2008-12-28 16:43 46,352 a------- c:\windows\setdebug.exe
2008-12-28 16:43 171,280 a------- c:\windows\system32\jit.dll
2008-12-28 16:43 7,315 a------- c:\windows\system32\javasup.vxd
2008-12-28 16:43 313,856 a------- c:\windows\system32\dx3j.dll
2008-12-28 16:43 6,550 a------- c:\windows\jautoexp.dat
2008-12-28 15:02 <DIR> --d----- c:\documents and settings\trish\.housecall6.6
2008-12-28 01:33 45 a------- c:\windows\system32\RPVersion.ini
2008-12-28 01:30 86,016 -------- c:\windows\unvise32.exe
2008-12-28 01:25 583 a------- c:\windows\RegGenie.ini
2008-12-28 01:23 158,720 a------- c:\windows\RegGenieOnUninstall.exe
2008-12-27 23:55 <DIR> --d----- c:\windows\pss
2008-12-27 18:44 164 a------- C:\install.dat
2008-12-26 19:01 18,944 a------- c:\windows\system32\SET395.tmp
2008-12-26 19:01 8,192 a------- c:\windows\system32\SET397.tmp
2008-12-26 19:01 7,168 a------- c:\windows\system32\SET396.tmp
2008-12-26 19:01 8,192 -------- c:\windows\system32\dllcache\SET39E.tmp
2008-12-26 19:01 7,168 -------- c:\windows\system32\dllcache\SET39D.tmp
2008-12-26 18:50 <DIR> --d----- c:\program files\Microsoft Windows OneCare Live
2008-12-26 18:27 1 a------- c:\windows\system32\za.dat
2008-12-26 15:27 <DIR> --d----- c:\docume~1\trish\applic~1\ByteCrusher
2008-12-25 13:35 <DIR> --d----- c:\windows\Profiles
2008-12-25 13:35 <DIR> --d----- c:\program files\Learn2.com
2008-12-25 10:44 <DIR> --d----- c:\docume~1\trish\applic~1\CameraWindowDC
2008-12-25 10:44 <DIR> --d----- c:\docume~1\trish\applic~1\CANON INC
2008-12-25 10:40 <DIR> --d----- c:\docume~1\trish\applic~1\ZoomBrowser EX
2008-12-25 10:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ZoomBrowser
2008-12-25 10:28 <DIR> --d----- c:\program files\Canon
2008-12-25 10:27 <DIR> --d----- c:\program files\common files\Canon

==================== Find3M ====================

2009-01-03 18:02 88,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-02 22:38 2,678 a------- c:\windows\java\packages\data\DB5B1JVP.DAT
2009-01-02 22:37 2,678 a------- c:\windows\java\packages\data\KV13HZBX.DAT
2009-01-02 22:37 2,678 a------- c:\windows\java\packages\data\E5JD7D3L.DAT
2009-01-02 22:37 2,678 a------- c:\windows\java\packages\data\KW25B31J.DAT
2009-01-02 22:37 2,678 a------- c:\windows\java\packages\data\79BJ7FHF.DAT
2008-12-29 18:30 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-28 16:43 155,995 a------- c:\windows\java\packages\4V5ZJNZD.ZIP
2008-12-28 16:43 2,232 a------- c:\windows\java\packages\data\FXVTZZ5B.DAT
2008-12-25 10:45 3,350 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-12 12:01 3,067,904 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 a------- c:\windows\system32\dllcache\srv.sys
2008-10-24 06:21 455,296 a------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\dllcache\gdi32.dll
2007-06-13 18:32 25,990,392 ac------ c:\program files\FLV PlayerRCSetup.exe

============= FINISH: 19:19:44.70 ===============

#6 Thunder


Posted 18 January 2009 - 06:18 AM

Hello Drexxy,

Did you upload the sample file?

Are you still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#7 Drexxy


Posted 20 January 2009 - 06:08 PM

Well, so far so good.. no more program popups (still have Explorer disabled), no more trojans detected. As for the upload.. Combo never asked me to restart and I haven't been able to upload the virus sample. Is there another way to do it?

#8 Thunder


Posted 21 January 2009 - 05:55 AM

Hello Drexxy,

Another easy way to upload a sample file is:
Simply go to http://www.bleepingcomputer.com/submit-malware.php?channel=9
Then:
1. In the first window (Link to topic where this file was requested:) copy and paste this link: http://www.bleepingcomputer.com/forums/topic=195498
2. In the second window (Browse to the file you want to submit:) browse to the C:\Qoobox\Quarantine\[9]Submit@Date_Time.zip file
3. Click the Send file button :thumbsup:
I see you are running Teatimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Open Notepad and copy and paste the text below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cogad"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqPfFyX]

Save this as fix.reg. Choose to save as "all files" and place it on your Desktop.
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Then, you can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

No more issues ?

Greetings,
Thunder
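
The fix.reg above removes one Run value and deletes one Winlogon Notify key. As an added example (not part of the original post and not a BleepingComputer tool), this Python script dry-runs a REGEDIT4-format file and lists the registry operations it would perform, so the contents of a .reg file can be reviewed before merging it; it handles the general format ([-KEY] key deletion, "name"=- value deletion, and plain value assignments), not only the two lines in this thread. The embedded sample is a copy of the post's fix.reg.

```python
import re

# Constructed copy of the fix.reg text from the post above (REGEDIT4 format).
FIX_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cogad"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqPfFyX]
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# "name"=data  or  @=data (the key's default value); backslash escapes inside the name
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text):
    """Dry-run a .reg file: return the operations it would perform as tuples
    ("delete_key", key), ("delete_value", key, name) or ("set_value", key, name, raw_data)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 / Version 5.00 header; regedit would refuse the file")
    ops, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):          # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):                    # [-KEY] deletes the whole key
                ops.append(("delete_key", key[1:]))
                current = None                         # no values may follow a deleted key
            else:
                current = key
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            raise ValueError(f"bad value line or value outside a key: {raw!r}")
        name = "@" if m.group(2) else re.sub(r"\\(.)", r"\1", m.group(1))
        data = m.group(3).strip()
        if data == "-":                                # "name"=- deletes that value
            ops.append(("delete_value", current, name))
        else:                                          # data kept raw ("text", dword:..., hex:...)
            ops.append(("set_value", current, name, data))
    return ops


if __name__ == "__main__":
    for op in parse_reg(FIX_REG):
        print(*op)
```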

#9 Drexxy


Posted 21 January 2009 - 08:05 PM

Thank you so much. Can you tell me what exactly was my problem?

#10 Thunder


Posted 22 January 2009 - 05:16 AM

Glad we could help, Drexxy :thumbsup:

Your problem was mainly a redirector taking over Firefox, combined with a multiple Vundo/Conhook - downloader - trojan infection. Unfortunately, lately these infections are written to trigger each other, making a real mess of your system.

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
