Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

windows update problems.


  • This topic is locked This topic is locked
19 replies to this topic

#1 mishi4915

mishi4915

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:53 PM

Posted 20 January 2009 - 11:19 PM

hello, i have encountered some viruses lately and i don't really know what i'm doing..
okay so i've tried to go to windows update on firefox and internet explorer, but they both link me back to google.
when i click on the links from my search results, it links me to some random site.
and now i get more pop ups than i ever had..
and my computer freezes on me often and after i restart it, it freezes up again.
oh yeah, my disk defragmenter doesn't work either...
i also had a problem when i couldn't double click on my hard drives to open them. it told me c:\resycled\boot.com is not a valid win32 application. i think i fixed it, but i'm not absolutely sure.
these are all the things that i've noticed so far.

here is my dds:

DDS (Ver_09-01-18.01) - NTFSx86
Run by Michelle at 19:37:10.51 on Tue 01/20/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.171 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ntbackup.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ntbackup.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Michelle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptcl.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [BigDog303] c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
mRun: [MskAgentexe] c:\program files\mcafee\msk\MskAgent.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
StartupFolder: c:\documents and settings\michelle\start menu\programs\startup\PowerReg SchedulerV2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: NameServer = 85.255.113.139,85.255.112.125
TCP: {839644B9-35DF-477C-9207-511592AE980D} = 85.255.113.139,85.255.112.125
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michelle\applic~1\mozilla\firefox\profiles\vcszrbsa.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - plugin: c:\documents and settings\michelle\application data\mozilla\firefox\profiles\vcszrbsa.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-4-21 71496]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-4-21 34184]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-4-21 171240]
R3 mfesmfk;McAfee Inc.;c:\windows\system32\drivers\mfesmfk.sys [2007-4-21 37480]
R3 NAVAP;NAVAP;c:\program files\symantec_client_security\symantec antivirus\Navap.sys [2002-6-19 218112]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090119.004\NAVENG.sys [2009-1-19 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090119.004\NAVEX15.sys [2009-1-19 876112]
R4 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2007-4-21 540776]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-29 206096]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-4-21 353368]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 McRedirector;McAfee Redirector Service;c:\progra~1\common~1\mcafee\redirsvc\redirsvc.exe [2007-4-21 256096]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-4-21 144960]
R4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-4-21 643664]
R4 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2002-6-19 29184]
R4 Norton AntiVirus Server;Symantec AntiVirus Client;c:\program files\symantec_client_security\symantec antivirus\Rtvscan.exe [2002-7-30 573440]
S3 mferkdk;McAfee Inc.;c:\windows\system32\drivers\mferkdk.sys [2007-4-21 32008]
S3 SE30bus;Sony Ericsson Device 048 Driver driver (WDM);c:\windows\system32\drivers\SE30bus.sys [2007-10-5 61600]
S3 SE30mdfl;Sony Ericsson Device 048 USB WMC Modem Filter;c:\windows\system32\drivers\SE30mdfl.sys [2007-10-5 9360]
S3 SE30mdm;Sony Ericsson Device 048 USB WMC Modem Driver;c:\windows\system32\drivers\SE30mdm.sys [2007-10-5 97184]
S3 SE30mgmt;Sony Ericsson Device 048 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE30mgmt.sys [2007-10-5 88688]
S3 se30nd5;Sony Ericsson Device 048 USB Ethernet Emulation SEMC48 (NDIS);c:\windows\system32\drivers\se30nd5.sys [2007-10-5 18704]
S3 SE30obex;Sony Ericsson Device 048 USB WMC OBEX Interface;c:\windows\system32\drivers\SE30obex.sys [2007-10-5 86560]
S3 se30unic;Sony Ericsson Device 048 USB Ethernet Emulation SEMC48 (WDM);c:\windows\system32\drivers\se30unic.sys [2007-10-5 90800]

=============== Created Last 30 ================

2009-01-19 20:09 0 -------- c:\windows\VPC32.INI
2009-01-19 19:06 123,619 -------- c:\windows\system32\SYMEVNT.386
2009-01-19 19:06 83,672 -------- c:\windows\system32\S32EVNT1.DLL
2009-01-19 19:06 73,224 -------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-19 19:04 <DIR> --d----- c:\program files\Symantec
2009-01-19 19:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-01-19 19:04 <DIR> --d----- c:\program files\Symantec_Client_Security
2009-01-19 19:04 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-01-19 18:39 2,152 -------- C:\autorun.PNF
2009-01-15 15:30 <DIR> --dshr-- C:\resycled
2009-01-15 15:30 255 ---shr-- C:\autorun.inf
2009-01-11 17:00 410,984 -------- c:\windows\system32\deploytk.dll
2009-01-01 01:49 <DIR> --d----- c:\docume~1\michelle\applic~1\WordPod
2008-12-22 22:39 <DIR> --d----- c:\program files\Red Kawa

==================== Find3M ====================

2008-12-14 19:22 49,632 -c------ c:\docume~1\michelle\applic~1\GDIPFONTCACHEV1.DAT
2008-12-12 22:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 02:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 02:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-11-21 13:47 524,288 -------- c:\windows\system32\DivXsm.exe
2008-11-21 13:47 3,596,288 -------- c:\windows\system32\qt-dx331.dll
2008-11-21 13:46 1,044,480 -------- c:\windows\system32\libdivx.dll
2008-11-21 13:46 200,704 -------- c:\windows\system32\ssldivx.dll
2008-11-21 13:44 161,096 -c------ c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 13:44 12,288 -c------ c:\windows\system32\DivXWMPExtType.dll
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 04:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2007-10-27 08:47 722,176 -c------ c:\documents and settings\michelle\gotomypc_428.exe
2007-01-21 11:13 563,712 -c------ c:\documents and settings\michelle\gotomypc_370.exe
2006-04-29 14:57 563,712 -c------ c:\documents and settings\michelle\370_gotomypc.exe
2008-08-05 14:11 104 -c-shr-- c:\windows\system32\B927A8E3A8.sys
2008-08-05 14:11 6,686 -c-sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-14 11:37 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat
2008-10-03 21:26 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100320081004\index.dat

============= FINISH: 19:39:51.45 ===============

thank you in advance! any help would be greatly appreciated!

Attached Files


Edited by mishi4915, 20 January 2009 - 11:22 PM.


BC AdBot (Login to Remove)

 


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:53 AM

Posted 29 January 2009 - 06:03 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable McAfee:
  • Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
    Right-click it -> chose Exit.
  • A popup will warn that protection will now be disabled. Click on Yes to disable the Antivirus guard.
Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not recieve the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    Posted ImagePosted Image

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    Posted Image
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

In your next reply include:
-the ComboFix log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 mishi4915

mishi4915
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:53 PM

Posted 29 January 2009 - 09:52 PM

thank you thank you thank you for replying to me, panda!
i just finished using combofix. i will post my combofix log below.

COMBOFIX LOG
ComboFix 09-01-21.04 - Michelle 2009-01-29 18:05:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.163 [GMT -8:00]
Running from: c:\documents and settings\Michelle\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\resycled
c:\resycled\boot.com
c:\windows\system32\drivers\gaopdxmxdorgkc.sys
c:\windows\system32\drivers\gaopdxpnmqptnk.sys
c:\windows\system32\gaopdxdskbobqa.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))
.

2009-01-28 22:55 . 2009-01-28 22:55 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-19 20:09 . 2009-01-19 20:09 0 --------- c:\windows\VPC32.INI
2009-01-19 19:06 . 2009-01-19 19:03 123,619 --------- c:\windows\system32\SYMEVNT.386
2009-01-19 19:06 . 2009-01-19 19:03 83,672 --------- c:\windows\system32\S32EVNT1.DLL
2009-01-19 19:06 . 2009-01-19 19:03 73,224 --------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-19 19:04 . 2009-01-19 19:04 <DIR> d-------- c:\program files\Symantec_Client_Security
2009-01-19 19:04 . 2009-01-19 19:06 <DIR> d-------- c:\program files\Symantec
2009-01-19 19:04 . 2009-01-19 19:06 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-01-19 19:04 . 2009-01-19 19:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-01-19 18:56 . 2009-01-19 18:56 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-01-19 18:39 . 2009-01-19 18:39 2,152 --------- C:\autorun.PNF
2009-01-18 01:25 . 2009-01-18 01:28 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-01-16 16:15 . 2009-01-16 16:18 <DIR> d-------- c:\program files\QuickTime
2009-01-11 17:00 . 2009-01-11 17:00 410,984 --------- c:\windows\system32\deploytk.dll
2009-01-01 01:49 . 2009-01-01 01:55 <DIR> d-------- c:\documents and settings\Michelle\Application Data\WordPod
2008-12-22 22:39 . 2008-12-22 22:39 <DIR> d-------- c:\program files\Red Kawa
2008-12-02 17:02 . 2008-12-02 17:03 <DIR> d-------- c:\documents and settings\Michelle\Application Data\EmailNotifier
2008-12-02 17:02 . 2008-12-06 20:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Megaupload
2008-12-02 17:02 . 2008-12-02 17:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\EmailNotifier

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 09:22 --------- d-----w c:\program files\Veoh Networks
2009-01-18 01:27 --------- d-----w c:\documents and settings\Michelle\Application Data\Canon
2009-01-16 02:06 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-16 02:05 --------- d-----w c:\documents and settings\Michelle\Application Data\Samsung
2009-01-16 02:04 --------- d-----w c:\program files\CyberLink
2009-01-16 02:04 --------- d-----w c:\program files\Common Files\Real
2009-01-16 02:02 --------- d-----w c:\program files\Ahead
2009-01-15 23:45 --------- d-----w c:\documents and settings\Michelle\Application Data\uTorrent
2009-01-13 02:19 --------- d-----w c:\documents and settings\Michelle\Application Data\LimeWire
2009-01-12 00:59 --------- d-----w c:\program files\Java
2008-12-18 22:58 --------- d-----w c:\program files\McAfee
2008-12-15 03:22 49,632 -c----w c:\documents and settings\Michelle\Application Data\GDIPFONTCACHEV1.DAT
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-08 04:25 --------- d-----w c:\program files\DivX
2008-12-03 09:29 --------- d-----w c:\program files\Common Files\Adobe
2008-12-03 07:27 --------- d-----w c:\program files\Bonjour
2008-11-29 18:13 --------- d-----w c:\program files\iTunes
2008-11-29 18:13 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-29 18:12 --------- d-----w c:\program files\iPod
2008-11-21 21:47 524,288 ------w c:\windows\system32\DivXsm.exe
2008-11-21 21:47 3,596,288 ------w c:\windows\system32\qt-dx331.dll
2008-11-21 21:46 200,704 ------w c:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ------w c:\windows\system32\libdivx.dll
2008-11-21 21:44 161,096 -c----w c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 -c----w c:\windows\system32\DivXWMPExtType.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 202,776 ------w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:13 1,809,944 ------w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 561,688 ------w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:12 323,608 ------w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 92,696 ------w c:\windows\system32\dllcache\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 51,224 ------w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 22:09 43,544 ------w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:08 34,328 ------w c:\windows\system32\dllcache\wups.dll
2008-10-16 22:06 268,648 ------w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ------w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ------w c:\windows\system32\dllcache\strmdll.dll
2008-10-01 00:43 1,286,152 ------w c:\windows\system32\msxml4.dll
2007-10-27 16:47 722,176 -c----w c:\documents and settings\Michelle\gotomypc_428.exe
2007-01-21 19:13 563,712 -c----w c:\documents and settings\Michelle\gotomypc_370.exe
2006-04-29 22:57 563,712 -c----w c:\documents and settings\Michelle\370_gotomypc.exe
2008-08-05 22:11 104 -csh--r c:\windows\system32\B927A8E3A8.sys
2008-08-05 22:11 6,686 -csh--w c:\windows\system32\KGyGaAvL.sys
2008-09-14 19:37 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091420080915\index.dat
2008-10-04 05:26 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100320081004\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MskAgentexe"="c:\program files\McAfee\MSK\MskAgent.exe" [2007-01-17 152144]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-11 136600]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\Michelle\Start Menu\Programs\Startup\
PowerReg SchedulerV2.exe [2006-02-08 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-02-05 156784]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\C:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-09-29 206096]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-11-19 24652]
S3 SE30bus;Sony Ericsson Device 048 Driver driver (WDM);c:\windows\system32\drivers\SE30bus.sys [2007-10-05 61600]
S3 SE30mdfl;Sony Ericsson Device 048 USB WMC Modem Filter;c:\windows\system32\drivers\SE30mdfl.sys [2007-10-05 9360]
S3 SE30mdm;Sony Ericsson Device 048 USB WMC Modem Driver;c:\windows\system32\drivers\SE30mdm.sys [2007-10-05 97184]
S3 SE30mgmt;Sony Ericsson Device 048 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE30mgmt.sys [2007-10-05 88688]
S3 se30nd5;Sony Ericsson Device 048 USB Ethernet Emulation SEMC48 (NDIS);c:\windows\system32\drivers\se30nd5.sys [2007-10-05 18704]
S3 SE30obex;Sony Ericsson Device 048 USB WMC OBEX Interface;c:\windows\system32\drivers\SE30obex.sys [2007-10-05 86560]
S3 se30unic;Sony Ericsson Device 048 USB Ethernet Emulation SEMC48 (WDM);c:\windows\system32\drivers\se30unic.sys [2007-10-05 90800]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com f:
\Shell\Open\command - h:\resycled\boot.com f:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f81d370-b825-11da-b278-00038a000015}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com j:
\Shell\Open\command - j:\resycled\boot.com j:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{551b8fb3-c82c-11dd-b589-00038a000015}]
\Shell\AutoRun\command - ij.bat
\Shell\explore\Command - ij.bat
\Shell\open\Command - ij.bat
.
Contents of the 'Scheduled Tasks' folder

2008-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)
HKLM-Run-BigDog303 - c:\windows\VM303_STI.EXE


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
FF - ProfilePath - c:\documents and settings\Michelle\Application Data\Mozilla\Firefox\Profiles\vcszrbsa.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Michelle\Application Data\Mozilla\Firefox\Profiles\vcszrbsa.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 18:12:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-29 18:15:11
ComboFix-quarantined-files.txt 2009-01-30 02:15:06

Pre-Run: 52,175,147,008 bytes free
Post-Run: 52,378,959,872 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
237 --- E O F --- 2009-01-14 07:32:03




HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:47 PM, on 1/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.139,85.255.112.125
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.139,85.255.112.125
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Michelle/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 10486 bytes



here you go.
you asked for the changes ive made. well, ive deleted some minor programs. i cant remember any specifically. sorry.
i didnt do anything major that i can remember.
so hows my computer? good, bad?
thanks again for helping me out!

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:53 AM

Posted 30 January 2009 - 08:16 AM

Hello.

Doesn't look to bad.

Run ComboFix with CFScript
We will run ComboFix again. The instructions are slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/196911/windows-update-problems/
    
    Suspect::[59]
    c:\documents and settings\Michelle\gotomypc_428.exe
    c:\documents and settings\Michelle\gotomypc_370.exe
    c:\documents and settings\Michelle\370_gotomypc.exe
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f81d370-b825-11da-b278-00038a000015}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{551b8fb3-c82c-11dd-b589-00038a000015}]
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
  • Close all windows at this point.
  • Refering to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
At the end of its run ComboFix will attempt to upload some files. Please make sure you are connected to the Internet before clicking "OK".

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware setup and to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using File Assasin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able update using the normal method download the update file from here, using another machine if needed. Simple double click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.
Please post back with:
-the ComboFix log
-the MalwareBytes log

How is your computer running now?

With Regards,
The Panda

#5 mishi4915

mishi4915
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:53 PM

Posted 30 January 2009 - 07:52 PM

hey. here is my combofix log and below it is the malwarebytes log.
i see that seven things are in quarantine, do i delete them or leave them there?

COMBOFIX LOG

ComboFix 09-01-21.04 - Michelle 2009-01-30 15:02:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.237 [GMT -8:00]
Running from: c:\documents and settings\Michelle\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michelle\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Outdated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))
.

2009-01-29 18:32 . 2009-01-29 18:32 <DIR> d-------- c:\program files\Trend Micro
2009-01-29 18:28 . 2009-01-29 18:33 <DIR> d-------- C:\HJT
2009-01-28 22:55 . 2009-01-28 22:55 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-19 20:09 . 2009-01-19 20:09 0 --------- c:\windows\VPC32.INI
2009-01-19 19:06 . 2009-01-19 19:03 123,619 --------- c:\windows\system32\SYMEVNT.386
2009-01-19 19:06 . 2009-01-19 19:03 83,672 --------- c:\windows\system32\S32EVNT1.DLL
2009-01-19 19:06 . 2009-01-19 19:03 73,224 --------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-19 19:04 . 2009-01-19 19:04 <DIR> d-------- c:\program files\Symantec_Client_Security
2009-01-19 19:04 . 2009-01-19 19:06 <DIR> d-------- c:\program files\Symantec
2009-01-19 19:04 . 2009-01-19 19:06 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-01-19 19:04 . 2009-01-19 19:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-01-19 18:56 . 2009-01-19 18:56 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-01-19 18:39 . 2009-01-19 18:39 2,152 --------- C:\autorun.PNF
2009-01-18 01:25 . 2009-01-18 01:28 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-01-16 16:15 . 2009-01-16 16:18 <DIR> d-------- c:\program files\QuickTime
2009-01-11 17:00 . 2009-01-11 17:00 410,984 --------- c:\windows\system32\deploytk.dll
2009-01-01 01:49 . 2009-01-01 01:55 <DIR> d-------- c:\documents and settings\Michelle\Application Data\WordPod
2008-12-22 22:39 . 2008-12-22 22:39 <DIR> d-------- c:\program files\Red Kawa
2008-12-02 17:02 . 2008-12-02 17:03 <DIR> d-------- c:\documents and settings\Michelle\Application Data\EmailNotifier
2008-12-02 17:02 . 2008-12-06 20:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Megaupload
2008-12-02 17:02 . 2008-12-02 17:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\EmailNotifier

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 09:22 --------- d-----w c:\program files\Veoh Networks
2009-01-18 01:27 --------- d-----w c:\documents and settings\Michelle\Application Data\Canon
2009-01-16 02:06 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-16 02:05 --------- d-----w c:\documents and settings\Michelle\Application Data\Samsung
2009-01-16 02:04 --------- d-----w c:\program files\CyberLink
2009-01-16 02:04 --------- d-----w c:\program files\Common Files\Real
2009-01-16 02:02 --------- d-----w c:\program files\Ahead
2009-01-15 23:45 --------- d-----w c:\documents and settings\Michelle\Application Data\uTorrent
2009-01-13 02:19 --------- d-----w c:\documents and settings\Michelle\Application Data\LimeWire
2009-01-12 00:59 --------- d-----w c:\program files\Java
2008-12-18 22:58 --------- d-----w c:\program files\McAfee
2008-12-15 03:22 49,632 -c----w c:\documents and settings\Michelle\Application Data\GDIPFONTCACHEV1.DAT
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-08 04:25 --------- d-----w c:\program files\DivX
2008-12-03 09:29 --------- d-----w c:\program files\Common Files\Adobe
2008-12-03 07:27 --------- d-----w c:\program files\Bonjour
2008-11-29 18:13 --------- d-----w c:\program files\iTunes
2008-11-29 18:13 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-29 18:12 --------- d-----w c:\program files\iPod
2008-11-21 21:47 524,288 ------w c:\windows\system32\DivXsm.exe
2008-11-21 21:47 3,596,288 ------w c:\windows\system32\qt-dx331.dll
2008-11-21 21:46 200,704 ------w c:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ------w c:\windows\system32\libdivx.dll
2008-11-21 21:44 161,096 -c----w c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 -c----w c:\windows\system32\DivXWMPExtType.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 202,776 ------w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:13 1,809,944 ------w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 561,688 ------w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:12 323,608 ------w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 92,696 ------w c:\windows\system32\dllcache\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 51,224 ------w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 22:09 43,544 ------w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:08 34,328 ------w c:\windows\system32\dllcache\wups.dll
2008-10-16 22:06 268,648 ------w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ------w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ------w c:\windows\system32\dllcache\strmdll.dll
2008-10-01 00:43 1,286,152 ------w c:\windows\system32\msxml4.dll
2007-10-27 16:47 722,176 -c----w c:\documents and settings\Michelle\gotomypc_428.exe
2007-01-21 19:13 563,712 -c----w c:\documents and settings\Michelle\gotomypc_370.exe
2006-04-29 22:57 563,712 -c----w c:\documents and settings\Michelle\370_gotomypc.exe
2008-08-05 22:11 104 -csh--r c:\windows\system32\B927A8E3A8.sys
2008-08-05 22:11 6,686 -csh--w c:\windows\system32\KGyGaAvL.sys
2008-09-14 19:37 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091420080915\index.dat
2008-10-04 05:26 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100320081004\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-29_18.13.52.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-30 01:41:54 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-30 22:35:48 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-30 01:41:54 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-30 22:35:48 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-14 00:12:05 8,461,312 ----a-w c:\windows\system32\dllcache\shell32.dll
+ 2009-01-30 22:30:19 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_88.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MskAgentexe"="c:\program files\McAfee\MSK\MskAgent.exe" [2007-01-17 152144]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-11 136600]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\Michelle\Start Menu\Programs\Startup\
PowerReg SchedulerV2.exe [2006-02-08 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-02-05 156784]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-09-29 206096]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-11-19 24652]
S3 SE30bus;Sony Ericsson Device 048 Driver driver (WDM);c:\windows\system32\drivers\SE30bus.sys [2007-10-05 61600]
S3 SE30mdfl;Sony Ericsson Device 048 USB WMC Modem Filter;c:\windows\system32\drivers\SE30mdfl.sys [2007-10-05 9360]
S3 SE30mdm;Sony Ericsson Device 048 USB WMC Modem Driver;c:\windows\system32\drivers\SE30mdm.sys [2007-10-05 97184]
S3 SE30mgmt;Sony Ericsson Device 048 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE30mgmt.sys [2007-10-05 88688]
S3 se30nd5;Sony Ericsson Device 048 USB Ethernet Emulation SEMC48 (NDIS);c:\windows\system32\drivers\se30nd5.sys [2007-10-05 18704]
S3 SE30obex;Sony Ericsson Device 048 USB WMC OBEX Interface;c:\windows\system32\drivers\SE30obex.sys [2007-10-05 86560]
S3 se30unic;Sony Ericsson Device 048 USB Ethernet Emulation SEMC48 (WDM);c:\windows\system32\drivers\se30unic.sys [2007-10-05 90800]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
FF - ProfilePath - c:\documents and settings\Michelle\Application Data\Mozilla\Firefox\Profiles\vcszrbsa.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Michelle\Application Data\Mozilla\Firefox\Profiles\vcszrbsa.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-30 15:05:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-30 15:07:43
ComboFix-quarantined-files.txt 2009-01-30 23:07:39
ComboFix2.txt 2009-01-30 02:15:13

Pre-Run: 52,339,712,000 bytes free
Post-Run: 52,317,700,096 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
214 --- E O F --- 2009-01-14 07:32:03






MALWAREBYES

Malwarebytes' Anti-Malware 1.33
Database version: 1710
Windows 5.1.2600 Service Pack 3

1/30/2009 3:19:00 PM
mbam-log-2009-01-30 (15-19-00).txt

Scan type: Quick Scan
Objects scanned: 57546
Time elapsed: 4 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\nowstarter.nowstarterctrl.1 (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{072039ab-2117-4ed5-a85f-9b9eb903e021} (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6f553c18-15e6-4e5e-8f44-add50de754ed} (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{0409743c-e5e3-4bdd-9ec7-eff622530282} (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{40722371-e24c-4b36-8e76-010bb6c7185b} (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{825c19d3-35ce-428f-876b-88e080466689} (Adware.CWS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.139,85.255.112.125 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{839644b9-35df-477c-9207-511592ae980d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.139,85.255.112.125 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\NowStarter.ocx (Adware.CWS) -> Quarantined and deleted successfully.




now my internet explorer opens and i tried to use windows update and it works now!
and the disk defragmenter works too.
i plugged in my external harddrive and the resycled\boot.com is not a valid Win32 application thing popped up again.
this is all i noticed so far.
thanks for helping me out!

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:53 AM

Posted 31 January 2009 - 09:59 AM

Hello.

Download and Run FlashDisinfector
You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

After run ComboFix again just by double clicking it. Post that log.

With Regards,
The Panda

#7 mishi4915

mishi4915
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:53 PM

Posted 01 February 2009 - 02:11 AM

today i opened my external harddrive without the resycled/boot.com thing showing up..
but i used that flash disinfector anyway.
heres my combofix log.

ComboFix 09-01-31.01 - Michelle 2009-01-31 22:50:47.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.179 [GMT -8:00]
Running from: c:\documents and settings\Michelle\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Outdated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

H:\Autorun.inf
H:\resycled
h:\resycled\boot.com

.
((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.

2009-01-30 15:12 . 2009-01-30 15:12 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-30 15:12 . 2009-01-30 15:12 <DIR> d-------- c:\documents and settings\Michelle\Application Data\Malwarebytes
2009-01-30 15:12 . 2009-01-30 15:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-30 15:12 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-30 15:12 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-29 18:32 . 2009-01-29 18:32 <DIR> d-------- c:\program files\Trend Micro
2009-01-29 18:28 . 2009-01-29 18:33 <DIR> d-------- C:\HJT
2009-01-28 22:55 . 2009-01-28 22:55 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-19 20:09 . 2009-01-19 20:09 0 --------- c:\windows\VPC32.INI
2009-01-19 19:06 . 2009-01-19 19:03 123,619 --------- c:\windows\system32\SYMEVNT.386
2009-01-19 19:06 . 2009-01-19 19:03 83,672 --------- c:\windows\system32\S32EVNT1.DLL
2009-01-19 19:06 . 2009-01-19 19:03 73,224 --------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-19 19:04 . 2009-01-19 19:04 <DIR> d-------- c:\program files\Symantec_Client_Security
2009-01-19 19:04 . 2009-01-19 19:06 <DIR> d-------- c:\program files\Symantec
2009-01-19 19:04 . 2009-01-19 19:06 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-01-19 19:04 . 2009-01-19 19:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-01-19 18:56 . 2009-01-19 18:56 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-01-19 18:39 . 2009-01-19 18:39 2,152 --------- C:\autorun.PNF
2009-01-18 01:25 . 2009-01-18 01:28 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-01-16 16:15 . 2009-01-16 16:18 <DIR> d-------- c:\program files\QuickTime
2009-01-11 17:00 . 2009-01-11 17:00 410,984 --------- c:\windows\system32\deploytk.dll
2009-01-01 01:49 . 2009-01-01 01:55 <DIR> d-------- c:\documents and settings\Michelle\Application Data\WordPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 09:22 --------- d-----w c:\program files\Veoh Networks
2009-01-18 01:27 --------- d-----w c:\documents and settings\Michelle\Application Data\Canon
2009-01-16 02:06 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-16 02:05 --------- d-----w c:\documents and settings\Michelle\Application Data\Samsung
2009-01-16 02:04 --------- d-----w c:\program files\CyberLink
2009-01-16 02:04 --------- d-----w c:\program files\Common Files\Real
2009-01-16 02:02 --------- d-----w c:\program files\Ahead
2009-01-15 23:45 --------- d-----w c:\documents and settings\Michelle\Application Data\uTorrent
2009-01-13 02:19 --------- d-----w c:\documents and settings\Michelle\Application Data\LimeWire
2009-01-12 00:59 --------- d-----w c:\program files\Java
2008-12-23 06:39 --------- d-----w c:\program files\Red Kawa
2008-12-18 22:58 --------- d-----w c:\program files\McAfee
2008-12-15 03:22 49,632 -c----w c:\documents and settings\Michelle\Application Data\GDIPFONTCACHEV1.DAT
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-08 04:25 --------- d-----w c:\program files\DivX
2008-12-07 04:10 --------- d-----w c:\documents and settings\All Users\Application Data\Megaupload
2008-12-03 09:29 --------- d-----w c:\program files\Common Files\Adobe
2008-12-03 07:27 --------- d-----w c:\program files\Bonjour
2008-12-03 01:03 --------- d-----w c:\documents and settings\Michelle\Application Data\EmailNotifier
2008-12-03 01:02 --------- d-----w c:\documents and settings\All Users\Application Data\EmailNotifier
2008-11-21 21:47 524,288 ------w c:\windows\system32\DivXsm.exe
2008-11-21 21:47 3,596,288 ------w c:\windows\system32\qt-dx331.dll
2008-11-21 21:46 200,704 ------w c:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ------w c:\windows\system32\libdivx.dll
2008-11-21 21:44 161,096 -c----w c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 -c----w c:\windows\system32\DivXWMPExtType.dll
2007-10-27 16:47 722,176 -c----w c:\documents and settings\Michelle\gotomypc_428.exe
2007-01-21 19:13 563,712 -c----w c:\documents and settings\Michelle\gotomypc_370.exe
2006-04-29 22:57 563,712 -c----w c:\documents and settings\Michelle\370_gotomypc.exe
2008-08-05 22:11 104 -csh--r c:\windows\system32\B927A8E3A8.sys
2008-08-05 22:11 6,686 -csh--w c:\windows\system32\KGyGaAvL.sys
2008-09-14 19:37 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091420080915\index.dat
2008-10-04 05:26 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100320081004\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-29_18.13.52.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 16:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 16:00:00 286,720 ----a-w c:\windows\SWREG.exe
- 2009-01-30 01:41:54 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-01 06:23:30 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-30 01:41:54 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-01 06:23:30 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-14 00:11:54 110,080 ----a-w c:\windows\system32\dllcache\imm32.dll
+ 2008-04-14 00:11:56 22,016 ----a-w c:\windows\system32\dllcache\lpk.dll
+ 2008-04-14 00:11:59 159,232 ----a-w c:\windows\system32\dllcache\msimtf.dll
+ 2008-04-14 00:12:04 399,360 ----a-w c:\windows\system32\dllcache\rpcss.dll
+ 2008-04-14 00:12:05 8,461,312 ----a-w c:\windows\system32\dllcache\shell32.dll
+ 2008-04-14 00:12:08 578,560 ----a-w c:\windows\system32\dllcache\user32.dll
+ 2008-04-14 00:12:08 218,624 ----a-w c:\windows\system32\dllcache\uxtheme.dll
+ 2008-04-14 00:12:09 176,128 ----a-w c:\windows\system32\dllcache\winmm.dll
+ 2008-04-14 00:12:10 22,528 ----a-w c:\windows\system32\dllcache\wsock32.dll
- 2007-10-11 22:12:48 1,468,968 ------w c:\windows\system32\LegitCheckControl.dll
+ 2008-03-21 02:06:36 1,480,232 ------w c:\windows\system32\LegitCheckControl.dll
+ 2009-02-01 06:16:20 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_468.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MskAgentexe"="c:\program files\McAfee\MSK\MskAgent.exe" [2007-01-17 152144]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-11 136600]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\Michelle\Start Menu\Programs\Startup\
PowerReg SchedulerV2.exe [2006-02-08 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-02-05 156784]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-09-29 206096]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-11-19 24652]
S3 SE30bus;Sony Ericsson Device 048 Driver driver (WDM);c:\windows\system32\drivers\SE30bus.sys [2007-10-05 61600]
S3 SE30mdfl;Sony Ericsson Device 048 USB WMC Modem Filter;c:\windows\system32\drivers\SE30mdfl.sys [2007-10-05 9360]
S3 SE30mdm;Sony Ericsson Device 048 USB WMC Modem Driver;c:\windows\system32\drivers\SE30mdm.sys [2007-10-05 97184]
S3 SE30mgmt;Sony Ericsson Device 048 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE30mgmt.sys [2007-10-05 88688]
S3 se30nd5;Sony Ericsson Device 048 USB Ethernet Emulation SEMC48 (NDIS);c:\windows\system32\drivers\se30nd5.sys [2007-10-05 18704]
S3 SE30obex;Sony Ericsson Device 048 USB WMC OBEX Interface;c:\windows\system32\drivers\SE30obex.sys [2007-10-05 86560]
S3 se30unic;Sony Ericsson Device 048 USB Ethernet Emulation SEMC48 (WDM);c:\windows\system32\drivers\se30unic.sys [2007-10-05 90800]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
FF - ProfilePath - c:\documents and settings\Michelle\Application Data\Mozilla\Firefox\Profiles\vcszrbsa.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Michelle\Application Data\Mozilla\Firefox\Profiles\vcszrbsa.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-31 22:54:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-31 22:56:38
ComboFix-quarantined-files.txt 2009-02-01 06:56:34
ComboFix2.txt 2009-01-30 23:07:44
ComboFix3.txt 2009-01-30 02:15:13

Pre-Run: 51,033,538,560 bytes free
Post-Run: 51,074,641,920 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
208 --- E O F --- 2009-01-14 07:32:03


is my computer okay now? or is there still more to do to it?
thank you for helping by the way.

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:53 AM

Posted 01 February 2009 - 12:15 PM

Hello.

Looks good. Let's just get an online scan off.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are recieving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you use Opera browser also...
    [list]
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Any issues at the moment?

With Regards,
The Panda

#9 mishi4915

mishi4915
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:53 PM

Posted 04 February 2009 - 11:00 PM

its been a while since i responded..sorry
well the scanning finally finished.
here are my results.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, February 4, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, February 04, 2009 23:43:30
Records in database: 1752427
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
H:\

Scan statistics:
Files scanned: 92228
Threat name: 4
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 03:23:02


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C200000.VBN Infected: Trojan.Win32.Agent.bknk 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C200001.VBN Infected: Trojan.Win32.Agent.bknk 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\15680003.VBN Infected: Trojan.Win32.Agent2.nn 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\15680005.VBN Infected: Rootkit.Win32.TDSS.eyj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\15680007.VBN Infected: Rootkit.Win32.TDSS.eyj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\15680009.VBN Infected: Rootkit.Win32.TDSS.eyj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\1568000B.VBN Infected: Trojan.Win32.Agent2.lf 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\1568000D.VBN Infected: Rootkit.Win32.TDSS.eyj 1

The selected area was scanned.

my computer doesnt freeze anymore.
i only notice that my computer is slow.

Edited by mishi4915, 04 February 2009 - 11:01 PM.


#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:53 AM

Posted 05 February 2009 - 08:11 AM

That's good to hear.

If it's only slowness, take a HijackThis log so we can disable some startup items.

Download, Install, and Save Log with HijackThis
  • Download the installer HERE onto your desktop and double click it.
  • You may be asked for confirmation for running an executable file. Select Run.
  • You will be asked choose the install location. Please leave it at the default:
    C:\Program Files\Trend Micro\HijackThis.
  • Select Install.
  • The installation process should only take a few seconds. A shortcut named HijackThis will be created on your desktop so there will be no need to access the HijackThis program directly. The HijackThis window will pop-up after the installation.
  • Click Do a System Scan and Save a Log File.
  • The scan will complete in a moment and the log will pop-up.
  • Copy the contents of the log into your next post.

With Regards,
The Panda

#11 mishi4915

mishi4915
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:53 PM

Posted 05 February 2009 - 07:50 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:00:59 PM, on 2/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Michelle/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 10866 bytes


is there still malware in my computer?

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:53 AM

Posted 05 February 2009 - 08:05 PM

Hello.

No. You are clean of infections.

Let's try to free up some memory. I suspect your McAfee suite is taking up a lot of it.

Use HijackThis to Remove Uneeded Startup Entries
Programs that run automatically at startup can take up memory, causing your computer to be slow. Many of these entries are not needed.

Below is a list of entries in your HijackThis log that can be removed safely. Below each entry, you will find a brief description of it. Some are up to preference.

To remove entries you do not want, open HijackThis, select "Do a system scan only", put a check mark next to those entries and select "Fix checked".

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
Related to Windows Messenger. Not required at startup.

O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
"Related to Sigmatel_Audio_sound_card now owned by FreeScale. This program is not required to start automatically."

O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
"IAA Event Monitor User Notification Tool". This is not required at startup.

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
"Control panel for the ATI series of video cards ". This is not required at startup.

O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
"Related to connection events on an Intel chipset based modem" This is not required at startup.

O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

Install Shield Updater. Not required at startup.

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
"Used in connection with memory dumps ". Not required at startup.

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
Java updater. Not required at startup.

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
Required only if you use an iPod.

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
Allows Adobe Reader to open faster. Not required at startup.

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
Required only if you use an iPod.

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
Related to quicktime streaming, though not required for it to function.

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
Norton antivirus. You can remove it since you don't have that anymore.

O4 - Startup: PowerReg SchedulerV2.exe
Not required. This actually has some spyware capabilities. I would advise removing this.

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
AOL tray icon. Not required at startup.

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Related to Microsoft office programs. Not required at startup.
--
Post back a new HijackThis log after removing some of the above.

With Regards,
The Panda

#13 mishi4915

mishi4915
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:53 PM

Posted 06 February 2009 - 12:15 AM

hey.
if i remove these things, then how do i get it back if i wanted to?
because some of those things i don't need every time i turn on my comp.
for example the ituneshelper i dont plug in my ipod everyday,
but when i do put it into my comp, will everything work automatically?
and i dont know what a sound card and video card is..
i watch tv shows and movies on my computer all the time, will it affect my sound?
sorry, i dont know how a computer works. i just know how to use it. haha
sorry for all these questions, i just dont want to do anything that i wont be able to do later on
since you cant help me forever. haha
thanks for all the help you have given me so far!

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:53 AM

Posted 06 February 2009 - 08:13 AM

Hello.

They can be restored at any time using the backup feature in HijackThis. At the opening screen in HijackThis, there is View List of Backups.

If you use an iPod with it at all, keep those.

It should not affect your sound.

If you experience any issues, just restore the backups.

With Regards,
The Panda

#15 mishi4915

mishi4915
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:53 PM

Posted 06 February 2009 - 06:27 PM

i was trying to open firefox and it takes super long to open. i had to wait a few minutes before it opened.

ok thank you for clearing it up.

heres my new hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:19:12 PM, on 2/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Michelle/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 9605 bytes


oh i have a question, its a little off topic but i have no one else to ask...
anyway, i got a new hard drive (thats bigger and faster) because i thought that my computer wasnt fix-able
and i want to transfer EVERYTHING, not just my files but with the windows xp
without reformatting or redownloading any of my programs and etc. into the new hard drive.
is that possible? thanks.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users