
Winpc Defender Installed and Particially Removed


This topic is locked. 17 replies to this topic.

#1 cruck123 (Members, 9 posts)

Posted 23 April 2009 - 07:17 AM

Received an e-mail that had a link that downloaded and installed WinPc Defender. I did not execute the software and attempted a virus/spyware removal process. Cleaned up most of WinPc Defender but unable to access the internet. Windows Firewall/Internet Connection Service not running. Cannot find -k netsvcs executable.

Would like assistance with the cleanup of this issue.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Creed at 8:01:28.84 on Thu 04/23/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.356 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Blvd2009\blvdnews.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Creed.HELEN-PC\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/verizon/*http://www.yahoo.com
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: OToolbarHelper Class: {ead3a971-6a23-4246-8691-c9244e858967} - c:\program files\paypal\paypal plug-in\PayPalHelper.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: PayPal Plug-In: {dc0f2f93-27fa-4f84-acaa-9416f90b9511} - c:\program files\paypal\paypal plug-in\OToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [MSS_NewsFlash] "c:\program files\blvd2009\blvdnews.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [DXDllRegExe] dxdllreg.exe
mRun: [ImgTask] c:\windows\Imgtask.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165442024609
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165442318500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5159/mcfscan.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\bawayeka.dll c:\windows\system32\ c:\windows\system32\vaveseyi.dll c:\windows\system32\ c:\windows\system32\zuterolo.dll c:\windows\system32\ c:\windows\system32\yefugeba.dll c:\windows\system32\ c:\windows\system32\juhiruma.dll c:\windows\system32\ c:\windows\system32\zovudala.dll c:\windows\system32\ c:\windows\system32\galifure.dll c:\windows\system32\rapepute.dll c:\windows\system32\ c:\windows\system32\pedabara.dll c:\windows\system32\ c:\windows\system32\dejufedu.dll c:\windows\system32\ c:\windows\system32\jojilite.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli c:\windows\system32\galifure.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-1-4 40840]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-1-4 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-1-4 81288]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-23 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-8-28 206096]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-3-23 144704]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-4 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-1-4 1079176]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-3-23 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-23 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-23 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-23 40552]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-3-23 359952]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 APL531;CRS Photo Scanner;c:\windows\system32\drivers\PS550.sys [2008-1-28 580992]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-23 34216]

=============== Created Last 30 ================

2009-04-21 22:25 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll
2009-04-21 22:25 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-04-21 22:25 18,944 a------- c:\windows\system32\dllcache\xrxscnui.dll
2009-04-21 22:25 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe
2009-04-21 22:25 4,608 a------- c:\windows\system32\dllcache\xrxflnch.exe
2009-04-21 22:24 99,865 a------- c:\windows\system32\dllcache\xlog.exe
2009-04-21 22:24 28,288 a------- c:\windows\system32\dllcache\xjis.nls
2009-04-21 22:24 16,970 a------- c:\windows\system32\dllcache\xem336n5.sys
2009-04-21 22:24 19,455 a------- c:\windows\system32\dllcache\wvchntxx.sys
2009-04-21 22:24 12,063 a------- c:\windows\system32\dllcache\wsiintxx.sys
2009-04-21 22:24 8,192 a------- c:\windows\system32\dllcache\wshirda.dll
2009-04-21 22:22 19,528 a------- c:\windows\system32\dllcache\w840nd.sys
2009-04-21 22:21 794,399 a------- c:\windows\system32\dllcache\usr1806v.sys
2009-04-21 22:20 211,968 a------- c:\windows\system32\dllcache\um54scan.dll
2009-04-21 22:19 230,912 a------- c:\windows\system32\dllcache\tosdvd03.sys
2009-04-21 22:18 94,293 a------- c:\windows\system32\dllcache\sxports.dll
2009-04-21 22:17 24,660 a------- c:\windows\system32\dllcache\spxupchk.dll
2009-04-21 22:16 25,034 a------- c:\windows\system32\dllcache\smcpwr2n.sys
2009-04-21 22:15 32,768 a------- c:\windows\system32\dllcache\sisnic.sys
2009-04-21 22:15 238,592 a------- c:\windows\system32\dllcache\sisgrv.dll
2009-04-21 22:15 104,064 a------- c:\windows\system32\dllcache\sisgrp.sys
2009-04-21 22:15 150,144 a------- c:\windows\system32\dllcache\sis6306v.dll
2009-04-21 22:15 68,608 a------- c:\windows\system32\dllcache\sis6306p.sys
2009-04-21 22:15 252,032 a------- c:\windows\system32\dllcache\sis300iv.dll
2009-04-21 22:15 101,760 a------- c:\windows\system32\dllcache\sis300ip.sys
2009-04-21 22:15 18,944 a------- c:\windows\system32\dllcache\simptcp.dll
2009-04-21 22:15 161,568 a------- c:\windows\system32\dllcache\sgsmusb.sys
2009-04-21 22:15 18,400 a------- c:\windows\system32\dllcache\sgsmld.sys
2009-04-21 22:15 98,080 a------- c:\windows\system32\dllcache\sgiulnt5.sys
2009-04-21 22:15 386,560 a------- c:\windows\system32\dllcache\sgiul50.dll
2009-04-21 22:15 36,480 a------- c:\windows\system32\dllcache\sfmanm.sys
2009-04-21 22:13 61,504 a------- c:\windows\system32\dllcache\s3sav3dm.sys
2009-04-21 22:12 3,840 a------- c:\windows\system32\dllcache\rpfun.sys
2009-04-21 22:11 159,232 a------- c:\windows\system32\dllcache\ptpusd.dll
2009-04-21 22:10 20,992 a------- c:\windows\system32\dllcache\permchk.dll
2009-04-21 22:09 116,736 a------- c:\windows\system32\dllcache\ovcodec2.dll
2009-04-21 22:08 7,552 a------- c:\windows\system32\dllcache\nsmmc.sys
2009-04-21 22:08 28,672 a------- c:\windows\system32\dllcache\nscirda.sys
2009-04-21 22:08 87,040 a------- c:\windows\system32\dllcache\nm6wdm.sys
2009-04-21 22:08 126,080 a------- c:\windows\system32\dllcache\nm5a2wdm.sys
2009-04-21 22:08 32,840 a------- c:\windows\system32\dllcache\ngrpci.sys
2009-04-21 22:08 53,248 a------- c:\windows\system32\dllcache\nextlink.dll
2009-04-21 22:08 132,695 a------- c:\windows\system32\dllcache\netwlan5.sys
2009-04-21 22:08 65,278 a------- c:\windows\system32\dllcache\netflx3.sys
2009-04-21 22:08 39,264 a------- c:\windows\system32\dllcache\neo20xx.sys
2009-04-21 22:06 49,024 a------- c:\windows\system32\dllcache\mstape.sys
2009-04-21 22:05 235,648 a------- c:\windows\system32\dllcache\mgaud.dll
2009-04-21 22:04 727,786 a------- c:\windows\system32\dllcache\ltck000c.sys
2009-04-21 22:03 6,144 a------- c:\windows\system32\dllcache\kbd106.dll
2009-04-21 22:02 3,584 a------- c:\windows\system32\dllcache\iismui.dll
2009-04-21 22:01 10,129,408 a------- c:\windows\system32\dllcache\hwxkor.dll
2009-04-21 22:00 32,768 a------- c:\windows\system32\dllcache\hpgtmcro.dll
2009-04-21 21:59 59,136 a------- c:\windows\system32\dllcache\gckernel.sys
2009-04-21 21:58 12,362 a------- c:\windows\system32\dllcache\f3ab18xi.sys
2009-04-21 21:57 283,904 a------- c:\windows\system32\dllcache\emu10k1m.sys
2009-04-21 21:56 952,007 a------- c:\windows\system32\dllcache\diwan.sys
2009-04-21 21:55 117,760 a------- c:\windows\system32\dllcache\d100ib5.sys
2009-04-21 21:54 1,677,824 a------- c:\windows\system32\dllcache\chsbrkr.dll
2009-04-21 21:53 5,120 a------- c:\windows\system32\dllcache\brscnrsm.dll
2009-04-21 21:52 24,576 a------- c:\windows\system32\dllcache\agcgauge.ax
2009-04-21 21:42 7,168 a------- c:\windows\system32\dllcache\wamregps.dll
2009-04-21 21:42 66,048 a------- c:\windows\system32\dllcache\s3legacy.dll
2009-04-21 21:41 19,968 a------- c:\windows\system32\dllcache\inetsloc.dll
2009-04-21 21:41 7,680 a------- c:\windows\system32\dllcache\inetmgr.exe
2009-04-21 21:41 169,984 a------- c:\windows\system32\dllcache\iisui.dll
2009-04-21 21:41 5,632 a------- c:\windows\system32\dllcache\iisrstap.dll
2009-04-21 21:41 14,336 a------- c:\windows\system32\dllcache\iisreset.exe
2009-04-21 21:41 6,144 a------- c:\windows\system32\dllcache\ftpsapi2.dll
2009-04-21 21:41 94,720 a------- c:\windows\system32\dllcache\certmap.ocx
2009-04-21 19:45 <DIR> --d----- c:\windows\system32\vmm32
2009-04-19 23:37 28,160 a------- c:\windows\ieocx.dll
2009-04-15 12:37 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-06 23:09 <DIR> --d----- c:\program files\common files\xing shared

==================== Find3M ====================

2009-03-25 11:06 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 11:06 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 11:06 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 11:06 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 11:05 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-21 10:06 989,696 a------- c:\windows\system32\dllcache\kernel32.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-25 10:48 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-02-20 06:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 473,600 a------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 08:10 453,120 a------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\dllcache\services.exe
2009-02-06 07:08 2,189,056 a------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\dllcache\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 06:10 227,840 a------- c:\windows\system32\dllcache\wmiprvse.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 15:59 56,832 a------- c:\windows\system32\dllcache\secur32.dll
2007-11-30 14:45 32 ac------ c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-11-21 21:22 88 -c-shr-- c:\windows\system32\62B2119F74.sys
2007-11-21 21:23 2,828 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-29 02:23 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122920081230\index.dat
2009-01-07 11:12 16,384 ac-sh--- c:\windows\temp\cookies\index.dat
2009-01-07 11:12 16,384 ac-sh--- c:\windows\temp\history\history.ie5\index.dat
2009-01-07 11:12 49,152 ac-sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 8:03:30.42 ===============

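The two lines in the log above that a responder would look at first are the AppInit_DLLs value and the LSA Notification Packages value: both are load points that run a DLL inside every new process (or inside lsass.exe), and both list DLLs in system32 whose names are eight-letter consonant/vowel alternations (bawayeka, galifure, ...). The script below is an added example, not part of the original thread and not code from DDS, ComboFix or any other tool named here. It parses DDS-style "Pseudo HJT Report" lines and flags entries that are either not on a baseline or match that naming pattern. The sample report lines are constructed from the post, and the baseline sets and the name heuristic are assumptions, not vendor data; the pattern is a hint for triage, not proof of infection.

```python
"""Triage AppInit_DLLs / LSA Notification Packages / Winlogon Notify entries
in a DDS-style 'Pseudo HJT Report' (added example, not from the original post)."""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Heuristic taken from the DLL names in the posted log: eight letters,
# strictly alternating consonant/vowel (bawayeka, vaveseyi, galifure, ...).
# Assumption: this is a triage hint only.
CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")

# Assumption: a stock Windows XP machine lists only 'scecli' here.
LSA_BASELINE = {"scecli"}

# Assumption: AppInit_DLLs entries accepted as legitimate for this machine
# (Google Desktop's goec62~1.dll appears in the post's log).
APPINIT_ALLOW = {"goec62~1.dll"}

# Constructed sample modelled on the DDS report above (not the full log).
SAMPLE_REPORT = r"""
uStart Page = hxxp://my.yahoo.com/
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\bawayeka.dll c:\windows\system32\ c:\windows\system32\vaveseyi.dll c:\windows\system32\galifure.dll
LSA: Notification Packages = scecli c:\windows\system32\galifure.dll
"""


def looks_generated(filename: str) -> bool:
    """True when the file's stem matches the consonant/vowel pattern."""
    stem = PureWindowsPath(filename).stem.lower()
    return bool(CV_NAME.match(stem))


def split_value(value: str) -> list[str]:
    """Split a space- or comma-separated registry value into entries.

    Bare directory tokens (the log shows stray 'c:\\windows\\system32\\'
    fragments between real entries) are dropped.
    """
    tokens = [t for t in re.split(r"[\s,]+", value.strip()) if t]
    return [t for t in tokens if not t.endswith("\\")]


def reason_for(name: str) -> str:
    return "generated-looking name" if looks_generated(name) else "not on allowlist"


def analyze_report(text: str) -> dict[str, list[tuple[str, str]]]:
    """Return suspicious entries per load point as (entry, reason) pairs."""
    findings: dict[str, list[tuple[str, str]]] = {
        "appinit": [], "lsa": [], "winlogon_notify": []
    }
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith("appinit_dlls:"):
            # Split on the first ':' only; drive-letter colons come later.
            for entry in split_value(line.split(":", 1)[1]):
                name = PureWindowsPath(entry).name.lower()
                if name in APPINIT_ALLOW:
                    continue
                findings["appinit"].append((entry, reason_for(name)))
        elif low.startswith("lsa: notification packages"):
            # Value normally holds bare package names (no path, no .dll).
            for entry in split_value(line.split("=", 1)[1]):
                name = PureWindowsPath(entry).stem.lower()
                if name in LSA_BASELINE:
                    continue
                findings["lsa"].append((entry, reason_for(name)))
        elif low.startswith("notify:"):
            # Format: 'Notify: <subkey> - <dll>'; only the name heuristic
            # applies, since XP ships many legitimate Notify subkeys.
            dll = line.split(":", 1)[1].rsplit(" - ", 1)[-1].strip()
            if looks_generated(dll):
                findings["winlogon_notify"].append((dll, "generated-looking name"))
    return findings


if __name__ == "__main__":
    for load_point, entries in analyze_report(SAMPLE_REPORT).items():
        for entry, reason in entries:
            print(f"{load_point}: {entry} ({reason})")
```

On the posted log the script would flag every system32 DLL in the AppInit_DLLs value and the extra entry in Notification Packages, while leaving the Google Desktop DLL, scecli and the Intel igfxdev.dll Notify entry alone. A path-based allowlist is deliberately not used for AppInit_DLLs: the malicious entries live in system32 next to legitimate files, so location alone says nothing.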


#2 Maurice Naggar (Eradicator de malware, Malware Response Team, 1,088 posts, USA)

Posted 02 May 2009 - 07:14 PM

Hello cruck123 .

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member cruck123 only. If you are a lurker, do NOT try this on your system!
If you are not cruck123 and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.

This system has a large amount of Vundo. I'd like to have you start with the following tools & procedures.
=
Close any of your open programs while you run these tools.

Next, Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

Next, Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on Combo-Fix.exe {red lion icon} & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message (image not reproduced here):

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF and only if you should see a message like this (image not reproduced here):
then, be sure to write it down fully and also copy that into your next reply here and then await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Have Infinite patience. Combofix has many, many phases.

-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

Next, Please download & save Malwarebytes Anti-Malware from
http://www.download.com/Malwarebytes-Anti-..._4-10804572.htm or
http://www.besttechie.net/tools/mbam-setup.exe or
http://malwarebytes.gt500.org/mbam.jsp

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

=

Using Internet Explorer browser only, go to ESET Online Scanner website:
Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.
  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
Look at contents of this file using Notepad or Wordpad.

The Frequently Asked Questions for ESET Online Scanner can be viewed here
http://www.eset.com/onlinescan/cac4.php?page=faq
  • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
    Otherwise the scan will take twice as long to do:
    every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
  • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
    (And the prompt re-enabling when finished.)
  • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
RE-Enable your AntiVirus and AntiSpyware applications.

Reply with a copy of the log C:\Combofix.txt
the MBAM log,
and the Eset scan log.

There will be much more to do later.

Edited by Maurice Naggar, 02 May 2009 - 07:16 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 cruck123 (Topic Starter, Members, 9 posts)

Posted 03 May 2009 - 08:30 PM

Hello Maurice
Thanks for responding to my log. I have attempted to perform the instructions that you provided. I do not have internet access on the infected computer and the Microsoft Windows Recovery Console was not installed. Also I was not able to get to ESET Online Scanner. The results of the instructions you provided are listed below. I did perform an MBAM scan on 05/01/2009 thinking I would not get assistance from this site. I have pasted the results from those scans as well.

Again thanks for your assistance.

ComboFix 09-05-03.1 - Creed 05/03/2009 20:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.587 [GMT -4:00]
Running from: c:\documents and settings\Creed.HELEN-PC\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Helen\Application Data\inst.exe
c:\windows\system32\_000019_.tmp.dll
c:\windows\system32\_000149_.tmp.dll
c:\windows\system32\_000154_.tmp.dll
c:\windows\system32\_000155_.tmp.dll
c:\windows\system32\_000156_.tmp.dll
c:\windows\system32\_000157_.tmp.dll
c:\windows\system32\_000158_.tmp.dll
c:\windows\system32\_000162_.tmp.dll
c:\windows\system32\_000163_.tmp.dll
c:\windows\system32\_000164_.tmp.dll
c:\windows\system32\_000165_.tmp.dll
c:\windows\system32\_000167_.tmp.dll
c:\windows\system32\_000170_.tmp.dll
c:\windows\system32\_000172_.tmp.dll
c:\windows\system32\_000174_.tmp.dll
c:\windows\system32\_000179_.tmp.dll
c:\windows\system32\_000180_.tmp.dll
c:\windows\system32\_000183_.tmp.dll
c:\windows\system32\_000184_.tmp.dll
c:\windows\system32\_000186_.tmp.dll
c:\windows\system32\_000187_.tmp.dll
c:\windows\system32\_000188_.tmp.dll
c:\windows\system32\_000190_.tmp.dll
c:\windows\system32\_000191_.tmp.dll
c:\windows\system32\_000194_.tmp.dll
c:\windows\system32\_000195_.tmp.dll
c:\windows\system32\_000197_.tmp.dll
c:\windows\system32\_000198_.tmp.dll
c:\windows\system32\_000199_.tmp.dll
c:\windows\system32\_000206_.tmp.dll
c:\windows\system32\_000207_.tmp.dll
c:\windows\system32\_000208_.tmp.dll
c:\windows\system32\_000209_.tmp.dll
c:\windows\system32\_000210_.tmp.dll
c:\windows\system32\drivers\UACvhhvmknsmfdkkfr.sys
c:\windows\system32\UACjlatqpbuegprnlo.dat
c:\windows\system32\UACmowkydnrjbitbxv.dll
c:\windows\system32\UACmqrbmtvxdonocqa.dll
c:\windows\system32\UACndlvfwesjfoyghq.dll
c:\windows\system32\UACngiktauydrqkwds.dll
c:\windows\system32\UACwmcfnpatkbormof.dll
c:\windows\system32\UACxcimgwrfmucqorb.log
c:\windows\system32\UACybvlsjtorujbkae.log
c:\windows\system32\UACyfqplfkapkucqxh.log

----- BITS: Possible infected sites -----

hxxp://winpcdown99.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.

2009-05-03 22:52 . 2009-05-03 22:54 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-01 19:33 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-01 19:33 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-01 19:33 . 2009-05-01 19:50 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 02:25 . 2008-04-13 23:12 116224 ----a-w c:\windows\system32\dllcache\xrxwiadr.dll
2009-04-22 02:25 . 2001-08-18 02:36 23040 ----a-w c:\windows\system32\dllcache\xrxwbtmp.dll
2009-04-22 02:25 . 2008-04-13 23:12 18944 ----a-w c:\windows\system32\dllcache\xrxscnui.dll
2009-04-22 02:25 . 2001-08-18 02:37 27648 ----a-w c:\windows\system32\dllcache\xrxftplt.exe
2009-04-22 02:25 . 2001-08-18 02:37 4608 ----a-w c:\windows\system32\dllcache\xrxflnch.exe
2009-04-22 02:24 . 2001-08-18 02:37 99865 ----a-w c:\windows\system32\dllcache\xlog.exe
2009-04-22 02:24 . 2001-08-17 16:11 16970 ----a-w c:\windows\system32\dllcache\xem336n5.sys
2009-04-22 02:24 . 2004-08-04 02:29 19455 ----a-w c:\windows\system32\dllcache\wvchntxx.sys
2009-04-22 02:24 . 2004-08-04 02:29 12063 ----a-w c:\windows\system32\dllcache\wsiintxx.sys
2009-04-22 02:24 . 2008-04-13 23:12 8192 ----a-w c:\windows\system32\dllcache\wshirda.dll
2009-04-22 02:22 . 2001-08-17 16:13 19528 ----a-w c:\windows\system32\dllcache\w840nd.sys
2009-04-22 02:21 . 2001-08-17 17:28 794399 ----a-w c:\windows\system32\dllcache\usr1806v.sys
2009-04-22 02:20 . 2001-08-18 02:36 211968 ----a-w c:\windows\system32\dllcache\um54scan.dll
2009-04-22 02:19 . 2001-08-17 18:02 230912 ----a-w c:\windows\system32\dllcache\tosdvd03.sys
2009-04-22 02:18 . 2001-08-18 02:36 94293 ----a-w c:\windows\system32\dllcache\sxports.dll
2009-04-22 02:17 . 2001-08-18 02:36 24660 ----a-w c:\windows\system32\dllcache\spxupchk.dll
2009-04-22 02:16 . 2001-08-17 16:12 25034 ----a-w c:\windows\system32\dllcache\smcpwr2n.sys
2009-04-22 02:15 . 2004-08-04 02:31 32768 ----a-w c:\windows\system32\dllcache\sisnic.sys
2009-04-22 02:15 . 2001-08-18 02:36 238592 ----a-w c:\windows\system32\dllcache\sisgrv.dll
2009-04-22 02:15 . 2001-08-17 16:50 104064 ----a-w c:\windows\system32\dllcache\sisgrp.sys
2009-04-22 02:15 . 2001-08-17 18:56 150144 ----a-w c:\windows\system32\dllcache\sis6306v.dll
2009-04-22 02:15 . 2001-08-17 16:50 68608 ----a-w c:\windows\system32\dllcache\sis6306p.sys
2009-04-22 02:15 . 2001-08-17 18:56 252032 ----a-w c:\windows\system32\dllcache\sis300iv.dll
2009-04-22 02:15 . 2001-08-17 16:50 101760 ----a-w c:\windows\system32\dllcache\sis300ip.sys
2009-04-22 02:15 . 2004-08-10 11:00 18944 ----a-w c:\windows\system32\dllcache\simptcp.dll
2009-04-22 02:15 . 2001-07-21 18:29 161568 ----a-w c:\windows\system32\dllcache\sgsmusb.sys
2009-04-22 02:15 . 2001-07-21 18:29 18400 ----a-w c:\windows\system32\dllcache\sgsmld.sys
2009-04-22 02:15 . 2001-08-17 16:51 98080 ----a-w c:\windows\system32\dllcache\sgiulnt5.sys
2009-04-22 02:15 . 2001-08-18 02:36 386560 ----a-w c:\windows\system32\dllcache\sgiul50.dll
2009-04-22 02:15 . 2001-08-17 16:19 36480 ----a-w c:\windows\system32\dllcache\sfmanm.sys
2009-04-22 02:13 . 2001-08-17 16:50 61504 ----a-w c:\windows\system32\dllcache\s3sav3dm.sys
2009-04-22 02:12 . 2001-08-17 16:19 3840 ----a-w c:\windows\system32\dllcache\rpfun.sys
2009-04-22 02:11 . 2008-04-13 23:12 159232 ----a-w c:\windows\system32\dllcache\ptpusd.dll
2009-04-22 02:10 . 2004-08-10 11:00 20992 ----a-w c:\windows\system32\dllcache\permchk.dll
2009-04-22 02:09 . 2001-08-18 02:36 116736 ----a-w c:\windows\system32\dllcache\ovcodec2.dll
2009-04-22 02:08 . 2001-08-17 17:53 7552 ----a-w c:\windows\system32\dllcache\nsmmc.sys
2009-04-22 02:08 . 2008-04-13 17:54 28672 ----a-w c:\windows\system32\dllcache\nscirda.sys
2009-04-22 02:08 . 2001-08-17 16:20 87040 ----a-w c:\windows\system32\dllcache\nm6wdm.sys
2009-04-22 02:08 . 2001-08-17 16:20 126080 ----a-w c:\windows\system32\dllcache\nm5a2wdm.sys
2009-04-22 02:08 . 2001-08-17 16:12 32840 ----a-w c:\windows\system32\dllcache\ngrpci.sys
2009-04-22 02:08 . 2004-08-10 11:00 53248 ----a-w c:\windows\system32\dllcache\nextlink.dll
2009-04-22 02:08 . 2004-08-04 02:31 132695 ----a-w c:\windows\system32\dllcache\netwlan5.sys
2009-04-22 02:08 . 2001-08-17 16:11 65278 ----a-w c:\windows\system32\dllcache\netflx3.sys
2009-04-22 02:08 . 2001-08-17 16:50 39264 ----a-w c:\windows\system32\dllcache\neo20xx.sys
2009-04-22 02:06 . 2008-04-13 17:46 49024 ----a-w c:\windows\system32\dllcache\mstape.sys
2009-04-22 02:06 . 2001-08-17 17:48 12416 ----a-w c:\windows\system32\dllcache\msriffwv.sys
2009-04-22 02:06 . 2001-08-17 18:00 2944 ----a-w c:\windows\system32\dllcache\msmpu401.sys
2009-04-22 02:06 . 2008-04-13 17:54 22016 ----a-w c:\windows\system32\dllcache\msircomm.sys
2009-04-22 02:06 . 2004-08-10 11:00 98304 ----a-w c:\windows\system32\dllcache\msir3jp.dll
2009-04-22 02:06 . 2001-08-17 18:02 35200 ----a-w c:\windows\system32\dllcache\msgame.sys
2009-04-22 02:06 . 2001-08-17 17:48 6016 ----a-w c:\windows\system32\dllcache\msfsio.sys
2009-04-22 02:06 . 2008-04-13 17:46 51200 ----a-w c:\windows\system32\dllcache\msdv.sys
2009-04-22 02:06 . 2008-04-13 17:46 15232 ----a-w c:\windows\system32\dllcache\mpe.sys
2009-04-22 02:06 . 2001-08-17 17:57 16128 ----a-w c:\windows\system32\dllcache\modemcsa.sys
2009-04-22 02:06 . 2001-08-17 17:52 6528 ----a-w c:\windows\system32\dllcache\miniqic.sys
2009-04-22 02:06 . 2004-08-10 11:00 34304 ----a-w c:\windows\system32\dllcache\migisol.exe
2009-04-22 02:06 . 2001-08-17 16:50 320384 ----a-w c:\windows\system32\dllcache\mgaum.sys
2009-04-22 02:04 . 2001-08-17 17:28 727786 ----a-w c:\windows\system32\dllcache\ltck000c.sys
2009-04-22 02:03 . 2008-04-13 23:09 6144 ----a-w c:\windows\system32\dllcache\kbd106.dll
2009-04-22 02:02 . 2004-08-10 11:00 3584 ----a-w c:\windows\system32\dllcache\iismui.dll
2009-04-22 02:01 . 2004-08-10 11:00 10129408 ----a-w c:\windows\system32\dllcache\hwxkor.dll
2009-04-22 02:00 . 2001-08-18 02:36 32768 ----a-w c:\windows\system32\dllcache\hpgtmcro.dll
2009-04-22 01:59 . 2008-04-13 17:45 59136 ----a-w c:\windows\system32\dllcache\gckernel.sys
2009-04-22 01:58 . 2001-08-17 16:11 12362 ----a-w c:\windows\system32\dllcache\f3ab18xi.sys
2009-04-22 01:57 . 2001-08-17 16:19 283904 ----a-w c:\windows\system32\dllcache\emu10k1m.sys
2009-04-22 01:56 . 2001-08-17 16:14 952007 ----a-w c:\windows\system32\dllcache\diwan.sys
2009-04-22 01:55 . 2001-08-17 16:12 117760 ----a-w c:\windows\system32\dllcache\d100ib5.sys
2009-04-22 01:54 . 2004-08-10 11:00 1677824 ----a-w c:\windows\system32\dllcache\chsbrkr.dll
2009-04-22 01:53 . 2001-08-18 02:36 5120 ----a-w c:\windows\system32\dllcache\brscnrsm.dll
2009-04-22 01:52 . 2001-08-18 02:36 5632 ----a-w c:\windows\system32\dllcache\EXCH_adsiisex.dll
2009-04-22 01:42 . 2004-08-10 11:00 7168 ----a-w c:\windows\system32\dllcache\wamregps.dll
2009-04-22 01:42 . 2001-08-17 18:56 66048 ----a-w c:\windows\system32\dllcache\s3legacy.dll
2009-04-22 01:41 . 2004-08-10 11:00 19968 ----a-w c:\windows\system32\dllcache\inetsloc.dll
2009-04-22 01:41 . 2004-08-10 11:00 7680 ----a-w c:\windows\system32\dllcache\inetmgr.exe
2009-04-22 01:41 . 2004-08-10 11:00 169984 ----a-w c:\windows\system32\dllcache\iisui.dll
2009-04-22 01:41 . 2004-08-10 11:00 5632 ----a-w c:\windows\system32\dllcache\iisrstap.dll
2009-04-22 01:41 . 2004-08-10 11:00 14336 ----a-w c:\windows\system32\dllcache\iisreset.exe
2009-04-22 01:41 . 2004-08-10 11:00 6144 ----a-w c:\windows\system32\dllcache\ftpsapi2.dll
2009-04-21 23:45 . 2009-04-21 23:45 -------- d-----w c:\windows\system32\vmm32
2009-04-15 16:37 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-09 20:26 . 2009-04-09 20:26 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-09 20:23 . 2009-04-09 20:24 -------- d-----w c:\program files\Common Files\Adobe
2009-04-09 20:12 . 2009-04-10 00:09 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-04-09 20:12 . 2009-04-10 00:09 -------- d-----w c:\program files\NOS
2009-04-07 03:09 . 2009-04-07 03:09 -------- d-----w c:\program files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 00:30 . 2005-08-16 10:49 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-04-30 14:39 . 2007-06-29 01:14 384 -c--a-w c:\documents and settings\Helen\Application Data\wklnhst.dat
2009-04-20 03:40 . 2009-04-20 03:40 0 ----a-w c:\documents and settings\Helen\Application Data\~eu37.tmp
2009-04-17 13:46 . 2008-03-23 23:20 -------- d-----w c:\program files\McAfee
2009-04-15 23:44 . 2006-12-07 23:14 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-15 05:00 . 2008-03-23 23:21 340 ----a-w c:\windows\Tasks\McDefragTask.job
2009-04-07 03:08 . 2006-12-01 18:28 -------- d-----w c:\program files\Common Files\Real
2009-04-01 17:44 . 2006-12-01 18:12 -------- d-----w c:\program files\Java
2009-03-25 15:06 . 2008-03-23 23:21 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 15:06 . 2008-03-23 23:21 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 15:06 . 2008-03-23 23:21 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 15:06 . 2008-03-23 23:21 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 15:05 . 2008-03-23 23:21 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-09 09:19 . 2008-11-13 16:04 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 16:52 . 2009-03-08 16:52 -------- d-----w c:\program files\DVD Shrink
2009-03-06 14:22 . 2005-08-16 10:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2005-08-16 10:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-25 19:15 . 2009-02-25 14:48 47360 -c--a-w c:\documents and settings\Helen\Application Data\pcouffin.sys
2009-02-25 14:48 . 2009-02-25 14:48 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-02-20 18:09 . 2005-08-16 10:18 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2008-08-27 13:42 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-08-27 13:42 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2008-08-27 13:42 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-08-16 10:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-08-27 13:42 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2008-08-27 13:42 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2008-08-27 13:42 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-08-16 10:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-08-27 13:42 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2005-08-16 10:18 56832 ----a-w c:\windows\system32\secur32.dll
2007-11-22 01:22 . 2006-12-07 15:36 88 -csh--r c:\windows\system32\62B2119F74.sys
2007-11-22 01:23 . 2006-12-07 15:36 2828 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 00:10 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

2007-02-12 12:51 . 2007-02-12 12:51 64584 c:\program files\Blvd\bak\blvdnews.exe

2004-07-27 22:50 . 2004-07-27 22:50 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

2004-07-27 22:50 . 2004-07-27 22:50 221184 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

2006-12-01 18:37 . 2007-05-02 22:16 184320 c:\program files\Dell\MediaDirect\bak\PCMService.exe
2008-08-09 17:24 . 2007-05-02 22:16 184320 c:\program files\Dell\MediaDirect\PCMService.exe

2006-12-01 18:20 . 2006-08-04 00:51 1032192 c:\program files\Dell\QuickSet\bak\quickset.exe

2006-08-29 03:57 . 2006-08-29 03:57 395776 c:\program files\Dell Support\bak\DSAgnt.exe

2006-12-01 18:31 . 2006-12-01 18:31 236544 c:\program files\Google\Google Desktop Search\bak\GoogleDesktop.exe

2007-06-16 12:00 . 2007-06-16 12:00 68856 c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

2003-08-04 22:28 . 2003-08-04 22:28 49152 c:\program files\HP\HP Software Update\bak\HPWuSchd.exe

2003-12-22 13:38 . 2003-12-22 13:38 241664 c:\program files\HP\hpcoretech\bak\hpcmpmgr.exe

2006-10-18 21:58 . 2006-10-18 21:58 696320 c:\program files\Intel\Wireless\Bin\bak\ifrmewrk.exe

2006-10-18 22:04 . 2006-10-18 22:04 802816 c:\program files\Intel\Wireless\Bin\bak\ZCfgSvc.exe

2008-01-15 08:22 . 2008-01-15 08:22 267048 c:\program files\iTunes\bak\iTunesHelper.exe
2008-11-20 18:20 . 2008-11-20 18:20 290088 c:\program files\iTunes\iTunesHelper.exe

2005-08-16 10:37 . 2004-10-13 16:24 1694208 c:\program files\Messenger\bak\msmsgs.exe
2008-12-29 05:40 . 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

2006-12-01 18:21 . 2003-09-10 08:24 20480 c:\program files\NetWaiting\bak\netWaiting.exe

2008-01-10 20:27 . 2008-01-10 20:27 385024 c:\program files\QuickTime\bak\QTTask.exe
2008-11-04 15:30 . 2008-11-04 15:30 413696 c:\program files\QuickTime\QTTask.exe

2006-12-01 18:28 . 2006-12-01 18:28 26112 c:\program files\Real\RealPlayer\bak\RealPlay.exe
2008-05-21 20:57 . 2009-04-07 03:08 214536 c:\program files\Real\RealPlayer\realplay.exe

2006-12-01 18:21 . 2006-03-09 00:48 761947 c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe

2006-09-25 20:10 . 2006-11-21 19:02 1807960 c:\program files\Trend Micro\Internet Security 14\bak\pccguide.exe

2006-11-03 22:20 . 2006-11-03 22:20 866584 c:\program files\Windows Defender\bak\MSASCui.exe
2006-11-04 00:20 . 2006-11-04 00:20 866584 c:\program files\Windows Defender\MSASCui.exe

2005-08-16 10:37 . 2005-09-29 20:01 67584 c:\windows\ehome\bak\ehtray.exe

2005-08-16 10:18 . 2004-08-10 11:00 15360 c:\windows\system32\bak\ctfmon.exe
2005-08-16 10:18 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2006-12-01 17:50 . 2005-12-14 05:41 77824 c:\windows\system32\bak\hkcmd.exe

2006-12-01 17:50 . 2005-12-14 05:45 118784 c:\windows\system32\bak\igfxpers.exe

2006-12-01 17:50 . 2005-12-14 05:44 98304 c:\windows\system32\bak\igfxtray.exe

2006-12-01 18:29 . 2004-12-06 07:05 127035 c:\windows\system32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [N/A]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [N/A]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 270336]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"MSS_NewsFlash"="c:\program files\Blvd2009\blvdnews.exe" [2008-02-01 87336]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-11-20 178688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [N/A]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [N/A]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [N/A]
"igfxtray"="c:\windows\system32\igfxtray.exe" [N/A]
"igfxpers"="c:\windows\system32\igfxpers.exe" [N/A]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [N/A]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [N/A]
"ehTray"="c:\windows\ehome\ehtray.exe" [N/A]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [N/A]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [N/A]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [N/A]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [N/A]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [N/A]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [N/A]
"ImgTask"="c:\windows\Imgtask.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-07 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-25 282624]
"DXDllRegExe"="dxdllreg.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\Helen\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-6-7 344064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-12-1 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-4 81920]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
R3 APL531;CRS Photo Scanner;c:\windows\system32\Drivers\PS550.sys [2008-01-28 580992]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-05 206096]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-23 14:53]

2008-07-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-23 14:53]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 20:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\*& 2*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\ **]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2408)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\LEXBCES.EXE
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\dllhost.exe
c:\program files\Dell AIO Printer A920\dlbkbmon.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-04 20:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-04 00:38

Pre-Run: 58,344,394,752 bytes free
Post-Run: 58,218,012,672 bytes free

396 --- E O F --- 2009-04-16 04:35


Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

5/1/2009 4:29:35 PM
mbam-log-2009-05-01 (16-29-35).txt

Scan type: Quick Scan
Objects scanned: 106658
Time elapsed: 19 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Helen\Local Settings\Temp\yVkgIJRL.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Helen\Application Data\BIT15E.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.



Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

5/1/2009 5:57:09 PM
mbam-log-2009-05-01 (17-57-09).txt

Scan type: Full Scan (C:\|)
Objects scanned: 217730
Time elapsed: 1 hour(s), 8 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

5/3/2009 8:55:07 PM
mbam-log-2009-05-03 (20-55-07).txt

Scan type: Quick Scan
Objects scanned: 89556
Time elapsed: 8 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
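The ComboFix and MBAM logs above carry two indicators worth pulling out automatically when triaging a log like this: Security Center values (AntiVirusDisableNotify, UpdatesDisableNotify, DisableMonitoring) set to 1, which is what MBAM reports as Disabled.SecurityCenter, and the random-named UAC* files in system32 that ComboFix deleted. The script below is an added example, not code from this thread or from ComboFix, MBAM or any other tool named here. It parses a constructed excerpt in the REGEDIT4-style layout of ComboFix's "Reg Loading Points" section plus a few deletion lines, and flags both indicators. The length bounds in the UAC file-name pattern are an assumption drawn from the names in the log.

```python
"""Flag Security Center tampering and random-named UAC* files in a ComboFix log.

Added example for this thread; it is not ComboFix's or MBAM's own code.
"""
import re
from collections import defaultdict

# Constructed excerpt (not the poster's full log) shaped like the ComboFix
# "Other Deletions" list and "Reg Loading Points" section quoted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Helen\Application Data\inst.exe
c:\windows\system32\_000019_.tmp.dll
c:\windows\system32\drivers\UACvhhvmknsmfdkkfr.sys
c:\windows\system32\UACjlatqpbuegprnlo.dat
c:\windows\system32\UACmowkydnrjbitbxv.dll
c:\windows\system32\UACxcimgwrfmucqorb.log

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
"""

# "[HKEY_...\path]" header and "name"=value lines of the REGEDIT4 layout.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
# Random-named UAC* components: "UAC" + a run of lowercase letters + a
# driver/library/data extension. The 10-20 letter bound is an assumption
# taken from the 15-letter names in the deletions list above.
UAC_RE = re.compile(r"(?i)[\\/]UAC[a-z]{10,20}\.(dll|sys|dat|log)$")


def parse_reg_section(text):
    """Return {key_path: {value_name: raw_value}} from REGEDIT4-style lines."""
    entries = defaultdict(dict)
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current][m.group("name")] = m.group("value").strip()
    return dict(entries)


def security_center_tampering(entries):
    """List (key, name) pairs that silence Security Center alerts or monitoring."""
    hits = []
    for key, values in entries.items():
        if r"microsoft\security center" not in key.lower():
            continue
        for name, value in values.items():
            silenced = name.endswith("DisableNotify") or name == "DisableMonitoring"
            if silenced and value.lower() == "dword:00000001":
                hits.append((key, name))
    return sorted(hits)


def random_uac_files(text):
    """Return log lines whose file name matches the random UAC* naming pattern."""
    return [line.strip() for line in text.splitlines() if UAC_RE.search(line.strip())]


def triage(text):
    """Run both checks over a log and return the findings as a dict."""
    entries = parse_reg_section(text)
    return {
        "security_center": security_center_tampering(entries),
        "uac_files": random_uac_files(text),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key, name in report["security_center"]:
        print(f"Security Center silenced: {key} -> {name}")
    for path in report["uac_files"]:
        print(f"Random-named UAC component: {path}")
```

Run as-is it reports the four Security Center values and the four UAC* paths from the constructed excerpt; pointing `triage` at the text of a real ComboFix log gives the same two lists for that machine. A value of dword:00000000 (the "Good" value MBAM restores) is deliberately not flagged.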

#4 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:05:46 PM

Posted 04 May 2009 - 06:32 AM

Do let me know about internet access on this pc. In the meantime, use another pc to do downloads and put a copy of the tools on the Desktop of the problem system.

Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.
  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#5 cruck123

cruck123
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:46 PM

Posted 04 May 2009 - 11:16 AM

Maurice,

I have completed the Trend Micro Sysclean process and the sysclean.log is attached. Also I have internet access on the infected PC now.


~ Copied and pasted Sysclean.log in-line ~ Maurice
/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006-2007, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/
2009-05-04, 09:02:48, Auto-clean mode specified.
2009-05-04, 09:02:50, Initialized Rootkit Driver version 2.2.0.1004.
2009-05-04, 09:02:50, Running scanner "C:\CDE\TSC.BIN"...
2009-05-04, 09:03:32, Scanner "C:\CDE\TSC.BIN" has finished running.
2009-05-04, 09:03:32, TSC Log:
Damage Cleanup Engine (DCE) 6.0(Build 1172)
Windows XP(Build 2600: Service Pack 3)
Start time : Mon May 04 2009 09:02:54
Load Damage Cleanup Template (DCT) "C:\CDE\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\CDE\tsc.ptn" (version 1030) [success]
Complete time : Mon May 04 2009 09:03:32
Execute pattern count(3050), Virus found count(0), Virus clean count(0), Clean failed count(0)
2009-05-04, 09:03:32, Running scanner "C:\CDE\VSCANTM.BIN"...
2009-05-04, 11:01:05, Scanner "C:\CDE\VSCANTM.BIN" has finished running.
2009-05-04, 11:01:05, VSCANTM Log:
2009-05-04, 11:01:05, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/4/2009 09:03:32
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)
VSGetVirusPatternInformation is invoked
Virus Pattern Version : 106 (392387/392387 Patterns) (2009/05/04) (610604)
Command Line: C:\CDE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\CDE\lpt$vpn.106
96975 files have been read.
96975 files have been checked.
96919 files have been scanned.
279766 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/4/2009 11:01:05
1 hour 57 minutes 32 seconds (7052.42 seconds) has elapsed.(72.724 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-04, 11:01:05, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/4/2009 09:03:32
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)
VSGetVirusPatternInformation is invoked
Virus Pattern Version : 106 (392387/392387 Patterns) (2009/05/04) (610604)
Command Line: C:\CDE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\CDE\lpt$vpn.106
96975 files have been read.
96975 files have been checked.
96919 files have been scanned.
279766 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/4/2009 11:01:05
1 hour 57 minutes 32 seconds (7052.42 seconds) has elapsed.(72.724 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-04, 11:01:05, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/4/2009 09:03:32
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)
VSGetVirusPatternInformation is invoked
Virus Pattern Version : 106 (392387/392387 Patterns) (2009/05/04) (610604)
Command Line: C:\CDE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\CDE\lpt$vpn.106
96975 files have been read.
96975 files have been checked.
96919 files have been scanned.
279766 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/4/2009 11:01:05
1 hour 57 minutes 32 seconds (7052.42 seconds) has elapsed.(72.724 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-04, 11:01:05, Running SSAPI scanner ""...
2009-05-04, 11:56:46, SSAPI Log:
SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 7.63
SSAPI Anti-Rootkit Version: 2.2.0.1004
Spyware Scan Started: 05/04/2009 11:01:09
SSAPI requires the system to reboot.
Detected Items:
[CLEAN SUCCESS][JOKE_AGENT] C:\WINDOWS\system32\drivers\qcsqh.sys,C:\WINDOWS\system32\drivers\qcsqh.sys,9833
Detected: 1 items.
Cleaned Success: 1 items.
Clean Failed: 0 items.
Spyware Scan Ended: 05/04/2009 11:56:46
Scan Complete. Time=3340.296875.

Edited by Maurice Naggar, 04 May 2009 - 02:57 PM.


#6 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:05:46 PM

Posted 04 May 2009 - 02:59 PM

The Sysclean run did not find much of anything.
I need for you to do the following, to remove some Vundo files, and to see about any leftover rootkit:

Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    c:\windows\system32\drivers\UACvhhvmknsmfdkkfr.sys
    c:\windows\system32\drivers\msqpdxserv.sys 
    C:\WINDOWS\system32\drivers\TDSSmqlt.sys 
    C:\windows\system32\drivers\tdssserv.sys
    C:\WINDOWS\system32\drivers\TDSSmact.sys
    c:\windows\sysguard.exe
    c:\windows\system32\sdra64.exe
    c:\windows\system32\bawayeka.dll 
    c:\windows\system32\vaveseyi.dll 
    c:\windows\system32\zuterolo.dll 
    c:\windows\system32\yefugeba.dll 
    c:\windows\system32\juhiruma.dll 
    c:\windows\system32\zovudala.dll 
    c:\windows\system32\galifure.dll 
    c:\windows\system32\rapepute.dll 
    c:\windows\system32\pedabara.dll 
    c:\windows\system32\dejufedu.dll 
    c:\windows\system32\jojilite.dll 
    c:\windows\system32\galifure.dll
    
    
    Drivers to delete:
    UACvhhvmknsmfdkkfr
    ovfsthx
    UACd.sys
    UACd
    gaopdxserv.sys
    gaopdxserv
    gaopdxl
    tdss
    tdssserv
    TDSSserv.SYS
    Service_TDSSSERV.SYS
    Legacy_TDSSSERV.SYS
    msqpdxserv.sys
    msqpdxserv
    
    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

Reply with copy of C:\Avenger.txt

Be sure to copy and paste its contents in-line {within body of reply box}
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#7 cruck123

cruck123
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:46 PM

Posted 05 May 2009 - 06:37 AM

The Avenger was installed and executed per instructions. The log is listed below.

Logfile of The Avenger Version 2.0, by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Edited for readability, and removed lines for items not found, added emphasis~ Maurice



Folder "C:\recycler" deleted successfully.


Edited for readability, and removed lines for items not found. ~ Maurice


Completed script processing.

*******************

Finished! Terminate.

Edited by Maurice Naggar, 05 May 2009 - 09:14 PM.


#8 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:05:46 PM

Posted 05 May 2009 - 09:47 AM

After these next steps, you need to let me know if internet access on this pc is available and ok.

Please do the following, as a follow-up to an autorun infection.
I'm going to have you get and run two utilities.

Plug in your USB-pen-flash-thumb drives so they can be accessed by the following tools.

The first stops automatic use of the AutoRun feature of XP. The second will write to any connected devices a Read-only, System protected Autorun.inf file on all of your hard drives, and all connected removable storage devices.

Download and Install Microsoft's TweakUI:
http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx
Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.
Expand the My Computer branch, then the AutoPlay branch, and then select Drives.
Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
http://download.bleepingcomputer.com/sUBs/...Disinfector.exe
There is no GUI interface or log file produced.
=

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
=
Next, do a new run of DDS as you did initially.

Reply with a copy of the DrWeb report,
the new DDS report,
and advise me: how is your system now?
How is the internet access?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
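Added example, not part of Maurice's instructions and not sUBs' Flash Drive Disinfector: a small Python script that does the one piece of that tool the post describes, planting a placeholder autorun.inf on a drive root and, on Windows, marking it read-only, system and hidden. It assumes a drive root path such as E:\ is passed in; the function names, the placeholder file and the demo() self-check are this example's own. It deliberately refuses to touch a drive where an autorun.inf file already exists, since that file is the thing to inspect, not overwrite.

```python
"""Plant a protective autorun.inf on a drive root.

Added example (not sUBs' tool). Assumes `root` is a drive root such as
"E:\\"; file attributes are only set when running on Windows, elsewhere
only the folder is created so the decision logic can still be exercised.
"""
from __future__ import annotations

import ctypes
import os
import tempfile
from pathlib import Path

# Win32 file attribute bits accepted by kernel32 SetFileAttributesW
FILE_ATTRIBUTE_READONLY = 0x1
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
PROTECT = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM


def inspect_autorun(root: str) -> str:
    """Classify what sits at <root>\\autorun.inf without modifying it."""
    target = Path(root) / "autorun.inf"
    if not target.exists():
        return "absent"
    if target.is_dir():
        return "protected"  # a placeholder folder is already in place
    return "file"           # a real autorun.inf: review it, do not overwrite


def protect_drive(root: str) -> str:
    """Create the placeholder folder if nothing is there; never clobber a file.

    Returns "created", "already-protected" or "autorun-file-present".
    AutoRun only honours a *file* named autorun.inf, and a folder of that
    name cannot be replaced by a file while the folder exists.
    """
    state = inspect_autorun(root)
    if state == "file":
        return "autorun-file-present"
    if state == "protected":
        return "already-protected"
    target = Path(root) / "autorun.inf"
    target.mkdir()
    # A file inside keeps a plain rmdir from removing the folder.
    (target / "placeholder.txt").write_text("protective autorun.inf folder\n")
    if os.name == "nt":
        ctypes.windll.kernel32.SetFileAttributesW(str(target), PROTECT)
    return "created"


def demo() -> list[str]:
    """Run the logic on two throw-away directories standing in for drive roots."""
    empty_root = tempfile.mkdtemp()
    busy_root = tempfile.mkdtemp()
    # Constructed stand-in for a drive that already carries an autorun.inf file.
    (Path(busy_root) / "autorun.inf").write_text("; constructed sample file\n")
    return [
        inspect_autorun(empty_root),
        protect_drive(empty_root),
        protect_drive(empty_root),
        inspect_autorun(busy_root),
        protect_drive(busy_root),
    ]


if __name__ == "__main__":
    print(demo())
```

Run it against each removable drive root after the drive is plugged in, the same way the post has you plug the drives in before running the disinfector. On a drive that reports "autorun-file-present", open the autorun.inf in Notepad and post its contents rather than deleting it blindly.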

#9 cruck123

cruck123
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:46 PM

Posted 05 May 2009 - 05:19 PM

Maurice,
The system is working fine now. I do have internet access.

ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Creed.HELEN-PC\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Creed.HELEN-PC\Desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\Creed.HELEN-PC\Desktop;Container contains infected objects;Deleted.;
A0000063.EXE;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0;Program.PsExec.170;Deleted.;
A0000078.EXE;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0;Program.PsExec.170;Deleted.;



DDS (Ver_09-03-16.01) - NTFSx86
Run by Creed at 18:08:14.92 on Tue 05/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.556 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Blvd2009\blvdnews.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Creed.HELEN-PC\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: OToolbarHelper Class: {ead3a971-6a23-4246-8691-c9244e858967} - c:\program files\paypal\paypal plug-in\PayPalHelper.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: PayPal Plug-In: {dc0f2f93-27fa-4f84-acaa-9416f90b9511} - c:\program files\paypal\paypal plug-in\OToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [MSS_NewsFlash] "c:\program files\blvd2009\blvdnews.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [DXDllRegExe] dxdllreg.exe
mRun: [ImgTask] c:\windows\Imgtask.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165442024609
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165442318500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5159/mcfscan.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-23 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-8-28 206096]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-3-23 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-3-23 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-23 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-23 35272]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 APL531;CRS Photo Scanner;c:\windows\system32\drivers\PS550.sys [2008-1-28 580992]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-1-4 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-1-4 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-1-4 81288]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-23 34216]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-23 40552]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-4 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-1-4 1079176]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-3-23 606736]

=============== Created Last 30 ================

2009-05-05 11:55 <DIR> --d----- c:\documents and settings\creed.helen-pc\DoctorWeb
2009-05-05 11:37 <DIR> a-dshr-- C:\autorun.inf
2009-05-05 11:27 266,360 a------- c:\windows\system32\TweakUI.exe
2009-05-05 11:27 160,217 a------- c:\windows\system32\PowerToysLicense.rtf
2009-05-04 08:48 <DIR> --d----- C:\CDE
2009-05-03 20:17 161,792 a------- c:\windows\SWREG.exe
2009-05-03 20:17 98,816 a------- c:\windows\sed.exe
2009-05-03 18:52 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-01 15:33 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-01 15:33 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-01 15:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-21 22:25 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll
2009-04-21 22:25 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-04-21 22:25 18,944 a------- c:\windows\system32\dllcache\xrxscnui.dll
2009-04-21 22:25 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe
2009-04-21 22:25 4,608 a------- c:\windows\system32\dllcache\xrxflnch.exe
2009-04-21 22:24 99,865 a------- c:\windows\system32\dllcache\xlog.exe
2009-04-21 22:24 28,288 a------- c:\windows\system32\dllcache\xjis.nls
2009-04-21 22:24 16,970 a------- c:\windows\system32\dllcache\xem336n5.sys
2009-04-21 22:24 19,455 a------- c:\windows\system32\dllcache\wvchntxx.sys
2009-04-21 22:24 12,063 a------- c:\windows\system32\dllcache\wsiintxx.sys
2009-04-21 22:24 8,192 a------- c:\windows\system32\dllcache\wshirda.dll
2009-04-21 22:22 19,528 a------- c:\windows\system32\dllcache\w840nd.sys
2009-04-21 22:21 794,399 a------- c:\windows\system32\dllcache\usr1806v.sys
2009-04-21 22:20 211,968 a------- c:\windows\system32\dllcache\um54scan.dll
2009-04-21 22:19 230,912 a------- c:\windows\system32\dllcache\tosdvd03.sys
2009-04-21 22:18 94,293 a------- c:\windows\system32\dllcache\sxports.dll
2009-04-21 22:17 24,660 a------- c:\windows\system32\dllcache\spxupchk.dll
2009-04-21 22:16 25,034 a------- c:\windows\system32\dllcache\smcpwr2n.sys
2009-04-21 22:15 32,768 a------- c:\windows\system32\dllcache\sisnic.sys
2009-04-21 22:15 238,592 a------- c:\windows\system32\dllcache\sisgrv.dll
2009-04-21 22:15 104,064 a------- c:\windows\system32\dllcache\sisgrp.sys
2009-04-21 22:15 150,144 a------- c:\windows\system32\dllcache\sis6306v.dll
2009-04-21 22:15 68,608 a------- c:\windows\system32\dllcache\sis6306p.sys
2009-04-21 22:15 252,032 a------- c:\windows\system32\dllcache\sis300iv.dll
2009-04-21 22:15 101,760 a------- c:\windows\system32\dllcache\sis300ip.sys
2009-04-21 22:15 18,944 a------- c:\windows\system32\dllcache\simptcp.dll
2009-04-21 22:15 161,568 a------- c:\windows\system32\dllcache\sgsmusb.sys
2009-04-21 22:15 18,400 a------- c:\windows\system32\dllcache\sgsmld.sys
2009-04-21 22:15 98,080 a------- c:\windows\system32\dllcache\sgiulnt5.sys
2009-04-21 22:15 386,560 a------- c:\windows\system32\dllcache\sgiul50.dll
2009-04-21 22:15 36,480 a------- c:\windows\system32\dllcache\sfmanm.sys
2009-04-21 22:13 61,504 a------- c:\windows\system32\dllcache\s3sav3dm.sys
2009-04-21 22:12 3,840 a------- c:\windows\system32\dllcache\rpfun.sys
2009-04-21 22:11 159,232 a------- c:\windows\system32\dllcache\ptpusd.dll
2009-04-21 22:10 20,992 a------- c:\windows\system32\dllcache\permchk.dll
2009-04-21 22:09 116,736 a------- c:\windows\system32\dllcache\ovcodec2.dll
2009-04-21 22:08 7,552 a------- c:\windows\system32\dllcache\nsmmc.sys
2009-04-21 22:08 28,672 a------- c:\windows\system32\dllcache\nscirda.sys
2009-04-21 22:08 87,040 a------- c:\windows\system32\dllcache\nm6wdm.sys
2009-04-21 22:08 126,080 a------- c:\windows\system32\dllcache\nm5a2wdm.sys
2009-04-21 22:08 32,840 a------- c:\windows\system32\dllcache\ngrpci.sys
2009-04-21 22:08 53,248 a------- c:\windows\system32\dllcache\nextlink.dll
2009-04-21 22:08 132,695 a------- c:\windows\system32\dllcache\netwlan5.sys
2009-04-21 22:08 65,278 a------- c:\windows\system32\dllcache\netflx3.sys
2009-04-21 22:08 39,264 a------- c:\windows\system32\dllcache\neo20xx.sys
2009-04-21 22:06 49,024 a------- c:\windows\system32\dllcache\mstape.sys
2009-04-21 22:05 235,648 a------- c:\windows\system32\dllcache\mgaud.dll
2009-04-21 22:04 727,786 a------- c:\windows\system32\dllcache\ltck000c.sys
2009-04-21 22:03 6,144 a------- c:\windows\system32\dllcache\kbd106.dll
2009-04-21 22:02 3,584 a------- c:\windows\system32\dllcache\iismui.dll
2009-04-21 22:01 10,129,408 a------- c:\windows\system32\dllcache\hwxkor.dll
2009-04-21 22:00 32,768 a------- c:\windows\system32\dllcache\hpgtmcro.dll
2009-04-21 21:59 59,136 a------- c:\windows\system32\dllcache\gckernel.sys
2009-04-21 21:58 12,362 a------- c:\windows\system32\dllcache\f3ab18xi.sys
2009-04-21 21:57 283,904 a------- c:\windows\system32\dllcache\emu10k1m.sys
2009-04-21 21:56 952,007 a------- c:\windows\system32\dllcache\diwan.sys
2009-04-21 21:55 117,760 a------- c:\windows\system32\dllcache\d100ib5.sys
2009-04-21 21:54 1,677,824 a------- c:\windows\system32\dllcache\chsbrkr.dll
2009-04-21 21:53 5,120 a------- c:\windows\system32\dllcache\brscnrsm.dll
2009-04-21 21:52 24,576 a------- c:\windows\system32\dllcache\agcgauge.ax
2009-04-21 21:42 7,168 a------- c:\windows\system32\dllcache\wamregps.dll
2009-04-21 21:42 66,048 a------- c:\windows\system32\dllcache\s3legacy.dll
2009-04-21 21:41 19,968 a------- c:\windows\system32\dllcache\inetsloc.dll
2009-04-21 21:41 7,680 a------- c:\windows\system32\dllcache\inetmgr.exe
2009-04-21 21:41 169,984 a------- c:\windows\system32\dllcache\iisui.dll
2009-04-21 21:41 5,632 a------- c:\windows\system32\dllcache\iisrstap.dll
2009-04-21 21:41 14,336 a------- c:\windows\system32\dllcache\iisreset.exe
2009-04-21 21:41 6,144 a------- c:\windows\system32\dllcache\ftpsapi2.dll
2009-04-21 21:41 94,720 a------- c:\windows\system32\dllcache\certmap.ocx
2009-04-21 19:45 <DIR> --d----- c:\windows\system32\vmm32
2009-04-15 12:37 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-06 23:09 <DIR> --d----- c:\program files\common files\xing shared

==================== Find3M ====================

2009-03-25 11:06 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 11:06 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 11:06 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 11:06 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 11:05 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-21 10:06 989,696 a------- c:\windows\system32\dllcache\kernel32.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 473,600 a------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 08:10 453,120 a------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\dllcache\services.exe
2009-02-06 07:08 2,189,056 a------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\dllcache\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 06:10 227,840 a------- c:\windows\system32\dllcache\wmiprvse.exe
2007-11-30 14:45 32 ac------ c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-11-21 21:22 88 -c-shr-- c:\windows\system32\62B2119F74.sys
2007-11-21 21:23 2,828 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-29 02:23 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122920081230\index.dat

============= FINISH: 18:09:14.29 ===============

#10 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 05 May 2009 - 09:43 PM

So far, so good. You need to remove older versions of Java, and get the latest version. Then, I'm suggesting you run one more anti-malware tool.

This system has an old version of Java Run-time.

Uninstall jre1.6 (or any earlier) + any other (JRE Runtime Environment) Sun Java package via Add/Remove Programs.
If you see any other Java versions there,
such as
J2SE Runtime Environment 5.0
Java SE Runtime Environment
Java 6


uninstall all of them. After uninstalling, reboot if directed to do so.

In Windows Explorer, navigate to and delete C:\Program Files\Java <=this folder, if found. Do NOT delete C:\Program Files\JavaVM <=this folder, if found!
Open an IE window and go to http://java.sun.com/javase/downloads/index.jsp
> In top of the page (first in the list), click on the Download button to the right of Java Runtime Environment (JRE) 6 Update 13
> If the Information Bar pops up, right-click on it and say it's OK to display the blocked content; You do not have to install the Java Web Start ActiveX Control
> Accept the license agreement
> Click on Windows Offline Installation, Multi-language and Save the file to your desktop; do not Run it.

When the download is complete, close all browser windows and double-click on the saved file to install the update.
  • Tip: Choose Custom install to select only the part(s) you need/want.
Delete the downloaded installation file after completing the above procedure and reboot if prompted to do so.

If you were /not/ prompted to reboot, please do so now.

To test your Java Run-time, you may go to this page http://www.javatester.org/version.html
When all is well, you should see Java Version: 1.6.0_13 from Sun Microsystems Inc.
=

Next, Close all applications and windows.

If you have an older copy of SDFix, delete it now.
Download SDFix and save it to your Desktop.
The most current version is Version 2.414

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual user account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back in a Reply here.
=
Please reply with a copy of Report.txt
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#11 cruck123

cruck123
  • Topic Starter

  • Members
  • 9 posts

Posted 06 May 2009 - 07:17 AM

Process completed.


SDFix: Version 1.240
Run by Creed on Wed 05/06/2009 at 08:00 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 08:11:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"="C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\WgaTray.exe"="C:\\WINDOWS\\system32\\WgaTray.exe:*:Enabled:WgaTray"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 26 Jan 2009 2,144,088 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 21 Nov 2007 88 ..SHR --- "C:\WINDOWS\system32\62B2119F74.sys"
Wed 21 Nov 2007 2,828 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Tue 12 Dec 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 16 Apr 2009 20,688 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Thu 16 Apr 2009 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Tue 29 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Tue 12 Dec 2006 11,115 ..SH. --- "C:\Documents and Settings\Helen\My Documents\My Music\License Backup\drmv2key.bak"
Fri 1 Dec 2006 8 ...H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Fri 1 Dec 2006 8 ...H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Fri 1 Dec 2006 8 ...H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Fri 1 Dec 2006 8 ...H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Fri 1 Dec 2006 8 ...H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Fri 1 Dec 2006 8 ...H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch6\lock.tmp"
Mon 18 Feb 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch7\lock.tmp"
Sun 3 May 2009 0 A..H. --- "C:\Documents and Settings\Creed.HELEN-PC\Local Settings\Application Data\SupportSoft\dellsupportcenter\Creed\data\BITB.tmp"

Finished!
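The "Authorized Application Key Export" in the SDFix report above lists every program the Windows XP firewall lets through, one REG_SZ value per program in the form path:scope:state:display name. Reviewing that list is a useful check after a rogue-software cleanup, because a leftover exception for a binary in a temp or profile folder would let it keep talking out. The following Python script is an added example, not part of SDFix or of this thread: it parses an export in that format (the registry export text below is constructed to mirror the one above), unescapes the .reg quoting, and flags enabled entries whose path is outside the Windows or Program Files trees or sits in a temp/profile location. The trusted-prefix and risky-fragment lists are assumptions for the example, not rules from the post.

```python
"""Audit an exported Windows XP firewall AuthorizedApplications list.

Added example; not code from SDFix or from the forum thread. The export text
below is constructed in the same layout SDFix prints, and the paths, labels
and heuristics are sample data chosen for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample export: two real-looking Windows entries, one entry living in a
# temp folder (the kind of leftover a cleanup should surface) and one disabled entry.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\updater.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\updater.exe:*:Enabled:Updater"
"C:\\Program Files\\Old\\tool.exe"="C:\\Program Files\\Old\\tool.exe:*:Disabled:Old Tool"
'''

# [HKEY_...\standardprofile\authorizedapplications\list]
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"="value" with .reg-style backslash escapes inside the quotes
PAIR_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"$')
# path:scope:state:label; the optional drive-letter group keeps "C:" out of the split
VALUE_RE = re.compile(
    r'^(?P<path>(?:[A-Za-z]:)?[^:]*):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<label>.*)$',
    re.IGNORECASE,
)

# Assumed heuristics for the example: where an exception is expected to live, and
# path fragments that deserve a second look when they carry an enabled exception.
TRUSTED_PREFIXES = ('%windir%\\', 'c:\\windows\\', 'c:\\program files\\')
RISKY_FRAGMENTS = ('\\temp\\', '\\local settings\\', '\\recycler\\')


@dataclass
class FirewallException:
    profile: str   # standardprofile / domainprofile, taken from the key path
    path: str
    scope: str     # "*" means any remote address
    enabled: bool
    label: str


def unescape_reg(s: str) -> str:
    """Undo .reg quoting: \\\\ -> \\ and \\" -> " (any backslash escape collapses)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_export(text: str) -> List[FirewallException]:
    """Parse the export into FirewallException records, tracking the current profile."""
    profile = 'unknown'
    entries: List[FirewallException] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            parts = key.group('key').lower().split('\\')
            profile = next((p for p in parts if p.endswith('profile')), key.group('key'))
            continue
        pair = PAIR_RE.match(line)
        if not pair:
            continue  # not a value line (e.g. a stray report line)
        value = unescape_reg(pair.group('value'))
        fields = VALUE_RE.match(value)
        if not fields:
            raise ValueError(f'unrecognised AuthorizedApplications value: {value!r}')
        entries.append(FirewallException(
            profile=profile,
            path=fields['path'],
            scope=fields['scope'],
            enabled=fields['state'].lower() == 'enabled',
            label=fields['label'],
        ))
    return entries


def is_suspicious(entry: FirewallException) -> bool:
    """Enabled exception outside the trusted trees, or inside a temp/profile location."""
    if not entry.enabled:
        return False
    path = entry.path.lower()
    if any(fragment in path for fragment in RISKY_FRAGMENTS):
        return True
    return not path.startswith(TRUSTED_PREFIXES)


def audit(text: str) -> List[FirewallException]:
    """Return only the exceptions worth a closer look."""
    return [e for e in parse_export(text) if is_suspicious(e)]


if __name__ == '__main__':
    for e in parse_export(SAMPLE_EXPORT):
        flag = 'CHECK' if is_suspicious(e) else 'ok   '
        print(f'{flag} [{e.profile}] {e.path} ({e.label}, scope={e.scope}, enabled={e.enabled})')
```

Run against the constructed sample, only the Temp-folder entry is flagged; the two Windows entries and the disabled one pass. Paste a real SDFix export in place of SAMPLE_EXPORT to audit a machine's own list.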

#12 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 06 May 2009 - 08:23 AM

The SDFix run was ok. I have to apologize to you: I intended to have you also run SmitFraudFix.
The MVP Hosts file will help to block undesired websites.
The SmitFraudFix is a tool to check for and remove rogue programs.
These next 2 things will not take very long.
Please do the following

Get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm

Steps to follow for the MVP Hosts file:
1) Download and SAVE the zip file to a temporary folder
2) Unzip (extract the contents) in the same folder
3) After extract is complete, run mvps.bat batch file. This copies your pre-existing Hosts file to Hosts.mvp in the folder where Windows' Hosts resides (typically, C:\WINDOWS\system32\drivers\etc), and after that copy is saved, it replaces the old Hosts with the new one.

And you should see (in the blue background command window) the following:

_________________________________________________
+---+
THE MVPS HOSTS FILE IS NOW UPDATED v
+---+



Previous version saved and renamed to HOSTS.MVP
Press any key to continue . . .


Find the folder where you saved the original download. Delete hosts.zip and a file folder there named hosts
The latter is the same folder that had mvps.bat

=


If you have a prior copy of SmitFraudFix, delete it now!
Please download SmitfraudFix (by S!Ri). Don't download SmitfraudFix until you're ready to run/use it. It's very important that you be using the most recent version (v2.414 or later).
Extract the contents of the file (a folder named SmitfraudFix) to your Desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual user account.
1. Once in Safe Mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

2. Select option #2 - Clean by typing 2 and pressing Enter to delete infected files.

3. You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer "Yes" by typing Y and pressing Enter in order to remove the desktop background and clean registry keys associated with the infection.

4. The tool will then check if wininet.dll is infected. If prompted to replace the infected file (if found), answer "Yes" by typing Y and pressing Enter.

5. The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

6. A text file will appear onscreen with results from the cleaning process. Please copy/paste the content of that report into your next reply.

The report also may be found at the root of the system drive, usually at C:\rapport.txt

Notes:
  • process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. More on this at http://www.beyondlogic.org/consulting/proc...processutil.htm
  • Running option #2 on a non-infected computer will remove your Desktop background. No need to worry, you had been infected.
Please reply with a copy of Rapport.txt
and advise, How is your system now?

Edited by Maurice Naggar, 06 May 2009 - 08:29 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#13 cruck123

cruck123
  • Topic Starter

  • Members
  • 9 posts

Posted 06 May 2009 - 11:29 AM

System appears to be running fine.

SmitFraudFix v2.414

Scan done at 12:05:02.18, Wed 05/06/2009
Run from C:\Documents and Settings\Creed.HELEN-PC\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net
127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]
...

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

Problem while deleting C:\autorun.inf

IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{86AEB6DA-717D-499A-8D13-F4C7BA914993}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{86AEB6DA-717D-499A-8D13-F4C7BA914993}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{86AEB6DA-717D-499A-8D13-F4C7BA914993}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""


RK.2



Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End
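Two things in the last two posts are worth being able to check by hand: what a hosts file actually contains (the SmitFraudFix report above dumps it, showing the MVPS-style "127.0.0.1 domain #[tag]" block entries), and the backup-then-replace step that mvps.bat performs. The Python below is an added example, not code from the thread, from mvps.org or from SmitFraudFix. It parses a hosts file, separates block-list entries (names sinkholed to 127.0.0.1, 0.0.0.0 or ::1) from real mappings, reports malformed lines, and raises two defender-relevant findings: a name mapped to a non-sinkhole address (the pattern of a hosts-file hijack) and a sinkhole entry for a host that a legitimate block list must never touch, such as a security vendor's update server. It also shows a small install routine that copies the current hosts file to hosts.mvp before writing the new one, which is what the post describes mvps.bat doing. The sample hosts text, the PROTECTED_HOSTS list and the example-av.test names are constructed for the example.

```python
"""Audit a hosts file and install a new one with a backup, as mvps.bat does.

Added example; not from the forum thread, the mvps.org package or SmitFraudFix.
SAMPLE_HOSTS and PROTECTED_HOSTS are constructed test data.
"""
import ipaddress
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample hosts file: MVPS-style block entries plus one hijack-style line,
# one sinkholed vendor host and one malformed line.
SAMPLE_HOSTS = """\
# Constructed sample (not a real hosts file)
127.0.0.1       localhost
::1             localhost
127.0.0.1 ad.a8.net
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
0.0.0.0   c.abnad.net #[eTrust.Tracking.Cookie]
192.0.2.10 update.example-av.test   # constructed hijack-style entry
127.0.0.1 update.example-av.test    # constructed: vendor host sinkholed
this is not a hosts line
"""

# Addresses a block list legitimately points unwanted names at.
SINKHOLES = {ipaddress.ip_address(a) for a in ('127.0.0.1', '0.0.0.0', '::1')}
# Constructed: hosts that must stay reachable (e.g. AV update servers).
PROTECTED_HOSTS = {'update.example-av.test'}


@dataclass
class HostsEntry:
    lineno: int
    address: str
    names: List[str]
    tag: Optional[str]  # trailing comment, e.g. "[Win32/Adware.180Solutions]"


@dataclass
class HostsReport:
    entries: List[HostsEntry] = field(default_factory=list)
    malformed: List[int] = field(default_factory=list)  # line numbers
    findings: List[str] = field(default_factory=list)


def parse_hosts(text: str) -> HostsReport:
    """Parse hosts-file text; collect entries, malformed lines and findings."""
    report = HostsReport()
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition('#')
        parts = body.split()
        if not parts:
            continue  # blank or comment-only line
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            report.malformed.append(lineno)
            continue
        names = [p.lower() for p in parts[1:]]
        if not names:
            report.malformed.append(lineno)  # an address with no hostname
            continue
        report.entries.append(HostsEntry(lineno, str(addr), names, comment.strip() or None))
        for name in names:
            if name == 'localhost':
                continue
            if addr in SINKHOLES:
                if name in PROTECTED_HOSTS:
                    report.findings.append(
                        f'line {lineno}: protected host {name} is sinkholed to {addr}')
            else:
                report.findings.append(
                    f'line {lineno}: {name} is mapped to {addr}, not a sinkhole address; '
                    f'verify this is intended')
    return report


def install_hosts(hosts_path: str, new_text: str, backup_name: str = 'hosts.mvp') -> str:
    """Copy the existing hosts file to hosts.mvp beside it, then atomically replace it."""
    backup = os.path.join(os.path.dirname(hosts_path), backup_name)
    if os.path.exists(hosts_path):
        shutil.copy2(hosts_path, backup)
    tmp = hosts_path + '.tmp'
    with open(tmp, 'w') as fh:
        fh.write(new_text)
    os.replace(tmp, hosts_path)  # rename, so a crash never leaves a half-written file
    return backup


def demo_install(new_text: str = SAMPLE_HOSTS) -> Dict[str, str]:
    """Exercise install_hosts() in a scratch directory; return backup and installed text."""
    with tempfile.TemporaryDirectory() as scratch:
        hosts = os.path.join(scratch, 'hosts')
        with open(hosts, 'w') as fh:
            fh.write('127.0.0.1 localhost\n')  # the pre-existing file
        backup = install_hosts(hosts, new_text)
        with open(backup) as fh:
            old = fh.read()
        with open(hosts) as fh:
            new = fh.read()
    return {'backup': old, 'installed': new}


if __name__ == '__main__':
    report = parse_hosts(SAMPLE_HOSTS)
    print(f'{len(report.entries)} entries, malformed lines: {report.malformed}')
    for finding in report.findings:
        print('FINDING:', finding)
```

On the constructed sample the parser accepts seven entries, reports line 9 as malformed, and raises exactly two findings: the 192.0.2.10 mapping and the sinkholed protected host. To audit a real machine, read C:\WINDOWS\system32\drivers\etc\hosts into parse_hosts() and populate PROTECTED_HOSTS with the update hosts your security software actually uses.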

#14 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 06 May 2009 - 12:39 PM

Excellent. You have done well.

I see that you are clear of your original issues.
If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it, ( you had named it combo-fix ), put that name in the RUN box stated just below. The "/u" in the Run line below is to start Combofix for its cleanup & removal function.
The utility must be removed to prevent any unintentional or accidental usage, PLUS, to free up much space on your hard disk.
  • Click Start, then click Run. In the command box that opens, type or copy/paste combo-fix /u and then click OK.
  • Download OTListIt2 by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTListIt2.exe
  • Please double click OTListIt2.exe to start it.
  • Click on the CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTListIt2 attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.
We are finished here. Best regards.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#15 cruck123

cruck123
  • Topic Starter

  • Members
  • 9 posts

Posted 06 May 2009 - 02:32 PM

Maurice,

I am having trouble with the removal of Combofix. When I downloaded it, it was downloaded to a flash drive as Combofix.exe without the -. Is there a manual process for the removal?
