
C:\Windows\System32\Jh9fgo4ksdgf.dll HijackThis, Please help


This topic is locked
8 replies to this topic

#1 adamgregory

Posted 29 April 2009 - 12:53 AM

Thanks for taking your time and looking at this. I just got my PC back from a friend and it was completely messed up: random popups, sites closing unexpectedly and just acting weird. Thanks again for your time.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Adam at 1:28:53.29 on Wed 04/29/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495.34 [GMT -4:00]

FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Adam\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: plentyoftorrents.com Toolbar: {90d7a308-e741-4ae2-9a47-fe38da9b798a} - c:\program files\plentyoftorrents.com\tbplen.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: c:\windows\system32\jh9fgo4ksdgf.dll: {d7bf4552-94f1-42bd-f434-3604812c856d} - c:\windows\system32\jh9fgo4ksdgf.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: plentyoftorrents.com Toolbar: {90d7a308-e741-4ae2-9a47-fe38da9b798a} - c:\program files\plentyoftorrents.com\tbplen.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Diagnostic Manager] c:\docume~1\adam\locals~1\temp\4146672144.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [autochk] rundll32.exe c:\docume~1\adam\protect.dll,_IWMPEvents@16
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad Muncher] "c:\program files\ad muncher\AdMunch.exe" /bt
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
dRun: [<NO NAME>] c:\windows\temp\gkvzi9.exe
dRun: [Windows Resurections] c:\windows\temp\gkvzi9.exe
dRun: [A00F1D6982B.exe] c:\windows\temp\_A00F1D6982B.exe
dRun: [A00F3A691A2.exe] c:\windows\temp\_A00F3A691A2.exe
dRun: [autochk] rundll32.exe c:\windows\system32\config\system~1\protect.dll,_IWMPEvents@16
StartupFolder: c:\documents and settings\adam\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\adam\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\person~1.lnk - c:\program files\broderbund\mavis beacon teaches typing 15\minimavis.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_i...d=menu_ie_frame
IE: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_i...d=menu_ie_image
IE: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_i...id=menu_ie_link
IE: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_i...menu_ie_exclude
IE: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_i...=menu_ie_report
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231625629208
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
Notify: __c009A755 - c:\windows\system32\__c009A755.dat
STS: c:\windows\system32\jh9fgo4ksdgf.dll: {d7bf4552-94f1-42bd-f434-3604812c856d} - c:\windows\system32\jh9fgo4ksdgf.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-16 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-4-14 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-4-14 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-4-14 144704]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-4-14 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-14 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-14 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-14 34216]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-4-14 40552]
S1 560e4e5c;560e4e5c;c:\windows\system32\drivers\560e4e5c.sys [2009-4-15 0]
S1 67521688;67521688;c:\windows\system32\drivers\67521688.sys [2009-4-17 0]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-1-13 33752]

=============== Created Last 30 ================

2009-04-28 18:06 <DIR> --d----- c:\windows\system32\NtmsData
2009-04-28 18:05 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-04-28 18:05 24,064 a--sh--- c:\documents and settings\adam\protect.dll
2009-04-28 13:03 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-04-28 13:03 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-04-28 13:03 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-04-28 13:03 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-04-27 20:51 27,648 a------- c:\windows\system32\__c00F248A.dat
2009-04-27 19:58 <DIR> --d----- c:\windows\system32\XPSViewer
2009-04-27 19:57 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-04-27 19:57 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-27 19:57 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-27 19:57 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-27 19:57 <DIR> --d----- C:\98bc7d41f5dc6ce71d
2009-04-27 19:57 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-04-27 19:57 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-04-27 19:57 117,760 -------- c:\windows\system32\prntvpt.dll
2009-04-26 18:31 155 a------- C:\xcrashdump.dat
2009-04-24 01:59 <DIR> --d----- c:\docume~1\adam\applic~1\McAfee
2009-04-23 22:12 28,160 a------- c:\windows\system32\__c009A755.dat
2009-04-23 22:11 39,936 a------- c:\windows\system32\winglsetup.exe
2009-04-21 21:44 <DIR> --d----- c:\program files\Ad Muncher
2009-04-21 21:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Ad Muncher
2009-04-17 20:04 <DIR> --d----- c:\program files\Conduit
2009-04-17 20:04 <DIR> --d----- c:\program files\plentyoftorrents.com
2009-04-17 19:57 <DIR> --d----- c:\docume~1\adam\applic~1\uTorrent
2009-04-17 13:58 0 a------- c:\windows\system32\drivers\67521688.sys
2009-04-17 06:23 1,400 a------- c:\windows\system32\ahtn.htm
2009-04-17 06:23 4,785 a------- c:\windows\system32\warning.gif
2009-04-17 06:22 104,960 a------- c:\windows\system32\ntdll64.exe
2009-04-17 06:22 1 a------- c:\windows\system32\uniq.tll
2009-04-16 11:25 46 a------- c:\windows\system32\p2hhr.bat
2009-04-16 11:24 15,000 a------- c:\windows\system32\jh9fgo4ksdgf.dll
2009-04-15 16:50 <DIR> --d----- c:\windows\system32\LogFiles
2009-04-15 01:17 0 a------- c:\windows\system32\drivers\560e4e5c.sys
2009-04-15 01:08 <DIR> --d----- c:\docume~1\adam\applic~1\LimeWire
2009-04-15 01:06 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-15 01:06 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-15 01:00 19,603,824 a------- c:\docume~1\adam\applic~1\setup.exe
2009-04-14 19:56 9,077 a------- c:\windows\system32\Config.MPF
2009-04-14 19:47 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-04-14 19:47 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-04-14 19:47 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-04-14 19:47 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
2009-04-14 19:46 <DIR> --d----- c:\program files\common files\McAfee
2009-04-14 19:46 <DIR> --d----- c:\program files\McAfee.com
2009-04-14 19:45 <DIR> --d----- c:\program files\McAfee
2009-04-14 19:41 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-04-14 18:24 <DIR> --dsh--- c:\documents and settings\adam\IECompatCache
2009-04-14 18:21 <DIR> --dsh--- c:\documents and settings\adam\PrivacIE
2009-04-14 18:15 <DIR> --dsh--- c:\documents and settings\adam\IETldCache
2009-04-14 18:09 <DIR> --d----- c:\windows\ie8updates
2009-04-14 18:09 <DIR> --d----- c:\program files\Yahoo!
2009-04-14 18:06 <DIR> -cd-h--- c:\windows\ie8
2009-04-14 18:06 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-04-14 18:03 105,984 -c------ c:\windows\system32\dllcache\iecompat.dll

==================== Find3M ====================

2009-03-25 11:06 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-11 19:32 438,784 a------- c:\docume~1\adam\applic~1\FFSJ.exe
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll

============= FINISH: 1:29:21.85 ===============

#2 fenzodahl512

Posted 29 April 2009 - 03:15 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all the steps given.

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

When finished, it will produce a log for you. Post that log and a fresh HijackThis log in your next reply.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.



#3 adamgregory (Topic Starter)

Posted 29 April 2009 - 04:18 AM

Hey, thanks for getting back to me so fast.
I hope I did this right; I'm the worst with computers.
Well, here's ComboFix's log:

ComboFix 09-04-28.02 - Adam 04/29/2009 4:58.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495.216 [GMT -4:00]
Running from: c:\documents and settings\Adam\Desktop\ComboFix.exe
FW: McAfee Personal Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Adam\protect.dll
c:\documents and settings\Adam\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Adam\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\system32\__c009A755.dat
c:\windows\system32\__c00F248A.dat
c:\windows\system32\ahtn.htm
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\jh9fgo4ksdgf.dll
c:\windows\system32\ntdll64.exe
c:\windows\system32\p2hhr.bat
c:\windows\system32\uniq.tll
c:\windows\system32\warning.gif
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-29 07:07 . 2009-04-29 07:07 27648 ----a-w c:\windows\system32\lmppcsetup.exe
2009-04-28 22:06 . 2009-04-28 22:23 -------- d-----w c:\windows\system32\NtmsData
2009-04-28 17:03 . 2008-04-14 04:17 25856 -c--a-w c:\windows\system32\dllcache\usbprint.sys
2009-04-28 17:03 . 2008-04-14 04:17 25856 ----a-w c:\windows\system32\drivers\usbprint.sys
2009-04-28 17:03 . 2008-04-14 04:15 32128 -c--a-w c:\windows\system32\dllcache\usbccgp.sys
2009-04-28 17:03 . 2008-04-14 04:15 32128 ----a-w c:\windows\system32\drivers\usbccgp.sys
2009-04-27 23:59 . 2009-04-27 23:59 83648 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-27 23:58 . 2009-04-27 23:58 -------- d-----w c:\windows\system32\XPSViewer
2009-04-27 23:58 . 2009-04-27 23:58 -------- d-----w c:\program files\MSBuild
2009-04-27 23:58 . 2009-04-27 23:58 -------- d-----w c:\program files\Reference Assemblies
2009-04-27 23:57 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-27 23:57 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-27 23:57 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-27 23:57 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-27 23:57 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-27 23:57 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-27 23:57 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-27 23:57 . 2009-04-27 23:57 -------- d-----w C:\98bc7d41f5dc6ce71d
2009-04-24 05:59 . 2009-04-24 05:59 -------- d-----w c:\documents and settings\Adam\Application Data\McAfee
2009-04-24 02:11 . 2009-04-28 00:51 39936 ----a-w c:\windows\system32\winglsetup.exe
2009-04-22 01:44 . 2009-04-22 01:44 -------- d-----w c:\program files\Ad Muncher
2009-04-22 01:44 . 2009-04-22 01:44 -------- d-----w c:\documents and settings\All Users\Application Data\Ad Muncher
2009-04-19 05:44 . 2009-04-19 05:44 -------- d-----w c:\windows\Sun
2009-04-18 20:32 . 2009-04-18 20:32 -------- d-----w c:\documents and settings\Adam\Local Settings\Application Data\Yahoo
2009-04-18 00:04 . 2009-04-18 00:04 -------- d-----w c:\documents and settings\Adam\Local Settings\Application Data\Conduit
2009-04-18 00:04 . 2009-04-18 00:04 -------- d-----w c:\program files\Conduit
2009-04-18 00:04 . 2009-04-18 00:05 -------- d-----w c:\documents and settings\Adam\Local Settings\Application Data\plentyoftorrents.com
2009-04-18 00:04 . 2009-04-18 00:04 -------- d-----w c:\program files\plentyoftorrents.com
2009-04-17 23:57 . 2009-04-24 05:52 -------- d-----w c:\documents and settings\Adam\Application Data\uTorrent
2009-04-17 17:58 . 2009-04-19 06:03 0 ----a-w c:\windows\system32\drivers\67521688.sys
2009-04-16 15:27 . 2009-04-16 15:27 -------- d-sh--w c:\windows\system32\config\systemprofile\PrivacIE
2009-04-16 15:26 . 2009-04-16 15:26 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-04-16 15:21 . 2009-04-16 15:21 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore
2009-04-15 20:50 . 2009-04-15 20:50 -------- d-----w c:\windows\system32\LogFiles
2009-04-15 05:17 . 2009-04-18 03:03 0 ----a-w c:\windows\system32\drivers\560e4e5c.sys
2009-04-15 05:16 . 2009-04-15 05:16 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-15 05:08 . 2009-04-18 15:52 -------- d-----w c:\documents and settings\Adam\Application Data\LimeWire
2009-04-15 05:06 . 2009-04-15 05:05 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-15 05:04 . 2009-04-15 05:04 -------- d-----w c:\program files\Java
2009-04-15 05:00 . 2009-04-18 15:37 19603824 ----a-w c:\documents and settings\Adam\Application Data\setup.exe
2009-04-15 00:00 . 2009-04-15 00:00 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-04-14 23:58 . 2009-04-14 23:58 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-14 23:51 . 2009-04-14 23:51 -------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-04-14 23:47 . 2009-03-25 15:06 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-04-14 23:47 . 2009-03-25 15:06 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-04-14 23:47 . 2009-03-25 15:06 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-04-14 23:47 . 2008-10-23 17:08 120136 ----a-w c:\windows\system32\drivers\Mpfp.sys
2009-04-14 23:46 . 2009-04-14 23:47 -------- d-----w c:\program files\Common Files\McAfee
2009-04-14 23:46 . 2009-04-14 23:46 -------- d-----w c:\program files\McAfee.com
2009-04-14 23:45 . 2009-04-17 16:28 -------- d-----w c:\program files\McAfee
2009-04-14 23:41 . 2009-03-25 15:05 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-04-14 23:36 . 2009-04-24 06:01 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-14 22:24 . 2009-04-14 22:24 -------- d-sh--w c:\documents and settings\Adam\IECompatCache
2009-04-14 22:21 . 2009-04-14 22:21 -------- d-sh--w c:\documents and settings\Adam\PrivacIE
2009-04-14 22:15 . 2009-04-14 22:15 -------- d-sh--w c:\documents and settings\Adam\IETldCache
2009-04-14 22:09 . 2009-04-14 22:09 -------- d-----w c:\windows\ie8updates
2009-04-14 22:09 . 2009-04-18 20:29 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-14 22:09 . 2009-04-14 22:09 -------- d-----w c:\documents and settings\Adam\Application Data\Yahoo!
2009-04-14 22:09 . 2009-04-14 22:25 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-04-14 22:09 . 2009-04-18 20:29 -------- d-----w c:\program files\Yahoo!
2009-04-14 22:06 . 2009-04-14 22:08 -------- dc-h--w c:\windows\ie8
2009-04-14 22:06 . 2009-04-14 22:10 -------- d--h--w c:\windows\msdownld.tmp
2009-04-14 22:03 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 00:04 . 2009-01-11 00:09 23960 ----a-w c:\documents and settings\Adam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-16 15:09 . 2009-02-07 11:57 -------- d-----w c:\program files\SpyHunter
2009-04-15 23:09 . 2009-01-11 01:15 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-25 15:06 . 2009-01-17 00:04 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-23 21:33 . 2009-03-23 21:33 -------- d-----w c:\program files\directx
2009-03-23 21:33 . 2009-03-23 21:33 -------- d-----w c:\program files\Common Files\Broderbund
2009-03-23 21:32 . 2009-03-23 21:32 -------- d-----w c:\program files\Broderbund
2009-03-23 06:41 . 2009-03-23 06:40 -------- d-----w c:\program files\QuickTime
2009-03-11 23:32 . 2009-02-07 05:48 438784 ----a-w c:\documents and settings\Adam\Application Data\FFSJ.exe
2009-03-08 08:34 . 2002-09-03 13:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2002-09-03 13:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2002-09-03 13:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2002-09-03 13:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2002-09-03 13:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2002-09-03 13:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2002-09-03 13:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2002-09-03 13:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2002-09-03 13:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2002-09-03 13:00 156160 ----a-w c:\windows\system32\msls31.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{90d7a308-e741-4ae2-9a47-fe38da9b798a}"= "c:\program files\plentyoftorrents.com\tbplen.dll" [2009-04-01 2086936]

[HKEY_CLASSES_ROOT\clsid\{90d7a308-e741-4ae2-9a47-fe38da9b798a}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{90D7A308-E741-4AE2-9A47-FE38DA9B798A}"= "c:\program files\plentyoftorrents.com\tbplen.dll" [2009-04-01 2086936]

[HKEY_CLASSES_ROOT\clsid\{90d7a308-e741-4ae2-9a47-fe38da9b798a}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-01-30 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-01-30 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-15 136600]
"Ad Muncher"="c:\program files\Ad Muncher\AdMunch.exe" [2009-04-22 779776]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
ChkDisk.dll [2009-4-29 24064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Personal Coach.lnk - c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2009-3-23 2392064]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R1 560e4e5c;560e4e5c;c:\windows\System32\drivers\560e4e5c.sys [2009-04-18 0]
R1 67521688;67521688;c:\windows\System32\drivers\67521688.sys [2009-04-19 0]
R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
S2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-14 14:53]

2009-04-14 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-14 14:53]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-autochk - c:\windows\system32\autochk.dll
HKU-Default-Run-Windows Resurections - c:\windows\TEMP\gkvzi9.exe
HKU-Default-Run-A00F1D6982B.exe - c:\windows\TEMP\_A00F1D6982B.exe
HKU-Default-Run-A00F3A691A2.exe - c:\windows\TEMP\_A00F3A691A2.exe
HKU-Default-Run-autochk - c:\windows\system32\config\SYSTEM~1\protect.dll
Notify-__c009A755 - c:\windows\system32\__c009A755.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 05:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3108)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\KeyHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\SoftwareDistribution\Download\542ca89b62f4b2b2eebea38f60812a7c\update\update.exe
.
**************************************************************************
.
Completion time: 2009-04-29 5:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 09:06

Pre-Run: 12,379,226,112 bytes free
Post-Run: 12,886,593,536 bytes free

219



And the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:00 AM, on 4/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Adam\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: plentyoftorrents.com Toolbar - {90d7a308-e741-4ae2-9a47-fe38da9b798a} - C:\Program Files\plentyoftorrents.com\tbplen.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: plentyoftorrents.com Toolbar - {90d7a308-e741-4ae2-9a47-fe38da9b798a} - C:\Program Files\plentyoftorrents.com\tbplen.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Personal Coach.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1231625629208
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 6300 bytes

#4 fenzodahl512

Posted 29 April 2009 - 04:28 AM

Tell me, do you use plentyoftorrents.com software?



1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.bleepingcomputer.com/forums/index.php?showtopic=223145&view=findpost&p=1243225

KillAll::

Driver::
560e4e5c
67521688

Collect::
c:\windows\system32\winglsetup.exe
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\drivers\67521688.sys
c:\windows\system32\drivers\560e4e5c.sys
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • Simply follow the instructions to copy/paste/send the requested file.
Note:
If Combofix fails to upload the file, please find C:\Qoobox\Quarantined Files\Submit(Time and date here).zip and upload it at this site

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 adamgregory (Topic Starter)

Posted 29 April 2009 - 04:45 PM

No, I don't use plentyoftorrents.com software. I was told it was good, but I didn't like it and never used it. I favor uTorrent, and I deleted it when the computer started to act up. My friend installed and used LimeWire; I uninstalled it when I found out.

ComboFix log

ComboFix 09-04-29.01 - Adam 04/29/2009 17:22.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495.233 [GMT -4:00]
Running from: c:\documents and settings\Adam\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Adam\Desktop\CFScript.txt
FW: McAfee Personal Firewall *disabled*
* Created a new restore point

file zipped: c:\windows\system32\drivers\67521688.sys
file zipped: c:\windows\system32\lmppcsetup.exe
file zipped: c:\windows\system32\winglsetup.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
c:\windows\system32\drivers\560e4e5c.sys
c:\windows\system32\drivers\67521688.sys
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\winglsetup.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_560e4e5c
-------\Service_67521688


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-28 22:06 . 2009-04-28 22:23 -------- d-----w c:\windows\system32\NtmsData
2009-04-28 17:03 . 2008-04-14 04:17 25856 -c--a-w c:\windows\system32\dllcache\usbprint.sys
2009-04-28 17:03 . 2008-04-14 04:17 25856 ----a-w c:\windows\system32\drivers\usbprint.sys
2009-04-28 17:03 . 2008-04-14 04:15 32128 -c--a-w c:\windows\system32\dllcache\usbccgp.sys
2009-04-28 17:03 . 2008-04-14 04:15 32128 ----a-w c:\windows\system32\drivers\usbccgp.sys
2009-04-27 23:59 . 2009-04-27 23:59 83648 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-27 23:58 . 2009-04-27 23:58 -------- d-----w c:\windows\system32\XPSViewer
2009-04-27 23:58 . 2009-04-27 23:58 -------- d-----w c:\program files\MSBuild
2009-04-27 23:58 . 2009-04-27 23:58 -------- d-----w c:\program files\Reference Assemblies
2009-04-27 23:57 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-27 23:57 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-27 23:57 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-27 23:57 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-27 23:57 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-27 23:57 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-27 23:57 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-27 23:57 . 2009-04-27 23:57 -------- d-----w C:\98bc7d41f5dc6ce71d
2009-04-24 05:59 . 2009-04-24 05:59 -------- d-----w c:\documents and settings\Adam\Application Data\McAfee
2009-04-22 01:44 . 2009-04-22 01:44 -------- d-----w c:\program files\Ad Muncher
2009-04-22 01:44 . 2009-04-22 01:44 -------- d-----w c:\documents and settings\All Users\Application Data\Ad Muncher
2009-04-19 05:44 . 2009-04-19 05:44 -------- d-----w c:\windows\Sun
2009-04-18 20:32 . 2009-04-18 20:32 -------- d-----w c:\documents and settings\Adam\Local Settings\Application Data\Yahoo
2009-04-18 00:04 . 2009-04-18 00:04 -------- d-----w c:\documents and settings\Adam\Local Settings\Application Data\Conduit
2009-04-18 00:04 . 2009-04-18 00:04 -------- d-----w c:\program files\Conduit
2009-04-18 00:04 . 2009-04-18 00:05 -------- d-----w c:\documents and settings\Adam\Local Settings\Application Data\plentyoftorrents.com
2009-04-18 00:04 . 2009-04-18 00:04 -------- d-----w c:\program files\plentyoftorrents.com
2009-04-17 23:57 . 2009-04-24 05:52 -------- d-----w c:\documents and settings\Adam\Application Data\uTorrent
2009-04-16 15:27 . 2009-04-16 15:27 -------- d-sh--w c:\windows\system32\config\systemprofile\PrivacIE
2009-04-16 15:26 . 2009-04-16 15:26 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-04-16 15:21 . 2009-04-16 15:21 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore
2009-04-15 20:50 . 2009-04-15 20:50 -------- d-----w c:\windows\system32\LogFiles
2009-04-15 05:16 . 2009-04-15 05:16 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-15 05:08 . 2009-04-18 15:52 -------- d-----w c:\documents and settings\Adam\Application Data\LimeWire
2009-04-15 05:06 . 2009-04-15 05:05 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-15 05:04 . 2009-04-15 05:04 -------- d-----w c:\program files\Java
2009-04-15 05:00 . 2009-04-18 15:37 19603824 ----a-w c:\documents and settings\Adam\Application Data\setup.exe
2009-04-15 00:00 . 2009-04-15 00:00 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-04-14 23:58 . 2009-04-14 23:58 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-14 23:51 . 2009-04-14 23:51 -------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-04-14 23:47 . 2009-03-25 15:06 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-04-14 23:47 . 2009-03-25 15:06 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-04-14 23:47 . 2009-03-25 15:06 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-04-14 23:47 . 2008-10-23 17:08 120136 ----a-w c:\windows\system32\drivers\Mpfp.sys
2009-04-14 23:46 . 2009-04-14 23:47 -------- d-----w c:\program files\Common Files\McAfee
2009-04-14 23:46 . 2009-04-14 23:46 -------- d-----w c:\program files\McAfee.com
2009-04-14 23:45 . 2009-04-17 16:28 -------- d-----w c:\program files\McAfee
2009-04-14 23:41 . 2009-03-25 15:05 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-04-14 23:36 . 2009-04-24 06:01 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-14 22:24 . 2009-04-14 22:24 -------- d-sh--w c:\documents and settings\Adam\IECompatCache
2009-04-14 22:21 . 2009-04-14 22:21 -------- d-sh--w c:\documents and settings\Adam\PrivacIE
2009-04-14 22:15 . 2009-04-14 22:15 -------- d-sh--w c:\documents and settings\Adam\IETldCache
2009-04-14 22:09 . 2009-04-14 22:09 -------- d-----w c:\windows\ie8updates
2009-04-14 22:09 . 2009-04-18 20:29 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-14 22:09 . 2009-04-14 22:09 -------- d-----w c:\documents and settings\Adam\Application Data\Yahoo!
2009-04-14 22:09 . 2009-04-14 22:25 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-04-14 22:09 . 2009-04-18 20:29 -------- d-----w c:\program files\Yahoo!
2009-04-14 22:06 . 2009-04-14 22:08 -------- dc-h--w c:\windows\ie8
2009-04-14 22:06 . 2009-04-14 22:10 -------- d--h--w c:\windows\msdownld.tmp
2009-04-14 22:03 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 00:04 . 2009-01-11 00:09 23960 ----a-w c:\documents and settings\Adam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-16 15:09 . 2009-02-07 11:57 -------- d-----w c:\program files\SpyHunter
2009-04-15 23:09 . 2009-01-11 01:15 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-25 15:06 . 2009-01-17 00:04 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-23 21:33 . 2009-03-23 21:33 -------- d-----w c:\program files\directx
2009-03-23 21:33 . 2009-03-23 21:33 -------- d-----w c:\program files\Common Files\Broderbund
2009-03-23 21:32 . 2009-03-23 21:32 -------- d-----w c:\program files\Broderbund
2009-03-23 06:41 . 2009-03-23 06:40 -------- d-----w c:\program files\QuickTime
2009-03-11 23:32 . 2009-02-07 05:48 438784 ----a-w c:\documents and settings\Adam\Application Data\FFSJ.exe
2009-03-08 08:34 . 2002-09-03 13:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2002-09-03 13:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2002-09-03 13:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2002-09-03 13:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2002-09-03 13:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2002-09-03 13:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2002-09-03 13:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2002-09-03 13:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2002-09-03 13:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2002-09-03 13:00 156160 ----a-w c:\windows\system32\msls31.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-29_09.03.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-29 21:29 . 2009-04-29 21:29 16384 c:\windows\Temp\Perflib_Perfdata_a98.dat
+ 2009-04-29 21:25 . 2009-04-29 21:25 16384 c:\windows\Temp\Perflib_Perfdata_640.dat
+ 2008-11-04 04:39 . 2009-04-29 21:11 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-04 04:39 . 2009-04-29 05:24 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-04 04:39 . 2009-04-29 21:11 163840 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-11-04 04:39 . 2009-04-29 05:24 163840 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"= "c:\program files\Yahoo!\Companion\Installs\cpn\yt.dll" [2008-11-20 911600]
"{90d7a308-e741-4ae2-9a47-fe38da9b798a}"= "c:\program files\plentyoftorrents.com\tbplen.dll" [2009-04-01 2086936]

[HKEY_CLASSES_ROOT\clsid\{ef99bd32-c1fb-11d2-892f-0090271d4f88}]
[HKEY_CLASSES_ROOT\yt.YToolbarBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YToolbarBand]

[HKEY_CLASSES_ROOT\clsid\{90d7a308-e741-4ae2-9a47-fe38da9b798a}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{90D7A308-E741-4AE2-9A47-FE38DA9B798A}"= "c:\program files\plentyoftorrents.com\tbplen.dll" [2009-04-01 2086936]

[HKEY_CLASSES_ROOT\clsid\{90d7a308-e741-4ae2-9a47-fe38da9b798a}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-01-30 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-01-30 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-15 136600]
"Ad Muncher"="c:\program files\Ad Muncher\AdMunch.exe" [2009-04-22 779776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Personal Coach.lnk - c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2009-3-23 2392064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"= {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - c:\windows\system32\webcheck.dll [2009-03-08 236544]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
S2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-14 14:53]

2009-04-14 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-14 14:53]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{AEB6717E-7E19-11d0-97EE-00C04FD91972} - shell32.dll
SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: {{e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\Messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - c:\windows\system32\msvidctl.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 17:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2544)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\KeyHook.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-04-29 17:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 21:31
ComboFix2.txt 2009-04-29 09:06

Pre-Run: 12,763,402,240 bytes free
Post-Run: 12,710,424,576 bytes free

232


Hijackthis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:39 PM, on 4/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Adam\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: plentyoftorrents.com Toolbar - {90d7a308-e741-4ae2-9a47-fe38da9b798a} - C:\Program Files\plentyoftorrents.com\tbplen.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: plentyoftorrents.com Toolbar - {90d7a308-e741-4ae2-9a47-fe38da9b798a} - C:\Program Files\plentyoftorrents.com\tbplen.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Personal Coach.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1231625629208
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 6088 bytes


Again, thanks for your time.

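A small triage script for the two logs posted above. It is an added example for this page, not part of the thread and not code from HijackThis, ComboFix or Malwarebytes; the sample lines inside it are copied verbatim from the HijackThis log and from the "Reg Loading Points" section of the ComboFix log in the reply above. It does the two things a helper does by eye when reading such logs: it groups HijackThis entries by CLSID, so that a component registered as both an R3 URLSearchHook and an O3 Toolbar (the plentyoftorrents.com toolbar here) shows up as one object hooking the browser twice, and it checks the REGEDIT4 fragment for the Security Center and firewall-policy values that are commonly flipped to hide disabled protection, the same AntiVirusDisableNotify value MBAM later reports. The list of value names and their default states is the script's own assumption about Windows XP, not something the thread states.

```python
"""Triage helpers for HijackThis and ComboFix output of the kind posted in this thread.

Added example for this page: not part of the original thread, not code from
HijackThis, ComboFix or Malwarebytes. Sample text is copied from the logs above.
"""
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted in this reply.
SAMPLE_HJT = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: plentyoftorrents.com Toolbar - {90d7a308-e741-4ae2-9a47-fe38da9b798a} - C:\Program Files\plentyoftorrents.com\tbplen.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: plentyoftorrents.com Toolbar - {90d7a308-e741-4ae2-9a47-fe38da9b798a} - C:\Program Files\plentyoftorrents.com\tbplen.dll
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

# Lines copied from the 'Reg Loading Points' section of the ComboFix log above.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
HJT_LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:)?(?P<val>[0-9A-Fa-f]+)')

# Assumed Windows XP defaults (value name, lower-cased -> shipped value).
# The *DisableNotify values silence the Security Center warning that protection
# is off; EnableFirewall=0 turns the built-in firewall off outright.
PROTECTION_DEFAULTS = {
    "antivirusdisablenotify": 0,
    "firewalldisablenotify": 0,
    "updatesdisablenotify": 0,
    "enablefirewall": 1,
}


def parse_hjt(text):
    """Split each 'Oxx - a - b - c' line into its section tag and ' - ' separated fields."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE_RE.match(line.strip())
        if m:
            entries.append({"section": m.group(1), "fields": m.group(2).split(" - ")})
    return entries


def clsid_index(entries):
    """Map each CLSID to every (section, description, path) that references it.

    One COM object registered under several hooks (URLSearchHook, Toolbar, BHO)
    is the same component reaching into the browser from several directions."""
    index = defaultdict(list)
    for e in entries:
        for f in e["fields"]:
            if CLSID_RE.match(f):
                index[f.upper()].append((e["section"], e["fields"][0], e["fields"][-1]))
    return dict(index)


def unknown_owner_services(entries):
    """Paths of O23 services whose binary has no company name HijackThis recognises.

    Caveat: 'Unknown owner' only means the version resource lacks a company
    string; legitimate software (McAfee SiteAdvisor in this log) trips it too.
    It is a prompt to verify the file, not a verdict."""
    return [e["fields"][-1] for e in entries
            if e["section"] == "O23" and "Unknown owner" in e["fields"]]


def parse_regedit(text):
    """Parse REGEDIT4-style text into {(key, value_name): int}; handles both
    'dword:00000001' and ComboFix's '0 (0x0)' rendering."""
    key, out = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key:
            out[(key, m.group("name"))] = int(m.group("val"), 16)
    return out


def protection_findings(reg):
    """(key, name, value) for every protection flag that is not in its default state.

    Caveat: a third-party firewall that registers with Security Center is a
    legitimate reason for EnableFirewall=0, so each finding still needs a look."""
    return [(k, n, v) for (k, n), v in reg.items()
            if n.lower() in PROTECTION_DEFAULTS and v != PROTECTION_DEFAULTS[n.lower()]]


if __name__ == "__main__":
    hjt = parse_hjt(SAMPLE_HJT)
    for clsid, refs in clsid_index(hjt).items():
        print(clsid, sorted(r[0] for r in refs), refs[0][2])
    print("O23 with unknown owner:", unknown_owner_services(hjt))
    print("protection flags off default:", protection_findings(parse_regedit(SAMPLE_REG)))
```

Run against the full logs, the CLSID grouping makes the second toolbar's double registration obvious at a glance, and the registry check reproduces the one "Registry Data Item" MBAM reports later in the thread.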
#6 fenzodahl512

Posted 29 April 2009 - 04:56 PM

Please uninstall plentyoftorrents.com Toolbar


Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Post me these logs in your next reply..

1. Malwarebytes'
2. ESET Online
3. How's the computer now?



#7 adamgregory (Topic Starter)

Posted 29 April 2009 - 07:41 PM

The computer is no longer having popups or closing on me, and it has gotten faster as well. Thanks a lot.

Here's MBAM:

Malwarebytes' Anti-Malware 1.36
Database version: 2060
Windows 5.1.2600 Service Pack 3

4/29/2009 7:30:31 PM
mbam-log-2009-04-29 (19-30-31).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 104689
Time elapsed: 37 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\Adam\protect.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Adam\Start Menu\Programs\Startup\ChkDisk.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\autochk.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jh9fgo4ksdgf.dll.vir (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c00F248A.dat.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\protect.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{03864AB3-8F06-457D-9B09-ABE3E795EF9F}\RP102\A0030048.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{03864AB3-8F06-457D-9B09-ABE3E795EF9F}\RP102\A0030049.dll (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{03864AB3-8F06-457D-9B09-ABE3E795EF9F}\RP102\A0030053.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{03864AB3-8F06-457D-9B09-ABE3E795EF9F}\RP102\A0030054.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{03864AB3-8F06-457D-9B09-ABE3E795EF9F}\RP102\A0030056.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Adam\Favorites\Free Porn, Sex, Tube Videos, XXX Pics, Porno Movies - XNXX.COM.url (Rogue.Link) -> Quarantined and deleted successfully.


ESET Online


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4043 (20090429)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=0a3c8ee94ea23542a81289c210497917
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-04-30 12:34:30
# local_time=2009-04-29 08:34:30 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=163017
# found=4
# scan_time=3180
C:\Qoobox\Quarantine\[4]-Submit_2009-4-29_17.22.22.zip Win32/Rootkit.Agent.NIZ trojan (deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-Submit_2009-4-29_17.22.22.zip »ZIP »ChkDisk.dll Win32/Rootkit.Agent.NIZ trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_ovfsthoymlpraeoafmqppalkjdbvrsdkhpbfdv_.sys.zip Win32/Agent.PHE trojan (deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_ovfsthoymlpraeoafmqppalkjdbvrsdkhpbfdv_.sys.zip »ZIP »ovfsthoymlpraeoafmqppalkjdbvrsdkhpbfdv.sys Win32/Agent.PHE trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000

Edited by adamgregory, 29 April 2009 - 09:25 PM.
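
The headline "Files Infected: 12" in the MBAM report above overstates what was still active: 6 of the 12 file hits sit in ComboFix's C:\Qoobox\Quarantine (already renamed to .vir and inert), 5 are copies inside System Restore points (dormant unless a restore is run), and only one, the Favorites shortcut, was live. The Security Center entry, AntiVirusDisableNotify flipped from 0 to 1, shows the malware had also silenced the "antivirus is off" warning. The script below is an added example, not code from the thread or from Malwarebytes: it parses lines in the format of that report and sorts each detection by where it lived. The log it runs on is a constructed sample in the same shape as the posted one; its paths, restore-point GUID and the "Delete on reboot." line are illustrative, and the MBAM 1.x line format is assumed from the report above.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x report and say where each detection
actually lived, so a 'Files Infected: N' headline can be read correctly."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of the MBAM 1.36 report above. Paths, the
# restore-point GUID and the "Delete on reboot." line are illustrative only.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 2060

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Registry Data Items Infected: 1
Files Infected: 4

Registry Keys Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\jh9fgo4ksdgf.dll.vir (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Adam\Favorites\Some Site - EXAMPLE.COM.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example.dll (Trojan.Vundo) -> Delete on reboot.
"""

# One detection line: "<target> (<Category>) -> <action text>"
ENTRY_RE = re.compile(r"^(?P<target>.+?) \((?P<category>[^()]+)\) -> (?P<detail>.+)$")


@dataclass(frozen=True)
class Detection:
    target: str    # file path or registry value
    category: str  # MBAM family label, e.g. Trojan.Vundo
    detail: str    # action text; for registry data also the Bad/Good values
    location: str  # result of classify()


def classify(target: str) -> str:
    """Where did the object live? That decides whether it was an active threat."""
    t = target.lower()
    if t.startswith("hkey_"):
        return "registry"
    if "\\qoobox\\quarantine\\" in t:
        # ComboFix had already moved it here (and renamed it *.vir): inert.
        return "combofix-quarantine"
    if "\\system volume information\\_restore" in t:
        # Dormant copy inside a System Restore snapshot; only a risk if restored.
        return "restore-point"
    return "live"  # still in place on the running system when MBAM found it


def parse_mbam_log(text: str) -> list[Detection]:
    """Return every detection line; headers and '(No malicious items detected)' are skipped."""
    found = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            found.append(Detection(m["target"], m["category"], m["detail"], classify(m["target"])))
    return found


def summarize(detections: list[Detection]) -> Counter:
    """Count detections per location."""
    return Counter(d.location for d in detections)


def live_detections(detections: list[Detection]) -> list[Detection]:
    """Only the hits that were active on the running system."""
    return [d for d in detections if d.location == "live"]


def security_center_tampered(detections: list[Detection]) -> bool:
    """True when a Security Center *DisableNotify value was found set to 1,
    i.e. malware had silenced the 'antivirus is off' warning."""
    return any(
        d.location == "registry"
        and "disablenotify" in d.target.lower()
        and "Bad: (1)" in d.detail
        for d in detections
    )


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print(dict(summarize(dets)))
    for d in live_detections(dets):
        print("LIVE:", d.category, d.target)
    print("Security Center notifications tampered:", security_center_tampered(dets))
```

Run it on a saved mbam-log-*.txt by replacing SAMPLE_LOG with the file's contents; the "live" list is what actually needs follow-up, while the quarantine and restore-point hits are cleanup of earlier tools' leftovers.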


#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:01:02 AM

Posted 30 April 2009 - 04:51 AM

Let's do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have an internet connection.
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing:

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer's behaviour before we close this thread :thumbup2:



Have a safe and happy computing day!


Regards
fenzodahl512



#9 adamgregory

adamgregory
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:02 PM

Posted 30 April 2009 - 09:04 PM

The computer is working like new. Thanks for all your hard work, and thanks for the articles.



