Think I'm infected. Getting generic host process Win32 error on startup


This topic is locked
24 replies to this topic

#1 SporeArk (Members, 20 posts)

Posted 03 May 2009 - 02:49 PM

Hello,

I'm afraid my computer might yet be infected once again. Last night while browsing, my McAffee systemguard caught something trying to access the internet. I of course blocked it and then initiated a Quick scan of MalwareBytes. Unfortunately, it seems the virus was able to do some damage during the time it took to scan, because a fake virus software window appeared on screen before I could do anything. Once the Malwarebytes scan finished, I of course, took the actions to remove what it had caught. I then initiated a complete scan using SuperAntiSpyware to try and see if I was still infected, the scan found nothing and I thought I was in the clear, so I turned off the computer until this morning.

Now, whenever I startup my computer I am receiving a "Generic host process for Win32 has encountered a problem and needs to close" error. Since this only just began, I assume I am still infected. I ran a complete scan using Malwarebytes and it found one more problem to fix (also, while the scan took place, McAffee seemed to catch a trojan, or at least, it thinks it did) and I restarted after that, but am still getting the startup error.

I've attached the logs from my quick and complete Malwarebytes scans, plus my Hijackthis log and some pictures of my McAffee catches.

Please let me know if there's anything else you need from me to help with this. I hope this can get resolved soon.

Attached File  hijackthis.log   14.15KB   12 downloads

Thank you,

-Eric


#2 SporeArk (Topic Starter, Members, 20 posts)

Posted 03 May 2009 - 05:39 PM

Just a little follow-up.

I ran MalwareBytes complete scan once again, but it did not detect anything. However, while running the scan, once again McAfee detection picked up another trojan (like with the last scan) and it seems to be attributing them to MBAM. I guess I'm just wondering what that's all about, as I don't recall this happening before, unless MBAM and McAfee are now conflicting somehow.

-Eric

EDIT: Ok, I ran a System Restore to the point prior to when all this started. This appears to have at least fixed the Win32 pop-up error as that does not seem to be appearing anymore when I restart the computer. I ran another Quick scan of MBAM and that picked up nothing. I'll try a Complete scan and see if that does anything (if McAfee picks up something again).

EDIT2: Alright, so I did run another Complete scan with MBAM, and once again, while the scan revealed nothing, McAfee detected this "Artemis" trojan during the scan, though this time it detected it in a different process, not in MBAM like the last times, but now the Generic Host process for Win32 Services (new pic attached). So, I'm guessing that means I must still be infected with something, though I am still perplexed as to why McAfee is only detecting these things during the running of the MBAM Complete scan.

So yeah, I'll appreciate any assistance that someone can offer me on how to deal with this.

Thank you,
-Eric

Edited by SporeArk, 04 May 2009 - 02:01 AM.


#3 KoanYorel (Bleepin' Conundrum, Members, 19,461 posts, Location: 65 miles due East of the "Logic Free Zone", in Md, USA)

Posted 17 May 2009 - 03:32 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 SporeArk (Topic Starter, Members, 20 posts)

Posted 17 May 2009 - 05:30 PM

Hello, and thank you very much for getting back to me.

While it does seem that the original problems that I reported (Gen Win32 error and Artemis trojans from McAfee) are no longer appearing to occur, I do still have a feeling that my system is not yet clean.

For instance, it does seem that my network connection appears to be sending more packets out than receiving in, especially when the system is just idling (no browsers open or other active downloads taking place).

Also, in the past week my computer has experienced the infamous BSOD twice; both seemed to have occurred in USBPORT.sys during browsing of the internet. Now, neither of these two instances may be related to the original attack and may be separate or even, in the case of the connection, as designed.

So, I did go ahead and gather up the DDS logs from the scan and have placed them in this post as was instructed. Please let me know if you require further information from me.

Thank you,


DDS (Ver_09-05-14.01) - NTFSx86
Run by Eric Topf at 15:16:31.95 on 05/17/2009 Sun
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.932.81.1033.18.2045.1293 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Dell\Dell Photo P703w AIO Printer\printer\center\dlSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Dell\Dell Photo P703w AIO Printer\Printer\Device\DLDiscovery.exe
C:\Program Files\Dell\Dell Photo P703w AIO Printer\Printer\Center\Dell Inkjet Toolbox.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\RTDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\Dell Photo P703w AIO Printer\3.2\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLKAMUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Eric Topf\Desktop\dds.scr
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Sxthtq] "c:\program files\common files\sуstem\nοpdb.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [RTDCPL] RTDCPL.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\dell photo p703w aio printer\3.2\apps\apdproxy.exe"
mRun: [DLKAStatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\DLKAMUI.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\docume~1\ericto~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wg111v~1.lnk - c:\program files\netgear\wg111v2 configuration utility\RtlWake.exe
IE: &Translate with ATLAS - c:\program files\atlas v13\Atlscript.html
IE: ATLAS Translation &Editor - c:\program files\atlas v13\AtlscriptEdit.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {B7707A72-4355-11D4-82BD-00000EBBEF8D} - c:\program files\atlas v13\Atlscript.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15015/CTSUEng.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} - hxxp://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142414585951
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15016/CTPID.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ericto~1\applic~1\mozilla\firefox\profiles\9wx9d9cl.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-14 214024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 Dell Network Discovery Service;Dell Network Discovery Service;c:\program files\dell\dell photo p703w aio printer\printer\device\DLDiscovery.exe [2008-7-22 275696]
R2 dlSvc;Dell Photo Device Service;c:\program files\dell\dell photo p703w aio printer\printer\center\dlSvc.exe [2008-8-1 32768]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2006-1-10 66048]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-14 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-14 144704]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-14 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-14 35272]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-14 34216]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-14 40552]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-1-10 272128]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-14 606736]

=============== Created Last 30 ================


==================== Find3M ====================

2009-04-20 22:43 32,112 a------- c:\docume~1\ericto~1\applic~1\GDIPFONTCACHEV1.DAT
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-27 08:14 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-03-25 11:06 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 11:06 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 11:06 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 11:06 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 11:05 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-21 07:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 07:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 21:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 03:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 03:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-19 22:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2007-12-02 12:57 22,328 a------- c:\docume~1\ericto~1\applic~1\PnkBstrK.sys
2007-01-24 17:00 4,859 a------- c:\program files\system.pak
2007-01-24 12:41 4,588,022 a------- c:\program files\0cg.pak
2006-01-13 12:47 288,417 a------- c:\program files\script.pak
2008-08-23 09:51 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat

============= FINISH: 15:17:21.39 ===============

Edited by SporeArk, 17 May 2009 - 05:33 PM.
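Added example, not code from the thread, from DDS or from BleepingComputer: a small Python checker that reads the uRun/mRun lines of a DDS-style "Pseudo HJT Report" and flags any command path that contains non-ASCII characters. The [Sxthtq] entry in the log above appears to spell its folder names with lookalike letters; the constructed sample reproduces that shape with Cyrillic U+0443 and Greek U+03BF (an assumption about the exact code points), and the confusables map is a hand-picked subset rather than the full Unicode table.

```python
import re
import unicodedata

# Constructed sample in the style of the "Pseudo HJT Report" section of a DDS log.
# The [Sxthtq] line mirrors the shape of the suspicious entry in the thread: the
# path spells "system" with a Cyrillic "u" (U+0443) and "nopdb" with a Greek
# omicron (U+03BF). On screen it reads like a normal folder name, but on disk it
# is a different directory, so a reviewer scanning the list by eye can miss it.
SAMPLE_LOG = "\n".join([
    'uRun: [Steam] "c:\\program files\\steam\\steam.exe" -silent',
    'uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe',
    'uRun: [Sxthtq] "c:\\program files\\common files\\s\u0443stem\\n\u03bfpdb.exe"',
    'mRun: [dla] c:\\windows\\system32\\dla\\tfswctrl.exe',
    'mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup',
])

# Hand-maintained subset of Unicode confusables (assumption: covers the Cyrillic
# and Greek letters most often substituted for Latin ones, not the full table).
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03bf": "o", "\u03b1": "a", "\u03b9": "i", "\u03bd": "v", "\u03c1": "p",
    "\u03c5": "u",
}

# uRun / mRun lines look like:  uRun: [Name] "c:\path\file.exe" -args
AUTORUN_RE = re.compile(r"^(?P<hive>[um]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def parse_autoruns(log_text):
    """Return (hive, name, command) for every uRun/mRun line in a DDS-style log."""
    entries = []
    for line in log_text.splitlines():
        m = AUTORUN_RE.match(line.strip())
        if m:
            entries.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return entries


def non_ascii_chars(text):
    """List (index, char, 'U+XXXX', unicode name) for each non-ASCII character."""
    return [
        (i, ch, "U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(text)
        if ord(ch) > 0x7F
    ]


def ascii_lookalike(text):
    """Fold known confusables to the Latin letters they imitate; leave the rest."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def find_homoglyph_entries(log_text):
    """Flag autorun entries whose command line contains non-ASCII characters.

    Each hit records the offending code points and the ASCII path the entry
    imitates, so the reviewer sees both what is on disk and what it looks like.
    """
    flagged = []
    for hive, name, cmd in parse_autoruns(log_text):
        odd = non_ascii_chars(cmd)
        if odd:
            flagged.append({
                "hive": hive,
                "name": name,
                "command": cmd,
                "chars": odd,
                "looks_like": ascii_lookalike(cmd),
            })
    return flagged


def report(log_text):
    """Human-readable summary, one block per flagged entry."""
    lines = []
    for hit in find_homoglyph_entries(log_text):
        lines.append("%s [%s] uses non-ASCII characters in its path:" % (hit["hive"], hit["name"]))
        for idx, _ch, cp, uname in hit["chars"]:
            lines.append("    offset %d: %s (%s)" % (idx, cp, uname))
        lines.append("    imitates: %s" % hit["looks_like"])
    return "\n".join(lines) if lines else "no homoglyph paths found"


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real DDS or HijackThis log by reading the file as text and passing it to `report()`; entries with a clean ASCII path are ignored, so only lookalike paths surface.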


#5 Axephilic (MRU Graduate, Members, 224 posts, Location: Wisconsin, US)

Posted 18 May 2009 - 09:07 PM

Welcome to Bleeping Computer! My name is Adam and I will be assisting you with getting the malware off of your computer. Please observe the following points before we start:
  • If at any point you don't understand something, please let me know and I will be glad to explain or go more into depth for you.
  • Please remember, I am a volunteer and I have a personal life. I go to school full time, have a part time job, and I do sports. A lot of this takes a lot of time.
  • Please keep all of your replies in this topic/thread and do not make a new topic/thread, thanks!
  • Please stick with this, don't stop responding because the symptoms are gone, the infection could still be there. Keep replying to my posts until I give you the All Clean message. ;)
  • If you don't reply within five days after my last instructions this topic will be closed. If you will not be able to reply within five days please tell me so the topic will not be closed.
  • Please do not run other tools to remove the malware unless I ask you to until I give you the all clean. They will just mess up my fixes and make things more complicated, not fix the problem.
I will post back soon with my first fix for you.

Regards,
Adam

#6 Axephilic (MRU Graduate, Members, 224 posts, Location: Wisconsin, US)

Posted 18 May 2009 - 09:31 PM

Hi there,

Upload a file to VirusTotal

Please visit Virustotal
  • Click the Browse.. button
  • Navigate to the file C:\WINDOWS\system32\conime.exe
  • Click the Open button
  • Click the Send button
  • Copy and paste the results into a new reply in this thread please.
Please repeat that process for this file as well: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLKAMUI.exe

Scan with Malwarebytes' Anti-Malware
  • Double click on the Malwarebytes' Anti-Malware icon on your desktop.
  • Once the program has loaded, click on the Update tab and click on Check for Updates.
  • Click on the Scanner tab.
  • Select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Download HijackThis
  • Download HJTInstall.exe to your desktop and run it.
  • Follow the on-screen prompts.
  • After the installation has finished, browse to C:\Program Files\Trend Micro
  • Now start HijackThis.
  • Click Do a system scan and save a log file.
  • Post the log file here. (Notepad will automatically open with the log file once HijackThis! has finished scanning). Do not attach the log file.
In your next reply, please include:
  • 2 VirusTotal results
  • MBAM log
  • HijackThis log
Regards,
Adam

#7 SporeArk (Topic Starter, Members, 20 posts)

Posted 19 May 2009 - 11:04 PM

Hello,

Thank you for taking my case. I have gone and performed the steps you outlined and have brought the results here:


Virustotal scan of conime.exe:

File conime.exe received on 05.20.2009 03:50:02 (CET)
Current status: finished

Result: 0/40 (0.00%)
Compact Print results
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.20 -
AhnLab-V3 5.0.0.2 2009.05.19 -
AntiVir 7.9.0.168 2009.05.19 -
Antiy-AVL 2.0.3.1 2009.05.19 -
Authentium 5.1.2.4 2009.05.19 -
Avast 4.8.1335.0 2009.05.19 -
AVG 8.5.0.336 2009.05.19 -
BitDefender 7.2 2009.05.20 -
CAT-QuickHeal 10.00 2009.05.19 -
ClamAV 0.94.1 2009.05.20 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.20 -
eSafe 7.0.17.0 2009.05.19 -
eTrust-Vet 31.6.6512 2009.05.20 -
F-Prot 4.4.4.56 2009.05.19 -
F-Secure 8.0.14470.0 2009.05.20 -
Fortinet 3.117.0.0 2009.05.19 -
GData 19 2009.05.20 -
Ikarus T3.1.1.49.0 2009.05.20 -
K7AntiVirus 7.10.739 2009.05.19 -
Kaspersky 7.0.0.125 2009.05.20 -
McAfee 5620 2009.05.19 -
McAfee+Artemis 5620 2009.05.19 -
McAfee-GW-Edition 6.7.6 2009.05.19 -
Microsoft 1.4602 2009.05.19 -
NOD32 4089 2009.05.20 -
Norman 6.01.05 2009.05.19 -
nProtect 2009.1.8.0 2009.05.19 -
Panda 10.0.0.14 2009.05.19 -
PCTools 4.4.2.0 2009.05.18 -
Prevx 3.0 2009.05.20 -
Rising 21.30.14.00 2009.05.19 -
Sophos 4.41.0 2009.05.20 -
Sunbelt 3.2.1858.2 2009.05.19 -
Symantec 1.4.4.12 2009.05.20 -
TheHacker 6.3.4.1.327 2009.05.19 -
TrendMicro 8.950.0.1092 2009.05.19 -
VBA32 3.12.10.5 2009.05.20 -
ViRobot 2009.5.19.1741 2009.05.20 -
VirusBuster 4.6.5.0 2009.05.19 -
Additional information
File size: 27648 bytes
MD5...: abc9002269e569538901109441660dd2
SHA1..: 7ef33a2fe818bea3d8b32061369d6ae615aeacb9
SHA256: ecc72676b7cbf977b46a83ecf5276ce22c09c6d62248dd5620ee2402f02e51db
SHA512: 884282785516484579255791715067c8be53caaf2a086d27dbe046c11ca7e2d3
fae8c371afc0352f8aa29a2c876bf0d2da8d4afe23b9b87f377ea08ed1118ab6
ssdeep: 768:R/qu3FG11xvqrIKA/lGK+cZahN/ej+1E1c:dqaFJJA/MxOc

PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5cb5
timedatestamp.....: 0x48025314 (Sun Apr 13 18:38:12 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x588a 0x5a00 6.49 e7568281a2d5ac648d595aca7b29f2de
.data 0x7000 0x1d8 0x200 3.06 5fccd504c38d847c5720bea9a9792712
.rsrc 0x8000 0xab0 0xc00 2.96 d8dde879e58ffbbbd118c602d8714cd5

( 7 imports )
> KERNEL32.dll: GetModuleHandleA, RegisterConsoleIME, UnregisterConsoleIME, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, lstrlenW, lstrcpyW, lstrcatW, lstrcpynW, WideCharToMultiByte, GetSystemDirectoryW, SetCurrentDirectoryW, OpenEventW, SetEvent, CloseHandle, LocalAlloc, LocalFree, GetStartupInfoA, GetCurrentThreadId
> USER32.dll: IsWindowEnabled, ActivateKeyboardLayout, PostMessageW, GetKeyboardLayoutList, SendMessageTimeoutW, PostQuitMessage, SetForegroundWindow, DefWindowProcW, EnableWindow, DestroyWindow, GetKeyState, GetKeyboardLayoutNameW, GetMessageW, TranslateMessage, DispatchMessageW, LoadStringW, LoadIconW, LoadCursorW, RegisterClassW, GetSystemMetrics, CreateWindowExW, UnregisterClassW, AttachThreadInput
> ntdll.dll: RtlLeaveCriticalSection, NtOpenProcessToken, RtlUnicodeToMultiByteSize, NtQueryInformationToken, NtClose, RtlInitializeCriticalSection, NtQueryVirtualMemory, RtlUnwind, RtlCopyLuid, RtlEnterCriticalSection
> IMM32.dll: ImmGetContext, ImmReleaseContext, ImmGetConversionStatus, ImmGetGuideLineW, ImmSetConversionStatus, ImmSimulateHotKey, ImmGetIMEFileNameW, ImmEscapeW, ImmDisableTextFrameService, ImmGetOpenStatus, ImmNotifyIME, ImmGetCandidateListW, ImmGetCompositionStringW, ImmSetActiveContextConsoleIME, ImmTranslateMessage, ImmCallImeConsoleIME, ImmGetProperty, ImmCreateContext, ImmAssociateContext, ImmSetOpenStatus, ImmDestroyContext, ImmIsIME
> GDI32.dll: GetStockObject
> msvcrt.dll: _controlfp, __set_app_type, _c_exit, _exit, _XcptFilter, _cexit, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode
> ADVAPI32.dll: RegQueryValueExW, RegOpenKeyExW, RegCloseKey

( 0 exports )

PDFiD.: -
RDS...: NSRL Reference Data Set
-
ThreatExpert info: http://www.threatexpert.com/report.aspx?md...901109441660dd2


Virustotal scan of DLKAMUI.exe

File DLKAMUI.exe received on 05.20.2009 03:57:34 (CET)


Result: 0/40 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.20 -
AhnLab-V3 5.0.0.2 2009.05.19 -
AntiVir 7.9.0.168 2009.05.19 -
Antiy-AVL 2.0.3.1 2009.05.19 -
Authentium 5.1.2.4 2009.05.19 -
Avast 4.8.1335.0 2009.05.19 -
AVG 8.5.0.336 2009.05.19 -
BitDefender 7.2 2009.05.20 -
CAT-QuickHeal 10.00 2009.05.19 -
ClamAV 0.94.1 2009.05.20 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.20 -
eSafe 7.0.17.0 2009.05.19 -
eTrust-Vet 31.6.6512 2009.05.20 -
F-Prot 4.4.4.56 2009.05.19 -
F-Secure 8.0.14470.0 2009.05.20 -
Fortinet 3.117.0.0 2009.05.19 -
GData 19 2009.05.20 -
Ikarus T3.1.1.49.0 2009.05.20 -
K7AntiVirus 7.10.739 2009.05.19 -
Kaspersky 7.0.0.125 2009.05.20 -
McAfee 5620 2009.05.19 -
McAfee+Artemis 5620 2009.05.19 -
McAfee-GW-Edition 6.7.6 2009.05.19 -
Microsoft 1.4602 2009.05.19 -
NOD32 4089 2009.05.20 -
Norman 6.01.05 2009.05.19 -
nProtect 2009.1.8.0 2009.05.19 -
Panda 10.0.0.14 2009.05.19 -
PCTools 4.4.2.0 2009.05.18 -
Prevx 3.0 2009.05.20 -
Rising 21.30.14.00 2009.05.19 -
Sophos 4.41.0 2009.05.20 -
Sunbelt 3.2.1858.2 2009.05.19 -
Symantec 1.4.4.12 2009.05.20 -
TheHacker 6.3.4.1.327 2009.05.19 -
TrendMicro 8.950.0.1092 2009.05.19 -
VBA32 3.12.10.5 2009.05.20 -
ViRobot 2009.5.19.1741 2009.05.20 -
VirusBuster 4.6.5.0 2009.05.19 -
Additional information
File size: 1327104 bytes
MD5...: 97251b29deb0fcfc171f5bf114303ca9
SHA1..: 73416c6ae5da06ba2275cdf43dc5f17d8d67d886
SHA256: 148c8ed8a8b20156764d43fab8f2ec47d4ac9b602d213fdcd046417c679b97a9
SHA512: 9cc212798e23b41a000b77dbfd5b887afa5bbf145cb1a56a21edaa1746af24b8
e2b34bdbfe0fbd55a81c20f506c0f0f56cb18a1291c495ff52f909b85fd0ca4d
ssdeep: 24576:ah03J/H+WL+ZaAU9ESZqad7uKDrcX7H0tB:aweWLUBU9Fqad7uzjUB

PEiD..: -
TrID..: File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4a0e7
timedatestamp.....: 0x488eb3e2 (Tue Jul 29 06:08:34 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x6763c 0x68000 6.62 c2d061bf4a532b9159d5a21a88ad14ec
.rdata 0x69000 0x1c228 0x1d000 4.83 e875655a18e4fd1f3b6caded25fffce6
.data 0x86000 0x7ef8 0x5000 3.73 cdd538c0cc3064c181361f4d813d00ff
.rsrc 0x8e000 0xb8610 0xb9000 6.38 e6449c6c95b6a8c90e0ae9e4c200d60a

( 19 imports )
> KERNEL32.dll: RtlUnwind, GetLocalTime, RaiseException, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, ExitThread, HeapReAlloc, ExitProcess, HeapSize, VirtualProtect, VirtualAlloc, GetSystemInfo, VirtualQuery, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, HeapDestroy, HeapCreate, GetStartupInfoW, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, SetStdHandle, LCMapStringA, LCMapStringW, GetTimeZoneInformation, GetConsoleCP, GetConsoleMode, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEnvironmentVariableA, GetProcessHeap, ExpandEnvironmentStringsA, HeapAlloc, HeapFree, GetFileTime, GetFileAttributesW, FileTimeToLocalFileTime, SetErrorMode, WritePrivateProfileStringW, FileTimeToSystemTime, lstrlenA, GlobalFlags, InterlockedIncrement, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, GlobalReAlloc, TlsGetValue, LocalAlloc, CreateFileW, GetFullPathNameW, GetVolumeInformationW, FindClose, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, GetThreadLocale, ConvertDefaultLocale, EnumResourceLanguagesW, lstrcmpA, CompareStringA, InterlockedExchange, GetVersion, GlobalGetAtomNameW, GetModuleHandleA, InterlockedDecrement, GlobalAddAtomW, GlobalFindAtomW, GlobalDeleteAtom, CompareStringW, LoadLibraryA, lstrcmpW, GetVersionExA, FreeResource, FormatMessageW, LocalFree, ReleaseMutex, CreateMutexW, WTSGetActiveConsoleSessionId, GetCurrentThread, CreateProcessW, CreateThread, SuspendThread, GetExitCodeThread, UnmapViewOfFile, CreateFileMappingW, MapViewOfFile, MulDiv, CreateEventW, ResumeThread, SetEvent, WaitForSingleObject, ResetEvent, GetCurrentProcessId, GetModuleHandleW, FindFirstFileW, GetProcAddress, 
GetUserDefaultLangID, lstrlenW, Beep, GetPrivateProfileIntW, GetPrivateProfileStringW, GetLocaleInfoW, LoadLibraryW, FreeLibrary, GetCurrentProcess, GetTickCount, CloseHandle, SetLastError, GetLastError, WaitForMultipleObjects, DeleteCriticalSection, InitializeCriticalSection, LeaveCriticalSection, GetModuleFileNameW, GlobalHandle, Sleep, EnterCriticalSection, lstrcpynW, WideCharToMultiByte, GlobalAlloc, GlobalLock, GlobalUnlock, GlobalFree, GetVersionExW, GetCurrentThreadId, DeleteFileW, GetSystemDirectoryW, MultiByteToWideChar, FindResourceW, LoadResource, LockResource, VirtualFree, SizeofResource
> USER32.dll: SetCapture, CharNextW, CopyAcceleratorTableW, InvalidateRgn, GetNextDlgGroupItem, PostThreadMessageW, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, MapWindowPoints, IsWindowVisible, GetMenu, CreateWindowExW, GetClassInfoExW, GetClassInfoW, RegisterClassW, AdjustWindowRectEx, EqualRect, DeferWindowPos, PtInRect, GetDlgCtrlID, CallWindowProcW, SetWindowLongW, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetDesktopWindow, GetActiveWindow, SetActiveWindow, CreateDialogIndirectParamW, DestroyWindow, IsWindowEnabled, GetNextDlgTabItem, EndDialog, GetMenuState, GetMenuItemCount, OffsetRect, GetWindowLongW, SetWindowRgn, DrawEdge, GetCapture, ReleaseCapture, SetWindowPos, WaitForInputIdle, PeekMessageW, TranslateMessage, DispatchMessageW, WindowFromDC, ReuseDDElParam, RemoveMenu, GetCursorPos, TrackPopupMenu, FindWindowExW, DrawAnimatedRects, GetSubMenu, GetMenuItemID, FillRect, CopyImage, TrackMouseEvent, WindowFromPoint, ClientToScreen, DrawFocusRect, FrameRect, InflateRect, CopyRect, SetCursor, GrayStringW, DrawTextExW, DrawTextW, TabbedTextOutW, FindWindowW, ScreenToClient, SystemParametersInfoW, GetAsyncKeyState, LoadBitmapW, GetDlgItem, SetForegroundWindow, GetFocus, RedrawWindow, UpdateWindow, IsIconic, DrawIcon, SetRect, GetWindow, EnumWindows, LoadCursorW, GetWindowTextW, ShowWindow, LoadAcceleratorsW, InsertMenuItemW, SetFocus, DefWindowProcW, DestroyIcon, UnregisterClassA, GetClientRect, IsRectEmpty, UnregisterClassW, CreatePopupMenu, SetRectEmpty, BringWindowToTop, SetMenu, TranslateAcceleratorW, DestroyMenu, GetMenuItemInfoW, GetWindowThreadProcessId, EndPaint, ReleaseDC, GetDC, MessageBoxW, GetSystemMetrics, KillTimer, SetTimer, GetSystemMenu, DeleteMenu, DrawIconEx, GetSysColor, GetParent, InvalidateRect, GetKeyState, MonitorFromWindow, GetMonitorInfoW, MessageBeep, GetWindowRect, PostMessageW, IsWindow, LoadImageW, LoadIconW, GetSysColorBrush, CharUpperW, 
RegisterClipboardFormatW, SetWindowContextHelpId, MapDialogRect, ShowOwnedPopups, GetMessageW, EnableWindow, SendMessageW, ValidateRect, PostQuitMessage, LoadMenuW, UnpackDDElParam, BeginPaint, GetWindowDC, MoveWindow, SetWindowTextW, IsDialogMessageW, GetLastActivePopup, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, ModifyMenuW, EnableMenuItem, CheckMenuItem, RegisterWindowMessageW, SendDlgItemMessageW, SendDlgItemMessageA, WinHelpW, IsChild, SetWindowsHookExW, CallNextHookEx, GetClassLongW, GetClassNameW, SetPropW, GetPropW, RemovePropW, GetWindowTextLengthW, SetMenuDefaultItem, GetForegroundWindow
> GDI32.dll: Rectangle, GetPixel, CombineRgn, CreateRectRgn, SelectClipRgn, GetClipBox, SetTextColor, SetBkColor, CreateRectRgnIndirect, GetMapMode, CreatePatternBrush, SaveDC, RestoreDC, SetBkMode, SetStretchBltMode, SetMapMode, LineTo, MoveToEx, SetTextAlign, GetTextExtentPoint32W, GetViewportExtEx, GetWindowExtEx, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, CreateBitmapIndirect, SetWindowExtEx, ScaleWindowExtEx, ExtSelectClipRgn, GetStockObject, CreatePen, GetBkColor, GetTextColor, GetRgnBox, StretchDIBits, CreateFontIndirectW, Escape, ExtTextOutW, TextOutW, RectVisible, PtVisible, GetCurrentObject, StretchBlt, RealizePalette, GetDeviceCaps, CreateCompatibleBitmap, CreateBitmap, CreateBrushIndirect, CreatePenIndirect, CreateCompatibleDC, CreateDIBSection, SelectObject, DeleteDC, DeleteObject, CreateFontW, BitBlt, GetObjectW, ScaleViewportExtEx, SelectPalette, CreateSolidBrush
> MSIMG32.dll: TransparentBlt
> COMDLG32.dll: GetFileTitleW
> WINSPOOL.DRV: GetPrinterDataW, EnumPrintersW, GetPrinterDriverDirectoryW, DocumentPropertiesW, GetPrinterW, EnumJobsW, SetJobW, FindNextPrinterChangeNotification, FindFirstPrinterChangeNotification, FindClosePrinterChangeNotification, OpenPrinterW, GetPrintProcessorDirectoryW, DeletePrinterDataW, ClosePrinter
> ADVAPI32.dll: RegOpenKeyExA, RegQueryValueW, RegEnumKeyW, RegDeleteKeyW, ImpersonateSelf, OpenThreadToken, RevertToSelf, DuplicateTokenEx, GetUserNameW, CreateProcessAsUserW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegOpenKeyW, RegOpenKeyExW, RegCreateKeyExW, RegCreateKeyW, RegSetValueExW, RegCloseKey, RegQueryValueExW, RegQueryValueExA
> SHELL32.dll: SHGetSpecialFolderPathW, ShellExecuteW, DragQueryFileW, DragFinish, Shell_NotifyIconW
> COMCTL32.dll: _TrackMouseEvent
> SHLWAPI.dll: PathFindFileNameW, PathStripToRootW, PathFindExtensionW, PathIsUNCW
> oledlg.dll: OleUIBusyW
> ole32.dll: OleUninitialize, CreateStreamOnHGlobal, CoTaskMemFree, CoTaskMemAlloc, CLSIDFromProgID, CLSIDFromString, CoRegisterMessageFilter, CoFreeUnusedLibraries, OleInitialize, CoGetClassObject, StgOpenStorageOnILockBytes, StgCreateDocfileOnILockBytes, CreateILockBytesOnHGlobal, CoRevokeClassObject, OleIsCurrentClipboard, OleFlushClipboard
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -
> gdiplus.dll: GdiplusStartup, GdiplusShutdown, GdipDrawImageRectI, GdipFree, GdipAlloc, GdipDeleteGraphics, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateFromHDC, GdipDrawImageI, GdipCloneImage, GdipReleaseDC
> WINMM.dll: PlaySoundW
> PSAPI.DLL: EnumProcesses
> VERSION.dll: VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
> WTSAPI32.dll: WTSQueryUserToken
> USERENV.dll: UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW, DestroyEnvironmentBlock

( 0 exports )

PDFiD.: -
RDS...: NSRL Reference Data Set
-


Malwarebytes' Anti-Malware 1.36
Database version: 2156
Windows 5.1.2600 Service Pack 3

5/19/2009 9:01:02 PM
mbam-log-2009-05-19 (21-01-02).txt

Scan type: Full Scan (C:\|)
Objects scanned: 313294
Time elapsed: 1 hour(s), 51 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:32 PM, on 5/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Dell\Dell Photo P703w AIO Printer\printer\center\dlSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Dell\Dell Photo P703w AIO Printer\Printer\Device\DLDiscovery.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\Dell Photo P703w AIO Printer\Printer\Center\Dell Inkjet Toolbox.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\RTDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\Dell Photo P703w AIO Printer\3.2\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLKAMUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RTDCPL] RTDCPL.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\Dell Photo P703w AIO Printer\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DLKAStatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLKAMUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [Sxthtq] "C:\Program Files\Common Files\s?stem\n?Ipdb.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: &Translate with ATLAS - C:\Program Files\ATLAS V13\Atlscript.html
O8 - Extra context menu item: ATLAS Translation &Editor - C:\Program Files\ATLAS V13\AtlscriptEdit.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Program Files\ATLAS V13\Atlscript.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142414585951
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Dell Network Discovery Service - Dell - C:\Program Files\Dell\Dell Photo P703w AIO Printer\Printer\Device\DLDiscovery.exe
O23 - Service: Dell Photo Device Service (dlSvc) - Dell Inc. - C:\Program Files\Dell\Dell Photo P703w AIO Printer\printer\center\dlSvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 14526 bytes

#8 Axephilic
  • MRU Graduate
  • Members
  • 224 posts
  • Gender: Male
  • Location: Wisconsin, US

Posted 20 May 2009 - 11:16 PM

Just to let you know, I am asking my colleagues about something that I found in your logs and will post back as soon as I can.

Regards,
Adam
Proud to be a Graduate of Malware Removal University - I am a member of:
Posted Image Posted Image

If I helped you, please consider a donation: Posted Image

#9 Axephilic
  • MRU Graduate
  • Members
  • 224 posts
  • Gender: Male
  • Location: Wisconsin, US

Posted 21 May 2009 - 07:59 AM

Hello,

Download and Run ComboFix
Please visit this page to download and run ComboFix - http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Save it to your desktop.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will see the following message if Microsoft Windows Recovery Console is not installed.

    Posted Image

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes to continue scanning for malware.

When finished, a log will be produced. Please post this log in your next reply. Please also post a new HijackThis log.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Regards,
Adam

#10 SporeArk
  • Topic Starter
  • Members
  • 20 posts

Posted 21 May 2009 - 07:45 PM

Hello,

I ran ComboFix following the instructions that were provided. One thing that popped out to me was that I had forgotten to disconnect my external HD from my computer before the scan, and I think ComboFix deleted a file off of it (an Autorun file). Hopefully it's nothing necessary, though.

It's also strange that, when I ran ComboFix, it did not prompt me at all to install the Recovery Console, yet the scan states I do not have it installed either.

Anyway, here are the scan results from ComboFix and HijackThis:


ComboFix 09-05-21.01 - Eric Topf 1/2009 Thu 17:31.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.932.81.1033.18.2045.1449 [GMT -7:00]
Running from: c:\documents and settings\Eric Topf\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\jestertb.dll
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
.

2009-05-21 02:15 . 2009-05-21 02:15 -------- d-----w c:\program files\Western Digital
2009-05-21 02:14 . 2009-05-21 02:14 -------- d-----w c:\program files\Western Digital Corporation
2009-04-29 14:17 . 2009-04-29 14:17 -------- d-----w c:\documents and settings\Eric Topf\Local Settings\Application Data\Dell_Inc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-22 00:21 . 2009-03-27 01:41 117760 ----a-w c:\documents and settings\Eric Topf\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-22 00:21 . 2007-03-17 03:26 -------- d-----w c:\documents and settings\Eric Topf\Application Data\WTablet
2009-05-22 00:20 . 2006-01-11 23:20 -------- d-----w c:\program files\Steam
2009-05-21 04:19 . 2006-01-11 20:48 -------- d-----w c:\documents and settings\Eric Topf\Application Data\Azureus
2009-04-30 02:41 . 2008-09-28 22:48 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-26 20:32 . 2008-09-28 22:13 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-18 22:07 . 2006-05-29 20:32 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-18 22:07 . 2006-05-29 20:32 -------- d-----w c:\program files\AGEIA Technologies
2009-04-18 03:38 . 2008-01-26 20:33 -------- d-----w c:\documents and settings\All Users\Application Data\Dell
2009-04-17 14:08 . 2005-12-31 23:10 -------- d-----w c:\program files\McAfee
2009-04-16 03:15 . 2006-01-11 20:48 -------- d-----w c:\program files\Azureus
2009-04-13 14:21 . 2005-12-31 22:59 -------- d-----w c:\program files\Java
2009-04-13 14:21 . 2009-04-13 14:21 152576 ----a-w c:\documents and settings\Eric Topf\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-13 14:20 . 2009-04-13 14:20 -------- d-----w c:\program files\MSXML 4.0
2009-04-13 03:05 . 2006-02-16 21:22 32112 ----a-w c:\documents and settings\Eric Topf\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-13 03:03 . 2009-04-13 03:03 -------- d-----w c:\documents and settings\All Users\Application Data\Dell Inc
2009-04-13 03:03 . 2006-01-11 06:43 -------- d-----w c:\program files\Common Files\Adobe
2009-04-13 03:02 . 2009-04-13 03:02 -------- d-----w c:\program files\Bonjour
2009-04-13 03:01 . 2005-12-31 22:47 -------- d-----w c:\program files\Dell
2009-04-10 14:41 . 2005-12-31 23:10 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-10 03:44 . 2008-09-28 21:06 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-10 03:43 . 2008-10-21 01:44 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-06 22:32 . 2008-09-28 21:07 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2008-09-28 21:07 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-30 05:14 . 2009-03-30 05:14 57344 ----a-w c:\documents and settings\Eric Topf\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-1e7bece9-n\Decora-SSE.dll
2009-03-30 05:14 . 2009-03-30 05:14 24064 ----a-w c:\documents and settings\Eric Topf\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-57843c05-n\Decora-D3D.dll
2009-03-30 05:14 . 2009-03-30 05:14 499712 ----a-w c:\documents and settings\Eric Topf\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-6d17a247-n\msvcp71.dll
2009-03-30 05:14 . 2009-03-30 05:14 499712 ----a-w c:\documents and settings\Eric Topf\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-6d17a247-n\jmc.dll
2009-03-30 05:14 . 2009-03-30 05:14 348160 ----a-w c:\documents and settings\Eric Topf\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-6d17a247-n\msvcr71.dll
2009-03-27 15:14 . 2008-07-19 02:58 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-03-25 18:06 . 2007-02-15 04:37 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 18:06 . 2007-02-15 04:37 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 18:06 . 2007-02-15 04:37 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 18:06 . 2007-02-15 04:37 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 18:05 . 2007-02-15 04:37 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-15 04:51 . 2009-03-15 04:51 57344 ----a-w c:\documents and settings\Eric Topf\Application Data\Sun\Java\Deployment\cache\6.0\37\3976f065-6e322fbc-n\Decora-SSE.dll
2009-03-15 04:51 . 2009-03-15 04:51 24064 ----a-w c:\documents and settings\Eric Topf\Application Data\Sun\Java\Deployment\cache\6.0\37\2c4a0065-13944a06-n\Decora-D3D.dll
2009-03-15 04:51 . 2009-03-15 04:51 114688 ----a-w c:\documents and settings\Eric Topf\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-3f9f524f-n\jogl_cg.dll
2009-03-15 04:51 . 2009-03-15 04:51 315392 ----a-w c:\documents and settings\Eric Topf\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-3f9f524f-n\jogl.dll
2009-03-15 04:51 . 2009-03-15 04:51 20480 ----a-w c:\documents and settings\Eric Topf\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-3f9f524f-n\jogl_awt.dll
2009-03-15 04:51 . 2009-03-15 04:51 503808 ----a-w c:\documents and settings\Eric Topf\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-5d21aff3-n\msvcp71.dll
2009-03-15 04:51 . 2009-03-15 04:51 499712 ----a-w c:\documents and settings\Eric Topf\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-5d21aff3-n\jmc.dll
2009-03-15 04:51 . 2009-03-15 04:51 348160 ----a-w c:\documents and settings\Eric Topf\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-5d21aff3-n\msvcr71.dll
2009-03-15 04:51 . 2009-03-15 04:51 20480 ----a-w c:\documents and settings\Eric Topf\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-78cbd3d2-n\gluegen-rt.dll
2009-03-15 04:48 . 2009-03-15 04:48 152576 ----a-w c:\documents and settings\Eric Topf\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-09 12:19 . 2008-12-10 15:34 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-10 18:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-04 04:28 . 2009-03-04 04:28 13686 ----a-r c:\documents and settings\Eric Topf\Application Data\Microsoft\Installer\{609B342B-262B-4A8B-98A0-6B43AF5FF2D8}\NewShortcut3_8D4B69976465472D98773803E656AFC5.exe
2009-03-04 04:28 . 2009-03-04 04:28 13686 ----a-r c:\documents and settings\Eric Topf\Application Data\Microsoft\Installer\{609B342B-262B-4A8B-98A0-6B43AF5FF2D8}\NewShortcut2_D53574EE89C5459B9EFCACEA808FEEBF.exe
2009-03-04 04:28 . 2009-03-04 04:28 13686 ----a-r c:\documents and settings\Eric Topf\Application Data\Microsoft\Installer\{609B342B-262B-4A8B-98A0-6B43AF5FF2D8}\NewShortcut1_4BB21498D6FC4F979A20C824B267B80E.exe
2009-03-04 04:28 . 2009-03-04 04:28 13686 ----a-r c:\documents and settings\Eric Topf\Application Data\Microsoft\Installer\{609B342B-262B-4A8B-98A0-6B43AF5FF2D8}\ARPPRODUCTICON.exe
2009-03-03 00:18 . 2004-08-10 18:51 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-21 23:22 . 2009-02-21 23:22 0 ----a-w c:\windows\nsreg.dat
2007-01-25 00:00 . 2007-01-27 06:09 4859 ----a-w c:\program files\system.pak
2007-01-24 19:41 . 2007-01-27 06:09 4588022 ----a-w c:\program files\0cg.pak
2006-01-13 19:47 . 2008-03-15 22:53 288417 ----a-w c:\program files\script.pak
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2009-05-19 1217784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-30 1830128]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2005-12-31 168448]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-29 413696]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\Dell Photo P703w AIO Printer\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"DLKAStatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLKAMUI.exe" [2008-07-29 1327104]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"RTDCPL"="RTDCPL.EXE" - c:\windows\system32\RTDCPL.EXE [2005-07-09 12298240]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-06-28 19456]

c:\documents and settings\Eric Topf\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2007-3-16 140848]
WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2006-1-10 745472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-30 19:37 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Autodesk\\3dsMax8\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\backburner\\server.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Autodesk\\Maya8.5\\bin\\maya.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Crazybump Beta Test\\CrazyBump.exe"=
"c:\\Program Files\\Crazybump\\cb.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\fear2\\FEAR2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9222:TCP"= 9222:TCP:DLDiscovery

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 55024]
R2 Dell Network Discovery Service;Dell Network Discovery Service;c:\program files\Dell\Dell Photo P703w AIO Printer\Printer\Device\DLDiscovery.exe [7/22/2008 9:57 AM 275696]
R2 dlSvc;Dell Photo Device Service;c:\program files\Dell\Dell Photo P703w AIO Printer\Printer\Center\dlSvc.exe [8/1/2008 8:46 AM 32768]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [1/10/2006 7:11 PM 66048]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 8:21 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 8:21 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 8:21 PM 566296]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [1/10/2006 7:11 PM 272128]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [1/10/2006 7:11 PM 13532]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/27/2008 8:21 PM 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/27/2008 8:21 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 8:21 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/27/2008 8:21 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/27/2008 8:21 PM 566296]
.
Contents of the 'Scheduled Tasks' folder

2009-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-15 17:53]

2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-15 17:53]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sxthtq - c:\program files\Common Files\sуstem\nοpdb.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Translate with ATLAS - c:\program files\ATLAS V13\Atlscript.html
IE: ATLAS Translation &Editor - c:\program files\ATLAS V13\AtlscriptEdit.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: {{B7707A72-4355-11D4-82BD-00000EBBEF8D} - c:\program files\ATLAS V13\Atlscript.html
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\Eric Topf\Application Data\Mozilla\Firefox\Profiles\9wx9d9cl.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 17:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2273441508-1025763171-2655020708-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\枢|"斧|ヤw*]
"91A14B995DF7C0B42ABAA16065968F3A"="c:\\Program Files\\Alias\\Maya7.0\\presets\\Ashli\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2009-05-22 17:38
ComboFix-quarantined-files.txt 2009-05-22 00:38

Pre-Run: 112,999,153,664 bytes free
Post-Run: 113,515,491,328 bytes free

241 --- E O F --- 2009-05-13 14:57


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:54 PM, on 5/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Dell\Dell Photo P703w AIO Printer\printer\center\dlSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Dell\Dell Photo P703w AIO Printer\Printer\Device\DLDiscovery.exe
C:\Program Files\Dell\Dell Photo P703w AIO Printer\Printer\Center\Dell Inkjet Toolbox.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\RTDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLKAMUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RTDCPL] RTDCPL.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\Dell Photo P703w AIO Printer\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DLKAStatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLKAMUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: &Translate with ATLAS - C:\Program Files\ATLAS V13\Atlscript.html
O8 - Extra context menu item: ATLAS Translation &Editor - C:\Program Files\ATLAS V13\AtlscriptEdit.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Program Files\ATLAS V13\Atlscript.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142414585951
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Dell Network Discovery Service - Dell - C:\Program Files\Dell\Dell Photo P703w AIO Printer\Printer\Device\DLDiscovery.exe
O23 - Service: Dell Photo Device Service (dlSvc) - Dell Inc. - C:\Program Files\Dell\Dell Photo P703w AIO Printer\printer\center\dlSvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 14105 bytes

Edited by SporeArk, 21 May 2009 - 07:54 PM.
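
Two details in the ComboFix log above are worth a defender's attention. The orphaned HKCU Run entry ComboFix removed points into a "Common Files\sуstem" folder whose name is spelled with what render as non-Latin lookalike letters (a Cyrillic у and a Greek ο) so that it reads as "system" at a glance, and the Security Center section shows AntiVirusDisableNotify, UpdatesDisableNotify and DisableMonitoring set to 1 with EnableFirewall set to 0, values that silence Security Center warnings and report the Windows Firewall off. The Python below is an added example, not code from the thread or from ComboFix, HijackThis or OTM. It scans constructed ComboFix-style lines, modelled on the ones above with the lookalike letters written as explicit escapes, and flags both patterns so they are not skimmed past when reading such a log.

```python
"""Flag lookalike characters in autorun paths and Security Center tampering
in ComboFix-style log lines.

Added example for this thread, not part of ComboFix, HijackThis or OTM.
The sample log is constructed to mirror the thread's log format.
"""
import re
import unicodedata

# Constructed sample. The orphan entry is modelled on the one ComboFix removed
# in the thread: the folder 'sуstem' is spelled with a Cyrillic 'у' (U+0443)
# and the file 'nοpdb.exe' with a Greek 'ο' (U+03BF), written here as escapes
# so the example is self-contained and unambiguous.
SAMPLE_LOG = (
    '[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n'
    '"ctfmon.exe"="c:\\windows\\system32\\ctfmon.exe" [2008-04-14 15360]\n'
    '[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]\n'
    '"AntiVirusDisableNotify"=dword:00000001\n'
    '"UpdatesDisableNotify"=dword:00000001\n'
    '[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]\n'
    '"EnableFirewall"= 0 (0x0)\n'
    '- - - - ORPHANS REMOVED - - - -\n'
    'HKCU-Run-Sxthtq - c:\\program files\\Common Files\\s\u0443stem\\n\u03bfpdb.exe\n'
)

# A drive-letter path, stopping before the closing quote / "[date size]" tail.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?(?=" \[|"?\s*$)')
# "Name"=dword:00000001   or   "Name"= 0 (0x0)
VALUE_RE = re.compile(r'"([^"]+)"=\s*(?:dword:)?([0-9A-Fa-f]+)')

# Security Center values that, when set to 1, suppress its warnings.
NOTIFY_OFF = {"AntiVirusDisableNotify", "UpdatesDisableNotify",
              "FirewallDisableNotify", "DisableMonitoring"}


def lookalike_chars(path):
    """Return (offset, char, unicode name) for each non-ASCII character in path.

    Windows system paths are plain ASCII, so any Cyrillic or Greek letter in
    a folder that reads like 'system' is a strong sign the name is meant to
    be misread by a person skimming the log.
    """
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(path) if ord(ch) > 0x7F]


def scan_log(log_text):
    """Walk the log once and collect (kind, line_no, detail, extra) findings."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = PATH_RE.search(line)
        if m:
            path = m.group(0)
            odd = lookalike_chars(path)
            if odd:
                findings.append(("lookalike-path", line_no, path, odd))
        kv = VALUE_RE.match(line)
        if kv:
            name, value = kv.group(1), int(kv.group(2), 16)
            if name in NOTIFY_OFF and value == 1:
                findings.append(("security-center-silenced", line_no, name, value))
            elif name == "EnableFirewall" and value == 0:
                findings.append(("firewall-disabled", line_no, name, value))
    return findings


if __name__ == "__main__":
    for kind, line_no, *detail in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind}: {detail}")
```

The Security Center values are not proof of malware on their own; some security suites set DisableMonitoring themselves when they take over status reporting, so a finding there is a prompt to confirm the setting is intentional, while a non-ASCII letter inside a path under Program Files is almost never legitimate and should be treated as the priority item.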


#11 Axephilic

Axephilic

    MRU Graduate


  • Members
  • 224 posts
  • Gender:Male
  • Location:Wisconsin, US
  • Local time:04:18 PM

Posted 23 May 2009 - 12:47 AM

Hello,

Are you experiencing any issues right now with the computer?

Download and Run OTM.exe

Download OTM.exe by Old Timer and save it to your Desktop.
  • Double-click OTM.exe. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
:Commands
[purity]
[EmptyTemp]
[Reboot]
  • Return to OTM.exe, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTM.exe
Kaspersky Online Scanner
Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
In your next reply, please include:
  • OTM log
  • Kaspersky report
  • A new HijackThis log
Regards,
Adam
Proud to be a Graduate of Malware Removal University.

If I helped you, please consider a donation.

#12 SporeArk (Topic Starter)

Posted 23 May 2009 - 02:50 PM

Hello,

I haven't noticed anything wrong with my computer. However, I still performed the actions requested. First I ran OTM.exe, it asked me to reboot the system though and I did so. It then generated this log:

========== COMMANDS ==========
C:\Program Files\Common Files\sуstem moved successfully.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Eric Topf\Local Settings\Temporary Internet Files\Content.IE5\T4CCP8WU\index[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Eric Topf\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Eric Topf\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\hsperfdata_SYSTEM\632 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcafee_Hh5CqmKIAh6bc3c scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcafee_vAwnnPEZnxKLV5F scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_iCca0PQt1qjhpN2 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_nSDA65AKNNCsmWd scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_s4cwHIq2AXV2DAF scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_19c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_igWcne1qHljWUHO scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_jZ9CALsyTFqIejP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_rFicgS94x7zDBCR scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_Zv6IKATnbphP3No scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTM by OldTimer - Version 2.1.0.0 log created on 05232009_082255

Files moved on Reboot...
C:\Documents and Settings\Eric Topf\Local Settings\Temporary Internet Files\Content.IE5\T4CCP8WU\index[1].htm moved successfully.
C:\Documents and Settings\Eric Topf\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat moved successfully.
File C:\WINDOWS\temp\hsperfdata_SYSTEM\632 not found!
File C:\WINDOWS\temp\mcafee_Hh5CqmKIAh6bc3c not found!
File C:\WINDOWS\temp\mcafee_vAwnnPEZnxKLV5F not found!
File C:\WINDOWS\temp\mcmsc_iCca0PQt1qjhpN2 not found!
File C:\WINDOWS\temp\mcmsc_nSDA65AKNNCsmWd not found!
File C:\WINDOWS\temp\mcmsc_s4cwHIq2AXV2DAF not found!
File C:\WINDOWS\temp\Perflib_Perfdata_19c.dat not found!
File C:\WINDOWS\temp\sqlite_igWcne1qHljWUHO not found!
File C:\WINDOWS\temp\sqlite_jZ9CALsyTFqIejP not found!
File C:\WINDOWS\temp\sqlite_rFicgS94x7zDBCR not found!
File C:\WINDOWS\temp\sqlite_Zv6IKATnbphP3No not found!

Registry entries deleted on Reboot...


However, when the system rebooted, McAfee popped up a window about another Artemis trojan. It detected it in the Combofix.exe file on my Desktop and the Windows\explorer.EXE process.


I then ran the Kaspersky online scanner. I decided to run the scan without having the scanner scan the "Archive" files, as the scan was taking extremely long to scan those files. If you insist on scanning those, I will re-scan the next time. Here is the log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, May 23, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, May 23, 2009 14:58:51
Records in database: 2226468
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: no
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 213557
Threat name: 1
Infected objects: 0
Suspicious objects: 2
Duration of the scan: 01:50:47


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\2\Front\2\M0000001229.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\2\Front\2\M0000005536.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1

The selected area was scanned.


And lastly, here is the latest HijackThis log too:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:38 PM, on 5/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Dell\Dell Photo P703w AIO Printer\printer\center\dlSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Dell\Dell Photo P703w AIO Printer\Printer\Device\DLDiscovery.exe
C:\Program Files\Dell\Dell Photo P703w AIO Printer\Printer\Center\Dell Inkjet Toolbox.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\RTDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\Dell Photo P703w AIO Printer\3.2\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLKAMUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RTDCPL] RTDCPL.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\Dell Photo P703w AIO Printer\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DLKAStatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLKAMUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: &Translate with ATLAS - C:\Program Files\ATLAS V13\Atlscript.html
O8 - Extra context menu item: ATLAS Translation &Editor - C:\Program Files\ATLAS V13\AtlscriptEdit.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Program Files\ATLAS V13\Atlscript.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142414585951
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Dell Network Discovery Service - Dell - C:\Program Files\Dell\Dell Photo P703w AIO Printer\Printer\Device\DLDiscovery.exe
O23 - Service: Dell Photo Device Service (dlSvc) - Dell Inc. - C:\Program Files\Dell\Dell Photo P703w AIO Printer\printer\center\dlSvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 14448 bytes
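
A defender-side check added here, not a tool from this thread and not part of HijackThis or OTM: it walks log lines shaped like the OTM and HijackThis output above and flags three things a helper would look at twice. A path component that mixes Latin letters with another script (the folder the OTM log above reports as moved, "sуstem", is spelled with a non-Latin letter standing in for the "y"), an O23 service HijackThis lists with "Unknown owner", and an O4 Run entry that names a bare executable with no directory. The sample lines are constructed, and the three regular expressions are my own assumptions about the log formats.

```python
import re
import unicodedata

# Constructed sample lines modelled on the OTM and HijackThis logs in this
# thread (not a verbatim copy); the "\u0443" in "sуstem" is Cyrillic U+0443.
SAMPLE_LOG = "\n".join([
    "C:\\Program Files\\Common Files\\s\u0443stem moved successfully.",
    "O23 - Service: McAfee Personal Firewall Service (MpfService) - "
    "McAfee, Inc. - C:\\Program Files\\McAfee\\MPF\\MPFSrv.exe",
    "O23 - Service: DSBrokerService - Unknown owner - "
    "C:\\Program Files\\DellSupport\\brkrsvc.exe",
    "O4 - HKLM\\..\\Run: [RTDCPL] RTDCPL.EXE",
    "O4 - HKLM\\..\\Run: [dla] C:\\WINDOWS\\system32\\dla\\tfswctrl.exe",
])

# Line shapes assumed from the logs above: HijackThis O23/O4 entries and
# OTM "<path> moved successfully." / "... scheduled to be deleted on reboot."
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - HK[A-Z]+\\\.\.\\Run: \[(?P<entry>[^\]]+)\] (?P<cmd>.+)$")
OTM_RE = re.compile(r"(?P<path>[A-Za-z]:\\.*?)(?: moved successfully\."
                    r"| scheduled to be deleted on reboot\.| not found!)")


def letter_scripts(text):
    """Script prefix of each letter's Unicode name, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}


def mixed_script_components(path):
    """Folder/file names mixing Latin with another script: the 'sуstem' trick."""
    hits = []
    for comp in path.split("\\"):
        scripts = letter_scripts(comp)
        if "LATIN" in scripts and len(scripts) > 1:
            hits.append((comp, sorted(scripts - {"LATIN"})))
    return hits


def executable_of(cmd):
    """Program part of a Run-key command line, quoted or not."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def audit_line(line):
    """Findings for one log line as (kind, detail) tuples; [] if unremarkable."""
    findings, path = [], None
    if (m := O23_RE.match(line)):
        path = m.group("path")
        if m.group("owner") == "Unknown owner":  # HijackThis found no vendor string
            findings.append(("unknown-owner-service", f"{m.group('name')} -> {path}"))
    elif (m := O4_RE.match(line)):
        path = executable_of(m.group("cmd"))
        if "\\" not in path:  # bare name: resolved via the search path at logon
            findings.append(("unqualified-run-entry", f"[{m.group('entry')}] {path}"))
    elif (m := OTM_RE.search(line)):
        path = m.group("path")
    if path:
        for comp, others in mixed_script_components(path):
            findings.append(("mixed-script-path", f"{comp!r} mixes Latin with {'/'.join(others)}"))
    return findings


def audit_log(text):
    """Run audit_line over every line of a pasted log: [(line_no, kind, detail)]."""
    return [(n, kind, detail) for n, line in enumerate(text.splitlines(), 1)
            for kind, detail in audit_line(line)]
```

Paste a whole HijackThis or OTM log into audit_log; a finding is a prompt to verify the file on disk, not a verdict on its own.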

#13 Axephilic (MRU Graduate)

Posted 24 May 2009 - 01:19 AM

However, when the system rebooted, McAfee popped up a window about another Artemis trojan. It detected it in the Combofix.exe file on my Desktop and the Windows\explorer.EXE process.

That was a false positive for ComboFix. I assure you that it is safe. Sometimes the tools we use are so powerful that the things they do look like what a virus would do and antiviruses pick them up.

Download and Run OTM.exe
  • Double-click OTM.exe. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
:Files
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\2\Front\2\M0000001229.eml
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\2\Front\2\M0000005536.eml
  • Return to OTM.exe, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTM.exe
If you don't have it scan the archives, then I can't know for sure whether you are clean or not. I would recommend just letting it run overnight or something like that when you don't need to use it. Let me know if it will take you more than a few days.

In your next reply, please include:
  • OTM log
  • Kaspersky report
  • A new HijackThis log
Regards,
Adam

#14 SporeArk (Topic Starter)

Posted 24 May 2009 - 04:49 PM

Hello,

I'm afraid I'm having a bit of a problem now with OTM. I re-downloaded the exe to my desktop (cause I had deleted it before) and tried to run it, but nothing seems to be happening. The OTM.exe process is running in the task manager (eating up 50% of my CPU), but the window is not appearing on screen (I tried letting it run for a few minutes, but still, no window ever appeared). This is very strange because it was obviously working yesterday (I got the log in the previous post).

Is there anything I can do to get it to work? I even tried turning off McAfee but that didn't seem to help.

Thanks

#15 Axephilic (MRU Graduate)

Posted 24 May 2009 - 04:51 PM

Please, from now on, do not delete the tools we use until I give you the all clean.

Try deleting OTM.exe, restarting your computer, disable McAfee, then download it and try again.

Regards,
Adam