
Internet Explorer Opens Multiple Blank Windows


This topic is locked
31 replies to this topic

#1 texan16 (Members, 19 posts)

Posted 03 May 2009 - 07:11 PM

Internet Explorer will connect to the internet and functions normally on Yahoo home page, including links in email; however, when trying to open any website in "Favorites", IE opens multiple windows with no content. It is usually three to six blank windows, but on two occasions it was in the forty to fifty range. These windows cannot be closed from the upper right-hand corner "X" or by right clicking in the taskbar, which results in "send error" messages from Microsoft. I have been using Task Manager to "shut down and restart". No time rush on this request since Firefox, which I primarily use, is operating with no problems. Thanks in advance!

DDS (Ver_09-03-16.01) - NTFSx86
Run by P416User at 16:07:36.87 on Sun 05/03/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1110 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINXP\system32\svchost -k DcomLaunch
svchost.exe
C:\WINXP\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\AOL\1150319672\ee\AOLSoftware.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINXP\vVX3000.exe
C:\PROGRA~1\Discover\SOAN\SOAN.exe
C:\WINXP\system32\igfxtray.exe
C:\WINXP\system32\igfxpers.exe
C:\WINXP\system32\igfxsrvc.exe
C:\WINXP\RTHDCPL.EXE
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINXP\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\P416User\Start Menu\Programs\Startup\CAT.EXE
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINXP\system32\svchost.exe -k imgsvc
C:\WINXP\wanmpsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\BOINC\boinc.exe
C:\Documents and Settings\All Users.WINXP\Application Data\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.03_windows_intelx86
C:\Documents and Settings\All Users.WINXP\Application Data\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.03_windows_intelx86
C:\Documents and Settings\All Users.WINXP\Application Data\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.03_windows_intelx86
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\All Users.WINXP\Application Data\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.03_windows_intelx86
C:\Documents and Settings\P416User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
{32341e7e-c319-46de-91d0-e30bb1a3caba}
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
{7ab32675-62a4-42ac-a611-461ff44c10c6}
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: DeskshopBrowserHelper Class: {8db3d69d-da5e-4165-b781-72a761790672} - c:\winxp\system32\BhoDshop.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {07AA283A-43D7-4CBE-A064-32A21112D94D} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\winxp\system32\Shdocvw.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\winxp\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run
mRun: [POINTER] point32.exe
mRun: [HostManager] c:\program files\common files\aol\1150319672\ee\AOLSoftware.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [VX3000] c:\winxp\vVX3000.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [Secure Online Account Numbers] c:\progra~1\discover\soan\SOAN.exe /dontopenmycards
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [IgfxTray] c:\winxp\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\winxp\system32\hkcmd.exe
mRun: [Persistence] c:\winxp\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [boincmgr] "c:\program files\boinc\boincmgr.exe" /a /s
mRun: [boinctray] "c:\program files\boinc\boinctray.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\documents and settings\p416user\start menu\programs\startup\CAT.EXE
StartupFolder: c:\documents and settings\all users.winxp\start menu\programs\startup\think.lgo
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - c:\progra~1\discover\soan\SOAN.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\winxp\system32\Shdocvw.dll
Trusted Zone: vectorvest.com\www
DPF: Microsoft XML Parser for Java - file://c:\winxp\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://moneycentral.msn.com/cabs/pmupd806.exe
DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - hxxp://www.vectorvest.com/install/vvonlineus/setup.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: rqRKEVPG - rqRKEVPG.dll
{32341e7e-c319-46de-91d0-e30bb1a3caba}
LSA: Authentication Packages = msv1_0 c:\winxp\system32\xxyxXRhG

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\p416user\applic~1\mozilla\firefox\profiles\c748seim.default\
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\winxp\system32\drivers\mfehidk.sys [2009-4-30 201320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-4-30 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-4-30 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-4-30 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\winxp\system32\drivers\mfeavfk.sys [2009-4-30 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\winxp\system32\drivers\mfebopk.sys [2009-4-30 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\winxp\system32\drivers\mfesmfk.sys [2009-4-30 40488]
S2 gupdate1c9649a30c51a13;Google Update Service (gupdate1c9649a30c51a13);c:\program files\google\update\GoogleUpdate.exe [2008-12-22 133104]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\p416user\locals~1\temp\alsysio.sys --> c:\docume~1\p416user\locals~1\temp\ALSysIO.sys [?]
S3 DCamUSBConexant;Ezonics EZCam II;c:\winxp\system32\drivers\usbcone.sys [2005-9-3 80576]
S3 mferkdk;McAfee Inc. mferkdk;c:\winxp\system32\drivers\mferkdk.sys [2009-4-30 33832]

=============== Created Last 30 ================

2009-04-30 22:17 8,005 a------- c:\winxp\system32\Config.MPF
2009-04-30 22:15 33,832 a------- c:\winxp\system32\drivers\mferkdk.sys
2009-04-30 22:15 201,320 a------- c:\winxp\system32\drivers\mfehidk.sys
2009-04-30 22:15 79,304 a------- c:\winxp\system32\drivers\mfeavfk.sys
2009-04-30 22:15 40,488 a------- c:\winxp\system32\drivers\mfesmfk.sys
2009-04-30 22:15 35,240 a------- c:\winxp\system32\drivers\mfebopk.sys
2009-04-30 22:15 113,952 a------- c:\winxp\system32\drivers\Mpfp.sys
2009-04-30 22:14 <DIR> --d----- c:\program files\common files\McAfee
2009-04-30 22:14 <DIR> --d----- c:\program files\McAfee
2009-04-16 03:51 473,600 -c------ c:\winxp\system32\dllcache\fastprox.dll
2009-04-16 03:51 401,408 -c------ c:\winxp\system32\dllcache\rpcss.dll
2009-04-16 03:51 284,160 -c------ c:\winxp\system32\dllcache\pdh.dll
2009-04-16 03:51 227,840 -c------ c:\winxp\system32\dllcache\wmiprvse.exe
2009-04-16 03:51 110,592 -c------ c:\winxp\system32\dllcache\services.exe
2009-04-16 03:51 729,088 -c------ c:\winxp\system32\dllcache\lsasrv.dll
2009-04-16 03:51 714,752 -c------ c:\winxp\system32\dllcache\ntdll.dll
2009-04-16 03:51 617,472 -c------ c:\winxp\system32\dllcache\advapi32.dll
2009-04-16 03:51 453,120 -c------ c:\winxp\system32\dllcache\wmiprvsd.dll
2009-04-16 03:48 2,560 -------- c:\winxp\system32\xpsp4res.dll
2009-04-16 03:48 1,203,922 -c------ c:\winxp\system32\dllcache\sysmain.sdb
2009-04-16 03:48 215,552 -c------ c:\winxp\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-03-25 17:42 499,712 a------- c:\winxp\system32\msvcp71.dll
2009-03-25 17:42 348,160 a------- c:\winxp\system32\msvcr71.dll
2009-03-06 07:22 284,160 a------- c:\winxp\system32\pdh.dll
2009-02-20 01:10 666,112 a------- c:\winxp\system32\wininet.dll
2009-02-20 01:10 81,920 a------- c:\winxp\system32\ieencode.dll
2009-02-19 11:52 21,280 a------- c:\docume~1\p416user\applic~1\GDIPFONTCACHEV1.DAT
2009-02-09 05:10 729,088 a------- c:\winxp\system32\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\winxp\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\winxp\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\winxp\system32\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\winxp\system32\win32k.sys
2009-02-06 04:11 110,592 a------- c:\winxp\system32\services.exe
2009-02-06 04:06 2,145,280 a------- c:\winxp\system32\ntoskrnl.exe
2009-02-06 03:39 35,328 a------- c:\winxp\system32\sc.exe
2009-02-06 03:32 2,023,936 a------- c:\winxp\system32\ntkrnlpa.exe
2009-02-03 12:59 56,832 a------- c:\winxp\system32\secur32.dll
2007-12-25 12:42 32 a------- c:\docume~1\alluse~1.win\applic~1\ezsid.dat
2001-08-22 13:15 245,760 a------- c:\winxp\inf\i386\viceo.dll
2001-08-22 13:13 32,768 a------- c:\winxp\inf\i386\Pmicro.dll
2001-08-22 13:13 61,440 a------- c:\winxp\inf\i386\gl.dll
2001-08-03 18:29 13,824 a------- c:\winxp\inf\i386\Usbscan.sys
2001-04-19 08:00 15,716 a------- c:\winxp\inf\i386\Pmxscan.sys
1998-09-24 13:32 11,079 a---h--- c:\program files\folder.htt
1998-09-24 13:32 266 ---sh--- c:\program files\desktop.ini
2008-06-15 20:50 1,475 a--sh--- c:\winxp\system32\GhRXxyxx.ini2

============= FINISH: 16:08:05.64 ===============
Your instruction will be greatly appreciated!!



#2 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 04 May 2009 - 01:56 PM

Hello texan16,

Have you been playing with Registry Cleaners? Because I know Registry Cleaners can break Windows.

The following refers to RegCure.
Please be aware that BleepingComputer staff do not recommend the use of registry cleaners / tools, due to the following facts:
  • Registry tools can cause irreparable damage to your operating system.
  • Registry tools can, as a result of the above, render your PC inoperable.
*******************

I see Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player


*******************

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 13.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box
    Select Windows and Multi-Language
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 6
    Java™ 6 Update 11
    Java™ 6 Update 2
    Java™ 6 Update 3
    Java™ 6 Update 5
    Java™ 6 Update 7
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
*******************

Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Edited by SifuMike, 04 May 2009 - 05:09 PM.

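Reading a DDS pseudo-HJT report the way the helper above does comes down to a handful of checks: a bare CLSID line with no name and no file (the `{32341e7e-...}` entry in the first log, which Malwarebytes later identifies as Trojan.Vundo further down this thread), "No File" toolbar entries, Winlogon Notify DLLs and extra LSA authentication packages with random-looking names, and DPF (ActiveX download) entries that still point at Java installers older than the JRE the browser reports, which is why old Java versions get removed in the Java steps above. The script below is an added example written for this page; it is not part of the original posts and not DDS, HijackThis or Malwarebytes code. Its sample input is a set of lines copied from the first DDS log, and the heuristics (a vowel-ratio test for machine-generated names, msv1_0 as the only LSA package expected on a default XP install) are the example's own assumptions, so a hit is a prompt to look closer, not a verdict.

```python
"""Triage a DDS / HijackThis-style report for the entries a malware
responder checks first.  Added example for this thread (not DDS, HJT or
Malwarebytes code).  Sample lines are copied from the first log in the
thread; the heuristics are this example's own assumptions."""
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (reason, offending log line)

# Constructed sample input: lines taken from the first DDS log in the thread.
SAMPLE_LOG = r"""
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
{32341e7e-c319-46de-91d0-e30bb1a3caba}
BHO: DeskshopBrowserHelper Class: {8db3d69d-da5e-4165-b781-72a761790672} - c:\winxp\system32\BhoDshop.dll
TB: {07AA283A-43D7-4CBE-A064-32A21112D94D} - No File
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: rqRKEVPG - rqRKEVPG.dll
LSA: Authentication Packages = msv1_0 c:\winxp\system32\xxyxXRhG
"""

GUID_ONLY = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")
JAVA_VER = re.compile(r"BrowserJavaVersion:\s*(\d+)\.(\d+)\.(\d+)_(\d+)")
JINSTALL = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-", re.IGNORECASE)
NOTIFY = re.compile(r"^Notify:\s*(\S+)\s*-\s*(\S+)")
LSA_AUTH = re.compile(r"^LSA:\s*Authentication Packages\s*=\s*(.*)$")

# Assumption: on a default Windows XP box msv1_0 is the only LSA
# authentication package; anything else listed here needs an explanation.
EXPECTED_LSA_PACKAGES = {"msv1_0"}


def looks_random(name: str) -> bool:
    """Crude heuristic (assumption, not a signature): machine-generated
    names such as rqRKEVPG are letter soup with almost no vowels, while
    vendor names such as igfxcui are pronounceable."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c.lower() in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2


def triage(report: str) -> List[Finding]:
    """Walk the report once and return the lines worth a second look."""
    findings: List[Finding] = []
    installed: Optional[Tuple[int, ...]] = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = JAVA_VER.search(line)
        if m:  # remember the JRE the browser actually loads
            installed = tuple(int(x) for x in m.groups())
            continue
        if GUID_ONLY.match(line):
            findings.append(("CLSID registered with no name and no resolved file", line))
            continue
        if line.endswith("- No File"):
            findings.append(("orphaned toolbar/BHO entry (file missing)", line))
            continue
        m = NOTIFY.match(line)
        if m:
            dll_base = m.group(2).rsplit(".", 1)[0]
            if looks_random(m.group(1)) or looks_random(dll_base):
                findings.append(("Winlogon Notify DLL with random-looking name", line))
            continue
        m = LSA_AUTH.match(line)
        if m:
            extras = [p for p in m.group(1).split() if p.lower() not in EXPECTED_LSA_PACKAGES]
            if extras:
                findings.append(("extra LSA authentication package: " + " ".join(extras), line))
            continue
        m = JINSTALL.search(line)
        if m and installed is not None:
            cab = tuple(int(x) for x in m.groups())
            if cab < installed:  # older than the JRE in use: stale, still reachable from IE
                ver = "%d.%d.%d_%02d" % cab
                findings.append((f"ActiveX installer for outdated Java {ver} still registered", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Run against the sample, the script reports five lines: the unnamed CLSID, the "No File" toolbar, the stale Java 1.5.0_06 installer, the rqRKEVPG Notify DLL and the extra LSA package; the Intel igfxcui entry and the current jinstall-1_6_0_11 cab pass. Feed it a whole DDS log and the same five checks apply; everything else in the report is left for a human to read.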

#3 texan16 (Topic Starter, Members, 19 posts)

Posted 05 May 2009 - 04:39 PM

Thank you for your response. Regarding RegCure, I installed and scanned with it about an hour before my first post to BC, hoping it would solve my problem, which obviously it did not. I have completed your instructions including the anti-malware scan and a fresh Hijackthis log, which I hope to get properly posted in this reply! Thanks again for your expertise and assistance!


Malwarebytes' Anti-Malware 1.36
Database version: 2079
Windows 5.1.2600 Service Pack 3

5/5/2009 1:40:39 PM
mbam-log-2009-05-05 (13-40-39).txt

Scan type: Quick Scan
Objects scanned: 100627
Time elapsed: 3 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{031cbf6a-c70e-4177-a0d4-c5268ee311fb} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2b0eceac-f597-4858-a542-d966b49055b9} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6c092742-10fe-4db2-988d-fc71948de70c} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7fa8976f-d00c-4e98-8729-a66569233fb5} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a16650a9-b065-40ec-bbd1-f8d370d17fb1} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bdddf1a5-51a9-4f51-b38d-4cd0ad831b31} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e43dfaa6-8c16-4519-b022-8792408505a4} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f1f1e775-1b21-454d-8d38-7c16519969e5} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{32341e7e-c319-46de-91d0-e30bb1a3caba} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{32341e7e-c319-46de-91d0-e30bb1a3caba} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.clientinstaller.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.zangoclientax (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.zangoclientax.1 (Adware.180Solutions) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{32341e7e-c319-46de-91d0-e30bb1a3caba} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINXP\system32\kodurxpf.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINXP\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.



DDS (Ver_09-03-16.01) - NTFSx86
Run by P416User at 13:56:34.32 on Tue 05/05/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1050 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINXP\system32\svchost -k DcomLaunch
svchost.exe
C:\WINXP\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINXP\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\AOL\1150319672\ee\AOLSoftware.exe
C:\WINXP\vVX3000.exe
C:\PROGRA~1\Discover\SOAN\SOAN.exe
C:\WINXP\system32\igfxtray.exe
C:\WINXP\system32\igfxsrvc.exe
C:\WINXP\system32\igfxpers.exe
C:\WINXP\RTHDCPL.EXE
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINXP\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINXP\system32\svchost.exe -k imgsvc
C:\WINXP\wanmpsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\BOINC\boinc.exe
C:\Documents and Settings\All Users.WINXP\Application Data\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.03_windows_intelx86
C:\Documents and Settings\All Users.WINXP\Application Data\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.03_windows_intelx86
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\All Users.WINXP\Application Data\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.03_windows_intelx86
C:\WINXP\system32\NOTEPAD.EXE
C:\Documents and Settings\All Users.WINXP\Application Data\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.03_windows_intelx86
C:\WINXP\system32\taskmgr.exe
C:\Documents and Settings\P416User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
{7ab32675-62a4-42ac-a611-461ff44c10c6}
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: DeskshopBrowserHelper Class: {8db3d69d-da5e-4165-b781-72a761790672} - c:\winxp\system32\BhoDshop.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\winxp\system32\Shdocvw.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\winxp\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run
mRun: [POINTER] point32.exe
mRun: [HostManager] c:\program files\common files\aol\1150319672\ee\AOLSoftware.exe
mRun: [VX3000] c:\winxp\vVX3000.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [Secure Online Account Numbers] c:\progra~1\discover\soan\SOAN.exe /dontopenmycards
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [IgfxTray] c:\winxp\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\winxp\system32\hkcmd.exe
mRun: [Persistence] c:\winxp\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [boincmgr] "c:\program files\boinc\boincmgr.exe" /a /s
mRun: [boinctray] "c:\program files\boinc\boinctray.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\documents and settings\p416user\start menu\programs\startup\CAT.EXE
StartupFolder: c:\documents and settings\all users.winxp\start menu\programs\startup\think.lgo
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - c:\progra~1\discover\soan\SOAN.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\winxp\system32\Shdocvw.dll
Trusted Zone: vectorvest.com\www
DPF: Microsoft XML Parser for Java - file://c:\winxp\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://moneycentral.msn.com/cabs/pmupd806.exe
DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - hxxp://www.vectorvest.com/install/vvonlineus/setup.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: rqRKEVPG - rqRKEVPG.dll
LSA: Authentication Packages = msv1_0 c:\winxp\system32\xxyxXRhG

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\p416user\applic~1\mozilla\firefox\profiles\c748seim.default\
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\winxp\system32\drivers\mfehidk.sys [2009-4-30 201320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-4-30 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-4-30 144704]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\winxp\system32\drivers\mbamswissarmy.sys [2009-5-5 38496]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-4-30 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\winxp\system32\drivers\mfeavfk.sys [2009-4-30 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\winxp\system32\drivers\mfebopk.sys [2009-4-30 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\winxp\system32\drivers\mfesmfk.sys [2009-4-30 40488]
S2 gupdate1c9649a30c51a13;Google Update Service (gupdate1c9649a30c51a13);c:\program files\google\update\GoogleUpdate.exe [2008-12-22 133104]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\p416user\locals~1\temp\alsysio.sys --> c:\docume~1\p416user\locals~1\temp\ALSysIO.sys [?]
S3 DCamUSBConexant;Ezonics EZCam II;c:\winxp\system32\drivers\usbcone.sys [2005-9-3 80576]
S3 mferkdk;McAfee Inc. mferkdk;c:\winxp\system32\drivers\mferkdk.sys [2009-4-30 33832]

=============== Created Last 30 ================

2009-05-05 13:31 <DIR> --d----- c:\docume~1\p416user\applic~1\Malwarebytes
2009-05-05 13:30 15,504 a------- c:\winxp\system32\drivers\mbam.sys
2009-05-05 13:30 38,496 a------- c:\winxp\system32\drivers\mbamswissarmy.sys
2009-05-05 13:30 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-05-05 13:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-30 22:17 8,775 a------- c:\winxp\system32\Config.MPF
2009-04-30 22:15 33,832 a------- c:\winxp\system32\drivers\mferkdk.sys
2009-04-30 22:15 201,320 a------- c:\winxp\system32\drivers\mfehidk.sys
2009-04-30 22:15 79,304 a------- c:\winxp\system32\drivers\mfeavfk.sys
2009-04-30 22:15 40,488 a------- c:\winxp\system32\drivers\mfesmfk.sys
2009-04-30 22:15 35,240 a------- c:\winxp\system32\drivers\mfebopk.sys
2009-04-30 22:15 113,952 a------- c:\winxp\system32\drivers\Mpfp.sys
2009-04-30 22:14 <DIR> --d----- c:\program files\common files\McAfee
2009-04-30 22:14 <DIR> --d----- c:\program files\McAfee
2009-04-16 03:51 473,600 -c------ c:\winxp\system32\dllcache\fastprox.dll
2009-04-16 03:51 401,408 -c------ c:\winxp\system32\dllcache\rpcss.dll
2009-04-16 03:51 284,160 -c------ c:\winxp\system32\dllcache\pdh.dll
2009-04-16 03:51 227,840 -c------ c:\winxp\system32\dllcache\wmiprvse.exe
2009-04-16 03:51 110,592 -c------ c:\winxp\system32\dllcache\services.exe
2009-04-16 03:51 729,088 -c------ c:\winxp\system32\dllcache\lsasrv.dll
2009-04-16 03:51 714,752 -c------ c:\winxp\system32\dllcache\ntdll.dll
2009-04-16 03:51 617,472 -c------ c:\winxp\system32\dllcache\advapi32.dll
2009-04-16 03:51 453,120 -c------ c:\winxp\system32\dllcache\wmiprvsd.dll
2009-04-16 03:48 2,560 -------- c:\winxp\system32\xpsp4res.dll
2009-04-16 03:48 1,203,922 -c------ c:\winxp\system32\dllcache\sysmain.sdb
2009-04-16 03:48 215,552 -c------ c:\winxp\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-03-25 17:42 499,712 a------- c:\winxp\system32\msvcp71.dll
2009-03-25 17:42 348,160 a------- c:\winxp\system32\msvcr71.dll
2009-03-09 05:19 410,984 a------- c:\winxp\system32\deploytk.dll
2009-03-06 07:22 284,160 a------- c:\winxp\system32\pdh.dll
2009-02-20 01:10 666,112 a------- c:\winxp\system32\wininet.dll
2009-02-20 01:10 81,920 a------- c:\winxp\system32\ieencode.dll
2009-02-19 11:52 21,280 a------- c:\docume~1\p416user\applic~1\GDIPFONTCACHEV1.DAT
2009-02-09 05:10 729,088 a------- c:\winxp\system32\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\winxp\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\winxp\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\winxp\system32\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\winxp\system32\win32k.sys
2009-02-06 04:11 110,592 a------- c:\winxp\system32\services.exe
2009-02-06 04:06 2,145,280 a------- c:\winxp\system32\ntoskrnl.exe
2009-02-06 03:39 35,328 a------- c:\winxp\system32\sc.exe
2009-02-06 03:32 2,023,936 a------- c:\winxp\system32\ntkrnlpa.exe
2007-12-25 12:42 32 a------- c:\docume~1\alluse~1.win\applic~1\ezsid.dat
2001-08-22 13:15 245,760 a------- c:\winxp\inf\i386\viceo.dll
2001-08-22 13:13 32,768 a------- c:\winxp\inf\i386\Pmicro.dll
2001-08-22 13:13 61,440 a------- c:\winxp\inf\i386\gl.dll
2001-08-03 18:29 13,824 a------- c:\winxp\inf\i386\Usbscan.sys
2001-04-19 08:00 15,716 a------- c:\winxp\inf\i386\Pmxscan.sys
1998-09-24 13:32 11,079 a---h--- c:\program files\folder.htt
1998-09-24 13:32 266 ---sh--- c:\program files\desktop.ini
2008-06-15 20:50 1,475 a--sh--- c:\winxp\system32\GhRXxyxx.ini2

============= FINISH: 13:57:10.71 ===============

#4 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 05 May 2009 - 05:53 PM

Hello texan16,

You're very welcome. :thumbup2:

I can see you're still infected, so we will run ComboFix.

You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your McAfee SecurityCenter before running ComboFix, as it will prevent it from running.

To disable McAfee SecurityCenter

Double-click the taskbar icon to open the Security Center
Click Advanced Menu (lower left)
Click Configure (left)
Click Computer & Files (upper left)
VirusScan can be disabled on the right.

Do the same via Internet & Network for Firewall Plus.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 texan16

  • Topic Starter
  • Members
  • 19 posts

Posted 05 May 2009 - 07:52 PM

ComboFix log for your review. Hope this takes care of it, and again, my thanks!
ComboFix 09-05-05.03 - P416User 05/05/2009 17:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1165 [GMT -7:00]
Running from: c:\documents and settings\P416User\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winxp\system32\ATHPRXY(2).DLL
c:\winxp\system32\GhRXxyxx.ini
c:\winxp\system32\GhRXxyxx.ini2
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.

2009-05-05 20:31 . 2009-05-05 20:31 -------- d-----w c:\documents and settings\P416User\Application Data\Malwarebytes
2009-05-05 20:30 . 2009-04-06 22:32 15504 ----a-w c:\winxp\system32\drivers\mbam.sys
2009-05-05 20:30 . 2009-04-06 22:32 38496 ----a-w c:\winxp\system32\drivers\mbamswissarmy.sys
2009-05-05 20:30 . 2009-05-05 20:30 -------- d-----w c:\documents and settings\All Users.WINXP\Application Data\Malwarebytes
2009-05-05 20:30 . 2009-05-05 20:31 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-03 20:22 . 2009-05-03 22:06 -------- d-----w c:\program files\RegCure
2009-05-01 05:15 . 2007-11-22 13:44 33832 ----a-w c:\winxp\system32\drivers\mferkdk.sys
2009-05-01 05:15 . 2007-12-02 19:51 40488 ----a-w c:\winxp\system32\drivers\mfesmfk.sys
2009-05-01 05:15 . 2007-11-22 13:44 35240 ----a-w c:\winxp\system32\drivers\mfebopk.sys
2009-05-01 05:15 . 2007-11-22 13:44 79304 ----a-w c:\winxp\system32\drivers\mfeavfk.sys
2009-05-01 05:15 . 2007-11-22 13:44 201320 ----a-w c:\winxp\system32\drivers\mfehidk.sys
2009-05-01 05:15 . 2007-07-13 13:20 113952 ----a-w c:\winxp\system32\drivers\Mpfp.sys
2009-05-01 05:14 . 2009-05-01 05:15 -------- d-----w c:\program files\Common Files\McAfee
2009-05-01 05:14 . 2009-05-02 21:05 -------- d-----w c:\program files\McAfee
2009-04-16 10:51 . 2009-03-06 14:22 284160 -c----w c:\winxp\system32\dllcache\pdh.dll
2009-04-16 10:51 . 2009-02-09 12:10 401408 -c----w c:\winxp\system32\dllcache\rpcss.dll
2009-04-16 10:51 . 2009-02-06 11:11 110592 -c----w c:\winxp\system32\dllcache\services.exe
2009-04-16 10:51 . 2009-02-09 12:10 473600 -c----w c:\winxp\system32\dllcache\fastprox.dll
2009-04-16 10:51 . 2009-02-06 10:10 227840 -c----w c:\winxp\system32\dllcache\wmiprvse.exe
2009-04-16 10:51 . 2009-02-09 12:10 453120 -c----w c:\winxp\system32\dllcache\wmiprvsd.dll
2009-04-16 10:51 . 2009-02-09 12:10 729088 -c----w c:\winxp\system32\dllcache\lsasrv.dll
2009-04-16 10:51 . 2009-02-09 12:10 617472 -c----w c:\winxp\system32\dllcache\advapi32.dll
2009-04-16 10:51 . 2009-02-09 12:10 714752 -c----w c:\winxp\system32\dllcache\ntdll.dll
2009-04-16 10:48 . 2008-05-03 11:55 2560 ------w c:\winxp\system32\xpsp4res.dll
2009-04-16 10:48 . 2008-04-21 12:08 215552 -c----w c:\winxp\system32\dllcache\wordpad.exe
2009-04-09 01:25 . 2009-04-11 03:39 -------- d-----w c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 20:05 . 2006-09-02 06:02 -------- d-----w c:\program files\Java
2009-05-01 05:14 . 2004-11-24 19:44 -------- d-----w c:\program files\McAfee.com
2009-04-11 03:38 . 2006-09-02 14:28 -------- d-----w c:\program files\Google
2009-03-26 00:42 . 2005-09-03 22:18 499712 ----a-w c:\winxp\system32\msvcp71.dll
2009-03-26 00:42 . 2005-09-03 22:18 348160 ----a-w c:\winxp\system32\msvcr71.dll
2009-03-09 12:19 . 2008-12-25 22:54 410984 ----a-w c:\winxp\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\winxp\system32\pdh.dll
2009-02-20 08:10 . 2004-08-04 12:00 666112 ----a-w c:\winxp\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 12:00 81920 ----a-w c:\winxp\system32\ieencode.dll
2009-02-19 18:52 . 2006-02-15 01:08 21280 ----a-w c:\documents and settings\P416User\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\winxp\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\winxp\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\winxp\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\winxp\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\winxp\system32\win32k.sys
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\winxp\system32\services.exe
2009-02-06 11:06 . 2004-08-04 12:00 2145280 ----a-w c:\winxp\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\winxp\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\winxp\system32\ntkrnlpa.exe
1998-09-24 20:32 . 1998-09-24 20:32 266 --sh--w c:\program files\desktop.ini
1998-09-24 20:32 . 1998-09-24 20:32 11079 ---ha-w c:\program files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"ctfmon.exe"="c:\winxp\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-24 143360]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-09-03 98304]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2005-04-11 83544]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 99480]
"HostManager"="c:\program files\Common Files\AOL\1150319672\ee\AOLSoftware.exe" [2007-10-08 41824]
"VX3000"="c:\winxp\vVX3000.exe" [2006-10-14 707376]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-14 277296]
"Secure Online Account Numbers"="c:\progra~1\Discover\SOAN\SOAN.exe" [2007-02-03 233472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"IgfxTray"="c:\winxp\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\winxp\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\winxp\system32\igfxpers.exe" [2007-12-19 131072]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2008-12-09 4289280]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2008-12-09 58112]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-26 198160]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\winxp\RTHDCPL.EXE [2008-10-01 16864768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]

c:\documents and settings\P416User\Start Menu\Programs\Startup\
CAT.EXE [1999-10-14 307200]

c:\documents and settings\All Users.WINXP\Start Menu\Programs\Startup\
think.lgo [2005-9-4 0]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0b\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINXP\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Common Files\\AOL\\1150319672\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

S2 gupdate1c9649a30c51a13;Google Update Service (gupdate1c9649a30c51a13);c:\program files\Google\Update\GoogleUpdate.exe [12/22/2008 6:02 PM 133104]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\P416User\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\P416User\LOCALS~1\Temp\ALSysIO.sys [?]
S3 DCamUSBConexant;Ezonics EZCam II;c:\winxp\system32\drivers\usbcone.sys [9/3/2005 7:54 PM 80576]
.
Contents of the 'Scheduled Tasks' folder

2009-05-06 c:\winxp\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-23 01:02]

2009-05-01 c:\winxp\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-01 20:32]

2009-05-01 c:\winxp\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-01 20:32]

2009-05-06 c:\winxp\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-05-03 c:\winxp\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]
.
- - - - ORPHANS REMOVED - - - -

BHO-{7AB32675-62A4-42AC-A611-461FF44C10C6} - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-POINTER - point32.exe
Notify-rqRKEVPG - rqRKEVPG.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: vectorvest.com\www
DPF: Microsoft XML Parser for Java - file://c:\winxp\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\P416User\Application Data\Mozilla\Firefox\Profiles\c748seim.default\
FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 17:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Hardware\Mouse\point32.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\winxp\system32\igfxsrvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\documents and settings\P416User\Start Menu\Programs\Startup\CAT.EXE
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\winxp\wanmpsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\winxp\system32\wscntfy.exe
c:\program files\BOINC\boinc.exe
c:\documents and settings\All Users.WINXP\Application Data\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.03_windows_intelx86
c:\documents and settings\All Users.WINXP\Application Data\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.03_windows_intelx86
c:\documents and settings\All Users.WINXP\Application Data\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.03_windows_intelx86
c:\documents and settings\All Users.WINXP\Application Data\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.03_windows_intelx86
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-05-06 17:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-06 00:36

Pre-Run: 48,471,658,496 bytes free
Post-Run: 48,552,398,848 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINXP
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINXP="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

210 --- E O F --- 2009-04-18 10:03


Thanks and thanks!

#6 texan16

  • Topic Starter
  • Members
  • 19 posts

Posted 05 May 2009 - 08:23 PM

Mike, I don't know if this bit of information would be helpful (and you may have it from posted logs), but after running the ComboFix scan, I was able to access the internet through Internet Explorer, but still had the blank pages and still unable to use links. After I had closed all windows I opened task manager and iexplore.exe was listed using 29,880 K memory. Don't know if this means anything! Unfortunately that is sorta the sum total of my tech knowledge! And, I did reactivate McAfee. I appreciate your patience and expertise!

#7 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 05 May 2009 - 09:04 PM

Hello texan16,

Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\documents and settings\P416User\Start Menu\Programs\Startup\CAT.EXE
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.



You need to disable your McAfee SecurityCenter before running ComboFix, as it will prevent it from running.

To disable McAfee SecurityCenter
Double-click the taskbar icon to open the Security Center
Click Advanced Menu (lower left)
Click Configure (left)
Click Computer & Files (upper left)
VirusScan can be disabled on the right.

Do the same via Internet & Network for Firewall Plus.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\docume~1\P416User\LOCALS~1\Temp\ALSysIO.sys

Registry:: 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001

Driver:: 
ALSysIO


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

#8 texan16

  • Topic Starter
  • Members
  • 19 posts

Posted 06 May 2009 - 05:53 PM

I'm working on your last instructions and have run into a problem. I do NOT have a ComboFix icon on my desktop, although it was there yesterday. I hope I got the right file "CAT.EXE". I will post that result here for your review. I did the CFScript.txt and have that icon on my desktop. I will await your instruction. Thanks so much.

File::
c:\docume~1\P416User\LOCALS~1\Temp\ALSysIO.sys

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001

Driver::
ALSysIO

#9 texan16

  • Topic Starter
  • Members
  • 19 posts

Posted 06 May 2009 - 06:12 PM

Trying again with the CAT.EXE from Clipboard:

File information
File Name : CAT.EXE
File Size : 307200 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 0e4baee67e1dce71c1a334e22e50380e
SHA1 : 6eb1cb1d94a00daf1fb91218b050fdcba8436c03

Scanner results
Scanner results : 18% Scanner(7/38) found malware!
Time : 2009/05/06 15:59:03 (PDT)
Scanner | Engine Ver | Sig Ver | Sig Date | Scan result | Time
a-squared | 4.0.0.32 | 20090507000335 | 2009-05-07 | - | 1.877
AhnLab V3 | 2009.05.07.00 | 2009.05.07 | 2009-05-07 | Win-AppCare/Xema.307200 | 0.611
AntiVir | 7.9.0.160 | 7.1.3.164 | 2009-05-06 | - | 2.042
Antiy | 2.0.18 | 20090506.2357764 | 2009-05-06 | - | 0.118
Arcavir | 2009 | 200905061805 | 2009-05-06 | Joke.Jeprus | 0.043
Authentium | 5.1.1 | 200905061850 | 2009-05-06 | - | 1.384
AVAST! | 4.7.4 | 090505-0 | 2009-05-05 | - | 0.034
AVG | 8.5.286 | 270.12.21/2101 | 2009-05-07 | - | 3.940
BitDefender | 7.81008.2902066 | 7.25241 | 2009-05-07 | - | 2.710
CA (VET) | 9.0.0.143 | 31.6.6492 | 2009-05-07 | - | 13.749
ClamAV | 0.95 | 9332 | 2009-05-06 | - | 0.059
Comodo | 3.8 | 1154 | 2009-05-06 | ApplicUnsaf.Win32.Joke.ScreenMate | 0.678
CP Secure | 1.1.0.715 | 2009.05.07 | 2009-05-07 | - | 8.901
Dr.Web | 4.44.0.9170 | 2009.05.06 | 2009-05-06 | - | 4.522
F-Prot | 4.4.4.56 | 20090506 | 2009-05-06 | - | 1.341
F-Secure | 5.51.6100 | 2009.05.06.11 | 2009-05-06 | - | 0.089
Fortinet | 2.81-3.117 | 10.358 | 2009-05-06 | - | 0.583
GData | 19.5069/19.322 | 20090506 | 2009-05-06 | - | 3.945
Ikarus | T3.1.01.49 | 2009.05.06.72678 | 2009-05-06 | - | 2.782
JiangMin | 11.0.706 | 2009.05.06 | 2009-05-06 | - | 5.012
Kaspersky | 5.5.10 | 2009.05.06 | 2009-05-06 | - | 0.076
KingSoft | 2009.2.5.15 | 2009.5.6.22 | 2009-05-06 | Win32.Joke.ScreenMate.307318 | 0.425
McAfee | 5.3.00 | 5607 | 2009-05-06 | - | 2.866
Microsoft | 1.4602 | 2009.05.06 | 2009-05-06 | - | 4.521
mks_vir | 2.01 | 2009.05.06 | 2009-05-06 | Joke.Jeprus | 2.667
Norman | 6.01.05 | 6.01.00 | 2009-05-06 | - | 4.008
nProtect | 20090506.01 | 3583152 | 2009-05-06 | Joke/W32.Screenmates.307200 | 5.133
Panda | 9.05.01 | 2009.05.04 | 2009-05-04 | - | 4.553
Quick Heal | 10.00 | 2009.05.06 | 2009-05-06 | Trojan.Agent.ATV | 2.385
Rising | 20.0 | 21.28.22.00 | 2009-05-06 | - | 1.227
Sophos | 2.86.0 | 4.41 | 2009-05-07 | - | 2.237
Sunbelt | 5124 | 5124 | 2009-05-06 | - | 5.731
Symantec | 1.3.0.24 | 20090506.002 | 2009-05-06 | - | 0.243
The Hacker | 6.3.4.1 | v00319 | 2009-05-05 | - | 0.577
Trend Micro | 8.700-1004 | 6.112.08 | 2009-05-06 | - | 0.022
VBA32 | 3.12.10.4 | 20090505.1100 | 2009-05-05 | - | 1.929
ViRobot | 20090506 | 2009.05.06 | 2009-05-06 | - | 0.525
VirusBuster | 4.5.11.10 | 10.105.17/1328820 | 2009-05-06 | - | 1.715
NOTICE: It may be false positive by some scanners when they found a malware, so you should judge it by yourself.

Sorry about that previous post! Obviously I was focused on the missing ComboFix icon. Thanks for your patience!

#10 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 06 May 2009 - 09:54 PM

Hi texan16,

No problem, we will bring the icon back. :thumbup2:

Delete the version of Combofix you have on your desktop,
then download a new version and install on your desktop.

Run ComboFix and post the log it produces.

#11 texan16

  • Topic Starter
  • Members
  • 19 posts

Posted 07 May 2009 - 02:16 PM

Hi Sifumike, I cannot delete ComboFix.exe because I cannot find it. I have checked Add/Remove Programs. I do have ComboFix.txt on C drive. FYI, yesterday McAfee "detected and quarantined ""Artimis! 0207932B63B6 Trojan Location: C:\Documents and Settings\P416User|Desktop|ComboFix.exe". You have previously stated that there would/could be a conflict between McAfee and ComboFix. Does that apply here? Also I have disabled McAfee on the problem CPU and turned it off. I am now using a laptop, and will put the problem CPU online only to execute your instructions. Question: After completing a set of your instructions, should I check results by trying Internet Explorer or wait for advice from you? I wish I knew more about how this works, and I really appreciate your help!!

#12 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 07 May 2009 - 06:26 PM

Hi texan16,

I cannot delete ComboFix.exe because I cannot find it. I have checked Add/Remove Programs. I do have ComboFix.txt on C drive. FYI, yesterday McAfee "detected and quarantined ""Artimis! 0207932B63B6 Trojan Location: C:\Documents and Settings\P416User|Desktop|ComboFix.exe". You have previously stated that there would/could be a conflict between McAfee and ComboFix. Does that apply here?


ComboFix is not in Add/Remove Programs, so don't bother looking there.

ComboFix created a log file and it will be at C:\ComboFix.txt. No need to post it.

FYI, yesterday McAfee "detected and quarantined ""Artimis! 0207932B63B6 Trojan Location: C:\Documents and Settings\P416User|Desktop|ComboFix.exe".



That's the reason you can't find it. McAfee deleted it from your desktop. :thumbup2:
Apparently you enabled the McAfee Antivirus and ran a scan and deleted it.


Let's uninstall ComboFix.

To uninstall ComboFix, go to Start > Run and type in ComboFix /u
Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, _OTMoveIt3), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know when you have done the above.

Edited by SifuMike, 07 May 2009 - 06:28 PM.


#13 texan16

  • Topic Starter
  • Members
  • 19 posts

Posted 07 May 2009 - 08:56 PM

Very sorry about the McAfee complication. Unfortunately, it appears that I should also have disabled E-mail and IM. I have now done so and I do have a white "x" in the red box in the task bar where McAfee usually scans.

Very sorry about the McAfee complication. I apologize for my mistake. I did not disable E-mail and IM as obviously I should have. I have now done so and there is the white X in the red box where McAfee usually scans.





I have just tried the uninstall as you directed. I typed ComboFix /u in Run, then hit Enter, and got this message: "Windows cannot find 'ComboFix'. Make sure you typed the name correctly and then try again. To search for a file, click the Start button, then click Search." I did try again with the same result. I then tried "Search" with this result:

Search result: 2 files found
ComboFix.txt Folder C:\ and ComboFix-quarantined-files.txt Folder C:\Qoobox

#14 SifuMike

    malware expert

Posted 07 May 2009 - 10:02 PM

2 files found
ComboFix.txt Folder C:\ and ComboFix-quarantined-files.txt Folder C:\Qoobox


Delete those two folders.

Then download and run Combofix after you disable McAfee SecurityCenter. Post the log it produces.

Edited by SifuMike, 07 May 2009 - 10:03 PM.


#15 texan16


Posted 08 May 2009 - 08:49 PM

Hello SifuMike, I hope I get this right this time.

ComboFix 09-05-08.03 - P416User 05/08/2009 18:34.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1107 [GMT -7:00]
Running from: c:\documents and settings\P416User\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
.

((((((((((((((((((((((((( Files Created from 2009-04-09 to 2009-05-09 )))))))))))))))))))))))))))))))
.

2009-05-05 20:31 . 2009-05-05 20:31 -------- d-----w c:\documents and settings\P416User\Application Data\Malwarebytes
2009-05-05 20:30 . 2009-04-06 22:32 15504 ----a-w c:\winxp\system32\drivers\mbam.sys
2009-05-05 20:30 . 2009-04-06 22:32 38496 ----a-w c:\winxp\system32\drivers\mbamswissarmy.sys
2009-05-05 20:30 . 2009-05-05 20:30 -------- d-----w c:\documents and settings\All Users.WINXP\Application Data\Malwarebytes
2009-05-05 20:30 . 2009-05-05 20:31 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-03 20:22 . 2009-05-03 22:06 -------- d-----w c:\program files\RegCure
2009-05-01 05:15 . 2007-11-22 13:44 33832 ----a-w c:\winxp\system32\drivers\mferkdk.sys
2009-05-01 05:15 . 2007-12-02 19:51 40488 ----a-w c:\winxp\system32\drivers\mfesmfk.sys
2009-05-01 05:15 . 2007-11-22 13:44 35240 ----a-w c:\winxp\system32\drivers\mfebopk.sys
2009-05-01 05:15 . 2007-11-22 13:44 79304 ----a-w c:\winxp\system32\drivers\mfeavfk.sys
2009-05-01 05:15 . 2007-11-22 13:44 201320 ----a-w c:\winxp\system32\drivers\mfehidk.sys
2009-05-01 05:15 . 2007-07-13 13:20 113952 ----a-w c:\winxp\system32\drivers\Mpfp.sys
2009-05-01 05:14 . 2009-05-01 05:15 -------- d-----w c:\program files\Common Files\McAfee
2009-05-01 05:14 . 2009-05-02 21:05 -------- d-----w c:\program files\McAfee
2009-04-16 10:51 . 2009-03-06 14:22 284160 -c----w c:\winxp\system32\dllcache\pdh.dll
2009-04-16 10:51 . 2009-02-09 12:10 401408 -c----w c:\winxp\system32\dllcache\rpcss.dll
2009-04-16 10:51 . 2009-02-06 11:11 110592 -c----w c:\winxp\system32\dllcache\services.exe
2009-04-16 10:51 . 2009-02-09 12:10 473600 -c----w c:\winxp\system32\dllcache\fastprox.dll
2009-04-16 10:51 . 2009-02-06 10:10 227840 -c----w c:\winxp\system32\dllcache\wmiprvse.exe
2009-04-16 10:51 . 2009-02-09 12:10 453120 -c----w c:\winxp\system32\dllcache\wmiprvsd.dll
2009-04-16 10:51 . 2009-02-09 12:10 729088 -c----w c:\winxp\system32\dllcache\lsasrv.dll
2009-04-16 10:51 . 2009-02-09 12:10 617472 -c----w c:\winxp\system32\dllcache\advapi32.dll
2009-04-16 10:51 . 2009-02-09 12:10 714752 -c----w c:\winxp\system32\dllcache\ntdll.dll
2009-04-16 10:48 . 2008-05-03 11:55 2560 ------w c:\winxp\system32\xpsp4res.dll
2009-04-16 10:48 . 2008-04-21 12:08 215552 -c----w c:\winxp\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-08 23:59 . 2005-09-03 20:46 21280 ----a-w c:\documents and settings\P416User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-05 20:05 . 2006-09-02 06:02 -------- d-----w c:\program files\Java
2009-05-01 05:14 . 2004-11-24 19:44 -------- d-----w c:\program files\McAfee.com
2009-04-11 03:39 . 2009-04-09 01:25 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-11 03:38 . 2006-09-02 14:28 -------- d-----w c:\program files\Google
2009-03-26 00:42 . 2005-09-03 22:18 499712 ----a-w c:\winxp\system32\msvcp71.dll
2009-03-26 00:42 . 2005-09-03 22:18 348160 ----a-w c:\winxp\system32\msvcr71.dll
2009-03-09 12:19 . 2008-12-25 22:54 410984 ----a-w c:\winxp\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\winxp\system32\pdh.dll
2009-02-20 08:10 . 2004-08-04 12:00 666112 ----a-w c:\winxp\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 12:00 81920 ----a-w c:\winxp\system32\ieencode.dll
2009-02-19 18:52 . 2006-02-15 01:08 21280 ----a-w c:\documents and settings\P416User\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\winxp\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\winxp\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\winxp\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\winxp\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\winxp\system32\win32k.sys
1998-09-24 20:32 . 1998-09-24 20:32 266 --sh--w c:\program files\desktop.ini
1998-09-24 20:32 . 1998-09-24 20:32 11079 ---ha-w c:\program files\folder.htt
.

((((((((((((((((((((((((((((( SnapShot@2009-05-06_00.33.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-08 23:57 . 2009-05-08 23:57 16384 c:\winxp\Temp\Perflib_Perfdata_878.dat
- 2005-09-03 22:13 . 2009-05-05 20:25 32768 c:\winxp\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-09-03 22:13 . 2009-05-09 00:03 32768 c:\winxp\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-09-03 22:13 . 2009-05-05 20:25 32768 c:\winxp\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-09-03 22:13 . 2009-05-09 00:03 32768 c:\winxp\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-09-03 22:13 . 2009-05-09 00:03 32768 c:\winxp\system32\config\systemprofile\Cookies\index.dat
- 2005-09-03 22:13 . 2009-05-05 20:25 32768 c:\winxp\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-06 17:42 . 2009-05-06 00:56 295606 c:\winxp\Installer\{AC76BA86-7AD7-1033-7B44-A81300000003}\SC_Reader.exe
- 2008-11-06 17:42 . 2008-11-06 17:42 295606 c:\winxp\Installer\{AC76BA86-7AD7-1033-7B44-A81300000003}\SC_Reader.exe
+ 2008-10-15 08:42 . 2008-10-15 08:42 13219184 c:\winxp\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A3100000030\8.1.3\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"ctfmon.exe"="c:\winxp\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-24 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-09-03 98304]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2005-04-11 83544]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 99480]
"HostManager"="c:\program files\Common Files\AOL\1150319672\ee\AOLSoftware.exe" [2007-10-08 41824]
"VX3000"="c:\winxp\vVX3000.exe" [2006-10-14 707376]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-14 277296]
"Secure Online Account Numbers"="c:\progra~1\Discover\SOAN\SOAN.exe" [2007-02-03 233472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"IgfxTray"="c:\winxp\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\winxp\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\winxp\system32\igfxpers.exe" [2007-12-19 131072]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2008-12-09 4289280]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2008-12-09 58112]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-26 198160]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\winxp\RTHDCPL.EXE [2008-10-01 16864768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]

c:\documents and settings\P416User\Start Menu\Programs\Startup\
CAT.EXE [1999-10-14 307200]

c:\documents and settings\All Users.WINXP\Start Menu\Programs\Startup\
think.lgo [2005-9-4 0]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0b\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINXP\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Common Files\\AOL\\1150319672\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

S2 gupdate1c9649a30c51a13;Google Update Service (gupdate1c9649a30c51a13);c:\program files\Google\Update\GoogleUpdate.exe [12/22/2008 6:02 PM 133104]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\P416User\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\P416User\LOCALS~1\Temp\ALSysIO.sys [?]
S3 DCamUSBConexant;Ezonics EZCam II;c:\winxp\system32\drivers\usbcone.sys [9/3/2005 7:54 PM 80576]
.
Contents of the 'Scheduled Tasks' folder

2009-05-08 c:\winxp\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-23 01:02]

2009-05-01 c:\winxp\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-01 20:32]

2009-05-01 c:\winxp\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-01 20:32]

2009-05-09 c:\winxp\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-05-03 c:\winxp\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: vectorvest.com\www
DPF: Microsoft XML Parser for Java - file://c:\winxp\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\P416User\Application Data\Mozilla\Firefox\Profiles\c748seim.default\
FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-08 18:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-09 18:36
ComboFix-quarantined-files.txt 2009-05-09 01:36

Pre-Run: 48,638,898,176 bytes free
Post-Run: 48,626,544,640 bytes free

169 --- E O F --- 2009-04-18 10:03


As always, thanks for your help!!
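The "Reg Loading Points" and service lines in the ComboFix log above are the part a helper reads first: each registry Run value comes with its resolved image path, and each service line ends either in a timestamp/size or in "[?]" when ComboFix could not find the image on disk. The following Python parser is an added example, not code from this thread and not ComboFix's own tooling: it reads those two line formats and flags entries a reviewer would check first, namely images that are missing on disk and images that load from a user-writable directory. The regular expressions, the `USER_WRITABLE` list and the `Entry` structure are this example's own assumptions about the format; the sample lines are copied from the log in this thread. A driver loading from Temp is a prompt to verify, not a verdict, since some legitimate hardware-monitoring tools unpack their driver there.

```python
"""Triage helper for ComboFix 'Reg Loading Points' and service lines.

Added example (not part of the forum thread and not ComboFix's own code).
It parses the autostart and service entries in the format ComboFix prints
and reports the ones a reviewer looks at first.
"""
import re
from typing import List, NamedTuple, Optional


class Entry(NamedTuple):
    kind: str       # "run" (registry Run value) or "service"
    name: str
    path: str       # image path as ComboFix printed (or resolved) it
    missing: bool   # ComboFix printed "[?]": image not found on disk


# Registry Run value, e.g.
#   "Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
#   "RTHDCPL"="RTHDCPL.EXE" - c:\winxp\RTHDCPL.EXE [2008-10-01 16864768]
# (format assumed from the log; the second form is ComboFix resolving a bare name)
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'
    r'(?:\s+-\s+(?P<resolved>.+?))?'
    r'\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]\s*$'
)

# Service/driver line: "<start> <name>;<display name>;<image> [<date> <size>]"
# or "... --> <resolved image> [?]" when the file is missing (format assumed from the log).
SVC_RE = re.compile(r'^(?P<start>[SR]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$')

# Directory fragments any local user can write to (assumed list; extend to taste).
USER_WRITABLE = ("\\temp\\", "\\tmp\\", "\\locals~1\\", "\\local settings\\",
                 "\\docume~1\\", "\\documents and settings\\", "\\appdata\\")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for lines that are neither format."""
    m = RUN_RE.match(line)
    if m:
        path = m.group("resolved") or m.group("value")
        return Entry("run", m.group("name"), path, missing=False)
    m = SVC_RE.match(line)
    if m:
        image = m.group("image")
        missing = image.rstrip().endswith("[?]")
        # Prefer the resolved path after "-->" when ComboFix printed one.
        if " --> " in image:
            image = image.split(" --> ", 1)[1]
        # Drop the trailing "[...]" (timestamp and size, or "[?]").
        image = re.sub(r"\s*\[[^\]]*\]\s*$", "", image)
        return Entry("service", m.group("name").strip(), image, missing)
    return None


def review(lines: List[str]) -> List[str]:
    """Return one human-readable finding per entry worth a second look."""
    findings = []
    for line in lines:
        e = parse_line(line.strip())
        if e is None:
            continue
        low = e.path.lower()
        if e.missing:
            findings.append(f"{e.kind} {e.name}: image not found on disk ({e.path})")
        if any(frag in low for frag in USER_WRITABLE):
            findings.append(f"{e.kind} {e.name}: loads from a user-writable directory ({e.path})")
    return findings


# Sample lines copied from the ComboFix log posted in this thread.
SAMPLE = [
    r'"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]',
    r'"RTHDCPL"="RTHDCPL.EXE" - c:\winxp\RTHDCPL.EXE [2008-10-01 16864768]',
    r'S2 gupdate1c9649a30c51a13;Google Update Service (gupdate1c9649a30c51a13);c:\program files\Google\Update\GoogleUpdate.exe [12/22/2008 6:02 PM 133104]',
    r'S3 ALSysIO;ALSysIO;\??\c:\docume~1\P416User\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\P416User\LOCALS~1\Temp\ALSysIO.sys [?]',
    r'S3 DCamUSBConexant;Ezonics EZCam II;c:\winxp\system32\drivers\usbcone.sys [9/3/2005 7:54 PM 80576]',
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Run against the sample lines, only the ALSysIO service is reported, twice: once because ComboFix marked the image missing and once because the recorded path is under the user's Temp directory. The Run values and the two other services resolve to Program Files or the Windows directory and produce no finding, which is the point of the check: it narrows a long log to the handful of lines that need a human decision.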



