
Malware infection! (ntndis.exe!!)


  • This topic is locked
29 replies to this topic

#1 d.n.d.

d.n.d.

  • Members
  • 16 posts
  • OFFLINE
  • Local time:04:55 AM

Posted 16 May 2009 - 03:25 PM

So a few days ago I went out for most of the evening, while leaving my computer on and connected to the internet. When I came home I found an error message saying something along the lines of "ntndis.exe does not have authorized access", and all I could click was the "OK" button. I then logged in and noticed that my CPU activity was at least 50%, maybe more. Something was using a lot of my CPU resources. Also, I have in my system tray temperatures for my computer components like my CPU cores, and both were higher than normal.

I opened Task Manager and the program ntndis.exe was causing this. I have never seen this before, so I did a quick search on Google which revealed that this was a backdoor worm (malware) virus. After doing some more research, the first thing I did was end the ntndis.exe process in Task Manager, then install and run Spybot, while on another computer I changed all of my passwords for my online accounts.

To make a long story short, Spybot detected a few trojans and the malware virus. It removed most of it, and after it prompted me with a restart and performed another scan, it removed everything. This was Tuesday night. Since then I have updated and run Spybot every day and it has not found anything. But I am still posting here because I want to be 100% sure that my computer is totally clean. Also, I took a while to post here because I had to back up a lot of data that I did not get around to backing up. But everything is backed up, and I have followed the preparation guide for using the HijackThis log. Also, I was sort of surprised at this mishap because I never go on insecure websites, and anything I download I always use on-demand scan.

Also, I believe my McAfee antivirus did not detect those trojans because I am using an expired version. It came with the laptop, and I found that after it expired I could still do full system scans and on-demand scans. I figured this was sufficient but as you can see I was sadly mistaken. After this cleanup I am going to either get AVG AV or renew my licence with McAfee (opinions?). Below is the DDS log, and I have attached the Attach text file as well.

__________________________________________________________________



DDS (Ver_09-05-14.01) - NTFSx86
Run by Gary at 16:12:17.18 on Sat 05/16/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1077 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\dllhost.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
svchost
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Lavalys\EVEREST Ultimate Edition\everest.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\temp\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070901
uSearch Page = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
uSearch Bar = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
uDefault_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070901
mDefault_Page_URL = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
mStart Page = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
uInternet Connection Wizard,ShellNext = https://login.live.com/ppsecure/md5auth.srf?lc=1033
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
mWinlogon: Shell=Explorer.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptcl.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MskAgentexe] c:\program files\mcafee\msk\MskAgent.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [BigDogPath] c:\windows\VM_STI.EXE lebeca web camera driver
mRun: [<NO NAME>]
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\biolsp.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} - hxxp://musicmix.messenger.msn.com/Medialogic.CAB
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229548228656
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229548205531
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: wxvault.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gary\applic~1\mozilla\firefox\profiles\hhtumyeb.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
R2 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2007-9-1 540776]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-9-1 353368]
R2 McRedirector;McAfee Redirector Service;c:\progra~1\common~1\mcafee\redirsvc\redirsvc.exe [2007-9-1 256096]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-9-1 144960]
R2 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-9-1 643664]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-11 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\lavalys\everest ultimate edition\kerneld.wnt [2007-9-9 20856]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-9-1 71496]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-9-1 34184]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-9-1 171240]
R3 mferkdk;McAfee Inc.;c:\windows\system32\drivers\mferkdk.sys [2007-9-1 32008]
R3 mfesmfk;McAfee Inc.;c:\windows\system32\drivers\mfesmfk.sys [2007-9-1 37480]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-12-7 10976]

=============== Created Last 30 ================

2009-05-16 02:11 359,883 a------- c:\temp\dds.scr
2009-05-12 21:29 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-12 21:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-12 18:34 <DIR> --d----- c:\windows\system32\lowsec
2009-04-28 00:37 24,576 a------- c:\windows\system32\stu2.exe
2009-04-18 12:00 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-18 12:00 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-18 12:00 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-18 12:00 60,416 -------- c:\windows\system32\dllcache\colbact.dll
2009-04-18 12:00 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-04-18 12:00 715,264 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-18 12:00 617,984 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-18 12:00 473,088 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-18 12:00 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-18 11:59 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-18 11:56 1,089,601 -------- c:\windows\system32\dllcache\ntprint.cat

==================== Find3M ====================

2009-04-28 00:37 14,848 a------- c:\windows\system32\userinit.exe
2009-03-21 10:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 10:00 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 19:52 1,495,552 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-19 05:58 18,432 -------- c:\windows\system32\dllcache\iedw.exe

============= FINISH: 16:12:46.60 ===============

Attached Files


Edited by d.n.d., 16 May 2009 - 03:26 PM.




#2 d.n.d.

d.n.d.
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:04:55 AM

Posted 16 May 2009 - 04:05 PM

Just wanted to add, I was reading another thread here about disabling the script blocking but I did not know if it was enabled or not on my laptop. I ran DDS without disabling anything above. The log below is with everything disabled as required:

________________________________________________


DDS (Ver_09-05-14.01) - NTFSx86
Run by Gary at 16:47:15.93 on Sat 05/16/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1171 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\dllhost.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
svchost
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Lavalys\EVEREST Ultimate Edition\everest.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\temp\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070901
uSearch Page = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
uSearch Bar = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
uDefault_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070901
mDefault_Page_URL = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
mStart Page = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
uInternet Connection Wizard,ShellNext = https://login.live.com/ppsecure/md5auth.srf?lc=1033
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
mWinlogon: Shell=Explorer.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptcl.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MskAgentexe] c:\program files\mcafee\msk\MskAgent.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [BigDogPath] c:\windows\VM_STI.EXE lebeca web camera driver
mRun: [<NO NAME>]
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\biolsp.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} - hxxp://musicmix.messenger.msn.com/Medialogic.CAB
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229548228656
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229548205531
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: wxvault.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gary\applic~1\mozilla\firefox\profiles\hhtumyeb.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-9-1 144960]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
R2 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2007-9-1 540776]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-9-1 353368]
R2 McRedirector;McAfee Redirector Service;c:\progra~1\common~1\mcafee\redirsvc\redirsvc.exe [2007-9-1 256096]
R2 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-9-1 643664]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-11 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\lavalys\everest ultimate edition\kerneld.wnt [2007-9-9 20856]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-9-1 71496]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-9-1 34184]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-9-1 171240]
R3 mferkdk;McAfee Inc.;c:\windows\system32\drivers\mferkdk.sys [2007-9-1 32008]
R3 mfesmfk;McAfee Inc.;c:\windows\system32\drivers\mfesmfk.sys [2007-9-1 37480]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-12-7 10976]

=============== Created Last 30 ================

2009-05-16 02:11 359,883 a------- c:\temp\dds.scr
2009-05-12 21:29 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-12 21:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-12 18:34 <DIR> --d----- c:\windows\system32\lowsec
2009-04-28 00:37 24,576 a------- c:\windows\system32\stu2.exe
2009-04-18 12:00 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-18 12:00 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-18 12:00 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-18 12:00 60,416 -------- c:\windows\system32\dllcache\colbact.dll
2009-04-18 12:00 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-04-18 12:00 715,264 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-18 12:00 617,984 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-18 12:00 473,088 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-18 12:00 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-18 11:59 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-18 11:56 1,089,601 -------- c:\windows\system32\dllcache\ntprint.cat

==================== Find3M ====================

2009-04-28 00:37 14,848 a------- c:\windows\system32\userinit.exe
2009-03-21 10:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 10:00 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 19:52 1,495,552 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-19 05:58 18,432 -------- c:\windows\system32\dllcache\iedw.exe

============= FINISH: 16:47:34.75 ===============

Attached Files



#3 d.n.d.

d.n.d.
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:04:55 AM

Posted 16 May 2009 - 07:01 PM

Anyone? :thumbup2:
===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 16 May 2009 - 07:58 PM.


#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,805 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:55 AM

Posted 30 May 2009 - 01:26 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#5 d.n.d.

d.n.d.
  • Topic Starter

  • Members
  • 16 posts
  • Local time:04:55 AM

Posted 31 May 2009 - 05:46 PM

as mentioned in my first post, my problem was a malware virus that somehow got into my computer and started executing itself when i was away from my computer (refer to first post for entire story). i ran spybot and it removed a few trojans and one or two malware viruses. since then it has not detected anything at all after updating and scanning daily. the only problem now is i do not access any personal or important websites because i am unsure if my computer is 100% clean and malware free or not. i would just like a confirmation from someone here that my computer is totally clean. and if possible i would still like some opinion on whether i should continue to use mcafee (after renewing subscription) or going with something like AVG AV. below is the most up to date DDS log:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Gary at 18:33:10.46 on Sun 05/31/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1390 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\dllhost.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
svchost
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Lavalys\EVEREST Ultimate Edition\everest.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\temp\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070901
uSearch Page = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
uSearch Bar = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
uDefault_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070901
mDefault_Page_URL = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
mStart Page = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
uInternet Connection Wizard,ShellNext = https://login.live.com/ppsecure/md5auth.srf?lc=1033
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
mWinlogon: Shell=Explorer.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptcl.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MskAgentexe] c:\program files\mcafee\msk\MskAgent.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [BigDogPath] c:\windows\VM_STI.EXE lebeca web camera driver
mRun: [<NO NAME>]
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\biolsp.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} - hxxp://musicmix.messenger.msn.com/Medialogic.CAB
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229548228656
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229548205531
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: wxvault.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gary\applic~1\mozilla\firefox\profiles\hhtumyeb.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-9-1 144960]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
R2 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2007-9-1 540776]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-9-1 353368]
R2 McRedirector;McAfee Redirector Service;c:\progra~1\common~1\mcafee\redirsvc\redirsvc.exe [2007-9-1 256096]
R2 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-9-1 643664]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-11 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\lavalys\everest ultimate edition\kerneld.wnt [2007-9-9 20856]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-9-1 71496]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-9-1 34184]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-9-1 171240]
R3 mfesmfk;McAfee Inc.;c:\windows\system32\drivers\mfesmfk.sys [2007-9-1 37480]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-12-7 10976]
S3 mferkdk;McAfee Inc.;c:\windows\system32\drivers\mferkdk.sys [2007-9-1 32008]

=============== Created Last 30 ================

2009-05-31 17:49 359,893 a------- c:\temp\dds(2).scr
2009-05-18 22:22 5,632 a------- c:\windows\system32\ptpusb.dll
2009-05-18 22:22 159,232 a------- c:\windows\system32\ptpusd.dll
2009-05-12 21:29 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-12 21:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-12 18:34 <DIR> --d----- c:\windows\system32\lowsec

==================== Find3M ====================

2009-04-28 00:37 14,848 a------- c:\windows\system32\userinit.exe
2009-03-21 10:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 10:00 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:00 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 19:52 1,495,552 -------- c:\windows\system32\dllcache\shdocvw.dll

============= FINISH: 18:33:29.93 ===============




#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:02:55 AM

Posted 01 June 2009 - 08:57 PM

Hello, d.n.d. :thumbup2:
WordWrap has destroyed your log. Please run DDS again, but disable wordwrap in notepad before copy/pasting it in here.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#7 d.n.d.

d.n.d.
  • Topic Starter

  • Members
  • 16 posts
  • Local time:04:55 AM

Posted 02 June 2009 - 01:25 PM

oops sorry about that. here is the DDS log once again:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Gary at 13:51:15.79 on Tue 06/02/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1355 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\dllhost.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
svchost
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Lavalys\EVEREST Ultimate Edition\everest.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\temp\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070901
uSearch Page = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
uSearch Bar = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
uDefault_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070901
mDefault_Page_URL = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
mStart Page = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
uInternet Connection Wizard,ShellNext = https://login.live.com/ppsecure/md5auth.srf?lc=1033
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
mWinlogon: Shell=Explorer.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptcl.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MskAgentexe] c:\program files\mcafee\msk\MskAgent.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [BigDogPath] c:\windows\VM_STI.EXE lebeca web camera driver
mRun: [<NO NAME>]
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\biolsp.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} - hxxp://musicmix.messenger.msn.com/Medialogic.CAB
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229548228656
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229548205531
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: wxvault.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gary\applic~1\mozilla\firefox\profiles\hhtumyeb.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-9-1 144960]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
R2 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2007-9-1 540776]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-9-1 353368]
R2 McRedirector;McAfee Redirector Service;c:\progra~1\common~1\mcafee\redirsvc\redirsvc.exe [2007-9-1 256096]
R2 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-9-1 643664]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-11 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\lavalys\everest ultimate edition\kerneld.wnt [2007-9-9 20856]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-9-1 71496]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-9-1 34184]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-9-1 171240]
R3 mfesmfk;McAfee Inc.;c:\windows\system32\drivers\mfesmfk.sys [2007-9-1 37480]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-12-7 10976]
S3 mferkdk;McAfee Inc.;c:\windows\system32\drivers\mferkdk.sys [2007-9-1 32008]

=============== Created Last 30 ================

2009-06-02 13:24 359,893 a------- c:\temp\dds.scr
2009-05-18 22:22 5,632 a------- c:\windows\system32\ptpusb.dll
2009-05-18 22:22 159,232 a------- c:\windows\system32\ptpusd.dll
2009-05-12 21:29 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-12 21:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-12 18:34 <DIR> --d----- c:\windows\system32\lowsec

==================== Find3M ====================

2009-04-28 00:37 14,848 a------- c:\windows\system32\userinit.exe
2009-03-21 10:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 10:00 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:00 284,160 -------- c:\windows\system32\dllcache\pdh.dll

============= FINISH: 13:51:52.46 ===============

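As an added example that is not part of this thread, nor of DDS or any BleepingComputer tooling, here is a small Python triage script for a log in the format posted above. It reads the DDS layout (section banners made of '=' characters, the 'AV:'/'FW:' status lines, 'DPF:' entries, the 'Created Last 30' list) and pulls out what a helper looks at first: whether the antivirus and firewall are actually enabled, which JRE versions still have Downloaded Program Files entries (the log above lists installers from 1.5.0_06 through 1.6.0_13), and which newly created paths match a watchlist. The sample log is constructed from lines of the log above; the reference Java version and the watchlist contents are assumptions made for the example, and the 'lowsec' entry is on the watchlist only because the log shows it created on 2009-05-12 at 18:34, about three hours before Spybot was installed.

```python
"""Triage helpers for a DDS log (added example; not part of the thread or of DDS)."""
import re
from datetime import datetime

# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Pseudo HJT Report ===============

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

=============== Created Last 30 ================

2009-06-02 13:24 359,893 a------- c:\temp\dds.scr
2009-05-12 21:29 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-12 18:34 <DIR> --d----- c:\windows\system32\lowsec

==================== Find3M ====================
""".strip()

# Assumption: the JRE the helper asked for (6 Update 14), as a comparable tuple.
CURRENT_JAVA = (1, 6, 0, 14)
# Assumption: analyst watchlist of directory names with no business under system32.
# 'lowsec' is listed because the log shows it created inside the incident window.
WATCHLIST = ("lowsec",)

BANNER_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
STATUS_RE = re.compile(r"^(AV|FW):\s*(.+?)\s*\*(.+?)\*")
JAVA_CAB_RE = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-", re.IGNORECASE)
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\S+\s+\S+\s+(.+)$")


def split_sections(text):
    """Map each DDS section banner to its non-empty lines; the preamble is keyed ''."""
    sections, current = {"": []}, ""
    for line in text.splitlines():
        m = BANNER_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections


def protection_status(preamble):
    """Parse 'AV: <name> *<state>*' and 'FW: ...' lines into {kind: (name, enabled)}."""
    status = {}
    for line in preamble:
        m = STATUS_RE.match(line)
        if m:
            kind, name, state = m.groups()
            status[kind] = (name, "disabled" not in state.lower())
    return status


def java_versions(hjt_lines):
    """JRE versions that still have a DPF (Downloaded Program Files) entry, as tuples."""
    found = set()
    for line in hjt_lines:
        if line.startswith("DPF:"):
            m = JAVA_CAB_RE.search(line)
            if m:
                found.add(tuple(int(x) for x in m.groups()))
    return found


def stale_java(versions, current=CURRENT_JAVA):
    """Registered JRE versions older than `current`, oldest first; each one stays
    reachable by a malicious page until it is uninstalled."""
    return sorted(v for v in versions if v < current)


def fmt_java(v):
    """(1, 6, 0, 2) -> '1.6.0_02', the form used in the DPF URLs and Add/Remove Programs."""
    return "%d.%d.%d_%02d" % v


def created_entries(created_lines):
    """(timestamp, path) per 'Created Last 30' line; size and attribute columns are skipped."""
    matches = [CREATED_RE.match(line) for line in created_lines]
    return [(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"), m.group(2).strip())
            for m in matches if m]


def watchlist_hits(created_lines, watchlist=WATCHLIST):
    """Created paths whose directory components include a watchlisted name."""
    return [(ts, path) for ts, path in created_entries(created_lines)
            if any(w in path.lower().split("\\") for w in watchlist)]


def triage(text):
    """One-shot summary: protection state, stale Java versions, watchlist hits."""
    s = split_sections(text)
    return {
        "protection": protection_status(s.get("", [])),
        "stale_java": [fmt_java(v) for v in stale_java(java_versions(s.get("Pseudo HJT Report", [])))],
        "watchlist": [(ts.isoformat(" "), p) for ts, p in watchlist_hits(s.get("Created Last 30", []))],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run against the sample, the script reports the firewall as disabled, three JRE versions older than 6u14 (so all of them need removing, which is exactly what the next reply in the thread asks for), and the lowsec directory as the one watchlist hit. Comparing version tuples rather than strings is what keeps 1.6.0_13 from sorting after 1.6.0_2.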



#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:02:55 AM

Posted 03 June 2009 - 11:40 PM

Hello, d.n.d. :thumbup2:
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
In your next reply, please include the following:
  • ESET OnlineScan's Log
  • A new DDS.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#9 d.n.d.

  • Topic Starter

  • Members
  • 16 posts

Posted 04 June 2009 - 06:22 PM

I have updated my JRE, and here are the logs as requested:

ESET log:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinIRCBotauf.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\Gary\My Documents\Other stuff\CardTricks143.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\userinit.exe Win32/TrojanDownloader.FakeAlert.TG trojan unable to clean
C:\WINDOWS\system32\wbem\proquota.exe Win32/TrojanDownloader.Bredolab.AA trojan cleaned by deleting - quarantined

DDS Log:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Gary at 18:55:50.93 on Thu 06/04/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1351 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\KADxMain.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Lavalys\EVEREST Ultimate Edition\everest.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\sol.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\temp\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070901
uSearch Page = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
uSearch Bar = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
uDefault_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070901
mDefault_Page_URL = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
mStart Page = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
uInternet Connection Wizard,ShellNext = https://login.live.com/ppsecure/md5auth.srf?lc=1033
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca
mWinlogon: Shell=Explorer.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptcl.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MskAgentexe] c:\program files\mcafee\msk\MskAgent.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [BigDogPath] c:\windows\VM_STI.EXE lebeca web camera driver
mRun: [<NO NAME>]
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\biolsp.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} - hxxp://musicmix.messenger.msn.com/Medialogic.CAB
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229548228656
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229548205531
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: wxvault.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gary\applic~1\mozilla\firefox\profiles\hhtumyeb.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-9-1 144960]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
R2 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2007-9-1 540776]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-9-1 353368]
R2 McRedirector;McAfee Redirector Service;c:\progra~1\common~1\mcafee\redirsvc\redirsvc.exe [2007-9-1 256096]
R2 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-9-1 643664]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-11 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\lavalys\everest ultimate edition\kerneld.wnt [2007-9-9 20856]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-9-1 71496]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-9-1 34184]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-9-1 171240]
R3 mfesmfk;McAfee Inc.;c:\windows\system32\drivers\mfesmfk.sys [2007-9-1 37480]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-12-7 10976]
S3 mferkdk;McAfee Inc.;c:\windows\system32\drivers\mferkdk.sys [2007-9-1 32008]

=============== Created Last 30 ================

2009-06-04 17:23 359,893 a------- c:\temp\dds.scr
2009-05-18 22:22 5,632 a------- c:\windows\system32\ptpusb.dll
2009-05-18 22:22 159,232 a------- c:\windows\system32\ptpusd.dll
2009-05-12 21:29 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-12 21:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-12 18:34 <DIR> --d----- c:\windows\system32\lowsec

==================== Find3M ====================

2009-06-04 15:04 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-28 00:37 14,848 a------- c:\windows\system32\userinit.exe
2009-03-21 10:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll

============= FINISH: 18:56:27.53 ===============
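As an added example that is not part of the original post (and not code from ESET, DDS or BleepingComputer), the Python below parses the ESET OnlineScan result lines and the DDS file-listing lines exactly as printed above and ranks the detections the way a responder would read them: the system binary ESET could not clean (userinit.exe) comes first, cleaned system files next, everything else last. The sample lines are copied from the post, the scan date is the one in the DDS header, and the 90-day "recently modified" window is an assumption.

```python
"""Triage the ESET OnlineScan and DDS logs from the post above.

Added example for this thread, not part of the original post and not code from
ESET, DDS or BleepingComputer. It parses the two log formats as printed above and
ranks detections: an uncleaned file in a Windows system directory (userinit.exe,
which Windows needs at logon) first, cleaned system files next, the rest last."""
import re
from dataclasses import dataclass
from datetime import date

# ESET result line: <path> <threat name> <type> <action>
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.[A-Za-z0-9]{2,4})\s+(?P<threat>.+?)\s+"
    r"(?P<kind>trojan|worm|virus|adware|application)\s+(?P<action>.+?)\s*$",
    re.IGNORECASE,
)
# DDS "Created Last 30" / "Find3M" line: <date> <time> <size|<DIR>> <attrs> <path>
DDS_FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+\d{2}:\d{2}\s+(?:[\d,]+|<DIR>)\s+\S+\s+"
    r"(?P<path>[A-Za-z]:\\.+?)\s*$"
)
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\")
PRIORITY_ORDER = {"critical": 0, "review": 1, "info": 2}

# Sample input constructed from the ESET and DDS logs in the post above.
ESET_SAMPLE = r"""
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinIRCBotauf.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\Gary\My Documents\Other stuff\CardTricks143.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\userinit.exe Win32/TrojanDownloader.FakeAlert.TG trojan unable to clean
C:\WINDOWS\system32\wbem\proquota.exe Win32/TrojanDownloader.Bredolab.AA trojan cleaned by deleting - quarantined
"""
DDS_SAMPLE = r"""
2009-06-04 17:23 359,893 a------- c:\temp\dds.scr
2009-05-12 18:34 <DIR> --d----- c:\windows\system32\lowsec
2009-04-28 00:37 14,848 a------- c:\windows\system32\userinit.exe
2009-03-21 10:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
"""


@dataclass
class Detection:
    path: str
    threat: str
    kind: str
    action: str

    @property
    def cleaned(self) -> bool:
        # ESET prints "cleaned by deleting - quarantined" or "unable to clean"
        return self.action.lower().startswith("cleaned")

    @property
    def in_system_dir(self) -> bool:
        return any(d in self.path.lower() for d in SYSTEM_DIRS)


def parse_eset(text: str) -> list[Detection]:
    """Parse ESET result lines; fail loudly rather than drop a detection."""
    found = []
    for line in filter(str.strip, text.splitlines()):
        m = ESET_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised ESET line: {line!r}")
        found.append(Detection(**m.groupdict()))
    return found


def parse_dds_files(text: str) -> dict[str, date]:
    """Map lower-cased path -> date DDS lists for it."""
    matches = filter(None, map(DDS_FILE_LINE.match, text.splitlines()))
    return {m["path"].lower(): date.fromisoformat(m["date"]) for m in matches}


def triage(eset_text: str, dds_text: str, scan_day: str, recent_days: int = 90) -> list[dict]:
    """Rank ESET detections, cross-referenced with DDS file timestamps."""
    scan, files, report = date.fromisoformat(scan_day), parse_dds_files(dds_text), []
    for d in parse_eset(eset_text):
        modified = files.get(d.path.lower())
        recent = modified is not None and (scan - modified).days <= recent_days
        if not d.cleaned and d.in_system_dir:
            # Still-infected system binary: Windows keeps running it, and deleting
            # it can break logon, so it needs replacing from a known-good copy.
            priority = "critical"
        elif d.in_system_dir or recent:
            priority = "review"
        else:
            priority = "info"
        report.append({"path": d.path, "threat": d.threat, "cleaned": d.cleaned,
                       "modified": modified.isoformat() if modified else None,
                       "recently_modified": recent, "priority": priority})
    return sorted(report, key=lambda r: PRIORITY_ORDER[r["priority"]])


if __name__ == "__main__":
    for row in triage(ESET_SAMPLE, DDS_SAMPLE, "2009-06-04"):
        print(f"[{row['priority']:8}] {row['path']}  ({row['threat']}; "
              f"cleaned={row['cleaned']}, modified={row['modified']})")
```

Run against the sample, userinit.exe is reported as critical and recently modified (37 days before the scan), which is consistent with ComboFix later finding and restoring an infected copy of it.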



#10 Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 06 June 2009 - 03:00 AM

Hello, d.n.d. :thumbup2:
We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without the guidance of an expert.

If this tool helped you, please consider a donation to its author.

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double-click the ComboFix icon on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here :)
NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:
  • ComboFix.txt


#11 d.n.d.

  • Topic Starter

  • Members
  • 16 posts

Posted 06 June 2009 - 10:02 PM

Before I post the ComboFix log, I need to mention a few peculiar things that happened to my computer when I tried to run ComboFix. First, I disabled my McAfee AV and Spybot exactly as the instructions indicated in this link. I proceeded to run ComboFix and it gave me a message telling me that it detected McAfee VirusScan was still running. So I double-checked my McAfee again, and confirmed that I disabled the virus scan etc. as instructed in that link. I hit OK and got to the prompt where I had to click either yes or no in agreement to the warranty disclaimer. Well, at this point McAfee restarted itself for some odd reason.

I proceeded to open McAfee again, and hit no in the ComboFix window, which exited the program. After a long wait McAfee opened, and everything that I disabled was enabled once again. So once again I disabled everything that I was supposed to, and ran ComboFix. This time when I got to the yes/no warranty disclaimer window, McAfee restarted itself again, but it did not change any settings that I changed. Everything was still disabled. So I hit yes and continued, installing the Microsoft Windows Recovery Console. The install went smoothly.

When the scan began, after about a minute McAfee gave me a message saying it blocked the program EICAR (I think) from running, thinking it was a virus. The scan continued and everything went as expected. If I need to run ComboFix again that's fine, but if there's any way to definitely disable McAfee please let me know. Again, I followed the instructions for disabling everything exactly as in that link.

ComboFix log:

ComboFix 09-06-06.01 - Gary 06/06/2009 22:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1409 [GMT -4:00]
Running from: c:\temp\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\drivers\Msft_Kernel_ggsemc_01007.Wdf
c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\x64

----- BITS: Possible infected sites -----

hxxp://www.apexsearchgroup.info
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\stu2.exe

c:\windows\system32\proquota.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-05-07 to 2009-06-07 )))))))))))))))))))))))))))))))
.

2009-06-06 22:57 . 2009-06-06 22:58 3018834 ----a-r- c:\temp\ComboFix.exe
2009-05-19 02:22 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-05-19 02:22 . 2004-08-04 04:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-05-13 01:29 . 2009-05-13 01:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-13 01:29 . 2009-05-13 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-06 23:53 . 2007-09-08 04:43 -------- d-----w- c:\documents and settings\Gary\Application Data\Wave Systems Corp
2009-06-04 19:04 . 2009-01-13 06:42 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-04 19:04 . 2007-09-01 17:01 -------- d-----w- c:\program files\Java
2009-06-03 05:49 . 2007-09-09 12:44 -------- d-----w- c:\documents and settings\Gary\Application Data\U3
2009-05-03 04:19 . 2009-01-07 16:10 -------- d-----w- c:\documents and settings\Gary\Application Data\uTorrent
2009-04-30 05:29 . 2007-09-09 12:56 -------- d-----w- c:\program files\Winamp
2009-04-18 16:04 . 2007-09-09 12:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-05 15:35 . 2009-04-05 15:35 152576 ----a-w- c:\documents and settings\Gary\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-30 13:15 . 2007-09-01 17:26 73544 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-19 17:45 . 2007-09-09 13:16 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 17:45 . 2007-09-09 13:16 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 17:45 . 2007-09-09 13:16 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 17:45 . 2007-09-09 13:16 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 17:45 . 2007-09-09 13:16 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-18 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-18 138008]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"MskAgentexe"="c:\program files\McAfee\MSK\MskAgent.exe" [2007-01-17 152144]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2007-05-14 1191936]
"BigDogPath"="c:\windows\VM_STI.EXE" [2003-01-22 40960]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-04 148888]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-9-1 50688]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-6 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Gary^Start Menu^Programs^Startup^AutoBackup Launcher.lnk]
path=c:\documents and settings\Gary\Start Menu\Programs\Startup\AutoBackup Launcher.lnk
backup=c:\windows\pss\AutoBackup Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Gary^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Gary\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_02\\jre\\bin\\java.exe"=
"c:\\sysreset\\mirc.exe"=
"c:\\Program Files\\Steam\\steamapps\\bossundying\\counter-strike\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ApexDC++\\ApexDC.exe"=
"c:\\Documents and Settings\\Gary\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"c:\\Program Files\\Psiloc\\WirelessPresenter\\PsilocWirelessPresenterDesktop.exe"=

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 3:21 PM 79432]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 6:00 PM 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 1:32 PM 97536]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [9/9/2007 9:04 AM 20856]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [12/7/2008 9:17 PM 10976]
.
Contents of the 'Scheduled Tasks' folder

2009-06-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-09-01 18:32]

2009-05-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-09-01 18:32]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070901
mStart Page = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
uInternet Connection Wizard,ShellNext = https://login.live.com/ppsecure/md5auth.srf?lc=1033
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\biolsp.dll
FF - ProfilePath - c:\documents and settings\Gary\Application Data\Mozilla\Firefox\Profiles\hhtumyeb.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-06 22:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(1008)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(5580)
c:\program files\McAfee\MSK\mskoeplg.dll
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Memeo\AutoBackup\MemeoService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\progra~1\McAfee\VIRUSS~1\mcods.exe
c:\progra~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\stacsv.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
.
**************************************************************************
.
Completion time: 2009-06-07 22:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-07 02:10

Pre-Run: 93,802,913,792 bytes free
Post-Run: 93,799,600,128 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

240 --- E O F --- 2008-09-10 18:05

Edited by d.n.d., 06 June 2009 - 10:06 PM.


#12 Billy O'Neal (Malware Response Team; Visual C++ STL Maintainer; Redmond, Washington)

Posted 08 June 2009 - 08:21 PM

Hello, d.n.d. :thumbup2:
We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    srpeek::
    c:\windows\system32\proquota.exe
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • [Image: dragging CFScript.txt onto ComboFix.exe]
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#13 d.n.d. (Topic Starter)

Posted 12 June 2009 - 10:22 PM

ComboFix 09-06-11.06 - Gary 06/12/2009 23:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1398 [GMT -4:00]
Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gary\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-05-13 to 2009-06-13 )))))))))))))))))))))))))))))))
.

2009-05-19 02:22 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-05-19 02:22 . 2004-08-04 04:56 159232 ----a-w- c:\windows\system32\ptpusd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 23:51 . 2007-09-08 04:43 -------- d-----w- c:\documents and settings\Gary\Application Data\Wave Systems Corp
2009-06-08 14:58 . 2009-01-13 06:42 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-08 14:58 . 2007-09-01 17:01 -------- d-----w- c:\program files\Java
2009-06-03 05:49 . 2007-09-09 12:44 -------- d-----w- c:\documents and settings\Gary\Application Data\U3
2009-05-13 01:33 . 2009-05-13 01:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-13 01:33 . 2009-05-13 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-03 04:19 . 2009-01-07 16:10 -------- d-----w- c:\documents and settings\Gary\Application Data\uTorrent
2009-04-30 05:29 . 2007-09-09 12:56 -------- d-----w- c:\program files\Winamp
2009-04-18 16:04 . 2007-09-09 12:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-05 15:35 . 2009-04-05 15:35 152576 ----a-w- c:\documents and settings\Gary\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-30 13:15 . 2007-09-01 17:26 73544 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-19 17:45 . 2007-09-09 13:16 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 17:45 . 2007-09-09 13:16 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 17:45 . 2007-09-09 13:16 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 17:45 . 2007-09-09 13:16 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 17:45 . 2007-09-09 13:16 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

c:\windows\system32\wbem\proquota.exe [x]
[-] E8EB17836FC7FC0493089B0D7AD0F193 25088 \RP508\A0060583.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-06-07_02.07.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-12 23:48 . 2009-06-12 23:48 16384 c:\windows\Temp\Perflib_Perfdata_6f0.dat
+ 2009-06-07 05:34 . 2009-06-12 23:56 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-09-08 04:36 . 2009-06-07 01:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-09-08 04:36 . 2009-06-12 23:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-09-08 04:36 . 2009-06-12 23:56 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-09-08 04:36 . 2009-06-07 01:34 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-06-08 14:58 . 2009-06-08 14:58 148888 c:\windows\system32\javaws.exe
- 2009-06-04 19:04 . 2009-06-04 19:04 148888 c:\windows\system32\javaws.exe
+ 2009-06-08 14:58 . 2009-06-08 14:58 144792 c:\windows\system32\javaw.exe
- 2009-06-04 19:04 . 2009-06-04 19:04 144792 c:\windows\system32\javaw.exe
+ 2009-06-08 14:58 . 2009-06-08 14:58 144792 c:\windows\system32\java.exe
- 2009-06-04 19:04 . 2009-06-04 19:04 144792 c:\windows\system32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-18 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-18 138008]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"MskAgentexe"="c:\program files\McAfee\MSK\MskAgent.exe" [2007-01-17 152144]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2007-05-14 1191936]
"BigDogPath"="c:\windows\VM_STI.EXE" [2003-01-22 40960]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-08 148888]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-9-1 50688]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-6 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Gary^Start Menu^Programs^Startup^AutoBackup Launcher.lnk]
path=c:\documents and settings\Gary\Start Menu\Programs\Startup\AutoBackup Launcher.lnk
backup=c:\windows\pss\AutoBackup Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Gary^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Gary\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_02\\jre\\bin\\java.exe"=
"c:\\sysreset\\mirc.exe"=
"c:\\Program Files\\Steam\\steamapps\\bossundying\\counter-strike\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ApexDC++\\ApexDC.exe"=
"c:\\Documents and Settings\\Gary\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"c:\\Program Files\\Psiloc\\WirelessPresenter\\PsilocWirelessPresenterDesktop.exe"=

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 3:21 PM 79432]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 6:00 PM 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 1:32 PM 97536]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [9/9/2007 9:04 AM 20856]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [12/7/2008 9:17 PM 10976]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EVERESTDRIVER
.
Contents of the 'Scheduled Tasks' folder

2009-06-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-09-01 18:32]

2009-05-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-09-01 18:32]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=5070901
mStart Page = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
uInternet Connection Wizard,ShellNext = https://login.live.com/ppsecure/md5auth.srf?lc=1033
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\biolsp.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-12 23:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)
c:\windows\system32\wxvault.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(992)
c:\windows\system32\wxvault.dll
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(5156)
c:\program files\McAfee\MSK\mskoeplg.dll
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-13 23:14
ComboFix-quarantined-files.txt 2009-06-13 03:14

Pre-Run: 93,197,058,048 bytes free
Post-Run: 93,157,548,032 bytes free

199 --- E O F --- 2008-09-10 18:05
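Reading a ComboFix report like the one above by eye is error-prone, so here is an added Python example (not part of this thread, and not ComboFix's own tooling) that scans a constructed excerpt in the same layout for the findings a responder checks first: a system file reported missing, an SR_Search path marked "[x]", an AppInit_DLLs value, an extra LSA authentication package beyond msv1_0, silenced Security Center alerts, and a disabled Windows Firewall profile. The sample lines are modelled on the report in this post; the category names and the Finding class are the example's own. A hit is a review item, not a verdict: the same report lists Wave Systems Corp software on this Dell laptop, so the analyst still has to attribute each flagged module to a vendor before acting.

```python
"""Triage helper for ComboFix-style reports (added example, not ComboFix tooling)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt in ComboFix's layout, modelled on the report in this thread.
# Raw string so the Windows backslashes survive unchanged.
SAMPLE_REPORT = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe . . . is missing!!

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

c:\windows\system32\wbem\proquota.exe [x]
[-] E8EB17836FC7FC0493089B0D7AD0F193 25088 \RP508\A0060583.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


@dataclass
class Finding:
    category: str   # example's own category names, see triage() below
    detail: str


# Security Center value names whose dword:00000001 silences a "no AV/firewall" alert.
SECURITY_CENTER_SILENCERS = {
    "antivirusdisablenotify", "firewalldisablenotify",
    "updatesdisablenotify", "disablemonitoring",
}

KEY_RE = re.compile(r"^\[(.+)\]$")                 # a registry key header line
VALUE_RE = re.compile(r'^"?([^"=]+)"?\s*=\s*(.*)$')  # "Name"=value under a key


def triage(report: str) -> List[Finding]:
    """Walk the report line by line, tracking the current registry key."""
    findings: List[Finding] = []
    current_key = ""
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1).lower()
            continue
        # "Other Deletions" section: ComboFix reports a protected file it could not find.
        if line.endswith("is missing!!"):
            findings.append(Finding("missing_system_file", line.split(" . . . ")[0]))
            continue
        # SR_Search: "[x]" marks a searched path that does not exist.
        if line.endswith("[x]"):
            findings.append(Finding("sr_search_not_found", line[:-3].strip()))
            continue
        value = VALUE_RE.match(line)
        if value:
            name, data = value.group(1).strip(), value.group(2).strip()
            lname = name.lower()
            if ("security center" in current_key and lname in SECURITY_CENTER_SILENCERS
                    and data.lower() == "dword:00000001"):
                findings.append(Finding("security_center_silenced", f"{name} under {current_key}"))
            elif lname == "enablefirewall" and data.startswith("0"):
                findings.append(Finding("firewall_disabled", current_key))
            elif lname == "appinit_dlls" and data:
                findings.append(Finding("appinit_dlls_set", data))
            continue
        # LSA: any authentication package besides msv1_0 is third-party code loaded into lsass.
        if current_key.endswith(r"control\lsa") and line.startswith("Authentication Packages"):
            packages = line.split("REG_MULTI_SZ", 1)[1].split()
            extra = [p for p in packages if p.lower() != "msv1_0"]
            if extra:
                findings.append(Finding("lsa_extra_auth_package", ", ".join(extra)))
    return findings


def count_by_category(findings: List[Finding]) -> dict:
    counts: dict = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.category:28} {f.detail}")
```

Run it against a saved C:\ComboFix.txt by passing the file contents to triage(); the categories are deliberately descriptive rather than "malicious", because the AppInit_DLLs and LSA slots are also used by legitimate vendor software and the missing proquota.exe in this thread was handled by reinstalling from Windows media, not by deleting anything.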

#14 Billy O'Neal (Malware Response Team)

Posted 14 June 2009 - 12:23 AM

An important windows file is missing from your system. Do you have a windows installation media available?

Billy3

#15 d.n.d. (Topic Starter)

Posted 14 June 2009 - 11:53 PM

erm you mean like a recovery disc correct? if so then yes it came with my laptop.

is it safe to use it? i dont think my computer restarted after running combofix again but i would rather not assume things.

Edited by d.n.d., 14 June 2009 - 11:55 PM.

