Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I think I have the Antivirus 2009


  • This topic is locked This topic is locked
7 replies to this topic

#1 latinageek

latinageek

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:26 AM

Posted 18 June 2009 - 02:08 PM

My computer started to freeze after it finished loading the desktop icons. I ran Ad-Aware in safe mode and it detected about 70 objects. I also ran Hijack This and saw 2 HOSTS entries with the Antivirus 2009 and deleted them. I restarted the computer and am now able to work in normal mode without freezing anymore. I was able to connect to my wireless lan so that I could jump on your forum. However, at this point I am completely lost.

DDS (Ver_09-05-14.01) - NTFSx86
Run by imelda leal at 13:58:47.10 on 2009-06-18
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2308 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\dldoserv.exe
C:\WINDOWS\system32\dldocoms.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\TrustedID\Identity Theft Protection\agent\Bin\SanaSafeConnectWatcher.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Event Agent\bin\spoolsv .exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\TrustedID\Identity Theft Protection\agent\Bin\SanaAgent.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\COMMON~1\AOL\120560~1\EE\AOLHOS~1.EXE
C:\Program Files\Dell 968 AIO Printer\memcard.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\COMMON~1\AOL\120560~1\EE\AOLServiceHost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\TrustedID\Identity Theft Protection\agent\bin\SanaSafeConnect.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\TrustedID\Identity Theft Protection\agent\bin\SanaMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\Event Agent\bin\services .exe
C:\WINDOWS\system32\Event Agent\lsass .exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Documents and Settings\imelda leal\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://memorial.mcallenisd.org/
uInternet Settings,ProxyOverride = *.local
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [WeatherDPA] "c:\program files\zango\bin\10.3.75.0\Weather.exe" -auto
uRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p7 /q c:\docume~1\imelda~1\locals~1\temp\hsperf~1.sh! c:\docume~1\imelda~1\locals~1\tempor~1\content.ie5\7ntocn70\pb_1_~1.sh! c:\docume~1\imelda~1\locals~1\tempor~1\content.ie5\kx2e23m7\extern~2.sh! c:\docume~1\imelda~1\locals~1\tempor~1\content.ie5\kx2e23m7\INDEX_~2.SH!
uRun: [system tool] c:\windows\sysguard.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [HostManager] c:\program files\common files\aol\1205605828\ee\AOLHostManager.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [dldomon.exe] "c:\program files\dell 968 aio printer\dldomon.exe"
mRun: [MemoryCardManager] "c:\program files\dell 968 aio printer\memcard.exe"
mRun: [Dell 968 AIO Printer Fax Server] "c:\program files\dell 968 aio printer\fm3032.exe" /s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SanaSafeConnect] "c:\program files\trustedid\identity theft protection\agent\bin\SanaSafeConnect.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\docume~1\imelda~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventr~1.lnk - c:\program files\the print shop 23\Remind.exe
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: Event Agent - CustomEvents.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-11 64160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-15 214024]
R2 dldo_device;dldo_device;c:\windows\system32\dldocoms.exe -service --> c:\windows\system32\dldocoms.exe -service [?]
R2 dldoCATSCustConnectService;dldoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldoserv.exe [2007-10-5 99568]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1005904]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-3-15 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-3-15 144704]
R2 SanaSafeConnectAgent;SanaSafeConnectAgent;c:\program files\trustedid\identity theft protection\agent\bin\SanaAgent.exe [2008-3-21 4937240]
R2 SanaSafeConnectWatcher;SanaSafeConnectWatcher;c:\program files\trustedid\identity theft protection\agent\bin\SanaSafeConnectWatcher.exe [2008-3-21 539160]
R2 System Event Agent;System Event Agent;c:\windows\system32\event agent\bin\spoolsv .exe [2007-12-8 102400]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-3-15 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-15 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-15 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-15 40552]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-3-15 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-3-15 7424]
R3 SanaSafeConnectDriver;SanaSafeConnectDriver;c:\program files\trustedid\identity theft protection\agent\driver\platform_xp\SafeConnectDriver.sys [2008-3-21 161304]
R3 SanaSafeConnectFilter;SanaSafeConnectFilter;c:\program files\trustedid\identity theft protection\agent\driver\platform_xp\SafeConnectFilter.sys [2008-3-21 29720]
R3 SanaSafeConnectShim;SanaSafeConnectShim;c:\program files\trustedid\identity theft protection\agent\driver\platform_xp\SafeConnectShim.sys [2008-3-21 27376]
R3 WOEM_3_2a;WinPcap Packet Driver (WOEM_3_2a);c:\windows\system32\drivers\woem_3_2a.sys --> c:\windows\system32\drivers\WOEM_3_2a.sys [?]
S?4 podmenadrv;podmenadrv;\??\c:\program files\podmena\podmena.sys --> c:\program files\podmena\podmena.sys [?]
S2 gupdate1c9945ba99dd3fc;Google Update Service (gupdate1c9945ba99dd3fc);c:\program files\google\update\GoogleUpdate.exe [2009-2-21 133104]
S2 podmena;podmena;c:\windows\system32\svchost.exe -k podmena [2004-8-11 14336]
S3 mam4410c;mam4410c;c:\windows\system32\drivers\mam4410c.sys [2008-7-30 24784]
S3 mam4410m;mam4410m;c:\windows\system32\drivers\mam4410m.sys [2008-7-30 25044]
S3 mam4410u;mam4410u;c:\windows\system32\drivers\mam4410u.sys [2008-7-30 52309]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-15 34216]

=============== Created Last 30 ================

2009-06-17 22:47 90,112 a------- c:\windows\system32\WOEM_3_2awoem.tmp
2009-06-11 21:04 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-11 20:51 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-11 20:48 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-09 23:43 2 ----h--- c:\windows\ro122390.dat
2009-06-09 23:43 <DIR> --d----- c:\program files\podmena
2009-06-09 23:43 2 ----h--- c:\windows\ro122366.dat
2009-06-09 23:43 2 ----h--- c:\windows\ro122458.dat
2009-06-09 23:43 193 a------- C:\d45.bat
2009-06-07 14:23 <DIR> --d----- c:\docume~1\imelda~1\applic~1\Octoshape
2009-06-06 12:45 <DIR> --d----- c:\program files\iPod
2009-06-06 12:45 <DIR> --d----- c:\program files\iTunes
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts
2009-05-23 02:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

==================== Find3M ====================

2009-06-04 23:38 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-26 20:16 0 a------- c:\docume~1\imelda~1\applic~1\wklnhst.dat
2008-09-19 13:38 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091920080920\index.dat

============= FINISH: 13:59:17.69 ===============

Your help is appreciated.

Attached Files



BC AdBot (Login to Remove)

 


#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:26 PM

Posted 24 June 2009 - 08:37 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 latinageek

latinageek
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:26 AM

Posted 25 June 2009 - 01:23 PM

My laptop was freezing everytime I restarted. I ran the HijackThis on safemode and deleted two entries HOSTS that referenced Antivirus 2009. I restarted my laptop and it did not freeze again. I know I did not take care of the problem permanently and need your help. Here is the result of DDS:

DDS (Ver_09-05-14.01) - NTFSx86
Run by imelda leal at 13:14:51.46 on 2009-06-25
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2241 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\dldoserv.exe
C:\WINDOWS\system32\dldocoms.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\TrustedID\Identity Theft Protection\agent\Bin\SanaSafeConnectWatcher.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Event Agent\bin\spoolsv .exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\TrustedID\Identity Theft Protection\agent\Bin\SanaAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\Event Agent\bin\services .exe
C:\WINDOWS\system32\Event Agent\lsass .exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\120560~1\EE\AOLHOS~1.EXE
C:\Program Files\Dell 968 AIO Printer\memcard.exe
C:\PROGRA~1\COMMON~1\AOL\120560~1\EE\AOLServiceHost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\TrustedID\Identity Theft Protection\agent\bin\SanaSafeConnect.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\TrustedID\Identity Theft Protection\agent\bin\SanaMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\imelda leal\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://memorial.mcallenisd.org/
uInternet Settings,ProxyOverride = *.local
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [WeatherDPA] "c:\program files\zango\bin\10.3.75.0\Weather.exe" -auto
uRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p7 /q c:\docume~1\imelda~1\locals~1\temp\hsperf~1.sh! c:\docume~1\imelda~1\locals~1\tempor~1\content.ie5\7ntocn70\pb_1_~1.sh! c:\docume~1\imelda~1\locals~1\tempor~1\content.ie5\kx2e23m7\extern~2.sh! c:\docume~1\imelda~1\locals~1\tempor~1\content.ie5\kx2e23m7\INDEX_~2.SH!
uRun: [system tool] c:\windows\sysguard.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [HostManager] c:\program files\common files\aol\1205605828\ee\AOLHostManager.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [dldomon.exe] "c:\program files\dell 968 aio printer\dldomon.exe"
mRun: [MemoryCardManager] "c:\program files\dell 968 aio printer\memcard.exe"
mRun: [Dell 968 AIO Printer Fax Server] "c:\program files\dell 968 aio printer\fm3032.exe" /s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SanaSafeConnect] "c:\program files\trustedid\identity theft protection\agent\bin\SanaSafeConnect.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\docume~1\imelda~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventr~1.lnk - c:\program files\the print shop 23\Remind.exe
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: Event Agent - CustomEvents.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\imelda~1\applic~1\mozilla\firefox\profiles\1iaqq5tq.default\
FF - plugin: c:\documents and settings\imelda leal\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-11 64160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-15 214024]
R2 dldo_device;dldo_device;c:\windows\system32\dldocoms.exe -service --> c:\windows\system32\dldocoms.exe -service [?]
R2 dldoCATSCustConnectService;dldoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldoserv.exe [2007-10-5 99568]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1003344]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-3-15 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-3-15 144704]
R2 SanaSafeConnectAgent;SanaSafeConnectAgent;c:\program files\trustedid\identity theft protection\agent\bin\SanaAgent.exe [2008-3-21 4937240]
R2 SanaSafeConnectWatcher;SanaSafeConnectWatcher;c:\program files\trustedid\identity theft protection\agent\bin\SanaSafeConnectWatcher.exe [2008-3-21 539160]
R2 System Event Agent;System Event Agent;c:\windows\system32\event agent\bin\spoolsv .exe [2007-12-8 102400]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-3-15 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-15 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-15 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-15 40552]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-3-15 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-3-15 7424]
R3 SanaSafeConnectDriver;SanaSafeConnectDriver;c:\program files\trustedid\identity theft protection\agent\driver\platform_xp\SafeConnectDriver.sys [2008-3-21 161304]
R3 SanaSafeConnectFilter;SanaSafeConnectFilter;c:\program files\trustedid\identity theft protection\agent\driver\platform_xp\SafeConnectFilter.sys [2008-3-21 29720]
R3 SanaSafeConnectShim;SanaSafeConnectShim;c:\program files\trustedid\identity theft protection\agent\driver\platform_xp\SafeConnectShim.sys [2008-3-21 27376]
R3 WOEM_3_2a;WinPcap Packet Driver (WOEM_3_2a);c:\windows\system32\drivers\woem_3_2a.sys --> c:\windows\system32\drivers\WOEM_3_2a.sys [?]
S2 gupdate1c9945ba99dd3fc;Google Update Service (gupdate1c9945ba99dd3fc);c:\program files\google\update\GoogleUpdate.exe [2009-2-21 133104]
S2 podmena;podmena;c:\windows\system32\svchost.exe -k podmena [2004-8-11 14336]
S3 mam4410c;mam4410c;c:\windows\system32\drivers\mam4410c.sys [2008-7-30 24784]
S3 mam4410m;mam4410m;c:\windows\system32\drivers\mam4410m.sys [2008-7-30 25044]
S3 mam4410u;mam4410u;c:\windows\system32\drivers\mam4410u.sys [2008-7-30 52309]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-15 34216]

=============== Created Last 30 ================

2009-06-24 18:58 90,112 a------- c:\windows\system32\WOEM_3_2awoem.tmp
2009-06-24 12:12 <DIR> --dsh--- c:\windows\system32\lowsec
2009-06-11 21:04 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-11 20:51 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-11 20:48 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-09 23:43 2 ----h--- c:\windows\ro122390.dat
2009-06-09 23:43 <DIR> --d----- c:\program files\podmena
2009-06-09 23:43 2 ----h--- c:\windows\ro122366.dat
2009-06-09 23:43 2 ----h--- c:\windows\ro122458.dat
2009-06-09 23:43 193 a------- C:\d45.bat
2009-06-07 14:23 <DIR> --d----- c:\docume~1\imelda~1\applic~1\Octoshape
2009-06-06 12:45 <DIR> --d----- c:\program files\iPod
2009-06-06 12:45 <DIR> --d----- c:\program files\iTunes
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-06-21 22:44 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2008-10-26 20:16 0 a------- c:\docume~1\imelda~1\applic~1\wklnhst.dat
2008-09-19 13:38 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091920080920\index.dat

============= FINISH: 13:17:01.04 ===============

Thank you for your help.

Attached Files



#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:26 PM

Posted 26 June 2009 - 03:40 PM

Hi latinageek,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Your computer is still infected.

Note that ComboFix should be run just once as I want to see the log of the first run. Only if it didn't run change the name of ComboFix you have downloaded to lat.exe and run it.
  • I see Browser Address Error Redirector is installed. This is usually preinstalled on Dell computer without the consent of the user. You may uninstall it via Add/Remove programs. If you decide to uninstall it also remove the following folder: C:\Program Files\BAE

  • If you don't use a Dial-up connection you may uninstall the following program:

    NetWaiting

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#5 latinageek

latinageek
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:26 AM

Posted 27 June 2009 - 02:36 PM

I followed the instructions for combo fix and below is my log:

ComboFix 09-06-26.02 - imelda leal 2009-06-27 14:05.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2594 [GMT -5:00]
Running from: c:\documents and settings\imelda leal\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\imelda leal\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\podmena
c:\windows\ro122366.dat
c:\windows\ro122390.dat
c:\windows\ro122458.dat
c:\windows\system32\drivers\SKYNETujnapsnj.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\SKYNETbwykvvem.dll
c:\windows\system32\SKYNETkbknyjit.dat
c:\windows\system32\SKYNETtntyygfy.dat
c:\windows\system32\SKYNETxfeelkft.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PODMENA
-------\Legacy_PODMENADRV
-------\Service_podmena


((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-06-27 )))))))))))))))))))))))))))))))
.

2009-06-26 14:31 . 2009-06-26 14:31 49 ---h--w- C:\POPMENU.BAT
2009-06-26 14:30 . 2009-06-26 14:31 -------- d--h--w- c:\windows\system32\Event Agent
2009-06-25 23:49 . 2009-06-25 23:49 488960 ----a-w- c:\documents and settings\imelda leal\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv302-0811070-0-main.dll
2009-06-25 23:49 . 2009-06-25 23:49 319488 ----a-w- c:\documents and settings\imelda leal\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-06-19 01:52 . 2009-06-19 01:52 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-19 01:52 . 2009-06-19 01:52 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-19 01:52 . 2009-06-19 01:52 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-19 01:52 . 2009-06-19 01:52 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-19 01:52 . 2009-06-19 01:52 296800 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-19 01:52 . 2009-06-19 01:52 1630048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-19 01:52 . 2009-06-19 01:52 72704 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-06-19 01:52 . 2009-06-19 01:52 640360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-19 01:52 . 2009-06-19 01:52 561016 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-19 01:51 . 2009-06-19 01:51 565096 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-19 01:51 . 2009-06-19 01:51 2349384 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-19 01:51 . 2009-06-19 01:51 627536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-19 01:51 . 2009-06-19 01:51 518488 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-19 01:51 . 2009-06-19 01:51 1003344 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-18 03:12 . 2009-06-18 03:12 -------- d-----w- c:\documents and settings\abel leal\Local Settings\Application Data\Powercinema
2009-06-12 02:04 . 2009-06-12 01:51 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-12 01:51 . 2009-06-12 01:51 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-12 01:51 . 2009-06-12 01:51 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-12 01:51 . 2009-06-12 01:51 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-12 01:51 . 2009-06-12 01:51 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-12 01:51 . 2009-06-12 01:51 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-12 01:51 . 2009-06-12 01:51 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-12 01:48 . 2009-06-12 01:48 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-12 01:48 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-10 04:43 . 2009-06-10 04:43 193 ----a-w- C:\d45.bat
2009-06-07 19:25 . 2009-05-28 12:20 655872 ----a-w- c:\documents and settings\imelda leal\Application Data\Octoshape\Octoshape Streaming Services\pmv304-0905281-0-libOctoshapeClient.dll
2009-06-07 19:23 . 2009-06-07 19:23 120088 ----a-w- c:\documents and settings\imelda leal\Application Data\Mozilla\Plugins\npoctoshape.dll
2009-06-07 19:23 . 2009-06-04 10:03 120088 ----a-w- c:\documents and settings\imelda leal\Application Data\Octoshape\Octoshape Streaming Services\sua-0906040-0-npoctoshape.dll
2009-06-07 19:23 . 2009-01-08 13:44 70936 ----a-w- c:\documents and settings\imelda leal\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
2009-06-07 19:23 . 2009-06-07 19:23 -------- d-----w- c:\documents and settings\imelda leal\Application Data\Octoshape
2009-06-07 19:23 . 2009-06-04 10:03 396288 ----a-w- c:\documents and settings\imelda leal\Application Data\Octoshape\Octoshape Streaming Services\sua-0906040-0-libOctoshapeClient.dll
2009-06-07 19:23 . 2009-06-04 10:03 124184 ----a-w- c:\documents and settings\imelda leal\Application Data\Octoshape\Octoshape Streaming Services\sua-0906040-0-apoctoshape.dll
2009-06-06 17:45 . 2009-06-06 17:45 -------- d-----w- c:\program files\iPod
2009-06-06 17:45 . 2009-06-06 17:45 -------- d-----w- c:\program files\iTunes
2009-06-06 17:42 . 2009-06-24 19:18 -------- d-----w- c:\program files\QuickTime
2009-06-06 17:36 . 2009-06-06 17:36 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 19:15 . 2009-06-27 19:15 90112 ----a-w- c:\windows\system32\WOEM_3_2awoem.tmp
2009-06-27 19:02 . 2008-09-08 04:31 -------- d-----w- c:\program files\SealedMedia
2009-06-27 19:02 . 2009-02-21 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-27 15:17 . 2008-03-15 18:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-27 15:06 . 2008-03-15 18:13 -------- d-----w- c:\program files\Dell
2009-06-27 00:15 . 2008-03-15 18:21 -------- d-----w- c:\program files\Google
2009-06-24 03:50 . 2009-03-03 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-22 03:44 . 2008-04-02 12:28 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-22 03:03 . 2008-04-02 12:28 -------- d-----w- c:\documents and settings\imelda leal\Application Data\Corel
2009-06-22 02:55 . 2008-04-02 12:28 88 --sh--r- c:\windows\system32\1016B4E3C7.sys
2009-06-21 06:18 . 2009-06-21 06:18 2443968 ----a-w- c:\documents and settings\All Users\SPL77A.tmp
2009-06-18 03:12 . 2008-04-12 03:00 -------- d-----w- c:\documents and settings\abel leal\Application Data\CyberLink
2009-06-12 01:48 . 2008-12-10 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-10 10:24 . 2009-05-02 19:39 -------- d-----w- c:\program files\Web Publish
2009-06-06 17:45 . 2009-03-03 04:59 -------- d-----w- c:\program files\Common Files\Apple
2009-05-30 15:10 . 2008-04-03 04:53 -------- d-----w- c:\documents and settings\imelda leal\Application Data\U3
2009-05-29 18:36 . 2009-04-04 04:50 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-29 18:36 . 2009-03-03 04:59 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-23 07:36 . 2009-05-23 07:36 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-23 07:26 . 2009-04-04 04:41 -------- d-----w- c:\program files\Safari
2009-05-11 04:15 . 2009-05-11 01:53 -------- d-----w- c:\program files\Garmin
2009-05-11 04:14 . 2009-05-11 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\GARMIN
2009-05-11 04:14 . 2009-05-11 01:54 -------- d-----w- c:\documents and settings\imelda leal\Application Data\GARMIN
2009-05-11 04:06 . 2009-05-11 02:15 -------- d-----w- c:\documents and settings\imelda leal\Application Data\Download Manager
2009-05-11 01:53 . 2009-05-11 01:53 -------- d-----w- c:\program files\Garmin GPS Plugin
2009-05-11 01:53 . 2009-05-11 01:53 -------- d-----w- c:\program files\DIFX
2009-05-11 01:28 . 2009-05-11 01:28 -------- d-----w- c:\program files\TrustedID
2009-05-11 01:27 . 2009-05-11 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-05-07 04:25 . 2008-07-02 11:35 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-02 19:46 . 2008-03-15 18:35 366544 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-02 19:46 . 2009-05-02 19:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Broderbund Software
2009-05-02 19:46 . 2009-05-02 19:35 -------- d-----w- c:\program files\The Print Shop 23
2009-05-02 19:37 . 2009-05-02 19:35 -------- d-----w- c:\program files\Common Files\Broderbund
2009-04-15 22:57 . 2009-04-15 22:57 17666877 ----a-w- c:\documents and settings\All Users\SPL6B1.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-07 68856]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-10 851968]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-10 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-10 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-10 137752]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-03 1228800]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"HostManager"="c:\program files\Common Files\AOL\1205605828\EE\AOLHostManager.exe" [2004-11-03 125528]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-10-20 34904]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 79448]
"dldomon.exe"="c:\program files\Dell 968 AIO Printer\dldomon.exe" [2007-10-05 455920]
"MemoryCardManager"="c:\program files\Dell 968 AIO Printer\memcard.exe" [2007-10-05 410864]
"Dell 968 AIO Printer Fax Server"="c:\program files\Dell 968 AIO Printer\fm3032.exe" [2007-10-05 312560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-02 1529856]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"SanaSafeConnect"="c:\program files\TrustedID\Identity Theft Protection\agent\bin\SanaSafeConnect.exe" [2008-03-21 1378840]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-19 518488]
"Event Agent"="c:\windows\system32\Event Agent\bin\smss .exe" [2009-04-22 323652]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-07-10 405504]

c:\documents and settings\abel leal\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\imelda leal\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-15 50688]
Event Reminder.lnk - c:\program files\The Print Shop 23\Remind.exe [2008-7-16 344064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Event Agent]
2007-09-25 04:27 53248 ----a-w- c:\windows\system32\CustomEvents.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1205605828\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\dldomon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldopswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldotime.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\dldoaiox.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\Wireless\\dldowpss.exe"=
"c:\\WINDOWS\\system32\\dldocfg.exe"=
"c:\\WINDOWS\\system32\\dldocoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldojswx.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldowbgw.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\DLDOFax.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\Event Agent\\bin\\services .exe"=
"c:\\WINDOWS\\system32\\Event Agent\\bin\\spoolsv .exe"=
"c:\\WINDOWS\\system32\\Event Agent\\lite.exe"=
"c:\\WINDOWS\\system32\\Event Agent\\bin\\smss .exe"=
"c:\\WINDOWS\\system32\\Event Agent\\bin\\EventAgentRegistry.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"8085:TCP"= 8085:TCP:podmena

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-06-11 64160]
R2 dldo_device;dldo_device;c:\windows\system32\dldocoms.exe -service --> c:\windows\system32\dldocoms.exe -service [?]
R2 dldoCATSCustConnectService;dldoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldoserv.exe [2007-10-05 99568]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 1003344]
R2 SanaSafeConnectAgent;SanaSafeConnectAgent;c:\program files\TrustedID\Identity Theft Protection\agent\Bin\SanaAgent.exe [2008-03-21 4937240]
R2 SanaSafeConnectWatcher;SanaSafeConnectWatcher;c:\program files\TrustedID\Identity Theft Protection\agent\Bin\SanaSafeConnectWatcher.exe [2008-03-21 539160]
R2 System Event Agent;System Event Agent;c:\windows\system32\Event Agent\Bin\spoolsv .exe [2007-12-08 102400]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-03-15 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-03-15 7424]
R3 SanaSafeConnectDriver;SanaSafeConnectDriver;c:\program files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectDriver.sys [2008-03-21 161304]
R3 SanaSafeConnectFilter;SanaSafeConnectFilter;c:\program files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectFilter.sys [2008-03-21 29720]
R3 SanaSafeConnectShim;SanaSafeConnectShim;c:\program files\TrustedID\Identity Theft Protection\agent\driver\platform_XP\SafeConnectShim.sys [2008-03-21 27376]
R3 WOEM_3_2a;WinPcap Packet Driver (WOEM_3_2a);c:\windows\system32\drivers\WOEM_3_2a.sys --> c:\windows\system32\drivers\WOEM_3_2a.sys [?]
S2 gupdate1c9945ba99dd3fc;Google Update Service (gupdate1c9945ba99dd3fc);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-21 133104]
S3 mam4410c;mam4410c;c:\windows\system32\drivers\mam4410c.sys [2008-07-30 24784]
S3 mam4410m;mam4410m;c:\windows\system32\drivers\mam4410m.sys [2008-07-30 25044]
S3 mam4410u;mam4410u;c:\windows\system32\drivers\mam4410u.sys [2008-07-30 52309]
.
Contents of the 'Scheduled Tasks' folder

2009-06-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:51]

2009-06-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-06-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-06 15:13]

2009-06-27 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-21 19:36]

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-15 15:53]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-15 15:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://memorial.mcallenisd.org/
uInternet Settings,ProxyOverride = *.local
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
FF - ProfilePath - c:\documents and settings\imelda leal\Application Data\Mozilla\Firefox\Profiles\1iaqq5tq.default\
FF - plugin: c:\documents and settings\imelda leal\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-27 14:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\jabovazo.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
@DACL=(02 0000)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)
c:\windows\system32\CustomEvents.dll

- - - - - - - > 'explorer.exe'(3624)
c:\program files\Common Files\AOL\ACS\WLHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\system32\dldocoms.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\PSIService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\Event Agent\Bin\services .exe
c:\windows\system32\Event Agent\lsass .exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\COMMON~1\AOL\120560~1\EE\AOLServiceHost.exe
c:\program files\TrustedID\Identity Theft Protection\agent\Bin\SanaMonitor.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-06-27 14:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-27 19:31
ComboFix2.txt 2008-12-20 21:47

Pre-Run: 196,874,760,192 bytes free
Post-Run: 197,276,078,080 bytes free

343 --- E O F --- 2008-12-24 09:00

Thanks again for your assistance.

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:26 PM

Posted 27 June 2009 - 06:38 PM

Well done. :thumbup2:

ComboFix is run twice before, but it has done what was expected to do.
  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    File::
    c:\windows\system32\jabovazo.dll
    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}]
    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "8085:TCP"=-
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall


  • Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.



#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:26 PM

Posted 03 July 2009 - 11:14 AM

Are you still there?

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:26 PM

Posted 04 July 2009 - 05:49 PM

This thread will now be closed due to lack of activity.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users