Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack This log and other problem


  • Please log in to reply
11 replies to this topic

#1 Daddys_Jewel

Daddys_Jewel

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 03 July 2009 - 06:42 PM

I woke up this morning to find ou that I probably had a virus. I got the NT Authority thing that shut down my computer. Somehow I was able to reboot. I went to Microsoft and did their Live OneCare scan as my McAfee didn't find anything. Microsoft found the following problems:

Backdoor:WinNT/Rustock.gen!B
PWS:Win32/zbot.gen!R
VirTool:Win32/obfuscator.ET

I opted to have them removed, which it said it successfully did. But when I rebooted, I got an error message for every program that tried to open. Here is a sample of the message (I got this one by opening Irfanview so I could show you).

Posted Image

I get this message every time something tries to execute. (This problem kept me from running the DDS Tool this forum recommended.)

I was able to download Hijack This and get a log report that I'm posting below.

I have Windows XP Professional, version 2002, SP3

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:19:46 PM, on 7/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070223
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] "rundll32.exe" nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] "C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [hpppta] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe" /ICON
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [hpqSRMon] "C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.davidrumsey.com
O15 - Trusted Zone: http://*.mcafee.com (HKLM)
O15 - Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - Trusted Zone: http://www.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://*.mcafee.com (HKLM)
O15 - ESC Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://www.mcafeeasap.com (HKLM)
O16 - DPF: {00120000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (12.1)) - file://D:\Julie\Health\ltocx12n.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Super Mah Jong Solitaire\Images\stg_drm.ocx
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1215548044421
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Super Mah Jong Solitaire\Images\armhelper.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 14042 bytes

Any advice would be greatly appreciated. I'm not very computer savvy, but I'll do my best to follow instructions posted. Thank you in advance.

BC AdBot (Login to Remove)

 


#2 Daddys_Jewel

Daddys_Jewel
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 03 July 2009 - 09:39 PM

I read some other posts made by other users with similar problems. I ran Malwarebytes and got the following log:

Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

Files Infected:
c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.
c:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> No action taken.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> No action taken.

I had it remove the infections, and it said it successfully removed them. Apparently it didn't get the real culprit because when I rebooted I still got the same "invalid Windows image" error box.

Any suggestions? Thank you.

Edited by Daddys_Jewel, 03 July 2009 - 09:40 PM.


#3 Daddys_Jewel

Daddys_Jewel
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 03 July 2009 - 09:55 PM

Gosh, I had to X out the "image error" box the full time I was doing the DDS scan, but I finally got it. I hope I'm doing this right. I'm posting the one log, and saved the other one that I will attach if asked.

DDS (Ver_09-06-26.01) - NTFSx86
Run by Julie Pickett at 20:49:24.51 on Fri 07/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.507 [GMT -6:00]

AV: Total Protection Service *On-access scanning enabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}
FW: Total Protection Service *enabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Julie Pickett\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6173\SiteAdv.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6173\SiteAdv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} -
TB: {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - No File
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] "rundll32.exe" nvHotkey.dll,Start
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Document Manager] "c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [hpppta] "c:\program files\hewlett-packard\hp precisionscan\precisionscan pro\hpppta.exe" /ICON
mRun: [HPHmon03] c:\windows\system32\hphmon03.exe
mRun: [hpqSRMon] "c:\program files\hp\digital imaging\bin\hpqSRMon.exe"
mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [MVS Splash] c:\program files\mcafee\managed virusscan\agent\Splash.exe
mRun: [McAfee Managed Services Tray] "c:\program files\mcafee\managed virusscan\agent\StartMyagtTry.exe"
mRun: [SiteAdvisor] c:\program files\siteadvisor\6173\SiteAdv.exe
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\totalmedia backup & record\uBBMonitor.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: davidrumsey.com\www
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {00120000-B1BA-11CE-ABC6-F5B2E79D9E3F} - file://d:\julie\health\ltocx12n.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\super mah jong solitaire\images\stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215548044421
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\super mah jong solitaire\images\armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt4.7.0.752.dll
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6173\SiteAdv.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 wvauth
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-21 64160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-22 213768]
R2 EngineServer;EngineServer;c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [2009-3-22 14144]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R2 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2009-3-22 540776]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2009-3-22 175704]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [2007-3-9 23200]
R3 McShield;McShield;c:\progra~1\mcafee\manage~1\vscan\McShield.exe [2009-3-22 144704]
R3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\MfeAVFK.sys [2009-3-22 79880]
R3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\MfeBOPK.sys [2009-3-22 35272]
RUnknown vebkz;vebkz; [x]
S2 tiwpudcrdwslp;tiwpudcrdwslp;\??\c:\windows\system32\drivers\drujm.sys --> c:\windows\system32\drivers\drujm.sys [?]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2007-3-13 18864]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-10-27 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-10-27 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-10-27 81288]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\MfeRKDK.sys [2009-3-22 34216]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-10-27 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-10-27 1079176]

=============== Created Last 30 ================

2009-07-03 17:19 <DIR> --d----- c:\program files\Trend Micro
2009-06-15 20:08 20 a------- c:\windows\HP PrecisionScan Pro.INI

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-02 18:41 66,201 a------- c:\windows\system32\nvModes.dat
2009-05-22 22:45 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-22 22:44 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-12 21:18 621,151 a------- c:\program files\Belkin.zip
2009-05-10 07:52 545,936 a------- c:\program files\TaskswitchPowertoySetup.exe
2009-05-10 07:50 526,448 a------- c:\program files\MagnifierPowertoySetup.exe
2009-05-10 07:39 532,616 a------- c:\program files\ImageResizerPowertoySetup.exe
2009-05-07 09:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 09:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-28 22:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 22:56 827,392 -------- c:\windows\system32\dllcache\wininet.dll
2009-04-28 22:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-28 22:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-28 22:56 1,159,680 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-28 22:56 671,232 -------- c:\windows\system32\dllcache\mstime.dll
2009-04-28 22:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-28 22:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-28 22:56 3,596,288 -------- c:\windows\system32\dllcache\mshtml.dll
2009-04-28 22:56 477,696 -------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-28 22:56 193,024 -------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 03:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 03:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-24 23:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-24 23:26 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-04-21 09:03 614 a------- c:\documents and settings\julie pickett\jobq.dat
2009-04-17 06:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 06:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 08:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 08:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-03-22 18:37 1,687,360 a------- c:\program files\TOPSBDM.exe
2009-03-21 00:31 37,452,296 a------- c:\program files\Ad-AwareAE.exe
2009-03-01 08:48 26,404,188 a------- c:\program files\FSIndexing_Setup.exe
2009-02-03 10:42 2,058,849 a------- c:\program files\ieSpellSetup251106.exe
2008-11-28 06:47 7,508,624 a------- c:\program files\Firefox Setup 3.0.4.exe
2008-09-13 14:34 76,576,104 a------- c:\program files\Zoombrowser 6.1.exe
2008-09-12 20:47 20,989,952 a------- c:\program files\Family archive viewer.exe
2008-08-21 09:23 299,294,000 a------- c:\program files\ADBEDRWVCS3_WWE.exe
2008-08-21 00:17 7,281,152 a------- c:\program files\irfanview_plugins_420_setup.exe
2008-08-21 00:05 1,305,600 a------- c:\program files\iview420_setup.exe
2008-08-19 20:40 17,950,304 a------- c:\program files\gimp-2.4.6-i686-setup.exe
2008-08-16 20:30 9,132,408 a------- c:\program files\bookcollectorsetup_10077703.exe
2008-08-09 14:21 9,627,504 a------- c:\program files\yahoo_bejeweled2_tm6-2.exe
2008-08-09 11:14 9,627,504 a------- c:\program files\yahoo_bejeweled2_tm6-2b.exe
2008-08-08 00:17 63,530,280 a------- c:\program files\iTunesSetup.exe
2008-07-21 23:34 39,910 a------- c:\program files\gzip.exe
2008-07-11 21:56 34,130,184 a------- c:\program files\GoogleSketchUpWEN.exe
2008-07-08 13:22 1,077,448 a------- c:\program files\RegCureSetup_1501_CB.exe
2008-06-11 16:45 10,091,750 a------- c:\program files\PAF5EnglishSetup.exe
2008-06-07 00:05 6,039,048 a------- c:\program files\Firefox Setup 2.0.0.14.exe
2008-05-11 00:02 23,510,720 a------- c:\program files\dotnetfx.exe
2008-05-10 22:58 33,364,256 a------- c:\program files\ArcGISExplorerDownload.exe
2008-02-12 21:00 25,685,128 a------- c:\program files\wordview_en-us.exe
2007-12-28 13:20 57,344 a------- c:\documents and settings\julie pickett\iSetupNI.dll
2007-10-27 19:58 779,312 a------- c:\program files\MoveMediaPlayer_07074039.exe
2007-10-24 21:01 13,411,824 a------- c:\program files\Google_Earth_BZXV.exe
2007-03-21 15:36 10,857 a------- c:\program files\Dreamweaver CS3 Read Me.html
2005-05-26 15:35 1,422 a------- c:\program files\ReadMe.txt
2009-02-27 07:48 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009022720090228\index.dat

============= FINISH: 20:51:38.54 ===============

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:43 PM

Posted 04 July 2009 - 04:33 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.


Extra note... I see you are running AdWatch.
I suggest you disable it because it can interfere with the fixes.

To disable AdWatch - * Right click on the Ad-Watch icon in the system tray and select to Disable Adwatch Live.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Daddys_Jewel

Daddys_Jewel
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 04 July 2009 - 11:59 AM

Thank you so much. The scan found tons of stuff, and it removed the virus that was giving me the pop up boxes when any program tried to execute.

One bad thing - I think I have already been attacked by another trojan. I had to remove McAfee instead of disabling it, because the disable function had disappeared and I could not find any way to shut it down besides removing it. I went online to re-download it and got attacked. I'm not sure if I got infected, but I've got pop ups everywhere telling me I'm infected. After I post this message I will download McAfee again and run a scan. I'll post back later.

Here's the log from the first scan (I hope it's okay that I copy and pasted the log):

ComboFix 09-07-03.03 - Julie Pickett 07/04/2009 10:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.685 [GMT -6:00]
Running from: c:\documents and settings\Julie Pickett\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\1e951.msi
c:\windows\Installer\35355a.msi
c:\windows\Installer\6d56347.msi
c:\windows\system32\_003244_.tmp.dll
c:\windows\system32\_003245_.tmp.dll
c:\windows\system32\_003246_.tmp.dll
c:\windows\system32\_003247_.tmp.dll
c:\windows\system32\_003254_.tmp.dll
c:\windows\system32\_003256_.tmp.dll
c:\windows\system32\_003257_.tmp.dll
c:\windows\system32\_003259_.tmp.dll
c:\windows\system32\_003260_.tmp.dll
c:\windows\system32\_003261_.tmp.dll
c:\windows\system32\_003263_.tmp.dll
c:\windows\system32\_003264_.tmp.dll
c:\windows\system32\_003266_.tmp.dll
c:\windows\system32\_003267_.tmp.dll
c:\windows\system32\_003268_.tmp.dll
c:\windows\system32\_003270_.tmp.dll
c:\windows\system32\_003273_.tmp.dll
c:\windows\system32\_003274_.tmp.dll
c:\windows\system32\_003278_.tmp.dll
c:\windows\system32\_003279_.tmp.dll
c:\windows\system32\_003281_.tmp.dll
c:\windows\system32\_003283_.tmp.dll
c:\windows\system32\_003284_.tmp.dll
c:\windows\system32\_003286_.tmp.dll
c:\windows\system32\_003288_.tmp.dll
c:\windows\system32\_003289_.tmp.dll
c:\windows\system32\_003290_.tmp.dll
c:\windows\system32\_003293_.tmp.dll
c:\windows\system32\_003294_.tmp.dll
c:\windows\system32\_003295_.tmp.dll
c:\windows\system32\_003296_.tmp.dll
c:\windows\system32\_003297_.tmp.dll
c:\windows\system32\_003302_.tmp.dll
c:\windows\system32\_003304_.tmp.dll
c:\windows\system32\_003305_.tmp.dll
c:\windows\system32\drivers\hjgruivxdeplvt.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\hjgruifdxbqhxk.dll
c:\windows\system32\hjgruifhfuxjng.dat
c:\windows\system32\hjgruihxyxtuwk.dll
c:\windows\system32\hjgruilfaswwbw.dat
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiltewfxoq
-------\Legacy_NTOSNH.SYS


((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.

2009-07-04 02:44 . 2009-07-04 02:44 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
2009-07-04 02:44 . 2009-07-04 02:44 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\savapibridge.dll
2009-07-04 02:44 . 2009-07-04 02:44 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
2009-07-04 02:44 . 2009-07-04 02:44 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
2009-07-04 02:44 . 2009-07-04 02:44 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavalicense.dll
2009-07-04 02:44 . 2009-07-04 02:44 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
2009-07-04 02:44 . 2009-07-04 02:44 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
2009-07-04 02:44 . 2009-07-04 02:44 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
2009-07-04 02:43 . 2009-07-04 02:43 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
2009-07-04 02:43 . 2009-07-04 02:43 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
2009-07-04 02:43 . 2009-07-04 02:43 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\AAWDriverTool.exe
2009-07-04 02:43 . 2009-07-04 02:43 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
2009-07-04 02:43 . 2009-07-04 02:43 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
2009-07-04 02:43 . 2009-07-04 02:43 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2009-07-04 02:43 . 2009-07-04 02:43 2352968 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-07-04 02:43 . 2009-07-04 02:43 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWWSC.exe
2009-07-04 02:43 . 2009-07-04 02:43 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
2009-07-04 02:43 . 2009-07-04 02:43 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
2009-07-03 23:19 . 2009-07-03 23:19 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 16:10 . 2009-03-22 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-04 16:10 . 2009-03-22 22:22 -------- d-----w- c:\program files\McAfee
2009-07-04 15:22 . 2009-03-22 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-07-04 06:00 . 2008-03-19 01:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-04 05:59 . 2008-03-19 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-04 01:14 . 2008-10-29 06:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-04 01:11 . 2009-02-10 15:38 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-03 19:20 . 2009-03-26 04:03 -------- d-----w- c:\program files\Windows Live Safety Center
2009-07-03 18:01 . 2007-10-25 01:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-03 16:43 . 2007-04-04 02:24 6736 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2009-07-03 16:23 . 2007-06-24 03:53 -------- d-----w- c:\documents and settings\Julie Pickett\Application Data\U3
2009-07-03 15:31 . 2008-10-28 04:52 -------- d-----w- c:\program files\Spyware Doctor
2009-06-17 17:27 . 2008-10-29 06:17 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 17:27 . 2008-10-29 06:17 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-16 02:08 . 2008-06-29 04:47 1080 ----a-w- c:\windows\AUTOLNCH.REG
2009-06-15 03:16 . 2009-02-18 05:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-03 00:41 . 2007-02-24 02:42 66201 ----a-w- c:\windows\system32\nvModes.dat
2009-05-23 04:45 . 2009-03-21 16:24 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-23 04:44 . 2009-05-23 04:44 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\lbd.sys
2009-05-23 04:44 . 2009-03-21 06:37 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-13 03:18 . 2009-05-13 03:18 621151 ----a-w- c:\program files\Belkin.zip
2009-05-10 13:52 . 2009-05-10 13:52 545936 ----a-w- c:\program files\TaskswitchPowertoySetup.exe
2009-05-10 13:50 . 2009-05-10 13:50 526448 ----a-w- c:\program files\MagnifierPowertoySetup.exe
2009-05-10 13:39 . 2009-05-10 13:39 532616 ----a-w- c:\program files\ImageResizerPowertoySetup.exe
2009-05-07 15:32 . 2008-07-08 21:05 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-02 02:45 . 2007-10-09 20:38 816392 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\Components\DownloadQB17\Patch\qbpatch2.exe
2009-05-01 00:41 . 2007-02-24 03:08 451472 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-29 04:56 . 2004-08-11 23:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-11 23:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-21 15:03 . 2009-03-01 14:52 614 ----a-w- c:\documents and settings\Julie Pickett\jobq.dat
2009-04-17 12:26 . 2008-07-08 21:05 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-11 23:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-23 00:37 . 2009-03-22 22:22 1687360 ----a-w- c:\program files\TOPSBDM.exe
2009-03-21 06:31 . 2009-03-21 06:30 37452296 ----a-w- c:\program files\Ad-AwareAE.exe
2009-03-01 14:48 . 2009-03-01 14:48 26404188 ----a-w- c:\program files\FSIndexing_Setup.exe
2009-02-03 16:42 . 2009-02-03 16:42 2058849 ----a-w- c:\program files\ieSpellSetup251106.exe
2008-11-28 12:47 . 2008-11-28 12:47 7508624 ----a-w- c:\program files\Firefox Setup 3.0.4.exe
2008-09-13 20:34 . 2008-09-13 20:32 76576104 ----a-w- c:\program files\Zoombrowser 6.1.exe
2008-09-13 02:47 . 2008-09-13 02:44 20989952 ----a-w- c:\program files\Family archive viewer.exe
2008-08-21 15:23 . 2008-08-21 15:15 299294000 ----a-w- c:\program files\ADBEDRWVCS3_WWE.exe
2008-08-21 06:17 . 2008-08-21 06:11 7281152 ----a-w- c:\program files\irfanview_plugins_420_setup.exe
2008-08-21 06:05 . 2008-08-21 06:05 1305600 ----a-w- c:\program files\iview420_setup.exe
2008-08-20 02:40 . 2008-08-20 02:36 17950304 ----a-w- c:\program files\gimp-2.4.6-i686-setup.exe
2008-08-17 02:30 . 2008-08-17 02:30 9132408 ----a-w- c:\program files\bookcollectorsetup_10077703.exe
2008-08-09 20:21 . 2008-08-09 20:13 9627504 ----a-w- c:\program files\yahoo_bejeweled2_tm6-2.exe
2008-08-09 17:14 . 2008-08-09 17:14 9627504 ----a-w- c:\program files\yahoo_bejeweled2_tm6-2b.exe
2008-08-08 06:17 . 2008-08-08 06:14 63530280 ----a-w- c:\program files\iTunesSetup.exe
2008-07-22 05:34 . 2008-07-22 05:34 39910 ----a-w- c:\program files\gzip.exe
2008-07-12 03:56 . 2008-07-12 03:55 34130184 ----a-w- c:\program files\GoogleSketchUpWEN.exe
2008-07-08 19:22 . 2008-07-08 19:14 1077448 ----a-w- c:\program files\RegCureSetup_1501_CB.exe
2008-06-11 22:45 . 2008-06-11 22:45 10091750 ----a-w- c:\program files\PAF5EnglishSetup.exe
2008-06-07 06:05 . 2008-06-07 06:05 6039048 ----a-w- c:\program files\Firefox Setup 2.0.0.14.exe
2008-05-11 06:02 . 2008-05-11 06:02 23510720 ----a-w- c:\program files\dotnetfx.exe
2008-05-11 04:58 . 2008-05-11 04:51 33364256 ----a-w- c:\program files\ArcGISExplorerDownload.exe
2008-02-13 03:00 . 2008-02-13 02:50 25685128 ----a-w- c:\program files\wordview_en-us.exe
2007-10-28 01:58 . 2007-10-28 01:58 779312 ----a-w- c:\program files\MoveMediaPlayer_07074039.exe
2007-10-25 03:01 . 2007-10-25 02:48 13411824 ----a-w- c:\program files\Google_Earth_BZXV.exe
2007-03-21 21:36 . 2008-08-21 15:26 10857 ----a-w- c:\program files\Dreamweaver CS3 Read Me.html
2005-05-26 21:35 . 2007-11-22 02:41 1422 ----a-w- c:\program files\ReadMe.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-09-08 102400]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"hpppta"="c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe" [2000-06-02 86016]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2006-01-13 311296]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-01 136600]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-04 520024]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2006-01-19 73728]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-3-18 972064]
TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2007-11-21 270336]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BrowseBlast Web Accelerator.lnk]
backup=c:\windows\pss\BrowseBlast Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EMBASSY Trust Suite Secure Update.lnk]
backup=c:\windows\pss\EMBASSY Trust Suite Secure Update.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Julie Pickett^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
backup=c:\windows\pss\Microsoft Find Fast.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Julie Pickett^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\Julie Pickett\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkStartup

[HKLM\~\startupfolder\C:^DOCUME~1^JULIEP~1^Start Menu^Programs^Startup^reminder-ScanSoft Product Registration.lnk]
backup=c:\windows\pss\reminder-ScanSoft Product Registration.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SlipStream
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\The Print Shop 22\\PMW.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/21/2009 12:37 AM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 1:06 PM 1029456]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [3/9/2007 9:48 AM 23200]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [3/13/2007 5:49 PM 18864]
S2 tiwpudcrdwslp;tiwpudcrdwslp;\??\c:\windows\system32\drivers\drujm.sys --> c:\windows\system32\drivers\drujm.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/27/2008 10:52 PM 356920]
.
Contents of the 'Scheduled Tasks' folder

2009-07-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 02:43]

2009-07-04 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

2009-05-07 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

2009-07-04 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 04:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: davidrumsey.com\www
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {00120000-B1BA-11CE-ABC6-F5B2E79D9E3F} - file://d:\julie\Health\ltocx12n.cab
FF - ProfilePath - c:\documents and settings\Julie Pickett\Application Data\Mozilla\Firefox\Profiles\apkdepkg.default\
FF - prefs.js: browser.search.selectedEngine - Babylon
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-04 10:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(992)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Wave Systems Corp\Common\DataServer.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-04 10:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-04 16:32

Pre-Run: 30,605,348,864 bytes free
Post-Run: 30,769,803,264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

344 --- E O F --- 2009-07-03 18:41

Edited by Daddys_Jewel, 04 July 2009 - 01:48 PM.


#6 Daddys_Jewel

Daddys_Jewel
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 04 July 2009 - 06:58 PM

I was right. I did pick up more viruses while downloading McAfee. :thumbup2: Below is the Malwarebytes log report. I will next run Hijack This next and post the results.

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

7/4/2009 5:54:19 PM
mbam-log-2009-07-04 (17-54-19).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 217416
Time elapsed: 1 hour(s), 29 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3113c6d7-d1bf-4096-94fe-5df265ac881d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3113c6d7-d1bf-4096-94fe-5df265ac881d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4b66e1df-4de3-4cda-83b5-11673eadab0b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9692be2f-eb8f-49d9-a11c-c24c1ef734d5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b360243e-09e8-402f-8721-00b6798089ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3113c6d7-d1bf-4096-94fe-5df265ac881d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xpprotect (Rogue.DeluxeProtector) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\documents and settings\Julie Pickett\XP Deluxe Protector (Rogue.DeluxeProtector) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\gdi32lib.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\documents and settings\Julie Pickett\Start Menu\XP Deluxe Protector.LNK (Rogue.DeluxeProtector) -> Quarantined and deleted successfully.
C:\documents and settings\Julie Pickett\Desktop\XP Deluxe Protector.LNK (Rogue.DeluxeProtector) -> Quarantined and deleted successfully.
C:\documents and settings\Julie Pickett\Local Settings\temp\defender32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

#7 Daddys_Jewel

Daddys_Jewel
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 04 July 2009 - 07:11 PM

Everything is acting okay after running the Malwarebytes. Here is the Hijack This log. Please let me know if you see anything wrong. Do you think I should run the ComboFix again just to make absolutely sure I'm clean? Thanks so much for your help!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:08:00 PM, on 7/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070223
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] "rundll32.exe" nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] "C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [hpppta] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe" /ICON
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [hpqSRMon] "C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.davidrumsey.com
O15 - Trusted Zone: http://*.mcafee.com (HKLM)
O15 - Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - Trusted Zone: http://www.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://*.mcafee.com (HKLM)
O15 - ESC Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://www.mcafeeasap.com (HKLM)
O16 - DPF: {00120000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (12.1)) - file://D:\Julie\Health\ltocx12n.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Super Mah Jong Solitaire\Images\stg_drm.ocx
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1215548044421
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Super Mah Jong Solitaire\Images\armhelper.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13698 bytes

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:43 PM

Posted 04 July 2009 - 09:00 PM

Hi,

Go to start > run and copy and paste: sc delete tiwpudcrdwsl
Hit enter

Then,

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Daddys_Jewel

Daddys_Jewel
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 05 July 2009 - 03:01 PM

Okay, I have a couple of problems. I was able to do your first instruction about "sc delete tiwpudcrdwsl," but I can't uninstall ComboFix because I cannot for the life of me disable McAfee Total Protection Service. I've posted a question in another forum asking how to do this. I've also emailed McAfee. So that's on hold until I disable it, but then I'll do it.

BUT, in the meantime, I took my laptop to my office where I use dial-up instead of high speed and I'm getting redirected on all of my searches. I don't have this problem on my high speed connection at home. This has been a problem for months that none of the spyware, malware, antivirus software has been able to take care of. I was hoping it was fixed when you had me do the ComboFix. Apparently it isn't. I just ran another Hijack This scan while I'm on the dialup. I was hoping you might see what's going on and make some recommendations.

Thanks for all of your help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:46 PM, on 7/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intuit\QuickBooks 2007\qbw32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgr.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgttry.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070223
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] "rundll32.exe" nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] "C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [hpppta] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe" /ICON
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [hpqSRMon] "C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.davidrumsey.com
O15 - Trusted Zone: http://*.mcafee.com (HKLM)
O15 - Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - Trusted Zone: http://www.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://*.mcafee.com (HKLM)
O15 - ESC Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://www.mcafeeasap.com (HKLM)
O16 - DPF: {00120000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (12.1)) - file://D:\Julie\Health\ltocx12n.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Super Mah Jong Solitaire\Images\stg_drm.ocx
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1215548044421
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Super Mah Jong Solitaire\Images\armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3038A4F-26C2-4A1C-814E-59A98464F304}: NameServer = 85.255.115.157 85.255.112.14
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13781 bytes

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:43 PM

Posted 06 July 2009 - 01:22 AM

Hi,

I took my laptop to my office where I use dial-up instead of high speed and I'm getting redirected on all of my searches. I don't have this problem on my high speed connection at home.

Well, it's clearly here that its not your computer but the dialup at the office causing this.

Is above HijackThislog created when after you connected in the office?
This because this entry is present - bad DNS set:

O17 - HKLM\System\CCS\Services\Tcpip\..\{A3038A4F-26C2-4A1C-814E-59A98464F304}: NameServer = 85.255.115.157 85.255.112.14

Please check and fix above entry in HijackThis and replace the DNS with OpenDNS:
https://www.opendns.com/start/computer/

You'll see instructions on above link to do that.
Then contact the network admin at your office and ask to reset the router/modem and passwordprotect it.

To uninstall Combofix, you can do it from Windows safe mode - then you don't have to disable McAfee since it's not active in safe mode.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 Daddys_Jewel

Daddys_Jewel
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 06 July 2009 - 08:43 AM

Thank you! Yes, the log was run while I was on the dialup. I was hoping the scan would pick up what was wrong while on the dialup.

I am leaving on a 6 day vacation right now.

I'll do what you suggested immediately upon my return and will let you know the outcome. It's my own business, so I am the "network admin" (isn't that scary?!), thus I'll have to reset the router/modem. I don't know what that means, but I will research the topic when I return.

Thanks again!

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:43 PM

Posted 06 July 2009 - 08:47 AM

Ok, just let me know :thumbup2:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users