
Micro Billing System


  • This topic is locked This topic is locked
15 replies to this topic

#1 Horse Box

Posted 09 February 2007 - 05:32 PM

When I start my IE7, the Micro Billing System window jumps onto my IE7 Home Page and will not remove itself; even if I shrink it, it will place itself immediately at the top left of the screen. If I Ctrl-Alt-Del and end task, it immediately refreshes itself onto the screen. It has now put a 2 minute lock on the page before I can close the window, and that is that. I have since discovered it has placed an icon on my desktop labeled MBS Manager (this seems to be a web link to a site, but it says it has problems with ActiveX). I have also discovered it left a web address behind in IE7 History called auth.microbillsys (auth.microbillsys.com).

I ran Jotti's virus scan and nothing turned up with the files you suggested. However, I ran VirusTotal.com and it reported the following: NOD32v2 - NewHeur_PE virus and Prevx1 Dropper.Payload. I don't know if this means anything to you, but I do need help with this.

I have listed below a HijackThis log for your perusal; I hope you can help.

Logfile of HijackThis v1.99.1
Scan saved at 22:13:02, on 09/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\DOCUME~1\Finbarr\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\mbssm32.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
c:\windows\system32\mbsrm32.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=3061120
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=3061120
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/def...://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo! UK & Ireland
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [mbssm32] C:\WINDOWS\system32\mbssm32.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Paddy Power Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\PADDYP~1\client.exe
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168685891203
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Kindest regards


Horse Box
Nie ma satso


#2 SifuMike

    malware expert


Posted 09 February 2007 - 06:47 PM

Hello Horse Box,

I am SifuMike and I will be helping you. :flowers:

Looks like you have a new type of malware infection. :thumbsup:

Right-click an empty space on the taskbar (bottom of the screen) and select Task Manager.
Click the Processes tab and then find mbsrm32.exe and mbssm32.exe. Both of them will be running.
Highlight them individually and press the End Process button.

You will need to configure Windows to show Hidden files.

Go to Jotti Online File Scanner copy and paste C:\WINDOWS\system32\mbssm32.exe to the upload and scan it.


Also do the same with this file
c:\windows\system32\mbsrm32.exe

Let me know the results.
Copy and paste the output to this thread

It should look something like this sample:

File: GoogleToolbarInstaller.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: CEXE

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.97 seconds taken)
ClamAV No viruses found (0.39 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus No viruses found (0.74 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.40 seconds taken)


*******************

Also use Virus Total: http://www.virustotal.com/flash/index_en.html and submit the C:\WINDOWS\system32\mbssm32.exe file and c:\windows\system32\mbsrm32.exe, and post the logs back here.

*******************

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100


Please post back the Jotti scan log, the Virus Total log and the ComboFix log.

Edited by SifuMike, 09 February 2007 - 07:14 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Horse Box

Posted 09 February 2007 - 07:11 PM

NOD32v2 - NewHeur_PE virus
Prevxl Dropper.payload

The above were the two items that were reported back from VirusTotal; nothing from Jotti.

#4 SifuMike

    malware expert


Posted 09 February 2007 - 07:16 PM

Hi Horse Box,

Good. :thumbsup: Now run ComboFix and post the log.

Edited by SifuMike, 09 February 2007 - 07:16 PM.


#5 Horse Box

Posted 09 February 2007 - 07:41 PM

Thank you for coming back to me. Find below the log which you required.

"Finbarr" - 07-02-10 0:12:08 Service Pack 2
ComboFix 07-02-08.2 - Running from: "C:\Documents and Settings\Finbarr\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-10 to 2007-02-10 ))))))))))))))))))))))))))))))))))


2007-02-09 22:09 <DIR> d-------- C:\Program Files\HijackThis
2007-02-09 20:01 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-02-09 19:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-02-09 19:55 <DIR> d-------- C:\DOCUME~1\Finbarr\Application Data\SUPERAntiSpyware.com
2007-02-09 19:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SUPERAntiSpyware.com
2007-02-09 19:33 94,208 --a------ C:\WINDOWS\system32\mclsp.dll
2007-02-09 19:33 90,112 --a------ C:\WINDOWS\system32\mcrtl32.dll
2007-02-09 19:33 32,768 --a------ C:\WINDOWS\system32\instlsp.exe
2007-02-09 19:33 11,264 --a------ C:\WINDOWS\system32\sporder.dll
2007-02-09 19:33 <DIR> d-------- C:\WINDOWS\system32\mclsphlr
2007-02-07 18:42 1,310,720 --ah----- C:\DOCUME~1\Karen\NTUSER.DAT
2007-02-07 18:42 <DIR> d--h----- C:\DOCUME~1\Karen\Application Data\Gtek
2007-02-07 18:42 <DIR> d-------- C:\DOCUME~1\Karen\Application Data\You've Got Pictures Screensaver
2007-02-07 18:42 <DIR> d-------- C:\DOCUME~1\Karen\Application Data\Symantec
2007-02-07 18:42 <DIR> d-------- C:\DOCUME~1\Karen\Application Data\McAfee.com Personal Firewall
2007-02-07 18:42 <DIR> d-------- C:\DOCUME~1\Karen\Application Data\AOL
2007-02-06 17:30 98,304 --a------ C:\WINDOWS\system32\msir3jp.dll
2007-02-06 17:30 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll
2007-02-06 17:30 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll
2007-02-06 17:30 70,656 --a------ C:\WINDOWS\system32\korwbrkr.dll
2007-02-06 17:30 7,680 --a------ C:\WINDOWS\system32\kbdnecNT.dll
2007-02-06 17:30 7,168 --a------ C:\WINDOWS\system32\kbdnec95.dll
2007-02-06 17:30 7,168 --a------ C:\WINDOWS\system32\kbdibm02.dll
2007-02-06 17:30 7,168 --a------ C:\WINDOWS\system32\f3ahvoas.dll
2007-02-06 17:30 6,656 --a------ C:\WINDOWS\system32\kbdlk41a.dll
2007-02-06 17:30 6,144 --a------ C:\WINDOWS\system32\kbdlk41j.dll
2007-02-06 17:30 6,144 --a------ C:\WINDOWS\system32\kbdax2.dll
2007-02-06 17:30 6,144 --a------ C:\WINDOWS\system32\kbd106n.dll
2007-02-06 17:30 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2007-02-06 17:30 6,144 --a------ C:\WINDOWS\system32\kbd101.dll
2007-02-06 17:30 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2007-02-06 17:30 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll
2007-02-06 17:29 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
2007-02-06 17:29 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-02-06 17:29 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-02-06 17:29 76,288 --a------ C:\WINDOWS\system32\uniime.dll
2007-02-06 17:29 6,656 --a------ C:\WINDOWS\system32\c_is2022.dll
2007-02-06 17:29 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-02-06 17:29 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-02-06 17:29 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-02-06 17:29 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-02-05 10:56 <DIR> d-------- C:\Program Files\Xvid
2007-02-03 12:19 90,112 --a------ C:\WINDOWS\system32\NCTAudioFormatSettings3.dll
2007-02-03 12:19 81,920 --a------ C:\WINDOWS\system32\viscomwave.dll
2007-02-03 12:19 780,288 --a------ C:\WINDOWS\system32\NCTVideoCompress.dll
2007-02-03 12:19 778,240 --a------ C:\WINDOWS\system32\NCTAudioCompress2.dll
2007-02-03 12:19 764,416 --a------ C:\WINDOWS\system32\NCTRMFile.dll
2007-02-03 12:19 626,688 --a------ C:\WINDOWS\system32\NCTImageFile.dll
2007-02-03 12:19 495,104 --a------ C:\WINDOWS\system32\NCTVideoCoreM.dll
2007-02-03 12:19 382,464 --a------ C:\WINDOWS\system32\NCTAVIFile.dll
2007-02-03 12:19 312,320 --a------ C:\WINDOWS\system32\NCTVideoView.dll
2007-02-03 12:19 249,856 --a------ C:\WINDOWS\system32\NCTQuickTimeFile.dll
2007-02-03 12:19 237,568 --a------ C:\WINDOWS\system32\lame_enc.dll
2007-02-03 12:19 215,552 --a------ C:\WINDOWS\system32\NCTWMVFile.dll
2007-02-03 12:19 2,846,720 --a------ C:\WINDOWS\system32\NCTAudioCompress3.dll
2007-02-03 12:19 188,416 --a------ C:\WINDOWS\system32\NCTVideoFile.dll
2007-02-03 12:19 147,456 --a------ C:\WINDOWS\system32\viscomqtenc.dll
2007-02-03 12:19 139,264 --a------ C:\WINDOWS\system32\viscomqtde.dll
2007-02-03 12:19 <DIR> d-------- C:\WINDOWS\system32\RMBin
2007-02-03 11:54 <DIR> d-------- C:\Program Files\Plato Video Converter
2007-02-02 17:19 <DIR> d-------- C:\Program Files\MyGlobalSearch
2007-02-02 17:19 <DIR> d-------- C:\Program Files\BearShare
2007-02-02 17:19 <DIR> d-------- C:\My Downloads
2007-02-01 20:51 <DIR> d-------- C:\DOCUME~1\Finbarr\Application Data\MSNInstaller
2007-01-28 21:54 91,648 --ah----- C:\WINDOWS\system32\mbsrm32.exe
2007-01-28 21:54 576,512 --a------ C:\WINDOWS\system32\mbssm32.exe
2007-01-28 21:15 <DIR> d-------- C:\Program Files\Mozilla Firefox
2007-01-14 15:20 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-01-13 11:15 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-01-13 10:42 <DIR> d-------- C:\Program Files\Windows Defender
2007-01-11 23:59 <DIR> d-------- C:\WINDOWS\ie7updates


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-09 19:44 -------- d-------- C:\Program Files\java
2007-02-09 19:33 -------- d-------- C:\Program Files\mcafee.com
2007-02-09 19:08 1272 --a------ C:\DOCUME~1\Finbarr\Application Data\wklnhst.dat
2007-01-31 19:08 50557 --a------ C:\DOCUME~1\Finbarr\Application Data\patchupdate_hp_counterreport_update_hpsu.log
2007-01-31 19:07 2099 --a------ C:\DOCUME~1\Finbarr\Application Data\hpsu_48bitscanupdate.log
2007-01-31 19:06 354 --a------ C:\DOCUME~1\Finbarr\Application Data\helpfilesupdatepatch_printhelpwrapper.log
2007-01-31 19:06 2843 --a------ C:\DOCUME~1\Finbarr\Application Data\patchupdate_instantsharejpg.log
2007-01-31 19:06 0 --a------ C:\DOCUME~1\Finbarr\Application Data\helpfilesupdatepatch_helpfilereplace.log
2007-01-31 19:05 3654 --a------ C:\DOCUME~1\Finbarr\Application Data\patchupdate_izclosingdiscerror.log
2007-01-31 19:03 46525 --a------ C:\DOCUME~1\Finbarr\Application Data\update_hp_redboxhprblog_hpsu.log
2007-01-31 19:03 139264 --a------ C:\WINDOWS\system32\hpzjrd01.dll
2007-01-28 21:15 -------- d-------- C:\DOCUME~1\Finbarr\Application Data\mozilla
2007-01-27 19:37 -------- d--h----- C:\Program Files\installshield installation information
2007-01-27 19:37 -------- d-------- C:\Program Files\Common Files\sonic shared
2007-01-26 20:10 1786 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2007-01-26 20:10 -------- d-------- C:\DOCUME~1\Finbarr\Application Data\corel
2007-01-14 15:29 -------- d-------- C:\Program Files\pacificpoker
2007-01-09 20:26 -------- d-------- C:\Program Files\paddy power poker
2007-01-09 20:16 -------- d-------- C:\Program Files\webcybercoach
2006-12-28 23:45 -------- d-------- C:\DOCUME~1\Finbarr\Application Data\hp
2006-12-28 23:28 89669 --a------ C:\WINDOWS\hpoins06.dat
2006-12-28 23:27 -------- d-------- C:\Program Files\hp
2006-12-28 23:26 -------- d-------- C:\Program Files\Common Files\hp
2006-12-28 23:25 -------- d-------- C:\Program Files\hewlett-packard
2006-12-28 23:24 -------- d-------- C:\Program Files\Common Files\hewlett-packard
2006-12-27 13:42 -------- d-------- C:\DOCUME~1\Finbarr\Application Data\creative
2006-12-20 23:39 -------- d-------- C:\DOCUME~1\Finbarr\Application Data\knifebar
2006-12-18 01:14 -------- d-------- C:\Program Files\dell
2006-12-18 00:38 -------- d-------- C:\Program Files\windows media connect 2
2006-12-17 22:33 -------- d-------- C:\Program Files\google
2006-12-17 20:20 -------- d-------- C:\DOCUME~1\Finbarr\Application Data\drivecleaner 2006 free
2006-12-14 21:32 -------- d-------- C:\DOCUME~1\Finbarr\Application Data\google
2006-11-20 10:46 335 --a------ C:\WINDOWS\nsreg.dat
2006-11-20 10:43 40 --a------ C:\WINDOWS\system32\mes2046.dll
2006-11-20 10:20 49152 --a------ C:\WINDOWS\setpwrcg.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SetDefaultMIDI"="MIDIDef.exe"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"SigmatelSysTrayApp"="stsystra.exe"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe"
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy\\Surround Mixer\\CTSysVol.exe /r"
"MBMon"="Rundll32 CTMBHA.DLL,MBMon"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"VoiceCenter"="\"C:\\Program Files\\Creative\\VoiceCenter\\AndreaVC.exe\" /tray"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"mbssm32"="C:\\WINDOWS\\system32\\mbssm32.exe"
"Corel Photo Downloader"="C:\\Program Files\\Corel\\Corel Snapfire Plus\\Corel Photo Downloader.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
Shell\AutoRun\command E:\setup.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\HPpromotions journeysoftware.job
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (D890PL2J-Finbarr).job
C:\WINDOWS\tasks\MP Scheduled Scan.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-10 0:13:26



Jotti Scan Log
Scan taken on 10 Feb 2007 00:16:25 (GMT)
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing


Service load: 0% 100%

File: mbsrm32.exe
Status: OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 afbd3f7aa39ad33095bba3d6eeecbc74
Packers detected: -

Scanner results
Scan taken on 10 Feb 2007 00:18:21 (GMT)
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing


VIRUSTOTAL
Complete scanning result of "mbssm32.exe", received in VirusTotal at 02.10.2007, 01:24:31 (CET).

Antivirus Version Update Result
AntiVir 7.3.1.36 02.09.2007 no virus found
Authentium 4.93.8 02.09.2007 no virus found
Avast 4.7.936.0 02.09.2007 no virus found
AVG 386 02.09.2007 no virus found
BitDefender 7.2 02.10.2007 no virus found
CAT-QuickHeal 9.00 02.09.2007 no virus found
ClamAV devel-20060426 02.09.2007 no virus found
DrWeb 4.33 02.09.2007 no virus found
eSafe 7.0.14.0 02.09.2007 no virus found
eTrust-Vet 30.4.3384 02.10.2007 no virus found
Ewido 4.0 02.09.2007 no virus found
Fortinet 2.85.0.0 02.09.2007 no virus found
F-Prot 4.2.1.29 02.09.2007 no virus found
F-Secure 6.70.13030.0 02.10.2007 no virus found
Ikarus T3.1.0.31 02.09.2007 no virus found
Kaspersky 4.0.2.24 02.10.2007 no virus found
McAfee 4960 02.09.2007 no virus found
Microsoft 1.2204 02.10.2007 no virus found
NOD32v2 2048 02.09.2007 probably unknown NewHeur_PE virus
Norman 5.80.02 02.09.2007 no virus found
Panda 9.0.0.4 02.09.2007 no virus found
Prevx1 V2 02.10.2007 Dropper.Payload
Sophos 4.13.0 02.08.2007 no virus found
Sunbelt 2.2.907.0 02.09.2007 no virus found
Symantec 10 02.09.2007 no virus found
TheHacker 6.1.6.055 02.09.2007 no virus found
UNA 1.83 02.09.2007 no virus found
VBA32 3.11.2 02.09.2007 no virus found
VirusBuster 4.3.19:9 02.09.2007 no virus found


Aditional Information
File size: 576512 bytes
MD5: 2d2c56f61320a5aacd2040be7faaccce
SHA1: 8bd26602d66c288fcea58f2debafce4d0102fb47
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=02ea65349284

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.




VBA32 Found nothing


2nd check on VirusTotal was slow to download, so I have posted this for now.

P.S. I have not determined at what stage this malware becomes effective,
i.e. once per day or every time IE7 is booted.
Nie ma satso

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 February 2007 - 07:55 PM

Hi Horse Box,

Looks like you have had this infection on your computer for over a week. :thumbsup:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

Download KillBox to the desktop. Do not run it yet!

*******************************************

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key. If that does not work, go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix".

O4 - HKLM\..\Run: [mbssm32] C:\WINDOWS\system32\mbssm32.exe

If you did not add or want Paddy Power Poker and PacificPoker, then "fix" them too.
O9 - Extra button: Paddy Power Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\PADDYP~1\client.exe
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe



Click killbox.exe.
Select the option "Delete on reboot".
Click the button: All Files (!important!)
Now it should flash green.

Now copy the following lines from the Code box (do not include the word Code):

C:\WINDOWS\system32\mbssm32.exe
c:\windows\system32\mbsrm32.exe

Open 'File' in the KillBox menu at the top and choose Paste from clipboard.

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES

If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Finally, reboot to Normal Mode, post a new HijackThis log, and tell me how your computer is running.

Edited by SifuMike, 09 February 2007 - 07:57 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
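The fix above rests on three observations a helper makes by eye: the O4 Run entry points at a recently dropped file in system32, a second (hidden) file appeared at the same minute, and VirusTotal hashed the sample. As an added example (not code from this thread, nor from the HijackThis or ComboFix tools), the Python script below parses the O4 Run lines of a HijackThis log and the "Files Created" lines of a ComboFix log and reports exactly that pattern; the sample lines are excerpted from the logs posted in this thread, the known-bad list is the MD5 VirusTotal reported for mbssm32.exe, and the hash-to-path mapping is assumed to come from such a scan.

```python
"""Triage autostart entries against ComboFix's recently created files.
Added example for this thread, not code from the thread or from HijackThis/ComboFix.
Flags targets that arrived recently, are hidden, were dropped with siblings
at the same minute, or whose MD5 is on a caller-supplied known-bad list."""
import re
from collections import namedtuple
from datetime import date

Autostart = namedtuple("Autostart", "hive name cmd path")
Created = namedtuple("Created", "when size attrs path")

# e.g. O4 - HKLM\..\Run: [mbssm32] C:\WINDOWS\system32\mbssm32.exe
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# e.g. 2007-01-28 21:54 91,648 --ah----- C:\WINDOWS\system32\mbsrm32.exe
CF_RE = re.compile(r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size><DIR>|[\d,]+) "
                   r"(?P<attrs>[-a-z]{9}) (?P<path>.+)$")


def target_path(cmd):
    """Extract the executable from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def parse_hijackthis(text):
    """Return the O4 HKLM/HKCU Run entries found in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Autostart(m["hive"], m["name"], m["cmd"], target_path(m["cmd"])))
    return entries


def parse_combofix_created(text):
    """Map lower-cased path -> Created for the file (not <DIR>) lines of a ComboFix log."""
    files = {}
    for line in text.splitlines():
        m = CF_RE.match(line.strip())
        if m and m["size"] != "<DIR>":
            files[m["path"].lower()] = Created(
                m["when"], int(m["size"].replace(",", "")), m["attrs"], m["path"])
    return files


def triage(autostarts, created, scan_day, md5_by_path=None, known_bad_md5=()):
    """Return (name, path, reasons) for each autostart target ComboFix saw created."""
    md5_by_path = {k.lower(): v for k, v in (md5_by_path or {}).items()}
    known_bad = {h.lower() for h in known_bad_md5}
    findings = []
    for a in autostarts:
        rec = created.get(a.path.lower())
        if rec is None:
            continue  # older than ComboFix's window: these logs say nothing about it
        age = (scan_day - date.fromisoformat(rec.when[:10])).days
        reasons = [f"created {age} days before the scan"]
        if "h" in rec.attrs:
            reasons.append("hidden attribute set")
        folder = a.path.rsplit("\\", 1)[0].lower()
        # Files written to the same folder in the same minute: typical dropper companions.
        siblings = sorted(
            c.path.rsplit("\\", 1)[-1] + (" (hidden)" if "h" in c.attrs else "")
            for c in created.values()
            if c.when == rec.when and c.path.lower() != a.path.lower()
            and c.path.rsplit("\\", 1)[0].lower() == folder)
        if siblings:
            reasons.append("dropped at the same minute with: " + ", ".join(siblings))
        digest = md5_by_path.get(a.path.lower(), "").lower()
        if digest in known_bad:
            reasons.append(f"MD5 {digest} is on the known-bad list")
        findings.append((a.name, a.path, reasons))
    return findings


# Sample input: lines excerpted from the HijackThis and ComboFix logs in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mbssm32] C:\WINDOWS\system32\mbssm32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
COMBOFIX_SAMPLE = r"""
2007-02-10 01:28 <DIR> d-------- C:\!KillBox
2007-02-09 20:01 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-01-28 21:54 91,648 --ah----- C:\WINDOWS\system32\mbsrm32.exe
2007-01-28 21:54 576,512 --a------ C:\WINDOWS\system32\mbssm32.exe
"""
SCAN_DAY = date(2007, 2, 10)  # date of the ComboFix run in the thread
KNOWN_BAD_MD5 = {"2d2c56f61320a5aacd2040be7faaccce"}  # MD5 VirusTotal reported for mbssm32.exe
MD5_BY_PATH = {r"C:\WINDOWS\system32\mbssm32.exe": "2d2c56f61320a5aacd2040be7faaccce"}  # assumed input


def run_sample():
    return triage(parse_hijackthis(HJT_SAMPLE), parse_combofix_created(COMBOFIX_SAMPLE),
                  SCAN_DAY, MD5_BY_PATH, KNOWN_BAD_MD5)


if __name__ == "__main__":
    for name, path, reasons in run_sample():
        print(f"[{name}] {path}", *reasons, sep="\n  - ")
```

Entries whose target is not in ComboFix's created list are deliberately left out: those logs cannot say anything about them, which is why the helper also asked for a fresh scan rather than judging from a single listing.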

#7 Horse Box

Horse Box
  • Topic Starter

  • Members
  • 65 posts

Posted 09 February 2007 - 08:59 PM

Find below a log as requested.

Horse Box is exhausted and going to bed. I shall not know for a couple of days whether this MBS comes back again, but I will let you know one way or the other. It seems that it has stopped, but I need to monitor to see if it is smart and has written itself into the FAT32 area and then re-written itself back to IE7. I have been led to believe that virus software or malware can lodge itself in a memory area to protect itself against detection, so it can re-infect even after the computer is given fdisk /m or format with /u.

Who knows but I will watch carefully.


Many thanks and I will be in touch. :thumbsup: :flowers: :huh:

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 February 2007 - 09:05 PM

Find below a log as requested.


You forgot to post the log. :thumbsup: We are not done yet.

Run ComboFix again and post the log.

Edited by SifuMike, 09 February 2007 - 10:37 PM.


#9 Horse Box

Horse Box
  • Topic Starter

  • Members
  • 65 posts

Posted 10 February 2007 - 05:30 AM

Find the ComboFix.exe log detailed below.

"Finbarr" - 07-02-10 10:25:54 Service Pack 2
ComboFix 07-02-10 - Running from: "C:\Documents and Settings\Finbarr\My Documents\Downloaded Program Updates"

((((((((((((((((((((((((((((((( Files Created from 2007-01-10 to 2007-02-10 ))))))))))))))))))))))))))))))))))


2007-02-10 01:39 <DIR> d-------- C:\Program Files\CCleaner
2007-02-10 01:28 <DIR> d-------- C:\!KillBox
2007-02-09 22:09 <DIR> d-------- C:\Program Files\HijackThis
2007-02-09 20:01 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-02-09 19:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-02-09 19:55 <DIR> d-------- C:\DOCUME~1\Finbarr\Application Data\SUPERAntiSpyware.com
2007-02-09 19:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SUPERAntiSpyware.com
2007-02-09 19:33 90,112 --a------ C:\WINDOWS\system32\mcrtl32.dll
2007-02-09 19:33 32,768 --a------ C:\WINDOWS\system32\instlsp.exe
2007-02-09 19:33 131,072 --a------ C:\WINDOWS\system32\mclsp.dll
2007-02-09 19:33 11,264 --a------ C:\WINDOWS\system32\sporder.dll
2007-02-09 19:33 <DIR> d-------- C:\WINDOWS\system32\mclsphlr
2007-02-07 18:42 1,310,720 --ah----- C:\DOCUME~1\Karen\NTUSER.DAT
2007-02-07 18:42 <DIR> d--h----- C:\DOCUME~1\Karen\Application Data\Gtek
2007-02-07 18:42 <DIR> d-------- C:\DOCUME~1\Karen\Application Data\You've Got Pictures Screensaver
2007-02-07 18:42 <DIR> d-------- C:\DOCUME~1\Karen\Application Data\Symantec
2007-02-07 18:42 <DIR> d-------- C:\DOCUME~1\Karen\Application Data\McAfee.com Personal Firewall
2007-02-07 18:42 <DIR> d-------- C:\DOCUME~1\Karen\Application Data\AOL
2007-02-06 17:30 98,304 --a------ C:\WINDOWS\system32\msir3jp.dll
2007-02-06 17:30 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll
2007-02-06 17:30 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll
2007-02-06 17:30 70,656 --a------ C:\WINDOWS\system32\korwbrkr.dll
2007-02-06 17:30 7,680 --a------ C:\WINDOWS\system32\kbdnecNT.dll
2007-02-06 17:30 7,168 --a------ C:\WINDOWS\system32\kbdnec95.dll
2007-02-06 17:30 7,168 --a------ C:\WINDOWS\system32\kbdibm02.dll
2007-02-06 17:30 7,168 --a------ C:\WINDOWS\system32\f3ahvoas.dll
2007-02-06 17:30 6,656 --a------ C:\WINDOWS\system32\kbdlk41a.dll
2007-02-06 17:30 6,144 --a------ C:\WINDOWS\system32\kbdlk41j.dll
2007-02-06 17:30 6,144 --a------ C:\WINDOWS\system32\kbdax2.dll
2007-02-06 17:30 6,144 --a------ C:\WINDOWS\system32\kbd106n.dll
2007-02-06 17:30 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2007-02-06 17:30 6,144 --a------ C:\WINDOWS\system32\kbd101.dll
2007-02-06 17:30 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2007-02-06 17:30 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll
2007-02-06 17:29 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
2007-02-06 17:29 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-02-06 17:29 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-02-06 17:29 76,288 --a------ C:\WINDOWS\system32\uniime.dll
2007-02-06 17:29 6,656 --a------ C:\WINDOWS\system32\c_is2022.dll
2007-02-06 17:29 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-02-06 17:29 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-02-06 17:29 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-02-06 17:29 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-02-05 10:56 <DIR> d-------- C:\Program Files\Xvid
2007-02-03 12:19 90,112 --a------ C:\WINDOWS\system32\NCTAudioFormatSettings3.dll
2007-02-03 12:19 81,920 --a------ C:\WINDOWS\system32\viscomwave.dll
2007-02-03 12:19 780,288 --a------ C:\WINDOWS\system32\NCTVideoCompress.dll
2007-02-03 12:19 778,240 --a------ C:\WINDOWS\system32\NCTAudioCompress2.dll
2007-02-03 12:19 764,416 --a------ C:\WINDOWS\system32\NCTRMFile.dll
2007-02-03 12:19 626,688 --a------ C:\WINDOWS\system32\NCTImageFile.dll
2007-02-03 12:19 495,104 --a------ C:\WINDOWS\system32\NCTVideoCoreM.dll
2007-02-03 12:19 382,464 --a------ C:\WINDOWS\system32\NCTAVIFile.dll
2007-02-03 12:19 312,320 --a------ C:\WINDOWS\system32\NCTVideoView.dll
2007-02-03 12:19 249,856 --a------ C:\WINDOWS\system32\NCTQuickTimeFile.dll
2007-02-03 12:19 237,568 --a------ C:\WINDOWS\system32\lame_enc.dll
2007-02-03 12:19 215,552 --a------ C:\WINDOWS\system32\NCTWMVFile.dll
2007-02-03 12:19 2,846,720 --a------ C:\WINDOWS\system32\NCTAudioCompress3.dll
2007-02-03 12:19 188,416 --a------ C:\WINDOWS\system32\NCTVideoFile.dll
2007-02-03 12:19 147,456 --a------ C:\WINDOWS\system32\viscomqtenc.dll
2007-02-03 12:19 139,264 --a------ C:\WINDOWS\system32\viscomqtde.dll
2007-02-03 12:19 <DIR> d-------- C:\WINDOWS\system32\RMBin
2007-02-03 11:54 <DIR> d-------- C:\Program Files\Plato Video Converter
2007-02-02 17:19 <DIR> d-------- C:\Program Files\MyGlobalSearch
2007-02-02 17:19 <DIR> d-------- C:\Program Files\BearShare
2007-02-02 17:19 <DIR> d-------- C:\My Downloads
2007-02-01 20:51 <DIR> d-------- C:\DOCUME~1\Finbarr\Application Data\MSNInstaller
2007-01-28 21:54 91,648 --ah----- C:\WINDOWS\system32\mbsrm32.exe
2007-01-28 21:54 576,512 --a------ C:\WINDOWS\system32\mbssm32.exe
2007-01-28 21:15 <DIR> d-------- C:\Program Files\Mozilla Firefox
2007-01-14 15:20 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-01-13 11:15 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-01-13 10:42 <DIR> d-------- C:\Program Files\Windows Defender
2007-01-11 23:59 <DIR> d-------- C:\WINDOWS\ie7updates


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-10 01:08 -------- d-------- C:\Program Files\java
2007-02-09 19:33 -------- d-------- C:\Program Files\mcafee.com
2007-02-09 19:08 1272 --a------ C:\DOCUME~1\Finbarr\Application Data\wklnhst.dat
2007-01-31 19:08 50557 --a------ C:\DOCUME~1\Finbarr\Application Data\patchupdate_hp_counterreport_update_hpsu.log
2007-01-31 19:07 2099 --a------ C:\DOCUME~1\Finbarr\Application Data\hpsu_48bitscanupdate.log
2007-01-31 19:06 354 --a------ C:\DOCUME~1\Finbarr\Application Data\helpfilesupdatepatch_printhelpwrapper.log
2007-01-31 19:06 2843 --a------ C:\DOCUME~1\Finbarr\Application Data\patchupdate_instantsharejpg.log
2007-01-31 19:06 0 --a------ C:\DOCUME~1\Finbarr\Application Data\helpfilesupdatepatch_helpfilereplace.log
2007-01-31 19:05 3654 --a------ C:\DOCUME~1\Finbarr\Application Data\patchupdate_izclosingdiscerror.log
2007-01-31 19:03 46525 --a------ C:\DOCUME~1\Finbarr\Application Data\update_hp_redboxhprblog_hpsu.log
2007-01-31 19:03 139264 --a------ C:\WINDOWS\system32\hpzjrd01.dll
2007-01-28 21:15 -------- d-------- C:\DOCUME~1\Finbarr\Application Data\mozilla
2007-01-27 19:37 -------- d--h----- C:\Program Files\installshield installation information
2007-01-27 19:37 -------- d-------- C:\Program Files\Common Files\sonic shared
2007-01-26 20:10 1786 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2007-01-26 20:10 -------- d-------- C:\DOCUME~1\Finbarr\Application Data\corel
2007-01-14 15:29 -------- d-------- C:\Program Files\pacificpoker
2007-01-09 20:26 -------- d-------- C:\Program Files\paddy power poker
2007-01-09 20:16 -------- d-------- C:\Program Files\webcybercoach
2006-12-28 23:45 -------- d-------- C:\DOCUME~1\Finbarr\Application Data\hp
2006-12-28 23:28 89669 --a------ C:\WINDOWS\hpoins06.dat
2006-12-28 23:27 -------- d-------- C:\Program Files\hp
2006-12-28 23:26 -------- d-------- C:\Program Files\Common Files\hp
2006-12-28 23:25 -------- d-------- C:\Program Files\hewlett-packard
2006-12-28 23:24 -------- d-------- C:\Program Files\Common Files\hewlett-packard
2006-12-27 13:42 -------- d-------- C:\DOCUME~1\Finbarr\Application Data\creative
2006-12-20 23:39 -------- d-------- C:\DOCUME~1\Finbarr\Application Data\knifebar
2006-12-18 01:14 -------- d-------- C:\Program Files\dell
2006-12-18 00:38 -------- d-------- C:\Program Files\windows media connect 2
2006-12-17 22:33 -------- d-------- C:\Program Files\google
2006-12-17 20:20 -------- d-------- C:\DOCUME~1\Finbarr\Application Data\drivecleaner 2006 free
2006-12-14 21:32 -------- d-------- C:\DOCUME~1\Finbarr\Application Data\google
2006-11-20 10:46 335 --a------ C:\WINDOWS\nsreg.dat
2006-11-20 10:43 40 --a------ C:\WINDOWS\system32\mes2046.dll
2006-11-20 10:20 49152 --a------ C:\WINDOWS\setpwrcg.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SetDefaultMIDI"="MIDIDef.exe"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SigmatelSysTrayApp"="stsystra.exe"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe"
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy\\Surround Mixer\\CTSysVol.exe /r"
"MBMon"="Rundll32 CTMBHA.DLL,MBMon"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"VoiceCenter"="\"C:\\Program Files\\Creative\\VoiceCenter\\AndreaVC.exe\" /tray"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"Corel Photo Downloader"="C:\\Program Files\\Corel\\Corel Snapfire Plus\\Corel Photo Downloader.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
Shell\AutoRun\command E:\setup.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\HPpromotions journeysoftware.job
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (D890PL2J-Finbarr).job
C:\WINDOWS\tasks\MP Scheduled Scan.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-10 10:27:25
C:\ComboFix2.txt ... 07-02-10 00:30
:flowers: :thumbsup:

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 February 2007 - 08:53 AM

Hi Horse Box,


You forgot to post the Hijackthis log.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'Show hidden files and folders',
deselect (uncheck) 'Hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.

Using Windows Explorer, please do a file search for these two files:
C:\WINDOWS\system32\mbsrm32.exe
C:\WINDOWS\system32\mbssm32.exe


Let me know what you find.

Edited by SifuMike, 10 February 2007 - 09:58 AM.


#11 Horse Box

Horse Box
  • Topic Starter

  • Members
  • 65 posts

Posted 10 February 2007 - 12:17 PM

Hello Sifu,

Find below Hijackthis log as requested.

Logfile of HijackThis v1.99.1
Scan saved at 17:14:19, on 10/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\DOCUME~1\Finbarr\LOCALS~1\Temp\clclean.0001
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=3061120
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/def...://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo! UK & Ireland
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Paddy Power Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\PADDYP~1\client.exe
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168685891203
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Nie ma satso
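As an added example that is not part of this thread or of HijackThis itself, the Python below parses O-lines in the format of the log above and produces a short review summary: entries per section, items whose referenced file is missing, Global Startup shortcuts whose target HijackThis could not resolve ("= ?"), and O16 ActiveX download entries fetched over plain http. The sample lines are constructed from entries in the log above; the line format (`Oxx - description - ... - path`) is assumed from the log, and nothing here judges an entry malicious, it only pulls out the items a reviewer looks at first.

```python
"""Summarise HijackThis-style O-lines for manual review (added example)."""
import re
from collections import Counter

# Constructed sample, copied in shape from the log posted above.
SAMPLE_LOG = r"""
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dell Network Assistant.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168685891203
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Each log line starts with a section tag (O4, O9, O16, O23, ...) followed by " - ".
LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")


def parse_entries(text):
    """Return a list of {'section', 'body', 'missing'} dicts, one per O-line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip header lines, blanks and anything that is not an O-line
        section, body = m.groups()
        entries.append({
            "section": section,
            "body": body,
            # HijackThis appends this marker when the referenced file does not exist
            "missing": body.endswith("(file missing)"),
        })
    return entries


def review(entries):
    """Group entries by section and pull out the items worth a second look."""
    report = {
        "counts": Counter(),      # how many entries per section
        "file_missing": [],       # stale registrations pointing at absent files
        "unresolved": [],         # Global Startup shortcuts with target "?"
        "plain_http_dpf": [],     # ActiveX (O16) downloads over unencrypted http
    }
    for e in entries:
        report["counts"][e["section"]] += 1
        if e["missing"]:
            report["file_missing"].append(e["body"])
        if e["section"] == "O4" and " = " in e["body"]:
            name, target = e["body"].split(": ", 1)[1].split(" = ", 1)
            if target.strip() == "?":
                report["unresolved"].append(name.strip())
        if e["section"] == "O16" and "http://" in e["body"]:
            report["plain_http_dpf"].append(e["body"])
    return report


if __name__ == "__main__":
    rep = review(parse_entries(SAMPLE_LOG))
    for section, n in sorted(rep["counts"].items()):
        print(f"{section}: {n} entries")
    for key in ("file_missing", "unresolved", "plain_http_dpf"):
        for item in rep[key]:
            print(f"[{key}] {item}")
```

On the constructed sample this reports two O4, two O9, one O16 and two O23 entries, flags the xpnetdiag button as a missing file, the Dell Network Assistant shortcut as unresolved, and the Microsoft Update control as an http download. A missing-file entry is usually leftover registration rather than an infection, but it is exactly the kind of item a helper asks about, so surfacing it saves a round trip.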

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:54 PM

Posted 10 February 2007 - 12:33 PM

Hi Horse Box,

Your log looks clean! :thumbsup: Good job on the cleanup!

Let's reset your files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.


Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.


Please read and follow How did I get infected?, with steps so it does not happen again!
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 Horse Box

Horse Box
  • Topic Starter

  • Members
  • 65 posts
  • Local time:08:54 PM

Posted 10 February 2007 - 05:07 PM

No such tab for System Restore :thumbsup:
Nie ma satso

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:54 PM

Posted 14 February 2007 - 10:49 PM

Sorry for being late in answering. This one slipped through the cracks.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point, then click Next. Name it (something you'll remember) and click Create. When the confirmation screen shows the restore point has been created, click Close.

Edited by SifuMike, 14 February 2007 - 10:50 PM.


#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:54 PM

Posted 15 February 2007 - 01:29 PM

I need you to delete the version of ComboFix you downloaded (if you have not done so already). There is a bug in it.



