Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Neverending Popups


  • This topic is locked This topic is locked
10 replies to this topic

#1 grymwish

grymwish

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 27 June 2007 - 10:00 PM

Popups constantly whenever IE runs and also some bizarre random streaming audio streams not necessarily when IE runs. have tried all standard spyware/virus scans when in safe mode, deleted all cookies, etc.

Here is HijackThis log. Thanks all in advance.

Logfile of HijackThis v1.99.1
Scan saved at 10:51:56 PM, on 6/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\HijackThis\HijackThis.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=9i...lnXcOiUXZKHEb7g
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: Omea - {35402C01-1777-4159-9ABA-3480BA70D90A} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Clip and Edit - res://C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll/1000
O8 - Extra context menu item: Clip and Save - res://C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll/1001
O8 - Extra context menu item: Subscribe to Feed - res://C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll/1002
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {35402C01-1777-4159-9ABA-3480BA70D901} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra 'Tools' menuitem: Omea Add-on Options… - {35402C01-1777-4159-9ABA-3480BA70D901} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Subscribe to Feed - {35402C01-1777-4159-9ABA-3480BA70D903} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Clip and Edit - {35402C01-1777-4159-9ABA-3480BA70D905} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Clip and Save - {35402C01-1777-4159-9ABA-3480BA70D907} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Annotate - {35402C01-1777-4159-9ABA-3480BA70D909} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/insta...easeInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...059/mcfscan.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\xgmqsqjq.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:13 AM

Posted 28 June 2007 - 07:51 AM

Hello,

* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 grymwish

grymwish
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 28 June 2007 - 08:22 AM

Thank you very much, I will follow your instructions... I will reply this evening...

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:13 AM

Posted 28 June 2007 - 09:07 AM

Ok, I read your reply later.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 grymwish

grymwish
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 28 June 2007 - 09:46 PM

OK posting logs as instructed. Thanks again in advance.

***

ComboFix.txt

***

"Colo" - 2007-06-28 22:27:21 - ComboFix 07-06-27.7 - Service Pack 2 NTFS [SAFE MODE]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\MSN Gaming Zone\rtene.html


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-29 )))))))))))))))))))))))))))))))


2007-06-28 21:44 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-28 21:40 128,576 --a------ C:\WINDOWS\system32\mcinleks.dll
2007-06-27 23:27 66,112 --a------ C:\WINDOWS\system32\iulobiiq.dll
2007-06-27 23:24 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-27 23:23 1,396 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-27 23:22 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-27 23:22 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-27 21:30 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-27 15:30 <DIR> d-------- C:\DOCUME~1\Jess\APPLIC~1\SiteAdvisor
2007-06-26 21:13 <DIR> d-------- C:\DOCUME~1\Colo\APPLIC~1\RTPlayer
2007-06-25 05:58 4,672 --a------ C:\WINDOWS\system32\gcntsnwq.exe
2007-06-24 22:26 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-06-24 22:26 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\SiteAdvisor
2007-06-24 22:26 <DIR> d-------- C:\DOCUME~1\Colo\APPLIC~1\SiteAdvisor
2007-06-24 22:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2007-06-24 22:25 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-06-24 22:25 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-06-24 22:25 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-06-24 22:25 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-06-24 22:25 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-06-24 22:25 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-06-24 22:25 <DIR> d-------- C:\Program Files\McAfee.com
2007-06-24 22:25 <DIR> d-------- C:\Program Files\McAfee
2007-06-24 22:25 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-06-24 22:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-06-24 21:55 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-24 21:48 <DIR> d-------- C:\Program Files\TweakXP 2
2007-06-24 21:46 <DIR> d-------- C:\Program Files\Common Files\SystemDoctor
2007-06-24 21:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SystemDoctor Free
2007-06-24 20:38 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-06-24 18:14 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-24 18:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-24 18:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-24 18:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-24 17:48 192,622 --a------ C:\WINDOWS\system32\owinlndt.exe
2007-06-24 17:48 <DIR> d-------- C:\WINDOWS\system32\H5
2007-06-24 17:48 <DIR> d-------- C:\WINDOWS\system32\H4
2007-06-24 17:48 <DIR> d-------- C:\WINDOWS\system32\H3
2007-06-24 17:48 <DIR> d-------- C:\WINDOWS\system32\H2
2007-06-24 17:48 <DIR> d-------- C:\WINDOWS\system32\H1
2007-06-24 08:14 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-06-19 21:30 <DIR> d-------- C:\WINDOWS\system32\Logs
2007-06-19 21:30 <DIR> d-------- C:\DOCUME~1\Colo\APPLIC~1\tunebite
2007-06-19 21:29 <DIR> d-------- C:\Program Files\Tunebite
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-10-28 12:14:20 -------- d-----w C:\Program Files\QuickTime
2007-10-28 02:34:49 -------- d-----w C:\Program Files\iTunes
2007-10-28 02:34:39 -------- d-----w C:\Program Files\iPod
2007-10-28 02:33:48 -------- d-----w C:\DOCUME~1\Colo\APPLIC~1\DivX
2007-10-28 02:00:46 -------- d-----w C:\Program Files\Replay Media Catcher
2007-10-28 01:59:52 -------- d-----w C:\Program Files\WMR11
2007-10-27 02:25:46 -------- d-----w C:\Program Files\DivX
2007-10-25 02:40:59 -------- d-----w C:\Program Files\Veoh Networks
2007-06-29 02:31:31 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-06-28 00:58:38 -------- d-----w C:\Program Files\IGN
2007-06-11 02:45:26 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-11 02:45:23 88 --sh--r C:\WINDOWS\system32\E692F7D589.sys
2007-06-05 01:44:24 -------- d-----w C:\Program Files\Napster
2007-05-17 02:10:57 -------- d-----w C:\DOCUME~1\Colo\APPLIC~1\JetBrains
2007-05-17 02:10:54 -------- d-----w C:\Program Files\JetBrains
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 14:01:54 -------- d-----w C:\Program Files\Digital Camera
2007-05-11 17:54:15 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-05-11 04:37:15 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-05-11 04:37:15 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-05-11 04:37:15 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-05-11 04:37:15 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:24 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-04-23 00:15:24 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-04-23 00:15:24 116,472 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2004-08-04 09:00:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 09:00:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 09:00:00 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 09:00:00 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 09:00:00 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 09:00:00 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2004-08-04 09:00:00 553,472 --sha-w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 09:00:00 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 09:00:00 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 14:17]
{089FD14D-132B-48FC-8861-0048AE113215}=C:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 11:41]
{09628AAA-66AD-4FA2-82E2-698185B66463}=C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll [2007-02-02 13:19]
{58E5FDE5-EF44-4715-9D09-E19ABBF8C2F1}=C:\Program Files\Windows Media Player\mesocido43855.dll [2007-06-14 07:54]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-09-08 05:20]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\program files\mcafee\virusscan\scriptcl.dll [2006-12-22 16:02]
{BCFB5507-581B-4677-A4C3-8F184CB4F9CC}=C:\Program Files\Windows Media Player\mesocido83122.dll [2007-06-18 14:59]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)
"NoLogoff"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN Gaming Zone\rtene.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Control Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell Control Utility.lnk
backup=C:\WINDOWS\pss\Dell Control Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 5100 series) - 1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet 5100 series) - 1.lnk
backup=C:\WINDOWS\pss\HPAiODevice(hp officejet 5100 series) - 1.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
"C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\DellSupport\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LoadMSvcmm]
"C:\Program Files\Movielink\MovielinkManager\Movielink User.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe /systray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBInstall]
C:\DOCUME~1\Colo\LOCALS~1\Temp\MBDownloader_876919.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando]
"C:\Program Files\Pando Networks\Pando\Pando.exe" /Automation

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite.exe]
C:\Program Files\Tunebite\tunebite.exe -tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USDR6cw]
C:\Program Files\Common Files\SystemDoctor\USDR6cw.exe -c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.7.4\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{45-5D-D3-37-ZN}]
c:\windows\system32\mkdsregs.exe SKY003


Contents of the 'Scheduled Tasks' folder
2007-06-25 02:25:35 C:\WINDOWS\tasks\McDefragTask.job
2007-06-25 02:25:34 C:\WINDOWS\tasks\McQcTask.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-28 22:31:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-28 22:31:51
C:\ComboFix-quarantined-files.txt ... 2007-06-28 22:31

--- E O F ---
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\MSN Gaming Zone\rtene.html


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-29 )))))))))))))))))))))))))))))))


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\MSN Gaming Zone\rtene.html


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-29 )))))))))))))))))))))))))))))))

***

hijackthis.log

***

Logfile of HijackThis v1.99.1
Scan saved at 22:36, on 2007-06-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\WINDOWS\explorer.exe
C:\ComboFix\catchme.cfexe
C:\ComboFix\catchme.cfexe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=9i...lnXcOiUXZKHEb7g
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: IexploreOmea - {09628AAA-66AD-4FA2-82E2-698185B66463} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll
O2 - BHO: (no name) - {58E5FDE5-EF44-4715-9D09-E19ABBF8C2F1} - C:\Program Files\Windows Media Player\mesocido43855.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {BCFB5507-581B-4677-A4C3-8F184CB4F9CC} - C:\Program Files\Windows Media Player\mesocido83122.dll
O3 - Toolbar: Omea - {35402C01-1777-4159-9ABA-3480BA70D90A} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Clip and Edit - res://C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll/1000
O8 - Extra context menu item: Clip and Save - res://C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll/1001
O8 - Extra context menu item: Subscribe to Feed - res://C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll/1002
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {35402C01-1777-4159-9ABA-3480BA70D901} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra 'Tools' menuitem: Omea Add-on Options… - {35402C01-1777-4159-9ABA-3480BA70D901} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Subscribe to Feed - {35402C01-1777-4159-9ABA-3480BA70D903} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Clip and Edit - {35402C01-1777-4159-9ABA-3480BA70D905} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Clip and Save - {35402C01-1777-4159-9ABA-3480BA70D907} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Annotate - {35402C01-1777-4159-9ABA-3480BA70D909} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/insta...easeInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...059/mcfscan.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:13 AM

Posted 29 June 2007 - 04:48 AM

Hello,

Combofix was still running while you posted the log, so next time, wait until the log opens automatically.
Do next please...

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Select "C:\Program Files\MSN Gaming Zone\rtene.html" you find in there and press the delete button on the right.
Hit ok below > apply in previous window.

Then,

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\mcinleks.dll
C:\WINDOWS\system32\iulobiiq.dll
C:\Program Files\Windows Media Player\mesocido83122.dll
C:\Program Files\Windows Media Player\mesocido43855.dll
C:\WINDOWS\system32\gcntsnwq.exe
C:\WINDOWS\system32\owinlndt.exe

Folder::
C:\Program Files\Common Files\SystemDoctor
C:\DOCUME~1\ALLUSE~1\APPLIC~1\SystemDoctor Free
C:\WINDOWS\system32\H5
C:\WINDOWS\system32\H4
C:\WINDOWS\system32\H3
C:\WINDOWS\system32\H2
C:\WINDOWS\system32\H1

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{58E5FDE5-EF44-4715-9D09-E19ABBF8C2F1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BCFB5507-581B-4677-A4C3-8F184CB4F9CC}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=-
"NoLogoff"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBInstall]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USDR6cw]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{45-5D-D3-37-ZN}]


Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 grymwish

grymwish
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 30 June 2007 - 06:07 AM

As instructed - thanksa again for your advice.

---
ComboFix
---

"Colo" - 2007-06-30 7:00:34 - ComboFix 07-06-27.7 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Colo\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1\SystemDoctor Free
C:\Program Files\Common Files\SystemDoctor
C:\Program Files\Common Files\SystemDoctor\err.log
C:\Program Files\Windows Media Player\mesocido43855.dll
C:\Program Files\Windows Media Player\mesocido83122.dll
C:\WINDOWS\system32\gcntsnwq.exe
C:\WINDOWS\system32\H1
C:\WINDOWS\system32\H1\wbb22.exe
C:\WINDOWS\system32\H2
C:\WINDOWS\system32\H3
C:\WINDOWS\system32\H4
C:\WINDOWS\system32\H4\mwspasrt83122.exe
C:\WINDOWS\system32\H5
C:\WINDOWS\system32\iulobiiq.dll
C:\WINDOWS\system32\mcinleks.dll
C:\WINDOWS\system32\owinlndt.exe


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))


2007-06-28 21:44 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-27 23:24 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-27 23:23 1,396 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-27 23:22 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-27 23:22 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-27 21:30 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-27 15:30 <DIR> d-------- C:\DOCUME~1\Jess\APPLIC~1\SiteAdvisor
2007-06-26 21:13 <DIR> d-------- C:\DOCUME~1\Colo\APPLIC~1\RTPlayer
2007-06-24 22:26 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-06-24 22:26 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\SiteAdvisor
2007-06-24 22:26 <DIR> d-------- C:\DOCUME~1\Colo\APPLIC~1\SiteAdvisor
2007-06-24 22:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2007-06-24 22:25 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-06-24 22:25 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-06-24 22:25 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-06-24 22:25 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-06-24 22:25 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-06-24 22:25 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-06-24 22:25 <DIR> d-------- C:\Program Files\McAfee.com
2007-06-24 22:25 <DIR> d-------- C:\Program Files\McAfee
2007-06-24 22:25 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-06-24 22:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-06-24 21:55 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-24 21:48 <DIR> d-------- C:\Program Files\TweakXP 2
2007-06-24 20:38 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-06-24 18:14 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-24 18:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-24 18:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-24 18:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-24 08:14 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-06-19 21:30 <DIR> d-------- C:\WINDOWS\system32\Logs
2007-06-19 21:30 <DIR> d-------- C:\DOCUME~1\Colo\APPLIC~1\tunebite
2007-06-19 21:29 <DIR> d-------- C:\Program Files\Tunebite
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-20 21:29 <DIR> d-------- C:\Program Files\DivX
2007-05-16 22:10 <DIR> d-------- C:\Program Files\JetBrains
2007-05-16 22:10 <DIR> d-------- C:\DOCUME~1\Colo\APPLIC~1\JetBrains
2007-05-16 10:01 8,192 --a------ C:\WINDOWS\system32\CoachWrp.dll
2007-05-16 10:01 5,632 --a------ C:\WINDOWS\system32\CoachSti.dll
2007-05-16 10:01 46,944 --a------ C:\WINDOWS\system32\drivers\CoachUsb.sys
2007-05-16 10:01 44,256 --a------ C:\WINDOWS\system32\drivers\CoachVc.sys
2007-05-16 10:01 16,896 --a------ C:\WINDOWS\system32\CoachDlg.dll
2007-05-16 10:01 114,688 --a------ C:\WINDOWS\system32\JpegCode.dll
2007-05-16 09:57 <DIR> d-------- C:\Program Files\Digital Camera
2007-05-11 13:54 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-11 00:37 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-11 00:37 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-11 00:37 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-11 00:37 740,442 --a------ C:\WINDOWS\system32\DivX.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-10-28 12:14:20 -------- d-----w C:\Program Files\QuickTime
2007-10-28 02:34:49 -------- d-----w C:\Program Files\iTunes
2007-10-28 02:34:39 -------- d-----w C:\Program Files\iPod
2007-10-28 02:33:48 -------- d-----w C:\DOCUME~1\Colo\APPLIC~1\DivX
2007-10-28 02:00:46 -------- d-----w C:\Program Files\Replay Media Catcher
2007-10-28 01:59:52 -------- d-----w C:\Program Files\WMR11
2007-10-25 02:40:59 -------- d-----w C:\Program Files\Veoh Networks
2007-06-30 10:55:32 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-06-28 00:58:38 -------- d-----w C:\Program Files\IGN
2007-06-11 02:45:26 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-11 02:45:23 88 --sh--r C:\WINDOWS\system32\E692F7D589.sys
2007-06-05 01:44:24 -------- d-----w C:\Program Files\Napster
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:24 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-04-23 00:15:24 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-04-23 00:15:24 116,472 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2004-08-04 09:00:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 09:00:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 09:00:00 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 09:00:00 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 09:00:00 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 09:00:00 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2004-08-04 09:00:00 553,472 --sha-w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 09:00:00 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 09:00:00 11,776 --sha-w C:\WINDOWS\system32\regsvr32.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 14:17]
{089FD14D-132B-48FC-8861-0048AE113215}=C:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 11:41]
{09628AAA-66AD-4FA2-82E2-698185B66463}=C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll [2007-02-02 13:19]
{58E5FDE5-EF44-4715-9D09-E19ABBF8C2F1}=C:\Program Files\Windows Media Player\mesocido43855.dll []
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-09-08 05:20]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\program files\mcafee\virusscan\scriptcl.dll [2006-12-22 16:02]
{BCFB5507-581B-4677-A4C3-8F184CB4F9CC}=C:\Program Files\Windows Media Player\mesocido83122.dll []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)
"NoLogoff"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Control Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell Control Utility.lnk
backup=C:\WINDOWS\pss\Dell Control Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 5100 series) - 1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet 5100 series) - 1.lnk
backup=C:\WINDOWS\pss\HPAiODevice(hp officejet 5100 series) - 1.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
"C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\DellSupport\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LoadMSvcmm]
"C:\Program Files\Movielink\MovielinkManager\Movielink User.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando]
"C:\Program Files\Pando Networks\Pando\Pando.exe" /Automation

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite.exe]
C:\Program Files\Tunebite\tunebite.exe -tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe


Contents of the 'Scheduled Tasks' folder
2007-06-25 02:25:35 C:\WINDOWS\tasks\McDefragTask.job
2007-06-25 02:25:34 C:\WINDOWS\tasks\McQcTask.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-30 07:04:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-30 7:04:28
C:\ComboFix-quarantined-files.txt ... 2007-06-30 07:04
C:\ComboFix2.txt ... 2007-06-28 22:33

--- E O F ---



---
HijackThis
---

Logfile of HijackThis v1.99.1
Scan saved at 07:06, on 2007-06-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=9i...lnXcOiUXZKHEb7g
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: IexploreOmea - {09628AAA-66AD-4FA2-82E2-698185B66463} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: Omea - {35402C01-1777-4159-9ABA-3480BA70D90A} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Clip and Edit - res://C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll/1000
O8 - Extra context menu item: Clip and Save - res://C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll/1001
O8 - Extra context menu item: Subscribe to Feed - res://C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll/1002
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {35402C01-1777-4159-9ABA-3480BA70D901} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra 'Tools' menuitem: Omea Add-on Options… - {35402C01-1777-4159-9ABA-3480BA70D901} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Subscribe to Feed - {35402C01-1777-4159-9ABA-3480BA70D903} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Clip and Edit - {35402C01-1777-4159-9ABA-3480BA70D905} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Clip and Save - {35402C01-1777-4159-9ABA-3480BA70D907} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Annotate - {35402C01-1777-4159-9ABA-3480BA70D909} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/insta...easeInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...059/mcfscan.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:13 AM

Posted 30 June 2007 - 08:12 AM

Hello,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=9i...lnXcOiUXZKHEb7g$ <== check this if you didn't set this.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present <== check this if you're not aware that there are restrictions present in the Internet Explorer options
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/insta...easeInstall.cab

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Delete next folder: C:\Qoobox

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Let me know in your next reply how things are now.

Edited by miekiemoes, 30 June 2007 - 08:13 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 grymwish

grymwish
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 30 June 2007 - 10:43 PM

Things are definitely much much better - no more random popups no more random streaming audio. You definitely cured the malware issue.

You are the coolest - thank you so much. Everything seems to be smooth running, 5 by 5.

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:13 AM

Posted 01 July 2007 - 03:48 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:13 AM

Posted 03 July 2007 - 05:57 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users