
Thread: Can't get rid of jkkjk.dll jkkjk.exe

  1. #1
    Member (Join Date: Jan 2008, Posts: 39)

    Can't get rid of jkkjk.dll jkkjk.exe

    Definitely infected, and would appreciate help.

    Symptoms:
    - internet explorer randomly starting up a new window
    - several processes listed twice in the process viewer, and the second copy had a space in the name (so "dvdloader.exe" and "dvdloader .exe" were both running)
    - suspicious jkkjk.dll and jkkjk.exe files I could not remove

    Things I have already done:
    - McAfee was one of the processes running twice, so I uninstalled and re-installed McAfee
    - had older versions of HJT, Spybot and ComboFix; went through several iterations trying to clean things up, and thought I had gotten rid of most of it except jkkjk.dll
    - tried using Autoruns to stop them from loading

    Realized I needed help.

    HJT log
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:09:35 AM, on 1/5/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\PROGRA~1\McAfee\MPS\mps.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
    C:\WINDOWS\system32\wuauclt.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\McAfee\MPS\mpsevh.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: AutorunsDisabled
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
    O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames...z.cab67031.cab
    O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames...e.cab60231.cab
    O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://cam3.kfbserv.com:1738/plugin/h263ctrl.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://myvpn.ford.com/dana-cached/s...erSetupSP1.cab
    O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
    O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 5890 bytes

  2. #2
    Member (Join Date: Jan 2008, Posts: 39)

    Kaspersky Scan log

    The scan log was too long, so I cut out most of the "restore point" infection lines.
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Saturday, January 05, 2008 9:06:10 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 5/01/2008
    Kaspersky Anti-Virus database records: 502797
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 75953
    Number of viruses found: 8
    Number of infected objects: 273
    Number of suspicious objects: 0
    Duration of the scan process: 01:20:13

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Administrator\Local Settings\temp\RCX3.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{7FA99DCA-4A58-42DC-9782-3078A0891E11}.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bfe3a61d2d4842d756f6d012f04cbda1_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\CTDVDDET.EXE.bac_a02980 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\CTSysVol.exe.bac_a02980 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\DVDLauncher.exe.bac_a02980 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\iaanotif.exe.bac_a02980 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\jkkjk.exe.bac_a03028 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\jusched.exe.bac_a02980 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\mcvsshld.exe.bac_a02980 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\MpfTray.exe.bac_a02980 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\oasclnt.exe.bac_a02980 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\PCMService.exe.bac_a02980 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\RCX32.tmp.bac_a03028 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\RCX33.tmp.bac_a03028 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\RCX34.tmp.bac_a03028 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\RCX35.tmp.bac_a03028 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\RCX46.tmp.bac_a03028 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\tfswctrl.exe.bac_a02980 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\Yazzle1552OinAdmin.exe.vir.bac_a03028 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
    C:\Documents and Settings\Tony Bailey\Application Data\Mozilla\Firefox\Profiles\dmhn7120.Default User\cert8.db Object is locked skipped
    C:\Documents and Settings\Tony Bailey\Application Data\Mozilla\Firefox\Profiles\dmhn7120.Default User\history.dat Object is locked skipped
    C:\Documents and Settings\Tony Bailey\Application Data\Mozilla\Firefox\Profiles\dmhn7120.Default User\key3.db Object is locked skipped
    C:\Documents and Settings\Tony Bailey\Application Data\Mozilla\Firefox\Profiles\dmhn7120.Default User\search.sqlite Object is locked skipped
    C:\Documents and Settings\Tony Bailey\Application Data\Mozilla\Firefox\Profiles\dmhn7120.Default User\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\Tony Bailey\Cookies\INDEX.DAT Object is locked skipped
    C:\Documents and Settings\Tony Bailey\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
    C:\Documents and Settings\Tony Bailey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Tony Bailey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Tony Bailey\Local Settings\Application Data\Mozilla\Firefox\Profiles\dmhn7120.Default User\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\Tony Bailey\Local Settings\Application Data\Mozilla\Firefox\Profiles\dmhn7120.Default User\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\Tony Bailey\Local Settings\Application Data\Mozilla\Firefox\Profiles\dmhn7120.Default User\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\Tony Bailey\Local Settings\Application Data\Mozilla\Firefox\Profiles\dmhn7120.Default User\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\Tony Bailey\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
    C:\Documents and Settings\Tony Bailey\Local Settings\History\History.IE5\MSHist012008010520080106\index.dat Object is locked skipped
    C:\Documents and Settings\Tony Bailey\Local Settings\Temp\2008132317_mcinfo.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\Tony Bailey\Local Settings\Temp\RCX8.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\Tony Bailey\Local Settings\Temp\RCXA.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Documents and Settings\Tony Bailey\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Tony Bailey\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Tony Bailey\Local Settings\Temporary Internet Files\Content.IE5\PREHNCHL\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
    C:\Documents and Settings\Tony Bailey\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Tony Bailey\ntuser.dat.LOG Object is locked skipped
    C:\found.000\file0000.chk Object is locked skipped
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif .exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP820\A0052824.exe Infected: Trojan-Downloader.Win32.Osel.bx skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP820\A0052827.exe Infected: not-a-virus:AdWare.Win32.Agent.vv skipped

    [[ snip ]]

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{E93B5B95-7F43-40C1-8CA4-EFB8AC538F11}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\ctfmon.exe.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
    C:\WINDOWS\SYSTEM32\lkfllwdk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\TEMP\mcafee_YUT4duVRxcUkeo3 Object is locked skipped
    C:\WINDOWS\TEMP\mcmsc_CgrkdGwVeI1gKAP Object is locked skipped
    C:\WINDOWS\TEMP\mcmsc_FIwiHkUjJNI9Qcp Object is locked skipped
    C:\WINDOWS\TEMP\mcmsc_LSUqrUpMlyUA2Ag Object is locked skipped
    C:\WINDOWS\TEMP\mcmsc_R7PzPLckpg5EZxN Object is locked skipped
    C:\WINDOWS\TEMP\mcmsc_XTj7Rpt841cgGkk Object is locked skipped
    C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
    C:\WINDOWS\WIASERVC.LOG Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP840\change.log Object is locked skipped

    Scan process completed.

  3. #3
    little eagle, Security Expert (Join Date: Nov 2005, Location: Texas, Posts: 1,216)

    Reboot and rescan with HiJackThis and post a new log here.
    Also please describe how your computer behaves at the moment.
    MS-MVP Windows Security 2006,2007,2008 & 2009
    ASAP member since 2004

  4. #4
    Member (Join Date: Jan 2008, Posts: 39)

    new HJT log

    I am seeing a couple of symptoms at the moment:
    • Duplicate running processes with a space in the name (like "TeaTimer.exe" and "TeaTimer .exe" below)
    • Periodically Internet Explorer opens to random pages
    • jkkjk.dll and jkkjk.exe files/registry entries that I cannot get rid of

    Thanks for the help.

    -- new HJT log below
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:28:32 AM, on 1/11/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\PROGRA~1\McAfee\MPS\mps.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\MPS\mpsevh.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Cache Cleaner] C:\Documents and Settings\Tony Bailey\Application Data\Juniper Networks\Cache Cleaner 5.5.0\dsCacheCleaner.exe -action delete
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
    O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames...z.cab67031.cab
    O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames...e.cab60231.cab
    O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://cam3.kfbserv.com:1738/plugin/h263ctrl.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://myvpn.ford.com/dana-cached/s...erSetupSP1.cab
    O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
    O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 6410 bytes
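The "same name with a space before .exe" pattern reported in posts #1 and #4 is easy to check for mechanically. The script below is an added example, not code from this thread or from HijackThis or ComboFix: it pulls the "Running processes" section out of an HJT log, groups files by directory and padded-free name, and flags every padded name together with whether its unpadded sibling was also running; it also parses ComboFix's "old ---> new" rename lines. The sample log lines are constructed from the logs above, and the reading of a "QooBox" target as ComboFix's quarantine folder is my assumption, not something this page states.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a trimmed "Running processes" section in HijackThis
# format, modelled on the logs posted in this thread (not the full log).
SAMPLE_HJT_LOG = "\n".join([
    "Logfile of Trend Micro HijackThis v2.0.2",
    "Scan saved at 12:28:32 AM, on 1/11/2008",
    "",
    "Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
    r"C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe",
    r"C:\Program Files\Intel\Intel Application Accelerator\iaanotif  .exe",
    r"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe",
    "",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank",
])

# Constructed sample of ComboFix's "old name ---> new name" rename block,
# in the shape shown later in this thread.
SAMPLE_COMBOFIX_RENAMES = "\n".join([
    r"C:\Program Files\QuickTime\qttask  .exe ---> QooBox",
    r"C:\Program Files\QuickTime\qttask .exe ---> qttask.exe",
    r"C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe ---> TeaTimer.exe",
])

# Whitespace sitting directly in front of the final extension, e.g. "TeaTimer .exe".
SPACE_BEFORE_EXT = re.compile(r"\s+(?=\.[^.\s]+$)")


@dataclass
class Finding:
    directory: str   # lower-cased directory the variants live in
    canonical: str   # lower-cased file name with the padding removed
    variants: list   # the distinct file names actually seen in that directory
    twin: bool       # True if a padded name and its unpadded sibling both appear


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' in an HJT log."""
    procs, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line.lower() == "running processes:"
            continue
        if not line:  # the section ends at the first blank line
            break
        procs.append(line)
    return procs


def split_path(path):
    directory, _, name = path.rpartition("\\")
    return directory, name


def canonical_name(name):
    """'iaanotif  .exe' -> 'iaanotif.exe'; lower-cased so variants group together."""
    return SPACE_BEFORE_EXT.sub("", name).lower()


def has_space_before_extension(name):
    return SPACE_BEFORE_EXT.search(name) is not None


def find_space_twins(paths):
    """Group paths by directory + canonical name and report every group that
    contains a padded name, noting whether the unpadded original also ran."""
    groups = defaultdict(set)
    for path in paths:
        directory, name = split_path(path)
        groups[(directory.lower(), canonical_name(name))].add(name)
    findings = []
    for (directory, canon), names in sorted(groups.items()):
        if any(has_space_before_extension(n) for n in names):
            findings.append(Finding(directory, canon, sorted(names), len(names) > 1))
    return findings


def parse_combofix_renames(text):
    """Parse 'old ---> new' lines. Assumption (not stated on this page): a target
    of 'QooBox' means the file went to ComboFix's quarantine folder; any other
    target is the name the file was renamed to."""
    actions = {}
    for line in text.splitlines():
        if " ---> " not in line:
            continue
        old, new = (s.strip() for s in line.split(" ---> ", 1))
        actions[old] = "quarantined" if new == "QooBox" else "renamed to " + new
    return actions


if __name__ == "__main__":
    for f in find_space_twins(running_processes(SAMPLE_HJT_LOG)):
        kind = "padded name AND original both running" if f.twin else "padded name only"
        print(f"{f.directory}: {f.variants}  [{kind}]")
    for old, action in parse_combofix_renames(SAMPLE_COMBOFIX_RENAMES).items():
        print(f"{old} -> {action}")
```

A padded copy running beside its original is the stronger signal; a padded name on its own still merits a look at what occupies the unpadded name in that directory.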

  5. #5
    little eagle, Security Expert (Join Date: Nov 2005, Location: Texas, Posts: 1,216)

    Try running combofix.exe
    Download it from one of the links below:
    Note:
    It is important that it is saved directly to your desktop

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    Double click combofix.exe & follow the prompts.
    When finished, it will produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    MS-MVP Windows Security 2006,2007,2008 & 2009
    ASAP member since 2004

  6. #6
    Member (Join Date: Jan 2008, Posts: 39)

    ComboFix log

    Downloaded and ran ComboFix; log below.

    ComboFix 08-01-11.1 - Tony Bailey 2008-01-11 18:09:39.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.524 [GMT -5:00]
    Running from: C:\hjt\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif .exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\SYSTEM32\ctfmon .exe
    C:\WINDOWS\system32\ctfmon.exe.tmp
    C:\WINDOWS\system32\fimffrtl.dll
    C:\WINDOWS\system32\gxmeoecx.dll
    C:\WINDOWS\system32\hwbhvrxs.dll
    C:\WINDOWS\system32\jkkjk-old.dll
    C:\WINDOWS\system32\jkkjk.dll
    C:\WINDOWS\system32\jkkjk.exe
    C:\WINDOWS\SYSTEM32\kdwllfkl.ini
    C:\WINDOWS\SYSTEM32\kjkkj.ini
    C:\WINDOWS\SYSTEM32\kjkkj.ini2
    C:\WINDOWS\system32\lkfllwdk.dll
    C:\WINDOWS\SYSTEM32\ltrffmif.ini
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\SYSTEM32\mvowivcs.ini
    C:\WINDOWS\system32\piqciund.dll
    C:\WINDOWS\system32\scviwovm.dll
    C:\WINDOWS\system32\xabqwdru.dll
    C:\WINDOWS\SYSTEM32\xqfbhqba.ini

    Code:
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe ---> QooBox
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif  .exe ---> iaanotif.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe ---> QooBox
    C:\Program Files\QuickTime\qttask  .exe ---> QooBox
    C:\Program Files\QuickTime\qttask .exe ---> qttask.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe ---> TeaTimer.exe
    C:\WINDOWS\SYSTEM32\ctfmon .exe ---> QooBox
    .
    .
    ((((((((((((((((((((((((( Files Created from 2007-12-11 to 2008-01-11 )))))))))))))))))))))))))))))))
    .

    2008-01-11 18:08 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-08 12:21 . 2008-01-08 12:21 294 --ahs---- C:\WINDOWS\SYSTEM32\tsilpikp.ini
    2008-01-06 09:16 . 2008-01-06 09:16 75,840 --a------ C:\WINDOWS\SYSTEM32\gdlsaufa.dll
    2008-01-06 09:10 . 2008-01-06 09:10 294 --ahs---- C:\WINDOWS\SYSTEM32\jhrkhoyt.ini
    2008-01-06 09:01 . 2008-01-06 09:01 75,840 --a------ C:\WINDOWS\SYSTEM32\gcvlwivg.dll
    2008-01-05 00:03 . 2008-01-05 00:03 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-04 23:58 . 2008-01-04 23:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2008-01-04 23:58 . 2008-01-04 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-01-04 01:34 . 2008-01-04 01:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DivX
    2008-01-04 00:50 . 2008-01-04 00:50 <DIR> d--h----- C:\WINDOWS\PIF
    2008-01-03 23:26 . 2008-01-11 18:14 6,500 --a------ C:\WINDOWS\SYSTEM32\Config.MPF
    2008-01-03 23:25 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\SYSTEM32\dunzip32.dll
    2008-01-03 23:24 . 2007-06-25 10:57 171,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
    2008-01-03 23:24 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
    2008-01-03 23:24 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
    2008-01-03 23:24 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
    2008-01-03 23:24 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
    2008-01-03 23:24 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
    2008-01-03 23:23 . 2008-01-03 23:23 <DIR> d-------- C:\Program Files\McAfee.com
    2008-01-03 23:23 . 2008-01-04 00:56 <DIR> d-------- C:\Program Files\McAfee
    2008-01-03 23:23 . 2008-01-03 23:25 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2008-01-03 23:08 . 2008-01-03 23:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
    2008-01-03 22:13 . 2008-01-03 22:14 <DIR> d-------- C:\pebuilder3110a
    2008-01-03 21:58 . 2008-01-03 21:58 <DIR> d-------- C:\Program Files\Compaq
    2007-12-31 22:49 . 2007-12-31 22:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-12-30 15:34 . 2008-01-04 20:30 <DIR> d-------- C:\Program Files\Sony
    2007-12-30 08:51 . 2008-01-02 18:54 778,318 --a------ C:\WINDOWS\SYSTEM32\wltray .exe
    2007-12-30 02:07 . 2007-12-30 02:07 <DIR> d-------- C:\Documents and Settings\Tony Bailey\Application Data\MySpace

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-11 23:13 --------- d-----w C:\Program Files\QuickTime
    2008-01-11 22:52 --------- d-----w C:\Documents and Settings\Tony Bailey\Application Data\Juniper Networks
    2008-01-10 01:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Juniper Networks
    2008-01-05 04:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-01-04 07:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-04 05:08 --------- d-----w C:\Program Files\eGames
    2008-01-04 04:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
    2008-01-03 02:38 --------- d-----w C:\Program Files\Real
    2008-01-03 02:38 --------- d-----w C:\Program Files\Logitech
    2008-01-03 02:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
    2008-01-03 02:24 --------- d-----w C:\Program Files\Dell
    2007-12-29 05:31 --------- d-----w C:\Documents and Settings\Tony Bailey\Application Data\BitTorrent
    2007-12-20 02:20 --------- d-----w C:\Program Files\MSN Messenger
    2007-12-11 01:07 --------- d-----w C:\Program Files\UltimateBuddy
    2007-12-07 19:53 --------- d-----w C:\Program Files\Neoteris
    2007-12-04 03:01 --------- d-----w C:\Program Files\UltimateBet
    2007-12-01 00:03 --------- d-----w C:\Program Files\Microsoft Money 2005
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
    2007-11-07 09:26 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
    2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
    2007-10-30 16:53 360,832 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
    2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
    2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
    2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
    2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
    .
    Code:
    ----a-w           131,072 2008-01-04 04:05:18  C:\Documents and Settings\Tony Bailey\Local Settings\Temp\20081323125_mcappins .exe
    ----a-w           110,592 2008-01-03 00:21:10  C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
    ----a-w            45,056 2008-01-03 00:21:10  C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET .EXE
    ----a-w            57,344 2008-01-03 00:21:08  C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol .exe
    ----a-w           778,318 2008-01-02 23:54:19  C:\WINDOWS\SYSTEM32\wltray .exe
    ----a-w           122,939 2008-01-03 02:33:50  C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D7F479D-20F9-4E47-8FB0-D41748AA9047}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3816723A-A215-47E7-876D-1E89B6D4C1A3}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A74041A-7DFF-4A56-BEC8-350E17D98BC4}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4EB32074-A829-419C-BD31-8CB209408672}]
    C:\WINDOWS\system32\jkkjk.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-11 17:50 1460560]
    "Cache Cleaner"="C:\Documents and Settings\Tony Bailey\Application Data\Juniper Networks\Cache Cleaner 5.5.0\dsCacheCleaner.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 14:44 101136 C:\WINDOWS\KHALMNPR.Exe]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 14:29 7561216]
    "CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [ ]
    "CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [ ]
    "nwiz"="nwiz.exe" [2006-03-09 14:29 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe]
    "wltray.exe"="C:\WINDOWS\system32\wltray.exe" [ ]
    "combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 06:00 388608]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2005-12-29 20:08:38]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-06-29 23:53]
    S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 16:10]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-04 04:23:59 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
    "2008-01-04 04:23:58 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-11 18:14:21
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-11 18:16:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-11 23:15:57
    .
    2008-01-09 13:07:16 --- E O F ---

  7. #7
    Security Expert little eagle's Avatar
    Join Date
    Nov 2005
    Location
    Texas
    Posts
    1,216

    Default

    Open notepad and copy/paste the text in the codebox below into it:

    Code:
    RenV::
    C:\Documents and Settings\Tony Bailey\Local Settings\Temp\20081323125_mcappins .exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET .EXE
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol .exe
    C:\WINDOWS\SYSTEM32\wltray .exe
    C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D7F479D-20F9-4E47-8FB0-D41748AA9047}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3816723A-A215-47E7-876D-1E89B6D4C1A3}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A74041A-7DFF-4A56-BEC8-350E17D98BC4}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4EB32074-A829-419C-BD31-8CB209408672}]
    
    
    File::
    C:\WINDOWS\system32\jkkjk.dll
    Save this as "CFScript"




    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    Then post the results log and a new HijackThis log.
    MS-MVP Windows Security 2006,2007,2008 & 2009
    ASAP member since 2004

  8. #8
    Member
    Join Date
    Jan 2008
    Posts
    39

    Default CFScript log

    Combofix logs after running with above CFScript.txt:

    ComboFix 08-01-11.1 - Tony Bailey 2008-01-13 15:10:27.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.693 [GMT -5:00]
    Running from: C:\hjt\ComboFix.exe
    Command switches used :: C:\hjt\CFScript.txt C:\hjt\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\system32\jkkjk.dll
    .

    ((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
    .

    2008-01-12 12:28 . 2008-01-12 12:28 102,800 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
    2008-01-11 18:08 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-08 12:21 . 2008-01-08 12:21 294 --ahs---- C:\WINDOWS\SYSTEM32\tsilpikp.ini
    2008-01-06 09:16 . 2008-01-06 09:16 75,840 --a------ C:\WINDOWS\SYSTEM32\gdlsaufa.dll
    2008-01-06 09:10 . 2008-01-06 09:10 294 --ahs---- C:\WINDOWS\SYSTEM32\jhrkhoyt.ini
    2008-01-06 09:01 . 2008-01-06 09:01 75,840 --a------ C:\WINDOWS\SYSTEM32\gcvlwivg.dll
    2008-01-05 00:03 . 2008-01-05 00:03 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-04 23:58 . 2008-01-04 23:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2008-01-04 23:58 . 2008-01-04 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-01-04 01:34 . 2008-01-04 01:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DivX
    2008-01-04 00:50 . 2008-01-04 00:50 <DIR> d--h----- C:\WINDOWS\PIF
    2008-01-03 23:26 . 2008-01-12 12:01 6,500 --a------ C:\WINDOWS\SYSTEM32\Config.MPF
    2008-01-03 23:25 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\SYSTEM32\dunzip32.dll
    2008-01-03 23:24 . 2007-06-25 10:57 171,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
    2008-01-03 23:24 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
    2008-01-03 23:24 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
    2008-01-03 23:24 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
    2008-01-03 23:24 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
    2008-01-03 23:24 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
    2008-01-03 23:23 . 2008-01-03 23:23 <DIR> d-------- C:\Program Files\McAfee.com
    2008-01-03 23:23 . 2008-01-04 00:56 <DIR> d-------- C:\Program Files\McAfee
    2008-01-03 23:23 . 2008-01-03 23:25 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2008-01-03 23:08 . 2008-01-03 23:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
    2008-01-03 22:13 . 2008-01-03 22:14 <DIR> d-------- C:\pebuilder3110a
    2008-01-03 21:58 . 2008-01-03 21:58 <DIR> d-------- C:\Program Files\Compaq
    2007-12-31 22:49 . 2007-12-31 22:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-12-30 15:34 . 2008-01-04 20:30 <DIR> d-------- C:\Program Files\Sony
    2007-12-30 08:51 . 2008-01-02 18:54 778,318 --a------ C:\WINDOWS\SYSTEM32\wltray.exe
    2007-12-30 02:07 . 2007-12-30 02:07 <DIR> d-------- C:\Documents and Settings\Tony Bailey\Application Data\MySpace

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-11 23:13 --------- d-----w C:\Program Files\QuickTime
    2008-01-11 22:52 --------- d-----w C:\Documents and Settings\Tony Bailey\Application Data\Juniper Networks
    2008-01-10 01:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Juniper Networks
    2008-01-05 04:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-01-04 07:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-04 05:08 --------- d-----w C:\Program Files\eGames
    2008-01-04 04:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
    2008-01-03 02:38 --------- d-----w C:\Program Files\Real
    2008-01-03 02:38 --------- d-----w C:\Program Files\Logitech
    2008-01-03 02:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
    2008-01-03 02:24 --------- d-----w C:\Program Files\Dell
    2007-12-29 05:31 --------- d-----w C:\Documents and Settings\Tony Bailey\Application Data\BitTorrent
    2007-12-20 02:20 --------- d-----w C:\Program Files\MSN Messenger
    2007-12-11 01:07 --------- d-----w C:\Program Files\UltimateBuddy
    2007-12-07 19:53 --------- d-----w C:\Program Files\Neoteris
    2007-12-04 03:01 --------- d-----w C:\Program Files\UltimateBet
    2007-12-01 00:03 --------- d-----w C:\Program Files\Microsoft Money 2005
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
    2007-11-07 09:26 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
    2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
    2007-10-30 16:53 360,832 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
    2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
    2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
    2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
    2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-11_18.15.40.17 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-11 23:08:58 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-13 20:09:56 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    - 2008-01-11 23:08:58 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-13 20:09:56 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-11 23:08:58 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
    + 2008-01-13 20:09:56 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
    - 2008-01-11 23:08:58 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-13 20:09:56 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-11 23:08:58 5,722,112 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
    + 2008-01-13 20:09:57 5,726,208 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
    - 2008-01-11 23:08:58 364,544 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-13 20:09:58 364,544 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-03 02:33:50 122,939 ----a-w C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
    - 2008-01-11 22:54:24 41,624 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
    + 2008-01-12 17:04:43 41,624 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
    - 2008-01-11 22:54:24 316,158 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
    + 2008-01-12 17:04:43 316,158 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-11 17:50 1460560]
    "Cache Cleaner"="C:\Documents and Settings\Tony Bailey\Application Data\Juniper Networks\Cache Cleaner 5.5.0\dsCacheCleaner.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 14:44 101136 C:\WINDOWS\KHALMNPR.Exe]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 14:29 7561216]
    "CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2008-01-02 19:21 45056]
    "CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2008-01-02 19:21 57344]
    "nwiz"="nwiz.exe" [2006-03-09 14:29 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe]
    "wltray.exe"="C:\WINDOWS\system32\wltray.exe" [2008-01-02 18:54 778318]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2005-12-29 20:08:38]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-06-29 23:53]
    S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 16:10]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-04 04:23:59 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
    "2008-01-04 04:23:58 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-13 15:12:57
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-13 15:13:48
    ComboFix-quarantined-files.txt 2008-01-13 20:13:26
    ComboFix2.txt 2008-01-11 23:16:06
    .
    2008-01-09 13:07:16 --- E O F ---

  9. #9
    Member
    Join Date
    Jan 2008
    Posts
    39

    Default New HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:28:32 AM, on 1/11/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\PROGRA~1\McAfee\MPS\mps.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\MPS\mpsevh.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Cache Cleaner] C:\Documents and Settings\Tony Bailey\Application Data\Juniper Networks\Cache Cleaner 5.5.0\dsCacheCleaner.exe -action delete
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
    O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames...z.cab67031.cab
    O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames...e.cab60231.cab
    O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://cam3.kfbserv.com:1738/plugin/h263ctrl.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://myvpn.ford.com/dana-cached/s...erSetupSP1.cab
    O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
    O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 6410 bytes
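The log above still lists both `TeaTimer.exe` and `TeaTimer .exe` as running, the same "space before the extension" trick the original post noticed with `dvdloader .exe`. The following script is an added example, not part of this thread or of HijackThis/ComboFix: it reads the "Running processes:" section of a HJT-style log, flags any basename with whitespace padding before its extension, and groups look-alike entries that share a directory with a genuinely named sibling. The sample log embedded in it is constructed for the example and only mirrors the naming patterns seen in this thread.

```python
import re

# Constructed sample in the style of a HijackThis "Running processes:"
# section. Paths are made up for this example; a real log would be read
# from a file.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\QuickTime\qttask  .exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET .EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""

# A basename whose extension is separated from the stem by one or more
# spaces, e.g. "TeaTimer .exe" or "qttask  .exe".
SPACED_EXT = re.compile(
    r"^(?P<stem>.*?\S)(?P<pad> +)\.(?P<ext>exe|dll|scr|com)$", re.IGNORECASE
)


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def strip_padding(name):
    """Remove whitespace that sits between the stem and the extension."""
    return re.sub(r"\s+(?=\.[^.\s]+$)", "", name)


def running_processes(log):
    """Return the paths listed under 'Running processes:' in a HJT-style log.

    The section ends at the first blank line, which is how HijackThis
    separates it from the R0/O4/... entries that follow.
    """
    procs = []
    in_section = False
    for line in log.splitlines():
        line = line.rstrip()
        if line.lower().startswith("running processes:"):
            in_section = True
            continue
        if in_section:
            if not line:
                break
            procs.append(line)
    return procs


def find_spaced_names(paths):
    """Map each path with a padded extension to the name it imitates."""
    findings = {}
    for p in paths:
        m = SPACED_EXT.match(basename(p))
        if m:
            findings[p] = f"{m.group('stem')}.{m.group('ext')}"
    return findings


def find_lookalike_pairs(paths):
    """Group entries that collapse to the same directory + normalised name.

    A group with more than one member means a legitimate binary and a
    look-alike copy are both listed, which is what the thread describes.
    """
    groups = {}
    for p in paths:
        directory, name = p.rsplit("\\", 1)
        key = (directory.lower(), strip_padding(name).lower())
        groups.setdefault(key, []).append(p)
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    procs = running_processes(SAMPLE_LOG)
    for path, imitates in find_spaced_names(procs).items():
        print(f"padded extension: {path}  (imitates {imitates})")
    for group in find_lookalike_pairs(procs):
        print("look-alike pair: " + " | ".join(group))
```

The two checks are deliberately separate: a padded extension is suspicious on its own (no installer names a file that way), while a look-alike pair confirms which legitimate binary is being shadowed and therefore which original must be kept when the copy is removed or renamed, as the RenV:: section of the CFScript in post #7 does.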

  10. #10
    Security Expert little eagle's Avatar
    Join Date
    Nov 2005
    Location
    Texas
    Posts
    1,216

    Default

    Open notepad and copy/paste the text in the codebox below into it:

    Code:
    File::
    C:\WINDOWS\SYSTEM32\tsilpikp.ini
    C:\WINDOWS\SYSTEM32\gdlsaufa.dll
    C:\WINDOWS\SYSTEM32\jhrkhoyt.ini
    C:\WINDOWS\SYSTEM32\gcvlwivg.dll
    Save this as "CFScript"




    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    Then post the results log.
    MS-MVP Windows Security 2006,2007,2008 & 2009
    ASAP member since 2004
