Can't get rid of jkkjk.dll jkkjk.exe
c_anthony_bailey
2008-01-05, 17:38
Definitely infected, and would appreciate help.
Symptoms:
- internet explorer randomly starting up a new window
- several processes listed twice in process viewer and second copy had a space in the name (so "dvdloader.exe" and "dvdloader .exe" both running)
- suspicious jkkjk.dll and jkkjk.exe file I could not remove
Things I have already done:
- McAfee was one of the processes running twice, so I uninstalled and re-installed McAfee
- had older versions of HJT, Spybot and combofix, went through several iterations trying to clean things up, thought I had gotten rid of most except jkkjk.dll
- tried using autoruns to stop them from loading
Realized I needed help
HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:35 AM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: AutorunsDisabled
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab67031.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://cam3.kfbserv.com:1738/plugin/h263ctrl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://myvpn.ford.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 5890 bytes
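The twin processes described in this post ("TeaTimer.exe" beside "TeaTimer .exe", a space slipped in before the extension) can be pulled out of a HijackThis log mechanically rather than by eye. The Python below is an added illustration written for this page; it is not code from the thread, from HijackThis, or from any other tool mentioned here. The log excerpt embedded in it is a constructed sample modelled on the log above, and the function names are my own.

```python
"""
Flag "companion" executables whose file name carries whitespace before the
extension (e.g. "TeaTimer .exe" sitting next to "TeaTimer.exe") in the
"Running processes" section of a HijackThis log.

Added illustration, not code from the thread or from HijackThis.  The log
text at the bottom is a constructed sample modelled on the thread's log.
"""
import ntpath
import re

# A base name that ends in one or more spaces immediately before the
# extension: "ctfmon .exe", "CTDVDDET .EXE".  A name such as
# "Adobe Reader 9.exe" does not match, because the dot does not follow
# the whitespace directly.
SPACE_BEFORE_EXT = re.compile(r"^(?P<stem>.*\S)\s+\.(?P<ext>[A-Za-z0-9]+)$")

# A HijackThis process line is an absolute Windows path ("C:\...").
WINDOWS_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_running_processes(hjt_text):
    """Return the paths listed under 'Running processes:' in a HijackThis
    log.  The section ends at the first line that is not a Windows path
    (the R0/O4/O23... entries that follow it)."""
    paths = []
    in_section = False
    for line in hjt_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_section = True
            continue
        if not in_section:
            continue
        if not WINDOWS_PATH.match(line):
            break
        paths.append(line)
    return paths


def find_space_companions(paths):
    """Return (suspicious_path, legitimate_twin_or_None) pairs.

    A hit is any path whose file name has whitespace before its extension.
    If the same directory also holds the name with the whitespace removed,
    that path is reported as the legitimate file the impostor shadows;
    otherwise None is returned for the twin (the real file may simply not
    be running, so the hit still deserves a look)."""
    seen = {p.lower() for p in paths}
    hits = []
    for p in paths:
        directory, name = ntpath.split(p)
        m = SPACE_BEFORE_EXT.match(name)
        if not m:
            continue
        twin = ntpath.join(directory, f"{m.group('stem')}.{m.group('ext')}")
        hits.append((p, twin if twin.lower() in seen else None))
    return hits


# Constructed sample modelled on the thread's log (not the full log).
SAMPLE_HJT_LOG = """Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\ctfmon.exe
C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer .exe
C:\\Program Files\\Intel\\Intel Application Accelerator\\iaanotif .exe
C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
"""

if __name__ == "__main__":
    procs = parse_running_processes(SAMPLE_HJT_LOG)
    for bad, twin in find_space_companions(procs):
        print(f"SUSPICIOUS: {bad}")
        print(f"  shadows:  {twin or '(no matching legitimate file in the list)'}")
```

Run as a script it prints each impostor together with the legitimate file it sits beside. The check is on the file name, not on the process list, so the same regular expression works just as well over a directory listing of Program Files or system32, which is where the ComboFix output later in this thread finds the remaining copies.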
c_anthony_bailey
2008-01-05, 17:43
Scan was too long so cut out most of the "restore point" infection lines
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, January 05, 2008 9:06:10 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/01/2008
Kaspersky Anti-Virus database records: 502797
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 75953
Number of viruses found: 8
Number of infected objects: 273
Number of suspicious objects: 0
Duration of the scan process: 01:20:13
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Local Settings\temp\RCX3.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{7FA99DCA-4A58-42DC-9782-3078A0891E11}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bfe3a61d2d4842d756f6d012f04cbda1_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\CTDVDDET.EXE.bac_a02980 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\CTSysVol.exe.bac_a02980 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\DVDLauncher.exe.bac_a02980 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\iaanotif.exe.bac_a02980 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\jkkjk.exe.bac_a03028 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\jusched.exe.bac_a02980 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\mcvsshld.exe.bac_a02980 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\MpfTray.exe.bac_a02980 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\oasclnt.exe.bac_a02980 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\PCMService.exe.bac_a02980 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\RCX32.tmp.bac_a03028 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\RCX33.tmp.bac_a03028 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\RCX34.tmp.bac_a03028 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\RCX35.tmp.bac_a03028 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\RCX46.tmp.bac_a03028 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\tfswctrl.exe.bac_a02980 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Tony Bailey\.housecall6.6\Quarantine\Yazzle1552OinAdmin.exe.vir.bac_a03028 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Tony Bailey\Application Data\Mozilla\Firefox\Profiles\dmhn7120.Default User\cert8.db Object is locked skipped
C:\Documents and Settings\Tony Bailey\Application Data\Mozilla\Firefox\Profiles\dmhn7120.Default User\history.dat Object is locked skipped
C:\Documents and Settings\Tony Bailey\Application Data\Mozilla\Firefox\Profiles\dmhn7120.Default User\key3.db Object is locked skipped
C:\Documents and Settings\Tony Bailey\Application Data\Mozilla\Firefox\Profiles\dmhn7120.Default User\search.sqlite Object is locked skipped
C:\Documents and Settings\Tony Bailey\Application Data\Mozilla\Firefox\Profiles\dmhn7120.Default User\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Tony Bailey\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Tony Bailey\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Tony Bailey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tony Bailey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tony Bailey\Local Settings\Application Data\Mozilla\Firefox\Profiles\dmhn7120.Default User\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Tony Bailey\Local Settings\Application Data\Mozilla\Firefox\Profiles\dmhn7120.Default User\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Tony Bailey\Local Settings\Application Data\Mozilla\Firefox\Profiles\dmhn7120.Default User\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Tony Bailey\Local Settings\Application Data\Mozilla\Firefox\Profiles\dmhn7120.Default User\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Tony Bailey\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Tony Bailey\Local Settings\History\History.IE5\MSHist012008010520080106\index.dat Object is locked skipped
C:\Documents and Settings\Tony Bailey\Local Settings\Temp\2008132317_mcinfo.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Tony Bailey\Local Settings\Temp\RCX8.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Tony Bailey\Local Settings\Temp\RCXA.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Tony Bailey\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Tony Bailey\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tony Bailey\Local Settings\Temporary Internet Files\Content.IE5\PREHNCHL\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\Documents and Settings\Tony Bailey\ntuser.dat Object is locked skipped
C:\Documents and Settings\Tony Bailey\ntuser.dat.LOG Object is locked skipped
C:\found.000\file0000.chk Object is locked skipped
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Intel\Intel Application Accelerator\iaanotif .exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP820\A0052824.exe Infected: Trojan-Downloader.Win32.Osel.bx skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP820\A0052827.exe Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
[[ snip ]]
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{E93B5B95-7F43-40C1-8CA4-EFB8AC538F11}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\ctfmon.exe.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\lkfllwdk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\mcafee_YUT4duVRxcUkeo3 Object is locked skipped
C:\WINDOWS\TEMP\mcmsc_CgrkdGwVeI1gKAP Object is locked skipped
C:\WINDOWS\TEMP\mcmsc_FIwiHkUjJNI9Qcp Object is locked skipped
C:\WINDOWS\TEMP\mcmsc_LSUqrUpMlyUA2Ag Object is locked skipped
C:\WINDOWS\TEMP\mcmsc_R7PzPLckpg5EZxN Object is locked skipped
C:\WINDOWS\TEMP\mcmsc_XTj7Rpt841cgGkk Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP840\change.log Object is locked skipped
Scan process completed.
little eagle
2008-01-11, 03:43
Reboot and rescan with HiJackThis and post a new log here.
Also please describe how your computer behaves at the moment.
c_anthony_bailey
2008-01-11, 07:35
I am seeing a couple of symptoms at the moment:
Duplicate running processes with a space in the name (like "TeaTimer.exe" and "TeaTimer .exe" below)
Periodically Internet Explorer opens to random pages
jkkjk.dll and jkkjk.exe files/registry entries that I cannot get rid of
Thanks for the help.
-- new HJT log below
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:32 AM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Cache Cleaner] C:\Documents and Settings\Tony Bailey\Application Data\Juniper Networks\Cache Cleaner 5.5.0\dsCacheCleaner.exe -action delete
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab67031.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://cam3.kfbserv.com:1738/plugin/h263ctrl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://myvpn.ford.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 6410 bytes
little eagle
2008-01-11, 12:54
Try running combofix.exe
Download it from one of the links below:
Note:
It is important that it is saved directly to your desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double click combofix.exe & follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
c_anthony_bailey
2008-01-12, 01:20
Downloaded and ran ComboFix, log below.
ComboFix 08-01-11.1 - Tony Bailey 2008-01-11 18:09:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.524 [GMT -5:00]
Running from: C:\hjt\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\SYSTEM32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\fimffrtl.dll
C:\WINDOWS\system32\gxmeoecx.dll
C:\WINDOWS\system32\hwbhvrxs.dll
C:\WINDOWS\system32\jkkjk-old.dll
C:\WINDOWS\system32\jkkjk.dll
C:\WINDOWS\system32\jkkjk.exe
C:\WINDOWS\SYSTEM32\kdwllfkl.ini
C:\WINDOWS\SYSTEM32\kjkkj.ini
C:\WINDOWS\SYSTEM32\kjkkj.ini2
C:\WINDOWS\system32\lkfllwdk.dll
C:\WINDOWS\SYSTEM32\ltrffmif.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\mvowivcs.ini
C:\WINDOWS\system32\piqciund.dll
C:\WINDOWS\system32\scviwovm.dll
C:\WINDOWS\system32\xabqwdru.dll
C:\WINDOWS\SYSTEM32\xqfbhqba.ini
<pre>
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe ---> QooBox
C:\Program Files\Intel\Intel Application Accelerator\iaanotif .exe ---> iaanotif.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe ---> QooBox
C:\Program Files\QuickTime\qttask .exe ---> QooBox
C:\Program Files\QuickTime\qttask .exe ---> qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe ---> TeaTimer.exe
C:\WINDOWS\SYSTEM32\ctfmon .exe ---> QooBox
</pre>
.
.
((((((((((((((((((((((((( Files Created from 2007-12-11 to 2008-01-11 )))))))))))))))))))))))))))))))
.
2008-01-11 18:08 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 12:21 . 2008-01-08 12:21 294 --ahs---- C:\WINDOWS\SYSTEM32\tsilpikp.ini
2008-01-06 09:16 . 2008-01-06 09:16 75,840 --a------ C:\WINDOWS\SYSTEM32\gdlsaufa.dll
2008-01-06 09:10 . 2008-01-06 09:10 294 --ahs---- C:\WINDOWS\SYSTEM32\jhrkhoyt.ini
2008-01-06 09:01 . 2008-01-06 09:01 75,840 --a------ C:\WINDOWS\SYSTEM32\gcvlwivg.dll
2008-01-05 00:03 . 2008-01-05 00:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-04 23:58 . 2008-01-04 23:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-01-04 23:58 . 2008-01-04 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-04 01:34 . 2008-01-04 01:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DivX
2008-01-04 00:50 . 2008-01-04 00:50 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-03 23:26 . 2008-01-11 18:14 6,500 --a------ C:\WINDOWS\SYSTEM32\Config.MPF
2008-01-03 23:25 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\SYSTEM32\dunzip32.dll
2008-01-03 23:24 . 2007-06-25 10:57 171,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2008-01-03 23:24 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2008-01-03 23:24 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2008-01-03 23:24 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2008-01-03 23:24 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2008-01-03 23:24 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2008-01-03 23:23 . 2008-01-03 23:23 <DIR> d-------- C:\Program Files\McAfee.com
2008-01-03 23:23 . 2008-01-04 00:56 <DIR> d-------- C:\Program Files\McAfee
2008-01-03 23:23 . 2008-01-03 23:25 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-03 23:08 . 2008-01-03 23:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-03 22:13 . 2008-01-03 22:14 <DIR> d-------- C:\pebuilder3110a
2008-01-03 21:58 . 2008-01-03 21:58 <DIR> d-------- C:\Program Files\Compaq
2007-12-31 22:49 . 2007-12-31 22:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-30 15:34 . 2008-01-04 20:30 <DIR> d-------- C:\Program Files\Sony
2007-12-30 08:51 . 2008-01-02 18:54 778,318 --a------ C:\WINDOWS\SYSTEM32\wltray .exe
2007-12-30 02:07 . 2007-12-30 02:07 <DIR> d-------- C:\Documents and Settings\Tony Bailey\Application Data\MySpace
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 23:13 --------- d-----w C:\Program Files\QuickTime
2008-01-11 22:52 --------- d-----w C:\Documents and Settings\Tony Bailey\Application Data\Juniper Networks
2008-01-10 01:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Juniper Networks
2008-01-05 04:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-04 07:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-04 05:08 --------- d-----w C:\Program Files\eGames
2008-01-04 04:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-03 02:38 --------- d-----w C:\Program Files\Real
2008-01-03 02:38 --------- d-----w C:\Program Files\Logitech
2008-01-03 02:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-01-03 02:24 --------- d-----w C:\Program Files\Dell
2007-12-29 05:31 --------- d-----w C:\Documents and Settings\Tony Bailey\Application Data\BitTorrent
2007-12-20 02:20 --------- d-----w C:\Program Files\MSN Messenger
2007-12-11 01:07 --------- d-----w C:\Program Files\UltimateBuddy
2007-12-07 19:53 --------- d-----w C:\Program Files\Neoteris
2007-12-04 03:01 --------- d-----w C:\Program Files\UltimateBet
2007-12-01 00:03 --------- d-----w C:\Program Files\Microsoft Money 2005
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-30 16:53 360,832 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
.
<pre>
----a-w 131,072 2008-01-04 04:05:18 C:\Documents and Settings\Tony Bailey\Local Settings\Temp\20081323125_mcappins .exe
----a-w 110,592 2008-01-03 00:21:10 C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w 45,056 2008-01-03 00:21:10 C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET .EXE
----a-w 57,344 2008-01-03 00:21:08 C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol .exe
----a-w 778,318 2008-01-02 23:54:19 C:\WINDOWS\SYSTEM32\wltray .exe
----a-w 122,939 2008-01-03 02:33:50 C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe
</pre>
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D7F479D-20F9-4E47-8FB0-D41748AA9047}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3816723A-A215-47E7-876D-1E89B6D4C1A3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A74041A-7DFF-4A56-BEC8-350E17D98BC4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4EB32074-A829-419C-BD31-8CB209408672}]
C:\WINDOWS\system32\jkkjk.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-11 17:50 1460560]
"Cache Cleaner"="C:\Documents and Settings\Tony Bailey\Application Data\Juniper Networks\Cache Cleaner 5.5.0\dsCacheCleaner.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 14:44 101136 C:\WINDOWS\KHALMNPR.Exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 14:29 7561216]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [ ]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [ ]
"nwiz"="nwiz.exe" [2006-03-09 14:29 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe]
"wltray.exe"="C:\WINDOWS\system32\wltray.exe" [ ]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 06:00 388608]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2005-12-29 20:08:38]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-06-29 23:53]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 16:10]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 04:23:59 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-04 04:23:58 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 18:14:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-11 18:16:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-11 23:15:57
.
2008-01-09 13:07:16 --- E O F ---
little eagle
2008-01-13, 16:18
Open notepad and copy/paste the text in the codebox below into it:
RenV::
C:\Documents and Settings\Tony Bailey\Local Settings\Temp\20081323125_mcappins .exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET .EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol .exe
C:\WINDOWS\SYSTEM32\wltray .exe
C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D7F479D-20F9-4E47-8FB0-D41748AA9047}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3816723A-A215-47E7-876D-1E89B6D4C1A3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A74041A-7DFF-4A56-BEC8-350E17D98BC4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4EB32074-A829-419C-BD31-8CB209408672}]
File::
C:\WINDOWS\system32\jkkjk.dll
Save this as "CFScript"
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Referring to the picture above, drag CFScript.txt into ComboFix.exe
Then post the results log and a new HijackThis log.
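The names that the RenV:: block above renames all share one pattern: a second copy of a program saved with a space before the extension ("wltray .exe" beside the real "wltray.exe"), which is also why the original poster saw processes listed twice. That pattern can be picked out of a ComboFix or HijackThis log mechanically. The Python below is an added example, not little eagle's script or any part of ComboFix; the function names are mine, and the log excerpt is constructed from paths already quoted in this thread.

```python
import re
from typing import Iterable, List, Tuple

# Final path component whose stem is followed by whitespace and then a short
# extension: "wltray .exe", "CTDVDDET .EXE". The legitimate file has no space.
_SPACE_BEFORE_EXT = re.compile(r"^(?P<stem>.*\S)\s+(?P<ext>\.[A-Za-z0-9]{1,4})$")

# ComboFix file-listing line: attributes, size, date, time, then the path
# (the path may itself contain spaces, so it is captured as the remainder).
_COMBOFIX_FILE_LINE = re.compile(
    r"^[-a-z]+\s+[\d,]+\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+(?P<path>.+)$"
)

# Bare Windows path, as in the "Running processes:" section of a HijackThis log.
_BARE_PATH = re.compile(r"^[A-Za-z]:\\.+$")


def _split_name(path: str) -> Tuple[str, str, str]:
    """Split a Windows path into (directory, separator, final component)."""
    return path.rpartition("\\")


def space_before_extension(path: str) -> bool:
    """True if the file name has whitespace immediately before its extension."""
    return _SPACE_BEFORE_EXT.match(_split_name(path)[2]) is not None


def canonical_name(path: str) -> str:
    """Drop the whitespace before the extension: 'wltray .exe' -> 'wltray.exe'."""
    head, sep, name = _split_name(path)
    m = _SPACE_BEFORE_EXT.match(name)
    if m is None:
        return path
    return f"{head}{sep}{m.group('stem')}{m.group('ext')}"


def extract_paths(log_lines: Iterable[str]) -> List[str]:
    """Pull file paths out of ComboFix file-listing lines and bare process paths."""
    paths: List[str] = []
    for raw in log_lines:
        line = raw.strip()
        if not line or line in ("<pre>", "</pre>"):
            continue
        m = _COMBOFIX_FILE_LINE.match(line)
        if m:
            paths.append(m.group("path").strip())
        elif _BARE_PATH.match(line):
            paths.append(line)
    return paths


def suspicious_from_log(log_lines: Iterable[str]) -> List[str]:
    """Paths whose names carry the space-before-extension pattern, in log order."""
    return [p for p in extract_paths(log_lines) if space_before_extension(p)]


def masquerade_pairs(paths: List[str]) -> List[Tuple[str, str]]:
    """Suspicious names that sit beside the same-named legitimate file in one list.

    This is the "two copies of one process" symptom from the first post:
    "TeaTimer.exe" and "TeaTimer .exe" both under Running processes.
    """
    present = {p.lower() for p in paths}
    return [
        (p, canonical_name(p))
        for p in paths
        if space_before_extension(p) and canonical_name(p).lower() in present
    ]


def build_cfscript(renv: List[str], registry_keys: List[str], files: List[str]) -> str:
    """Lay out RenV::, Registry:: and File:: sections as the script above does.

    Registry keys are emitted in the [-KEY] delete form used in the thread;
    empty sections are omitted. The text is meant for review before use.
    """
    sections = []
    if renv:
        sections.append("RenV::\n" + "\n".join(renv))
    if registry_keys:
        sections.append("Registry::\n" + "\n".join(f"[-{k}]" for k in registry_keys))
    if files:
        sections.append("File::\n" + "\n".join(files))
    return "\n".join(sections) + "\n"


# Constructed excerpt, built only from paths that appear in this thread.
SAMPLE_LOG = r"""
<pre>
----a-w 131,072 2008-01-04 04:05:18 C:\Documents and Settings\Tony Bailey\Local Settings\Temp\20081323125_mcappins .exe
----a-w 778,318 2008-01-02 23:54:19 C:\WINDOWS\SYSTEM32\wltray .exe
</pre>
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
"""

if __name__ == "__main__":
    found = suspicious_from_log(SAMPLE_LOG.splitlines())
    print(build_cfscript(found, [], [r"C:\WINDOWS\system32\jkkjk.dll"]))
```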
c_anthony_bailey
2008-01-13, 22:19
ComboFix logs after running with the above CFScript.txt:
ComboFix 08-01-11.1 - Tony Bailey 2008-01-13 15:10:27.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.693 [GMT -5:00]
Running from: C:\hjt\ComboFix.exe
Command switches used :: C:\hjt\CFScript.txt C:\hjt\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\jkkjk.dll
.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.
2008-01-12 12:28 . 2008-01-12 12:28 102,800 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-01-11 18:08 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 12:21 . 2008-01-08 12:21 294 --ahs---- C:\WINDOWS\SYSTEM32\tsilpikp.ini
2008-01-06 09:16 . 2008-01-06 09:16 75,840 --a------ C:\WINDOWS\SYSTEM32\gdlsaufa.dll
2008-01-06 09:10 . 2008-01-06 09:10 294 --ahs---- C:\WINDOWS\SYSTEM32\jhrkhoyt.ini
2008-01-06 09:01 . 2008-01-06 09:01 75,840 --a------ C:\WINDOWS\SYSTEM32\gcvlwivg.dll
2008-01-05 00:03 . 2008-01-05 00:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-04 23:58 . 2008-01-04 23:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-01-04 23:58 . 2008-01-04 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-04 01:34 . 2008-01-04 01:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DivX
2008-01-04 00:50 . 2008-01-04 00:50 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-03 23:26 . 2008-01-12 12:01 6,500 --a------ C:\WINDOWS\SYSTEM32\Config.MPF
2008-01-03 23:25 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\SYSTEM32\dunzip32.dll
2008-01-03 23:24 . 2007-06-25 10:57 171,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2008-01-03 23:24 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2008-01-03 23:24 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2008-01-03 23:24 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2008-01-03 23:24 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2008-01-03 23:24 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2008-01-03 23:23 . 2008-01-03 23:23 <DIR> d-------- C:\Program Files\McAfee.com
2008-01-03 23:23 . 2008-01-04 00:56 <DIR> d-------- C:\Program Files\McAfee
2008-01-03 23:23 . 2008-01-03 23:25 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-03 23:08 . 2008-01-03 23:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-03 22:13 . 2008-01-03 22:14 <DIR> d-------- C:\pebuilder3110a
2008-01-03 21:58 . 2008-01-03 21:58 <DIR> d-------- C:\Program Files\Compaq
2007-12-31 22:49 . 2007-12-31 22:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-30 15:34 . 2008-01-04 20:30 <DIR> d-------- C:\Program Files\Sony
2007-12-30 08:51 . 2008-01-02 18:54 778,318 --a------ C:\WINDOWS\SYSTEM32\wltray.exe
2007-12-30 02:07 . 2007-12-30 02:07 <DIR> d-------- C:\Documents and Settings\Tony Bailey\Application Data\MySpace
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 23:13 --------- d-----w C:\Program Files\QuickTime
2008-01-11 22:52 --------- d-----w C:\Documents and Settings\Tony Bailey\Application Data\Juniper Networks
2008-01-10 01:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Juniper Networks
2008-01-05 04:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-04 07:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-04 05:08 --------- d-----w C:\Program Files\eGames
2008-01-04 04:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-03 02:38 --------- d-----w C:\Program Files\Real
2008-01-03 02:38 --------- d-----w C:\Program Files\Logitech
2008-01-03 02:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-01-03 02:24 --------- d-----w C:\Program Files\Dell
2007-12-29 05:31 --------- d-----w C:\Documents and Settings\Tony Bailey\Application Data\BitTorrent
2007-12-20 02:20 --------- d-----w C:\Program Files\MSN Messenger
2007-12-11 01:07 --------- d-----w C:\Program Files\UltimateBuddy
2007-12-07 19:53 --------- d-----w C:\Program Files\Neoteris
2007-12-04 03:01 --------- d-----w C:\Program Files\UltimateBet
2007-12-01 00:03 --------- d-----w C:\Program Files\Microsoft Money 2005
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-30 16:53 360,832 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
.
((((((((((((((((((((((((((((( snapshot@2008-01-11_18.15.40.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-11 23:08:58 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-13 20:09:56 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-11 23:08:58 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-13 20:09:56 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-11 23:08:58 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-13 20:09:56 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-11 23:08:58 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-13 20:09:56 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-11 23:08:58 5,722,112 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-13 20:09:57 5,726,208 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-11 23:08:58 364,544 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 20:09:58 364,544 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-03 02:33:50 122,939 ----a-w C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
- 2008-01-11 22:54:24 41,624 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-01-12 17:04:43 41,624 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-01-11 22:54:24 316,158 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-01-12 17:04:43 316,158 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-11 17:50 1460560]
"Cache Cleaner"="C:\Documents and Settings\Tony Bailey\Application Data\Juniper Networks\Cache Cleaner 5.5.0\dsCacheCleaner.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 14:44 101136 C:\WINDOWS\KHALMNPR.Exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 14:29 7561216]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2008-01-02 19:21 45056]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2008-01-02 19:21 57344]
"nwiz"="nwiz.exe" [2006-03-09 14:29 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe]
"wltray.exe"="C:\WINDOWS\system32\wltray.exe" [2008-01-02 18:54 778318]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2005-12-29 20:08:38]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-06-29 23:53]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 16:10]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 04:23:59 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-04 04:23:58 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 15:12:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-13 15:13:48
ComboFix-quarantined-files.txt 2008-01-13 20:13:26
ComboFix2.txt 2008-01-11 23:16:06
.
2008-01-09 13:07:16 --- E O F ---
c_anthony_bailey
2008-01-13, 22:22
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:32 AM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Cache Cleaner] C:\Documents and Settings\Tony Bailey\Application Data\Juniper Networks\Cache Cleaner 5.5.0\dsCacheCleaner.exe -action delete
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab67031.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://cam3.kfbserv.com:1738/plugin/h263ctrl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://myvpn.ford.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 6410 bytes
little eagle
2008-01-13, 22:50
Open notepad and copy/paste the text in the codebox below into it:
File::
C:\WINDOWS\SYSTEM32\tsilpikp.ini
C:\WINDOWS\SYSTEM32\gdlsaufa.dll
C:\WINDOWS\SYSTEM32\jhrkhoyt.ini
C:\WINDOWS\SYSTEM32\gcvlwivg.dll
Save this as "CFScript"
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Referring to the picture above, drag CFScript.txt into ComboFix.exe
Then post the results log.
c_anthony_bailey
2008-01-13, 23:09
ComboFix log from the above CFScript.txt file
ComboFix 08-01-11.1 - Tony Bailey 2008-01-13 16:02:02.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.645 [GMT -5:00]
Running from: C:\hjt\ComboFix.exe
Command switches used :: C:\hjt\CFScript.txt C:\hjt\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\SYSTEM32\gdlsaufa.dll
C:\WINDOWS\SYSTEM32\jhrkhoyt.ini
C:\WINDOWS\SYSTEM32\tsilpikp.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\SYSTEM32\gdlsaufa.dll
C:\WINDOWS\SYSTEM32\jhrkhoyt.ini
C:\WINDOWS\SYSTEM32\tsilpikp.ini
.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.
2008-01-12 12:28 . 2008-01-12 12:28 102,800 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-01-11 18:08 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-06 09:01 . 2008-01-06 09:01 75,840 --a------ C:\WINDOWS\SYSTEM32\gcvlwivg.dll
2008-01-05 00:03 . 2008-01-05 00:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-04 23:58 . 2008-01-04 23:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-01-04 23:58 . 2008-01-04 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-04 01:34 . 2008-01-04 01:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DivX
2008-01-04 00:50 . 2008-01-04 00:50 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-03 23:26 . 2008-01-12 12:01 6,500 --a------ C:\WINDOWS\SYSTEM32\Config.MPF
2008-01-03 23:25 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\SYSTEM32\dunzip32.dll
2008-01-03 23:24 . 2007-06-25 10:57 171,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2008-01-03 23:24 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2008-01-03 23:24 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2008-01-03 23:24 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2008-01-03 23:24 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2008-01-03 23:24 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2008-01-03 23:23 . 2008-01-03 23:23 <DIR> d-------- C:\Program Files\McAfee.com
2008-01-03 23:23 . 2008-01-04 00:56 <DIR> d-------- C:\Program Files\McAfee
2008-01-03 23:23 . 2008-01-03 23:25 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-03 23:08 . 2008-01-03 23:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-03 22:13 . 2008-01-03 22:14 <DIR> d-------- C:\pebuilder3110a
2008-01-03 21:58 . 2008-01-03 21:58 <DIR> d-------- C:\Program Files\Compaq
2007-12-31 22:49 . 2007-12-31 22:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-30 15:34 . 2008-01-04 20:30 <DIR> d-------- C:\Program Files\Sony
2007-12-30 08:51 . 2008-01-02 18:54 778,318 --a------ C:\WINDOWS\SYSTEM32\wltray.exe
2007-12-30 02:07 . 2007-12-30 02:07 <DIR> d-------- C:\Documents and Settings\Tony Bailey\Application Data\MySpace
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 23:13 --------- d-----w C:\Program Files\QuickTime
2008-01-11 22:52 --------- d-----w C:\Documents and Settings\Tony Bailey\Application Data\Juniper Networks
2008-01-10 01:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Juniper Networks
2008-01-05 04:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-04 07:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-04 05:08 --------- d-----w C:\Program Files\eGames
2008-01-04 04:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-03 02:38 --------- d-----w C:\Program Files\Real
2008-01-03 02:38 --------- d-----w C:\Program Files\Logitech
2008-01-03 02:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-01-03 02:24 --------- d-----w C:\Program Files\Dell
2007-12-29 05:31 --------- d-----w C:\Documents and Settings\Tony Bailey\Application Data\BitTorrent
2007-12-20 02:20 --------- d-----w C:\Program Files\MSN Messenger
2007-12-11 01:07 --------- d-----w C:\Program Files\UltimateBuddy
2007-12-07 19:53 --------- d-----w C:\Program Files\Neoteris
2007-12-04 03:01 --------- d-----w C:\Program Files\UltimateBet
2007-12-01 00:03 --------- d-----w C:\Program Files\Microsoft Money 2005
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-30 16:53 360,832 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
.
((((((((((((((((((((((((((((( snapshot@2008-01-11_18.15.40.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-11 23:08:58 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-13 21:01:58 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-11 23:08:58 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-13 21:01:58 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-11 23:08:58 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-13 21:01:58 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-11 23:08:58 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-13 21:01:58 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-11 23:08:58 5,722,112 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-13 21:01:58 5,726,208 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-11 23:08:58 364,544 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 21:01:58 364,544 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-03 02:33:50 122,939 ----a-w C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
- 2008-01-11 22:54:24 41,624 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-01-12 17:04:43 41,624 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-01-11 22:54:24 316,158 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-01-12 17:04:43 316,158 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-11 17:50 1460560]
"Cache Cleaner"="C:\Documents and Settings\Tony Bailey\Application Data\Juniper Networks\Cache Cleaner 5.5.0\dsCacheCleaner.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 14:44 101136 C:\WINDOWS\KHALMNPR.Exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 14:29 7561216]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2008-01-02 19:21 45056]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2008-01-02 19:21 57344]
"nwiz"="nwiz.exe" [2006-03-09 14:29 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe]
"wltray.exe"="C:\WINDOWS\system32\wltray.exe" [2008-01-02 18:54 778318]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2005-12-29 20:08:38]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-06-29 23:53]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 16:10]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 04:23:59 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-04 04:23:58 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 16:03:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-13 16:03:56
ComboFix-quarantined-files.txt 2008-01-13 21:03:41
ComboFix2.txt 2008-01-13 20:13:49
ComboFix3.txt 2008-01-11 23:16:06
.
2008-01-09 13:07:16 --- E O F ---
c_anthony_bailey
2008-01-13, 23:11
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:10 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Cache Cleaner] C:\Documents and Settings\Tony Bailey\Application Data\Juniper Networks\Cache Cleaner 5.5.0\dsCacheCleaner.exe -action delete
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab67031.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://cam3.kfbserv.com:1738/plugin/h263ctrl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://myvpn.ford.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 6537 bytes
little eagle
2008-01-13, 23:13
Run this online scan from ESET (http://www.eset.eu/online-scanner)
You will need to use Internet Explorer for this scan!
First, accept the Terms of Use
Click: Start
When asked, allow the ActiveX control to install
Click: Start
Make sure the options:
Remove found threats, and Scan unwanted applications
are both checked!
Click: Scan
When the scan finishes, use Notepad to open the ESET report.
It will be located here: C:\Program Files\EsetOnlineScanner\log.txt
c_anthony_bailey
2008-01-14, 02:55
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2788 (20080113)
# vers_arch_module=1.061 (20080110)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=ef3065292516aa4f965f46b85fcf4121
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-01-13 10:36:10
# local_time=2008-01-13 05:36:10 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=447657
# found=5
# scan_time=4416
C:\QooBox\Quarantine\C\Program Files\Intel\Intel Application Accelerator\iaanotif .exe.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\Spybot - Search & Destroy\TeaTimer.exe.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fimffrtl.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lkfllwdk.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\scviwovm.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
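A small parser for the ESET Online Scanner report format shown above, added here as an example; it is not ESET's code nor anything posted in this thread. It reads the `# key=value` header, splits each detection line into path, threat name, category and action, checks that the header's `found` count matches the number of detection lines, and flags file names with a space before the extension (as in `iaanotif .exe`), the look-alike naming that was one of the symptoms here. The sample report is constructed from the lines posted above with `found` reduced to match its two entries; treating the threat name as a single token and stripping the `.vir` quarantine suffix are assumptions, noted in the code.

```python
"""Parse an ESET Online Scanner log.txt and flag oddly named files.

Added example for this thread, not ESET's or the forum's code. The layout
(a "# key=value" header followed by one line per detection) follows the
report posted above; the sample below is constructed from that post.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: two detection lines taken from the thread, header
# trimmed and "found" set to 2 so that it matches the lines kept.
SAMPLE_REPORT = r"""# version=4
# end=finished
# remove_checked=true
# unwanted_checked=true
# scanned=447657
# found=2
# scan_time=4416
C:\QooBox\Quarantine\C\Program Files\Intel\Intel Application Accelerator\iaanotif .exe.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fimffrtl.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
"""

# Detection line: <path> <threat> <category> (<action>) <trailing hex>.
# Assumption: the threat name is a single token, as it is in this report.
# The path is matched non-greedily; the "(" before the action disambiguates
# paths that themselves contain spaces.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<threat>\S+)\s+"
    r"(?P<category>\S+)\s+"
    r"\((?P<action>[^)]*)\)\s+"
    r"(?P<tail>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Detection:
    path: str
    threat: str
    category: str
    action: str


def parse_report(text):
    """Return (header dict, list of Detection) for one ESET log.txt."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(
                Detection(m["path"], m["threat"], m["category"], m["action"])
            )
    return header, detections


def space_before_extension(path):
    """True for names like 'iaanotif .exe': a space before the extension,
    which lets a look-alike sit next to the real binary in a process list."""
    name = path.rsplit("\\", 1)[-1]
    # Assumption: ".vir" is the quarantine suffix ComboFix appended here.
    if name.lower().endswith(".vir"):
        name = name[:-4]
    return re.search(r"\S \.[A-Za-z0-9]+$", name) is not None


def summarize(text):
    """Triage view of a report: completion, counts and flagged names."""
    header, detections = parse_report(text)
    found = int(header.get("found") or 0)
    return {
        "finished": header.get("end") == "finished",
        "removal_enabled": header.get("remove_checked") == "true",
        "found": found,
        "count_matches_header": found == len(detections),
        "by_category": Counter(d.category for d in detections),
        "flagged": [d.path for d in detections if space_before_extension(d.path)],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The `count_matches_header` check is the one worth keeping an eye on when a helper asks for the full log: a report whose `found` value exceeds the detection lines pasted means the post was trimmed.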
little eagle
2008-01-14, 03:01
Download the OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe).
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Press cleanup & it will search for and delete/uninstall all the tools we have used
to fix your problems and all their backup folders and then delete itself when you next reboot.
--------------------------------------
Download and run - ATF Cleaner instructions here. (http://forums.security-central.us/showthread.php?t=1925)
-------------------------------------
One of the best features of Windows XP is the System Restore option; however, if there is a virus or spyware infection,
backups of it can be made in the System Restore folder.
Therefore, clearing the restore points is necessary after a virus or spyware removal.
To reset your restore points, please note that you will need to log into your computer with an account
which has full administrator access. You will know if the account has administrator access because
you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
c_anthony_bailey
2008-01-14, 03:42
Ran OTMoveit and rebooted
Ran ATF-Cleaner
Turned off System Restore, rebooted
Turned System Restore back on.
Looks to be clean? Do you need any additional logs?
little eagle
2008-01-14, 03:46
Looks to be clean. How is the PC running?
c_anthony_bailey
2008-01-14, 04:05
Looks good, no symptoms at all currently.
Thanks ever so much!