Virmundo/Advertising Pop Ups/Slow Comp---HELP ME
My computer has been running really slow for about a month. Spybot definitely helped, but I now have advertising pop-ups when I have my browser open. Every time I run Spybot I have noticed Virmundo keeps popping up and I can't get rid of it.
Yesterday I read the posts on here and ran VundoFix, and I thought everything was gone, but the advertising pop-ups for malware keep on popping up. Please HELP!!!!
Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:01:52 AM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Common Files\AOL\1133394632\ee\AOLSoftware.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\vhost.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=17706&affid=105-57
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133394632\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P35 "EPSON Stylus CX4800 Series (Copy 1)" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [LoghDriver] vhost.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\SecretStub.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [7870f969] rundll32.exe "C:\WINDOWS\system32\ygqylwit.dll",b
O4 - HKLM\..\Run: [BM7b43caf5] Rundll32.exe "C:\WINDOWS\system32\qmupbjuc.dll",s
O4 - HKLM\..\RunServices: [LoghDriver] vhost.exe
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\INSTAL~1\{FC053~1\setup.exe -rebootC:\PROGRA~1\INSTAL~1\{FC053~1\reboot.ini
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\RunOnce: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q C:\DOCUME~1\Cindy\LOCALS~1\Temp\CITRIX~1\GOTOAS~1\482\log30C.SH! C:\DOCUME~1\Cindy\LOCALS~1\Temp\CITRIX~1\GOTOAS~1\482.SH! C:\DOCUME~1\Cindy\LOCALS~1\Temp\CITRIX~1\GOTOAS~1.SH! C:\DOCUME~1\Cindy\LOCALS~1\Temp\CITRIX~1.SH! C:\DOCUME~1\Cindy\LOCALS~1\Temp\Citrix\GOTOAS~1\482\g2a30D.SH! C:\DOCUME~1\Cindy\LOCALS~1\Temp\Citrix\GOTOAS~1\482.SH! C:\DOCUME~1\Cindy\LOCALS~1\Temp\Citrix\GOTOAS~1.SH! C:\DOCUME~1\Cindy\LOCALS~1\Temp\Citrix.SH! C:\DOCUME~1\Cindy\LOCALS~1\TEMPOR~1\Content.IE5\1M9WRINL\AFFLAN~3.SH! C:\DOCUME~1\Cindy\LOCALS~1\TEMPOR~1\Content.IE5\62CYPZNT\GOTOAS~1.SH! C:\DOCUME~1\Cindy\Cookies\CI2047~1.SH! C:\DOCUME~1\Cindy\LOCALS~1\TEMPOR~1\Content.IE5\42DL9SU3\NONVOI~1.SH! C:\DOCUME~1\Cindy\LOCALS~1\TEMPOR~1\Content.IE5\1SXVCM07\AIM_UA~1.SH! C:\DOCUME~1\Cindy\LOCALS~1\TEMPOR~1\Content.IE5\1SXVCM07\OPTN_6~3.SH! C:\DOCUME~1\Cindy\Cookies\CI27F8~1.SH! C:\DOCUME~1\Cindy\Cookies\CI7492~1.SH! C:\DOCUME~1\Cindy\Cookies\CIB847~1.SH! C:\DOC
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\SanDisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1730B226-35E6-48F3-A333-53617DCEAD44}: NameServer = 64.83.0.10,64.83.1.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{1730B226-35E6-48F3-A333-53617DCEAD44}: NameServer = 64.83.0.10,64.83.1.10
O23 - Service: McAfee Application Installer Cleanup (0245021200488309) (0245021200488309mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\024502~1.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 11657 bytes
And the Kaspersky log:
I have it completed but it didn't fit!
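What a helper looks for in the O4 lines of a log like the one above can be written down as a checklist and run over the log. The following is an added example, not part of the original thread and not a feature of HijackThis: it scores the Run/RunServices registry entries with a handful of heuristics, using O4 lines copied from the log above as constructed input. The scoring weights, the threshold of 2 and the list of impersonated names are the editor's own assumptions.

```python
import re
from collections import Counter

# Constructed input: O4 registry lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [LoghDriver] vhost.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\SecretStub.exe
O4 - HKLM\..\Run: [7870f969] rundll32.exe "C:\WINDOWS\system32\ygqylwit.dll",b
O4 - HKLM\..\Run: [BM7b43caf5] Rundll32.exe "C:\WINDOWS\system32\qmupbjuc.dll",s
O4 - HKLM\..\RunServices: [LoghDriver] vhost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HijackThis O4 registry line:  O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32.exe "path\to.dll",entrypoint   (the host process hides the real payload)
RUNDLL_RE = re.compile(r'^rundll32\.exe\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>\S*)', re.IGNORECASE)
HEX_NAME_RE = re.compile(r'^(?:BM)?[0-9a-f]{8}$')
# Assumed list of value names that impersonate Windows components.
IMPERSONATED = {"windows update", "microsoft update", "windows security"}
VOWELS = set("aeiou")


def target_of(cmd):
    """Executable or DLL a Run value actually loads (rundll32 unwrapped)."""
    m = RUNDLL_RE.match(cmd)
    if m:
        return m.group("dll")
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def looks_random(stem):
    """Eight lowercase letters with at most two vowels: the shape of the DLL
    names in this log (ygqylwit, qmupbjuc). A heuristic, not a proof."""
    return (len(stem) == 8 and stem.isalpha() and stem.islower()
            and sum(c in VOWELS for c in stem) <= 2)


def triage(log_text):
    """Score every O4 registry entry; returns {(hive, key, name): (score, reasons)}."""
    entries = [m.groupdict() for m in map(O4_RE.match, log_text.splitlines()) if m]
    seen = Counter(target_of(e["cmd"]).lower() for e in entries)
    results = {}
    for e in entries:
        target = target_of(e["cmd"])
        stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        score, why = 0, []
        if HEX_NAME_RE.match(e["name"]):
            score += 2
            why.append("value name is a machine-generated hex token")
        if RUNDLL_RE.match(e["cmd"]) and looks_random(stem.lower()):
            score += 2
            why.append("rundll32 loading a random-named DLL")
        if e["key"] == "RunServices":
            score += 2
            why.append("RunServices is a Windows 9x-only key that XP never processes")
        if e["name"].lower() in IMPERSONATED:
            score += 2
            why.append("named after a Windows component that does not use a Run value")
        if "\\" not in target:
            score += 1
            why.append("bare filename, resolved through the search path")
        if seen[target.lower()] > 1:
            score += 1
            why.append("same target registered under more than one key")
        results[(e["hive"], e["key"], e["name"])] = (score, why)
    return results


def suspects(log_text, threshold=2):
    """Value names whose score reaches the (assumed) cut-off."""
    return sorted({name for (_, _, name), (score, _) in triage(log_text).items()
                   if score >= threshold})


if __name__ == "__main__":
    for (hive, key, name), (score, why) in triage(SAMPLE_LOG).items():
        print(f"{score}  {hive}\\..\\{key}: [{name}]  {'; '.join(why)}")
    print("suspects:", suspects(SAMPLE_LOG))
```

On the sample this flags the two hex-named rundll32 loaders, the "Windows Update" value pointing at C:\WINDOWS\SecretStub.exe, and vhost.exe registered twice without a path; stsystra.exe also has no path but scores only 1, because a bare filename on its own is weak evidence. Three of the four flagged entries are gone from the second HijackThis log further down the thread; the vhost.exe pair is still there.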
Simon V.
2008-01-19, 23:39
Hello, and welcome to the forum.
My name is Simon V., and I'll be glad to help you with your computer problems.
Step 1
Please download and install CCleaner (http://www.ccleaner.com/download/builds/downloading-slim).
Open CCleaner. On the Windows tab, leave the default options alone.
On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
Click on the Run Cleaner button at the bottom right hand corner.
When the cleaner has completed, click Tools in the Left Pane.
Verify that Uninstall is highlighted in color, or click on it.
In the lower right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt.
Click Save, then exit CCleaner.
Step 2
Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Post the log from ComboFix (C:\Combofix.txt) when you've accomplished that, along with a new HijackThis log and the CCleaner Uninstall List (install.txt).
Thanks for the help, Simon V. I already noticed a huge difference with the internet browser: it's way faster, and so far 10 minutes without a pop-up ad. Here are the logs:
ComboFix:
ComboFix 08-01-20.1 - Cindy 2008-01-20 7:31:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.116 [GMT -5:00]
Running from: C:\Documents and Settings\Cindy\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Cindy\Application Data\inst.exe
C:\Program Files\ecurit~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\icroso~1.net
C:\WINDOWS\system32\abeuqulw.dll
C:\WINDOWS\system32\arfjavkb.dll
C:\WINDOWS\system32\aryrdbyn.dllbox
C:\WINDOWS\system32\bdeeg.bak1
C:\WINDOWS\system32\bdeeg.bak2
C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\bdeeg.ini2
C:\WINDOWS\system32\bdeeg.tmp
C:\WINDOWS\system32\bkphfpex.ini
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\buqobipm.dll
C:\WINDOWS\system32\egprpsyf.dllbox
C:\WINDOWS\system32\elcpuwef.dll
C:\WINDOWS\system32\etjhybbs.dll
C:\WINDOWS\system32\fewupcle.ini
C:\WINDOWS\system32\fhhkj.ini
C:\WINDOWS\system32\fhhkj.ini2
C:\WINDOWS\system32\fijeoage.dllbox
C:\WINDOWS\system32\gisgwvlw.dll
C:\WINDOWS\system32\gkrrqjqx.dll
C:\WINDOWS\system32\hqedydbj.dll
C:\WINDOWS\system32\jkhhf.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mqpyqaqe.dll
C:\WINDOWS\system32\qkurdvjn.dll
C:\WINDOWS\system32\tqywtrpr.dllbox
C:\WINDOWS\system32\wlvwgsig.ini
C:\WINDOWS\system32\xepfhpkb.dll
C:\WINDOWS\system32\xwiikqjx.dll
C:\WINDOWS\system32\ymtvetpd.dll
C:\WINDOWS\system32\yyadd.ini
C:\WINDOWS\system32\yyadd.ini2
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete
----- Unknown downloads made by BITS: ----
http://www.dellsupportcenter.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\nm
((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.
2008-01-20 07:30 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-20 07:30 . 2005-11-29 15:24 209 --a------ C:\Boot.bak
2008-01-20 07:27 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-20 07:02 . 2008-01-20 07:02 <DIR> d-------- C:\Program Files\CCleaner
2008-01-16 17:23 . 2008-01-17 16:05 1,065,955 --ahs---- C:\WINDOWS\system32\lkxwarvw.ini
2008-01-16 10:00 . 2008-01-16 10:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 08:12 . 2008-01-16 08:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-16 08:12 . 2008-01-16 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-15 20:02 . 2008-01-15 20:02 <DIR> d-------- C:\VundoFix Backups
2008-01-15 17:21 . 2008-01-15 19:53 1,061,376 --ahs---- C:\WINDOWS\system32\hqptwrur.ini
2008-01-14 16:06 . 2008-01-14 18:01 474 --ahs---- C:\WINDOWS\system32\unrxynam.ini
2008-01-13 16:03 . 2008-01-14 16:04 354 --ahs---- C:\WINDOWS\system32\ddnfbsjq.ini
2008-01-12 16:07 . 2008-01-12 20:43 294 --ahs---- C:\WINDOWS\system32\jithwjvt.ini
2008-01-12 15:59 . 2008-01-19 17:17 15,565 --a------ C:\WINDOWS\BM7b43caf5.xml
2008-01-12 15:58 . 2008-01-19 17:22 22 --a------ C:\WINDOWS\pskt.ini
2008-01-10 07:50 . 2008-01-10 07:50 294 --ahs---- C:\WINDOWS\system32\sxdwrpfv.ini
2008-01-06 18:02 . 2008-01-06 18:02 294 --ahs---- C:\WINDOWS\system32\ebavwcre.ini
2008-01-05 18:02 . 2008-01-05 18:02 294 --ahs---- C:\WINDOWS\system32\wodfjmnm.ini
2008-01-04 18:02 . 2008-01-04 18:02 294 --ahs---- C:\WINDOWS\system32\osbexgoq.ini
2008-01-03 18:34 . 2008-01-03 18:35 <DIR> d-------- C:\Program Files\Dell Support Center
2008-01-03 18:34 . 2008-01-03 18:34 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-01-03 18:01 . 2008-01-03 18:01 294 --ahs---- C:\WINDOWS\system32\xbamivqk.ini
2007-12-27 21:26 . 2007-12-27 21:26 294 --ahs---- C:\WINDOWS\system32\tcwrlren.ini
2007-12-26 21:24 . 2007-12-26 21:24 294 --ahs---- C:\WINDOWS\system32\jgwavxvj.ini
2007-12-25 21:24 . 2007-12-25 21:24 294 --ahs---- C:\WINDOWS\system32\exgibhvw.ini
2007-12-24 21:23 . 2007-12-24 21:23 294 --ahs---- C:\WINDOWS\system32\rhlqyfos.ini
2007-12-22 17:52 . 2007-12-22 17:52 474 --ahs---- C:\WINDOWS\system32\efipxnmn.ini
2007-12-21 17:16 . 2007-12-22 17:49 414 --ahs---- C:\WINDOWS\system32\ffhcjxie.ini
2007-12-21 15:54 . 2007-12-21 15:55 <DIR> d-------- C:\Program Files\Whale Communications
2007-12-20 17:13 . 2007-12-21 15:02 294 --ahs---- C:\WINDOWS\system32\pkmkikdi.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 19:46 --------- d-----w C:\Documents and Settings\Cindy\Application Data\LimeWire
2008-01-18 10:12 --------- d-----w C:\Program Files\McAfee
2008-01-05 12:55 --------- d-----w C:\Documents and Settings\Cindy\Application Data\SiteAdvisor
2008-01-03 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-12-17 21:37 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-17 05:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-10 01:55 --------- d-----w C:\Program Files\QuickTime
2007-12-10 01:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-10 01:47 --------- d-----w C:\Program Files\SanDisk
2007-12-06 16:01 28,672 ----a-w C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-12-06 16:00 --------- d-----w C:\Documents and Settings\Cindy\Application Data\WholeSecurity
2007-12-02 03:51 --------- d-----w C:\Documents and Settings\Cindy\Application Data\InstallShield
2007-11-29 13:03 --------- d-----w C:\Documents and Settings\Cindy\Application Data\Snapfish
2007-11-20 14:15 --------- d-----w C:\Program Files\Common Files\McAfee
2007-11-15 13:03 7,126 -c--a-w C:\Documents and Settings\Cindy\Application Data\wklnhst.dat
2007-08-16 23:38 47,360 -c--a-w C:\Documents and Settings\Cindy\Application Data\pcouffin.sys
2006-10-28 22:48 65,016 -c--a-w C:\Documents and Settings\Cindy\Application Data\GDIPFONTCACHEV1.DAT
2007-06-13 10:23 1,719,808 --sha-r C:\WINDOWS\SecretStub.exe
2006-07-15 07:28 56 -csh--r C:\WINDOWS\system32\B9CA2D43D9.sys
2006-07-15 07:28 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-13 10:23 1,719,808 --sha-r C:\WINDOWS\system32\vhost.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{442C0694-274B-487B-80FD-080849F06CB5}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B300418-C10B-4C3A-AB10-53021F444EF9}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{527BE0E5-BDD1-4FA3-A8DC-91BD364C2AC5}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4C0719D-4EB0-4303-83D7-BEC173B6947E}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C46C383E-0240-40EF-9444-404DA9A5B1C7}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D40DB9D6-CE17-4A32-9E92-3B70B08D10EF}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D675866E-251F-49FD-82F4-A73076628D58}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEA0E66E-D62C-4F6A-ABEB-4128235722DB}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF8F48FB-BD2C-4880-A694-D6FC62FABEC2}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E908A6A7-026C-4FBE-93A9-96020BEEAD53}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA084DF6-E63C-475D-969C-9ECC8DD7A867}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 10:20 50528]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46 1460560]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="c:\PROGRA~1\mcafee\mshr\ShrCL.exe" [2007-07-25 15:10 111904]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-20 00:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-20 00:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-20 00:10 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 01:20 339968 C:\WINDOWS\stsystra.exe]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12 221184]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 12:46 8192]
"HostManager"="C:\Program Files\Common Files\AOL\1133394632\ee\AOLSoftware.exe" [2006-09-25 19:52 50736]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-07 04:13 282624]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00 98304]
"EPSON Stylus CX4800 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00 98304]
"LoghDriver"="vhost.exe" [2007-06-13 05:23 1719808 C:\WINDOWS\system32\vhost.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-13 13:05 36640]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 12:52 75584]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"Windows Update"="C:\WINDOWS\SecretStub.exe" [2007-06-13 05:23 1719808]
"7870f969"="C:\WINDOWS\system32\ygqylwit.dll" [ ]
"BM7b43caf5"="C:\WINDOWS\system32\qkurdvjn.dll" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoghDriver"="vhost.exe" [2007-06-13 05:23 1719808 C:\WINDOWS\system32\vhost.exe]
C:\Documents and Settings\Cindy\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2006-06-19 14:01:39 155648]
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-09-17 09:19:14 147456]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinCinema Manager.lnk - C:\Program Files\SanDisk\Common\Bin\WinCinemaMgr.exe [2007-12-09 20:47:58 303104]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-12-06 16:26:02 315392]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S2 0029371200642255mcinstcleanup;McAfee Application Installer Cleanup (0029371200642255);C:\WINDOWS\TEMP\002937~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{380bd584-7438-11dc-b702-00038a000015}]
\Shell\AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-20 00:30:00 C:\WINDOWS\Tasks\Advanced Registry Optimizer.job"
- C:\Program Files\Advanced Registry Optimizer\ARO.exe
"2008-01-14 01:35:58 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-01-19 11:04:19 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-20 01:04:15 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 07:42:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-20 7:50:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-20 12:50:50
.
2008-01-11 03:52:16 --- E O F ---
HijackThis & CCleaner logs in next post... couldn't fit it all.
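The ComboFix listing above carries the signals a reviewer would otherwise check by eye: hidden+system attributes on loose files in system32, machine-generated file names, and two files with identical size and creation time at different paths (C:\WINDOWS\SecretStub.exe and C:\WINDOWS\system32\vhost.exe, both 1,719,808 bytes, both --sha-r). This added example is not part of the original thread and not ComboFix code: it parses lines copied from that log and gives each file one point per independent signal. The line layout it assumes is the one printed in the "Files Created" and Find3M sections, and the weights and cut-off of 2 are the editor's assumption.

```python
import re
from collections import defaultdict

# Constructed input: lines copied from the ComboFix log above. 'Files Created'
# lines carry creation and modification times; Find3M lines carry one time.
SAMPLE = r"""
2008-01-16 17:23 . 2008-01-17 16:05 1,065,955 --ahs---- C:\WINDOWS\system32\lkxwarvw.ini
2008-01-16 10:00 . 2008-01-16 10:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-12 16:07 . 2008-01-12 20:43 294 --ahs---- C:\WINDOWS\system32\jithwjvt.ini
2008-01-12 15:59 . 2008-01-19 17:17 15,565 --a------ C:\WINDOWS\BM7b43caf5.xml
2008-01-06 18:02 . 2008-01-06 18:02 294 --ahs---- C:\WINDOWS\system32\ebavwcre.ini
2007-12-06 16:01 28,672 ----a-w C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-06-13 10:23 1,719,808 --sha-r C:\WINDOWS\SecretStub.exe
2006-07-15 07:28 56 -csh--r C:\WINDOWS\system32\B9CA2D43D9.sys
2006-07-15 07:28 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-13 10:23 1,719,808 --sha-r C:\WINDOWS\system32\vhost.exe
"""

LINE_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d)"      # creation time, first column
    r"(?: \. \d{4}-\d\d-\d\d \d\d:\d\d)?"         # optional modification time
    r"\s+(?P<size>[\d,]+|<DIR>|-+)"               # byte count, <DIR>, or dashes
    r"\s+(?P<attrs>[-a-z]+)"                      # attribute flags (d, r, h, s, a ...)
    r"\s+(?P<path>[A-Za-z]:\\.*)$")
HEX_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$")
VOWELS = set("aeiou")


def looks_random(stem):
    """Eight lowercase letters with at most two vowels (lkxwarvw, jithwjvt). Heuristic."""
    return (len(stem) == 8 and stem.isalpha() and stem.islower()
            and sum(c in VOWELS for c in stem) <= 2)


def parse(text):
    """File entries as dicts (path, size, attrs, stamp); directories are dropped."""
    files = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("attrs").startswith("d"):
            continue
        size = m.group("size")
        files.append({
            "path": m.group("path"),
            "size": int(size.replace(",", "")) if size[0].isdigit() else None,
            "attrs": m.group("attrs"),
            "stamp": m.group("stamp"),
        })
    return files


def score_files(text):
    """{path: (score, reasons)} with one point per independent signal."""
    files = parse(text)
    clones = defaultdict(set)  # (size, creation time) -> paths sharing both
    for f in files:
        if f["size"] is not None:
            clones[(f["size"], f["stamp"])].add(f["path"].lower())
    results = {}
    for f in files:
        stem = f["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        score, why = 0, []
        if "h" in f["attrs"] and "s" in f["attrs"]:
            score += 1
            why.append("hidden+system attributes on a loose file")
        if looks_random(stem) or HEX_RE.match(stem):
            score += 1
            why.append("machine-generated name")
        if len(clones[(f["size"], f["stamp"])]) > 1:
            score += 1
            why.append("same size and creation time as another file")
        results[f["path"]] = (score, why)
    return results


def flagged(text, threshold=2):
    """Paths whose score reaches the (assumed) cut-off, sorted."""
    return sorted(p for p, (s, _) in score_files(text).items() if s >= threshold)


if __name__ == "__main__":
    for path, (score, why) in sorted(score_files(SAMPLE).items(), key=lambda kv: -kv[1][0]):
        print(f"{score}  {path}  {'; '.join(why)}")
```

The attribute check alone is noisy: the two small 2006 .sys files in system32 carry the same hidden+system flags and score 1, and so does ebavwcre.ini, whose name happens to contain three vowels. Treat a score of 1 as "review" and 2 as "act", and confirm the SecretStub.exe/vhost.exe pair by hashing both files on the live system rather than trusting size alone.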
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:54:06 AM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\AOL\1133394632\ee\AOLSoftware.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\vhost.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=17706&affid=105-57
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133394632\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P35 "EPSON Stylus CX4800 Series (Copy 1)" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [LoghDriver] vhost.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\RunServices: [LoghDriver] vhost.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\RunOnce: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q C:\DOCUME~1\Cindy\LOCALS~1\Temp\CITRIX~1\GOTOAS~1\482\log30C.SH! C:\DOCUME~1\Cindy\LOCALS~1\Temp\CITRIX~1\GOTOAS~1\482.SH! C:\DOCUME~1\Cindy\LOCALS~1\Temp\CITRIX~1\GOTOAS~1.SH! C:\DOCUME~1\Cindy\LOCALS~1\Temp\CITRIX~1.SH! C:\DOCUME~1\Cindy\LOCALS~1\Temp\Citrix\GOTOAS~1\482\g2a30D.SH! C:\DOCUME~1\Cindy\LOCALS~1\Temp\Citrix\GOTOAS~1\482.SH! C:\DOCUME~1\Cindy\LOCALS~1\Temp\Citrix\GOTOAS~1.SH! C:\DOCUME~1\Cindy\LOCALS~1\Temp\Citrix.SH! C:\DOCUME~1\Cindy\LOCALS~1\TEMPOR~1\Content.IE5\1M9WRINL\AFFLAN~3.SH! C:\DOCUME~1\Cindy\LOCALS~1\TEMPOR~1\Content.IE5\62CYPZNT\GOTOAS~1.SH! C:\DOCUME~1\Cindy\Cookies\CI2047~1.SH! C:\DOCUME~1\Cindy\LOCALS~1\TEMPOR~1\Content.IE5\42DL9SU3\NONVOI~1.SH! C:\DOCUME~1\Cindy\LOCALS~1\TEMPOR~1\Content.IE5\1SXVCM07\AIM_UA~1.SH! C:\DOCUME~1\Cindy\LOCALS~1\TEMPOR~1\Content.IE5\1SXVCM07\OPTN_6~3.SH! C:\DOCUME~1\Cindy\Cookies\CI27F8~1.SH! C:\DOCUME~1\Cindy\Cookies\CI7492~1.SH! C:\DOCUME~1\Cindy\Cookies\CIB847~1.SH! C:\DOC
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\SanDisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1730B226-35E6-48F3-A333-53617DCEAD44}: NameServer = 64.83.0.10,64.83.1.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{1730B226-35E6-48F3-A333-53617DCEAD44}: NameServer = 64.83.0.10,64.83.1.10
O23 - Service: McAfee Application Installer Cleanup (0029371200642255) (0029371200642255mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\002937~1.EXE (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 11281 bytes
CCleaner log:
Adobe Flash Player ActiveX
Adobe Reader 8.1.1
Advanced Registry Optimizer
AIM 6
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Registration
AOL Uninstaller (Choose which Products to Remove)
AOLIcon
CCleaner (remove only)
Confidence Online(tm) for Web Applications
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Photo Printer 720
Dell Photo Printer 720 Logger
Dell Support Center
Dell System Restore
DellSupport
Digital Content Portal
EducateU
EPSON Logiciel imprimante
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB926239)
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSafe for Wired Connections
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.1_04
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 3
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
LimeWire 4.14.10
Macromedia Flash Player
McAfee SecurityCenter
McAfee Shredder
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 9 - Blocker
Microsoft Money 2005
Microsoft Office Word Viewer 2003
Microsoft Picture It! Library 10
Microsoft Picture It! Premium 10
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Word 2002
Microsoft Works
Microsoft Works 2005 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Modem Event Monitor
Modem Helper
Modem On Hold
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
MyWay Search Assistant
Otto
PowerDVD 5.5
Qualxserve Service Agreement
QuickBooks
QuickBooks Simple Start Special Edition
QuickTime
RealPlayer
RealProducer Basic 11
Sansa Media Converter
Sansa Updater
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Shockwave
Sonic Encoders
Sony Picture Utility
Sony USB Driver
Spybot - Search & Destroy
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update Rollup 2 for Windows XP Media Center Edition 2005
VideoEgg Publisher
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WebFldrs XP
Whale Communications' Client Components v3.6
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890927
Windows XP Media Center Edition 2005 KB925766
Works Upgrade
Simon V.
2008-01-20, 15:24
Hi :)
I understand that downloading music and other files may be important to you; however, the Peer-to-Peer programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection all over the internet, so your computer becomes a part of the malware problem.
Remember that no matter how clean the program you're using for Peer-to-Peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via Peer-to-Peer filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., pirated software and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.
Here is some information that looks at the rates of infection:
http://www.benedelman.org/spyware/p2p/
With that being said, I recommend that you remove the following Peer-to-Peer program(s):
(Click on Start, then Control Panel. Double click on Add or Remove Programs)
LimeWire 4.14.10
Also remove the following programs:
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.1_04
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 3
MyWay Search Assistant
Viewpoint Manager (Remove Only) <-- Only remove this if you haven't installed it yourself.
Viewpoint Media Player <-- Only remove this if you haven't installed it yourself.
Then download and install Java Runtime Environment (JRE) 6 Update 4 (http://java.sun.com/javase/downloads/index.jsp).
Step 1
Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:
http://forums.spybot.info/showthread.php?t=22812
Collect::
C:\WINDOWS\system32\vhost.exe
File::
C:\WINDOWS\system32\lkxwarvw.ini
C:\WINDOWS\system32\hqptwrur.ini
C:\WINDOWS\system32\unrxynam.ini
C:\WINDOWS\system32\ddnfbsjq.ini
C:\WINDOWS\system32\jithwjvt.ini
C:\WINDOWS\BM7b43caf5.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\sxdwrpfv.ini
C:\WINDOWS\system32\ebavwcre.ini
C:\WINDOWS\system32\wodfjmnm.ini
C:\WINDOWS\system32\osbexgoq.ini
C:\WINDOWS\system32\xbamivqk.ini
C:\WINDOWS\system32\tcwrlren.ini
C:\WINDOWS\system32\jgwavxvj.ini
C:\WINDOWS\system32\exgibhvw.ini
C:\WINDOWS\system32\rhlqyfos.ini
C:\WINDOWS\system32\efipxnmn.ini
C:\WINDOWS\system32\ffhcjxie.ini
C:\WINDOWS\system32\pkmkikdi.ini
C:\WINDOWS\SecretStub.exe
Folder::
C:\VundoFix Backups
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{442C0694-274B-487B-80FD-080849F06CB5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B300418-C10B-4C3A-AB10-53021F444EF9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{527BE0E5-BDD1-4FA3-A8DC-91BD364C2AC5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4C0719D-4EB0-4303-83D7-BEC173B6947E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C46C383E-0240-40EF-9444-404DA9A5B1C7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D40DB9D6-CE17-4A32-9E92-3B70B08D10EF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D675866E-251F-49FD-82F4-A73076628D58}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEA0E66E-D62C-4F6A-ABEB-4128235722DB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF8F48FB-BD2C-4880-A694-D6FC62FABEC2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E908A6A7-026C-4FBE-93A9-96020BEEAD53}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA084DF6-E63C-475D-969C-9ECC8DD7A867}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"=-
"7870f969"=-
"BM7b43caf5"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoghDriver"=-
Click on File > Save as....
In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)
Click Save (Save the CFScript in the same location as Combofix.exe)
Close any open windows.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
When Combofix has completed, a webpage will open. Follow the instructions and upload the file requested.
It will create a log. Be sure to save it to a convenient location.
Step 2
Close all programs before continuing, and try not to run anything during the scan.
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html). (You will need to use Internet Explorer to run this scan)
On the welcome screen, click Accept.
You will be prompted to install an ActiveX component from Kaspersky, click Install.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded click on Next.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available, otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Now under Select a Target to Scan:
Select My Computer.
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button and save the file to your desktop.
Step 3
In your next reply, please post:
the Combofix log (C:\Combofix.txt)
the Kaspersky Online Scan report
a new HijackThis log
Thanks for all the info, I was unaware of the potential threat of the program and I have now deleted it. I also deleted the other ones as requested but I had trouble with the Java (TM) 6 Update 3. I was able to delete all of them but when I went to install the other Java it requested me to D/L the Java (TM) 6 Update 3. I believe as of now I have no Java programs on my system. Should I just keep the 6 Update 3 one????
Here are the new logs>>>>
combofix:
ComboFix 08-01-20.1 - Cindy 2008-01-21 8:03:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.189 [GMT -5:00]
Running from: C:\Documents and Settings\Cindy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Cindy\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\BM7b43caf5.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\SecretStub.exe
C:\WINDOWS\system32\ddnfbsjq.ini
C:\WINDOWS\system32\ebavwcre.ini
C:\WINDOWS\system32\efipxnmn.ini
C:\WINDOWS\system32\exgibhvw.ini
C:\WINDOWS\system32\ffhcjxie.ini
C:\WINDOWS\system32\hqptwrur.ini
C:\WINDOWS\system32\jgwavxvj.ini
C:\WINDOWS\system32\jithwjvt.ini
C:\WINDOWS\system32\lkxwarvw.ini
C:\WINDOWS\system32\osbexgoq.ini
C:\WINDOWS\system32\pkmkikdi.ini
C:\WINDOWS\system32\rhlqyfos.ini
C:\WINDOWS\system32\sxdwrpfv.ini
C:\WINDOWS\system32\tcwrlren.ini
C:\WINDOWS\system32\unrxynam.ini
C:\WINDOWS\system32\wodfjmnm.ini
C:\WINDOWS\system32\xbamivqk.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\aryrdbyn.dllbox.bad
C:\VundoFix Backups\bigwwmdw.dll.bad
C:\VundoFix Backups\dofpqkyg.dll.bad
C:\VundoFix Backups\dyuumnlj.dll.bad
C:\VundoFix Backups\egprpsyf.dllbox.bad
C:\VundoFix Backups\ewnfrkut.dll.bad
C:\VundoFix Backups\fijeoage.dllbox.bad
C:\VundoFix Backups\ghfdlfnp.dll.bad
C:\VundoFix Backups\ghtdfbmm.dll.bad
C:\VundoFix Backups\gowlwlrl.dll.bad
C:\VundoFix Backups\howqhmli.ini.bad
C:\VundoFix Backups\iejnhnay.dll.bad
C:\VundoFix Backups\ilmhqwoh.dll.bad
C:\VundoFix Backups\iuiemavl.dll.bad
C:\VundoFix Backups\jgnoruel.dll.bad
C:\VundoFix Backups\jkhhf.dll.bad
C:\VundoFix Backups\jlnmuuyd.ini.bad
C:\VundoFix Backups\jvdvnfoa.dll.bad
C:\VundoFix Backups\jvxvawgj.dll.bad
C:\VundoFix Backups\kofqascm.dll.bad
C:\VundoFix Backups\kqvimabx.dll.bad
C:\VundoFix Backups\kxbsrmhu.dll.bad
C:\VundoFix Backups\manyxrnu.dll.bad
C:\VundoFix Backups\mmbfdthg.ini.bad
C:\VundoFix Backups\mnbictcv.dll.bad
C:\VundoFix Backups\mnmjfdow.dll.bad
C:\VundoFix Backups\mpyqepfq.dll.bad
C:\VundoFix Backups\nerlrwct.dll.bad
C:\VundoFix Backups\nggmoqxq.dll.bad
C:\VundoFix Backups\nmnxpife.dll.bad
C:\VundoFix Backups\qmupbjuc.dll.bad
C:\VundoFix Backups\qogxebso.dll.bad
C:\VundoFix Backups\rurwtpqh.dll.bad
C:\VundoFix Backups\sequurxj.dll.bad
C:\VundoFix Backups\sofyqlhr.dll.bad
C:\VundoFix Backups\tkpjtjvo.dll.bad
C:\VundoFix Backups\tqywtrpr.dllbox.bad
C:\VundoFix Backups\tvkybpsk.dll.bad
C:\VundoFix Backups\vfprwdxs.dll.bad
C:\VundoFix Backups\wdmwwgib.ini.bad
C:\VundoFix Backups\wlupueyh.dll.bad
C:\VundoFix Backups\wvhbigxe.dll.bad
C:\VundoFix Backups\xfsqpjsq.dll.bad
C:\VundoFix Backups\yivweias.dll.bad
C:\WINDOWS\BM7b43caf5.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\SecretStub.exe
C:\WINDOWS\system32\ddnfbsjq.ini
C:\WINDOWS\system32\ebavwcre.ini
C:\WINDOWS\system32\efipxnmn.ini
C:\WINDOWS\system32\exgibhvw.ini
C:\WINDOWS\system32\ffhcjxie.ini
C:\WINDOWS\system32\hqptwrur.ini
C:\WINDOWS\system32\jgwavxvj.ini
C:\WINDOWS\system32\jithwjvt.ini
C:\WINDOWS\system32\lkxwarvw.ini
C:\WINDOWS\system32\osbexgoq.ini
C:\WINDOWS\system32\pkmkikdi.ini
C:\WINDOWS\system32\rhlqyfos.ini
C:\WINDOWS\system32\sxdwrpfv.ini
C:\WINDOWS\system32\tcwrlren.ini
C:\WINDOWS\system32\unrxynam.ini
C:\WINDOWS\system32\vhost.exe
C:\WINDOWS\system32\wodfjmnm.ini
C:\WINDOWS\system32\xbamivqk.ini
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete
----- Unknown downloads made by BITS: ----
http://www.dellsupportcenter.com
.
((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.
2008-01-21 07:53 . 2008-01-21 07:54 <DIR> d-------- C:\Documents and Settings\Cindy\.SunDownloadManager
2008-01-20 07:30 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-20 07:30 . 2005-11-29 15:24 209 --a------ C:\Boot.bak
2008-01-20 07:27 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-20 07:02 . 2008-01-20 07:02 <DIR> d-------- C:\Program Files\CCleaner
2008-01-16 10:00 . 2008-01-16 10:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 08:12 . 2008-01-16 08:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-16 08:12 . 2008-01-16 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-03 18:34 . 2008-01-03 18:35 <DIR> d-------- C:\Program Files\Dell Support Center
2008-01-03 18:34 . 2008-01-03 18:34 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2007-12-21 15:54 . 2007-12-21 15:55 <DIR> d-------- C:\Program Files\Whale Communications
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 12:56 --------- d-----w C:\Program Files\Java
2008-01-21 12:43 --------- d-----w C:\Program Files\Viewpoint
2008-01-21 12:43 --------- d-----w C:\Program Files\LimeWire
2008-01-21 12:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-21 12:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-18 19:46 --------- d-----w C:\Documents and Settings\Cindy\Application Data\LimeWire
2008-01-18 10:12 --------- d-----w C:\Program Files\McAfee
2008-01-05 12:55 --------- d-----w C:\Documents and Settings\Cindy\Application Data\SiteAdvisor
2008-01-03 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-12-17 21:37 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-17 05:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-10 01:55 --------- d-----w C:\Program Files\QuickTime
2007-12-10 01:47 --------- d-----w C:\Program Files\SanDisk
2007-12-06 16:01 28,672 ----a-w C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-12-06 16:00 --------- d-----w C:\Documents and Settings\Cindy\Application Data\WholeSecurity
2007-12-02 03:51 --------- d-----w C:\Documents and Settings\Cindy\Application Data\InstallShield
2007-11-29 13:03 --------- d-----w C:\Documents and Settings\Cindy\Application Data\Snapfish
2007-11-15 13:03 7,126 -c--a-w C:\Documents and Settings\Cindy\Application Data\wklnhst.dat
2007-08-16 23:38 47,360 -c--a-w C:\Documents and Settings\Cindy\Application Data\pcouffin.sys
2006-10-28 22:48 65,016 -c--a-w C:\Documents and Settings\Cindy\Application Data\GDIPFONTCACHEV1.DAT
2006-07-15 07:28 56 -csh--r C:\WINDOWS\system32\B9CA2D43D9.sys
2006-07-15 07:28 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2008-01-20_ 7.50.29.58 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-20 12:28:18 1,339,392 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-21 13:02:55 1,339,392 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-20 12:28:19 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-21 13:02:56 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-20 12:28:19 1,343,488 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-21 13:02:56 1,343,488 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-20 12:28:19 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-21 13:02:56 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-20 12:28:19 5,591,040 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-21 13:02:56 5,591,040 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-20 12:28:19 331,776 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-21 13:02:56 331,776 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-20 10:52:02 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-21 09:05:08 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-20 10:52:02 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-21 09:05:08 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-21 09:05:08 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{442C0694-274B-487B-80FD-080849F06CB5}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B300418-C10B-4C3A-AB10-53021F444EF9}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{527BE0E5-BDD1-4FA3-A8DC-91BD364C2AC5}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4C0719D-4EB0-4303-83D7-BEC173B6947E}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C46C383E-0240-40EF-9444-404DA9A5B1C7}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D40DB9D6-CE17-4A32-9E92-3B70B08D10EF}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D675866E-251F-49FD-82F4-A73076628D58}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEA0E66E-D62C-4F6A-ABEB-4128235722DB}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF8F48FB-BD2C-4880-A694-D6FC62FABEC2}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E908A6A7-026C-4FBE-93A9-96020BEEAD53}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA084DF6-E63C-475D-969C-9ECC8DD7A867}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 10:20 50528]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46 1460560]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="c:\PROGRA~1\mcafee\mshr\ShrCL.exe" [2007-07-25 15:10 111904]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-20 00:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-20 00:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-20 00:10 114688]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 01:20 339968 C:\WINDOWS\stsystra.exe]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12 221184]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 12:46 8192]
"HostManager"="C:\Program Files\Common Files\AOL\1133394632\ee\AOLSoftware.exe" [2006-09-25 19:52 50736]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-07 04:13 282624]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00 98304]
"EPSON Stylus CX4800 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00 98304]
"LoghDriver"="vhost.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-13 13:05 36640]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 12:52 75584]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"7870f969"="C:\WINDOWS\system32\ygqylwit.dll" [ ]
"BM7b43caf5"="C:\WINDOWS\system32\qkurdvjn.dll" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"InstallShieldSetup"="C:\PROGRA~1\INSTAL~1\{FC053~1\setup.exe" [2006-09-20 20:01 127488]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinCinema Manager.lnk - C:\Program Files\SanDisk\Common\Bin\WinCinemaMgr.exe [2007-12-09 20:47:58 303104]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-12-06 16:26:02 315392]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []
S2 0219511200858799mcinstcleanup;McAfee Application Installer Cleanup (0219511200858799);C:\WINDOWS\TEMP\021951~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{380bd584-7438-11dc-b702-00038a000015}]
\Shell\AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe
*Newly Created Service* - 0219511200858799MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 00:30:00 C:\WINDOWS\Tasks\Advanced Registry Optimizer.job"
- C:\Program Files\Advanced Registry Optimizer\ARO.exe
"2008-01-21 12:34:07 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-01-21 11:03:27 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-01-21 01:00:23 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 08:07:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-21 8:16:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-21 13:16:37
ComboFix2.txt 2008-01-20 12:50:55
.
2008-01-11 03:52:16 --- E O F ---
KASPERSKY ONLINE SCANNER REPORT
Monday, January 21, 2008 6:17:11 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/01/2008
Kaspersky Anti-Virus database records: 525770
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Scan Statistics
Total number of scanned objects 67944
Number of viruses found 10
Number of infected objects 64
Number of suspicious objects 0
Duration of the scan process 00:55:15
Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e86e7963512c4db0c437b197c1f94839_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\StarWare.zip/Setup.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.Comet.aq skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\StarWare.zip/Setup.exe/stream Infected: not-a-virus:AdWare.Win32.Comet.aq skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\StarWare.zip/Setup.exe Infected: not-a-virus:AdWare.Win32.Comet.aq skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\StarWare.zip ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\SupportSoft\DellSupportCenter\SYSTEM\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Cindy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Cindy\Desktop\[4]-Submit_2008-01-21@8.03.zip/vhost.exe Infected: Trojan.Win32.Agent.awz skipped
C:\Documents and Settings\Cindy\Desktop\[4]-Submit_2008-01-21@8.03.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Cindy\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Cindy\Local Settings\Application Data\ApplicationHistory\sprtcmd.exe.63e7480d.ini.inuse Object is locked skipped
C:\Documents and Settings\Cindy\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Cindy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Cindy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Cindy\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Cindy\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Cindy\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Cindy\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Cindy\Local Settings\Application Data\SupportSoft\DellSupportCenter\Cindy\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\Cindy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cindy\Local Settings\History\History.IE5\MSHist012008012120080122\index.dat Object is locked skipped
C:\Documents and Settings\Cindy\Local Settings\Temp\JET808B.tmp Object is locked skipped
C:\Documents and Settings\Cindy\Local Settings\Temp\sqlite_sIW1CFGoT1baENa Object is locked skipped
C:\Documents and Settings\Cindy\Local Settings\Temp\~DF328C.tmp Object is locked skipped
C:\Documents and Settings\Cindy\Local Settings\Temp\~DF6C6C.tmp Object is locked skipped
C:\Documents and Settings\Cindy\Local Settings\Temp\~DF6C7A.tmp Object is locked skipped
C:\Documents and Settings\Cindy\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Cindy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cindy\ntuser.dat Object is locked skipped
C:\Documents and Settings\Cindy\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\VundoFix Backups\bigwwmdw.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\C\VundoFix Backups\dyuumnlj.dll.bad.vir Infected: Backdoor.Win32.Agent.dlj skipped
C:\QooBox\Quarantine\C\VundoFix Backups\ghfdlfnp.dll.bad.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ec skipped
C:\QooBox\Quarantine\C\VundoFix Backups\ghtdfbmm.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\VundoFix Backups\ilmhqwoh.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\VundoFix Backups\iuiemavl.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\VundoFix Backups\jgnoruel.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnp skipped
C:\QooBox\Quarantine\C\VundoFix Backups\jvdvnfoa.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\VundoFix Backups\jvxvawgj.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\C\VundoFix Backups\kofqascm.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\VundoFix Backups\kqvimabx.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnr skipped
C:\QooBox\Quarantine\C\VundoFix Backups\mnbictcv.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\VundoFix Backups\mnmjfdow.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\C\VundoFix Backups\nerlrwct.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\C\VundoFix Backups\nggmoqxq.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnl skipped
C:\QooBox\Quarantine\C\VundoFix Backups\nmnxpife.dll.bad.vir Infected: Backdoor.Win32.Agent.dlj skipped
C:\QooBox\Quarantine\C\VundoFix Backups\qogxebso.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\C\VundoFix Backups\sofyqlhr.dll.bad.vir Infected: Backdoor.Win32.Agent.dlj skipped
C:\QooBox\Quarantine\C\VundoFix Backups\tkpjtjvo.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\VundoFix Backups\tvkybpsk.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\VundoFix Backups\vfprwdxs.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\C\VundoFix Backups\wlupueyh.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\QooBox\Quarantine\C\VundoFix Backups\wvhbigxe.dll.bad.vir Infected: Backdoor.Win32.Agent.dlj skipped
C:\QooBox\Quarantine\C\WINDOWS\SecretStub.exe.vir Infected: Trojan.Win32.Agent.awz skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP483\A0057041.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP483\A0057042.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP485\A0057159.dll Infected: Trojan.Win32.Pakes.sv skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0058289.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0058290.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP493\A0058460.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP494\A0059479.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP503\A0059870.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060007.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060008.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060065.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060067.dll Infected: Backdoor.Win32.Agent.dlj skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060069.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ec skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060070.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060074.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060075.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060076.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnp skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060078.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060079.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060080.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060081.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnr skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060085.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060086.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060087.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060088.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnl skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060089.dll Infected: Backdoor.Win32.Agent.dlj skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060091.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060093.dll Infected: Backdoor.Win32.Agent.dlj skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060094.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060095.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060096.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060098.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP508\A0060099.dll Infected: Backdoor.Win32.Agent.dlj skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP524\A0061213.exe Infected: Trojan.Win32.Agent.awz skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP524\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8E09B669-246D-44B6-88FD-35210079CF64}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{ACE900CD-9236-4F53-85BA-F23A5E4A064F}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_bFzmYc4PlcAfZRh Object is locked skipped
C:\WINDOWS\Temp\mcmsc_BSHu71jL3NBSqh8 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_V47tfSXdHbZkTdW Object is locked skipped
C:\WINDOWS\Temp\sqlite_3PD4VjRceZ4GZ3Y Object is locked skipped
C:\WINDOWS\Temp\sqlite_eS0xcsHjyrt61Xe Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:18:04 PM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\AOL\1133394632\ee\AOLSoftware.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=17706&affid=105-57
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133394632\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P35 "EPSON Stylus CX4800 Series (Copy 1)" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [LoghDriver] vhost.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\INSTAL~1\{FC053~1\setup.exe -rebootC:\PROGRA~1\INSTAL~1\{FC053~1\reboot.ini
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\SanDisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1730B226-35E6-48F3-A333-53617DCEAD44}: NameServer = 64.83.0.10,64.83.1.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{1730B226-35E6-48F3-A333-53617DCEAD44}: NameServer = 64.83.0.10,64.83.1.10
O23 - Service: McAfee Application Installer Cleanup (0219511200858799) (0219511200858799mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\021951~1.EXE (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 9749 bytes
Simon V.
2008-01-22, 18:07
Hi :)
Thanks for all the info, I was unaware of the potential threat of the program and I have now deleted it. I also deleted the other ones as requested but I had trouble with the Java (TM) 6 Update 3. I was able to delete all of them but when I went to install the other Java it requested me to D/L the Java (TM) 6 Update 3. I believe as of now I have no Java programs on my system. Should I just keep the 6 Update 3 one????
That's weird. On the page I gave you, you should scroll down to Java Runtime Environment (JRE) 6 Update 4 (fourth down the list) and then click Download.
Step 1
Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:
File::
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\StarWare.zip
C:\Documents and Settings\Cindy\Desktop\[4]-Submit_2008-01-21@8.03.zip
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{442C0694-274B-487B-80FD-080849F06CB5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B300418-C10B-4C3A-AB10-53021F444EF9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{527BE0E5-BDD1-4FA3-A8DC-91BD364C2AC5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4C0719D-4EB0-4303-83D7-BEC173B6947E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C46C383E-0240-40EF-9444-404DA9A5B1C7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D40DB9D6-CE17-4A32-9E92-3B70B08D10EF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D675866E-251F-49FD-82F4-A73076628D58}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEA0E66E-D62C-4F6A-ABEB-4128235722DB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF8F48FB-BD2C-4880-A694-D6FC62FABEC2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E908A6A7-026C-4FBE-93A9-96020BEEAD53}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA084DF6-E63C-475D-969C-9ECC8DD7A867}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LoghDriver"=-
"7870f969"=-
"BM7b43caf5"=-
Driver::
0219511200858799mcinstcleanup
Click on File > Save as....
In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)
Click Save (Save the CFScript in the same location as Combofix.exe)
Close any open windows.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.
Step 2
Open HijackThis, perform a scan and put a check next to the following items (if present):
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\INSTAL~1\{FC053~1\setup.exe -rebootC:\PROGRA~1\INSTAL~1\{FC053~1\reboot.ini
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
Close all programs except HijackThis and click on Fix checked.
Step 3
In your next reply, please post:
the Combofix log (C:\Combofix.txt)
a new HijackThis log
a description of how your computer is currently running
Computer is running great. Haven't had any stalling or popups and internet is running faster than before!!! Once again thanks for all the help you have given me!!!!
combofix:
ComboFix 08-01-20.1 - Cindy 2008-01-22 11:36:44.3 - NTFSx86
Running from: C:\Documents and Settings\Cindy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Cindy\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\StarWare.zip
C:\Documents and Settings\Cindy\Desktop\[4]-Submit_2008-01-21@8.03.zip
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\StarWare.zip
C:\Documents and Settings\Cindy\Desktop\[4]-Submit_2008-01-21@8.03.zip
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete
----- Unknown downloads made by BITS: ----
http://www.dellsupportcenter.com
.
((((((((((((((((((((((((( Files Created from 2007-12-22 to 2008-01-22 )))))))))))))))))))))))))))))))
.
2008-01-21 18:35 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-21 18:34 . 2008-01-21 18:34 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-21 07:53 . 2008-01-21 07:54 <DIR> d-------- C:\Documents and Settings\Cindy\.SunDownloadManager
2008-01-20 07:30 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-20 07:30 . 2005-11-29 15:24 209 --a------ C:\Boot.bak
2008-01-20 07:27 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-20 07:02 . 2008-01-20 07:02 <DIR> d-------- C:\Program Files\CCleaner
2008-01-16 10:00 . 2008-01-16 10:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 08:12 . 2008-01-16 08:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-16 08:12 . 2008-01-16 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-03 18:34 . 2008-01-03 18:35 <DIR> d-------- C:\Program Files\Dell Support Center
2008-01-03 18:34 . 2008-01-03 18:34 <DIR> d-------- C:\Program Files\Common Files\supportsoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 23:35 --------- d-----w C:\Program Files\Java
2008-01-21 12:43 --------- d-----w C:\Program Files\Viewpoint
2008-01-21 12:43 --------- d-----w C:\Program Files\LimeWire
2008-01-21 12:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-21 12:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-18 19:46 --------- d-----w C:\Documents and Settings\Cindy\Application Data\LimeWire
2008-01-18 10:12 --------- d-----w C:\Program Files\McAfee
2008-01-05 12:55 --------- d-----w C:\Documents and Settings\Cindy\Application Data\SiteAdvisor
2008-01-03 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-12-21 20:55 --------- d-----w C:\Program Files\Whale Communications
2007-12-17 21:37 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-17 05:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-10 01:55 --------- d-----w C:\Program Files\QuickTime
2007-12-10 01:47 --------- d-----w C:\Program Files\SanDisk
2007-12-06 16:01 28,672 ----a-w C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-12-06 16:00 --------- d-----w C:\Documents and Settings\Cindy\Application Data\WholeSecurity
2007-12-02 03:51 --------- d-----w C:\Documents and Settings\Cindy\Application Data\InstallShield
2007-11-29 13:03 --------- d-----w C:\Documents and Settings\Cindy\Application Data\Snapfish
2007-11-15 13:03 7,126 -c--a-w C:\Documents and Settings\Cindy\Application Data\wklnhst.dat
2007-08-16 23:38 47,360 -c--a-w C:\Documents and Settings\Cindy\Application Data\pcouffin.sys
2006-10-28 22:48 65,016 -c--a-w C:\Documents and Settings\Cindy\Application Data\GDIPFONTCACHEV1.DAT
2006-07-15 07:28 56 -csh--r C:\WINDOWS\system32\B9CA2D43D9.sys
2006-07-15 07:28 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2008-01-20_ 7.50.29.58 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-20 12:28:18 1,339,392 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-22 16:36:22 1,339,392 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-20 12:28:19 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-22 16:36:22 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-20 12:28:19 1,343,488 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-22 16:36:22 1,343,488 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-20 12:28:19 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-22 16:36:23 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-20 12:28:19 5,591,040 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-22 16:36:23 5,591,040 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-20 12:28:19 331,776 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-22 16:36:23 331,776 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-20 10:52:02 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-22 12:54:29 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-20 10:52:02 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-22 12:54:29 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-09-25 02:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-09-25 02:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-09-25 03:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{442C0694-274B-487B-80FD-080849F06CB5}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B300418-C10B-4C3A-AB10-53021F444EF9}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{527BE0E5-BDD1-4FA3-A8DC-91BD364C2AC5}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4C0719D-4EB0-4303-83D7-BEC173B6947E}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C46C383E-0240-40EF-9444-404DA9A5B1C7}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D40DB9D6-CE17-4A32-9E92-3B70B08D10EF}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D675866E-251F-49FD-82F4-A73076628D58}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEA0E66E-D62C-4F6A-ABEB-4128235722DB}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF8F48FB-BD2C-4880-A694-D6FC62FABEC2}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E908A6A7-026C-4FBE-93A9-96020BEEAD53}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA084DF6-E63C-475D-969C-9ECC8DD7A867}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46 1460560]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="c:\PROGRA~1\mcafee\mshr\ShrCL.exe" [2007-07-25 15:10 111904]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-20 00:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-20 00:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-20 00:10 114688]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 01:20 339968 C:\WINDOWS\stsystra.exe]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12 221184]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 12:46 8192]
"HostManager"="C:\Program Files\Common Files\AOL\1133394632\ee\AOLSoftware.exe" [2006-09-25 19:52 50736]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-07 04:13 282624]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00 98304]
"EPSON Stylus CX4800 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00 98304]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-13 13:05 36640]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 12:52 75584]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"7870f969"="C:\WINDOWS\system32\ygqylwit.dll" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"InstallShieldSetup"="C:\PROGRA~1\INSTAL~1\{FC053~1\setup.exe" [2006-09-20 20:01 127488]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinCinema Manager.lnk - C:\Program Files\SanDisk\Common\Bin\WinCinemaMgr.exe [2007-12-09 20:47:58 303104]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-12-06 16:26:02 315392]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []
S2 0130671201006594mcinstcleanup;McAfee Application Installer Cleanup (0130671201006594);C:\WINDOWS\TEMP\013067~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{380bd584-7438-11dc-b702-00038a000015}]
\Shell\AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe
*Newly Created Service* - 0130671201006594MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder
"2008-01-22 00:30:00 C:\WINDOWS\Tasks\Advanced Registry Optimizer.job"
- C:\Program Files\Advanced Registry Optimizer\ARO.exe
"2008-01-21 12:34:07 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-01-21 11:03:27 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-22 01:00:26 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 11:42:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-22 11:50:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-22 16:50:50
ComboFix2.txt 2008-01-21 13:16:42
ComboFix3.txt 2008-01-20 12:50:55
.
2008-01-11 03:52:16 --- E O F ---
hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19:17 PM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\AOL\1133394632\ee\AOLSoftware.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=17706&affid=105-57
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133394632\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P35 "EPSON Stylus CX4800 Series (Copy 1)" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [7870f969] rundll32.exe "C:\WINDOWS\system32\ygqylwit.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\RunOnce: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q C:\DOCUME~1\Cindy\LOCALS~1\Temp\CITRIX~1\GOTOAS~1\482\log30C.SH! C:\DOCUME~1\Cindy\LOCALS~1\Temp\CITRIX~1\GOTOAS~1\482.SH! C:\DOCUME~1\Cindy\LOCALS~1\Temp\CITRIX~1\GOTOAS~1.SH! C:\DOCUME~1\Cindy\LOCALS~1\Temp\CITRIX~1.SH! C:\DOCUME~1\Cindy\LOCALS~1\Temp\Citrix\GOTOAS~1\482\g2a30D.SH! C:\DOCUME~1\Cindy\LOCALS~1\Temp\Citrix\GOTOAS~1\482.SH! C:\DOCUME~1\Cindy\LOCALS~1\Temp\Citrix\GOTOAS~1.SH! C:\DOCUME~1\Cindy\LOCALS~1\Temp\Citrix.SH! C:\DOCUME~1\Cindy\LOCALS~1\TEMPOR~1\Content.IE5\1M9WRINL\AFFLAN~3.SH! C:\DOCUME~1\Cindy\LOCALS~1\TEMPOR~1\Content.IE5\62CYPZNT\GOTOAS~1.SH! C:\DOCUME~1\Cindy\Cookies\CI2047~1.SH! C:\DOCUME~1\Cindy\LOCALS~1\TEMPOR~1\Content.IE5\42DL9SU3\NONVOI~1.SH! C:\DOCUME~1\Cindy\LOCALS~1\TEMPOR~1\Content.IE5\1SXVCM07\AIM_UA~1.SH! C:\DOCUME~1\Cindy\LOCALS~1\TEMPOR~1\Content.IE5\1SXVCM07\OPTN_6~3.SH! C:\DOCUME~1\Cindy\Cookies\CI27F8~1.SH! C:\DOCUME~1\Cindy\Cookies\CI7492~1.SH! C:\DOCUME~1\Cindy\Cookies\CIB847~1.SH! C:\DOC
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\SanDisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1730B226-35E6-48F3-A333-53617DCEAD44}: NameServer = 64.83.0.10,64.83.1.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{1730B226-35E6-48F3-A333-53617DCEAD44}: NameServer = 64.83.0.10,64.83.1.10
O23 - Service: McAfee Application Installer Cleanup (0130671201006594) (0130671201006594mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\013067~1.EXE (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 10851 bytes
Simon V.
2008-01-22, 19:35
Hi :)
There are still some things showing in your log; they should be gone after doing the following:
Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:
KillAll::
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{442C0694-274B-487B-80FD-080849F06CB5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B300418-C10B-4C3A-AB10-53021F444EF9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{527BE0E5-BDD1-4FA3-A8DC-91BD364C2AC5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4C0719D-4EB0-4303-83D7-BEC173B6947E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C46C383E-0240-40EF-9444-404DA9A5B1C7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D40DB9D6-CE17-4A32-9E92-3B70B08D10EF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D675866E-251F-49FD-82F4-A73076628D58}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEA0E66E-D62C-4F6A-ABEB-4128235722DB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF8F48FB-BD2C-4880-A694-D6FC62FABEC2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E908A6A7-026C-4FBE-93A9-96020BEEAD53}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA084DF6-E63C-475D-969C-9ECC8DD7A867}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"7870f969"=-
Click on File > Save as....
In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)
Click Save (Save the CFScript in the same location as Combofix.exe)
Close any open windows.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Post the contents of that log back here.
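The entries the helper keeps targeting above follow a recognisable pattern: a Run value whose name is a random hex string ("7870f969") that launches rundll32 on a randomly named DLL in system32, orphaned BHO CLSIDs with "(no file)", and a service whose binary is missing. The script below is an added illustration, not part of this thread and not a feature of HijackThis or ComboFix: it parses HijackThis O2/O4/O23 lines with those heuristics and emits a CFScript "Registry::" / "Driver::" block in the same format the helper used. The sample lines are copied from the logs posted in this thread; the thresholds in `is_random_looking` and the hex-name rule are assumptions of this example, so treat its output as a list of candidates for a human to review, not an automatic fix.

```python
import re
from dataclasses import dataclass

# Sample HijackThis lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [7870f969] rundll32.exe "C:\WINDOWS\system32\ygqylwit.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: McAfee Application Installer Cleanup (0130671201006594) (0130671201006594mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\013067~1.EXE (file missing)
"""

# HijackThis abbreviates the hive; CFScript needs the full key path.
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion",
}

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[([^\]]+)\] (.*)$')
HEX_NAME_RE = re.compile(r'^[0-9a-f]{6,}$', re.IGNORECASE)   # assumption: hex-only names are suspicious
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)
CLSID_RE = re.compile(r'\{[0-9A-F-]+\}', re.IGNORECASE)
SERVICE_RE = re.compile(r'\(([^()]+)\) - ')                  # last "(shortname) - " before company


@dataclass
class Finding:
    kind: str      # 'run-entry', 'orphan-bho' or 'missing-service'
    hive: str
    key: str
    name: str      # value name, CLSID or service short name
    detail: str


def is_random_looking(stem):
    # Crude heuristic (assumption of this example): 7+ lowercase letters
    # with fewer than 25% vowels, e.g. "ygqylwit" but not "acroiehelper".
    if not re.fullmatch(r'[a-z]{7,}', stem):
        return False
    vowels = sum(c in 'aeiou' for c in stem)
    return vowels / len(stem) < 0.25


def analyse(log_text):
    """Return the suspicious HijackThis entries found in log_text, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, subkey, name, cmd = m.groups()
            dll = RUNDLL_RE.search(cmd)
            random_dll = False
            if dll is not None:
                stem = dll.group(1).rsplit('\\', 1)[-1].rsplit('.', 1)[0].lower()
                random_dll = is_random_looking(stem)
            if HEX_NAME_RE.match(name) or random_dll:
                findings.append(Finding('run-entry', hive, subkey, name, cmd))
            continue
        if line.startswith('O2 - BHO:') and line.endswith('(no file)'):
            clsid = CLSID_RE.search(line).group(0)
            findings.append(Finding('orphan-bho', 'HKLM', 'Browser Helper Objects', clsid, line))
            continue
        if line.startswith('O23 - Service:') and line.endswith('(file missing)'):
            short = SERVICE_RE.findall(line)[-1]
            findings.append(Finding('missing-service', 'HKLM', 'Services', short, line))
    return findings


def build_cfscript(findings):
    """Render findings as a CFScript fragment in the format used in this thread."""
    lines = ['Registry::']
    for f in findings:
        if f.kind == 'orphan-bho':
            lines.append(f'[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{f.name}]')
    grouped = {}
    for f in findings:
        if f.kind == 'run-entry':
            grouped.setdefault(f'[{RUN_KEYS[f.hive]}\\{f.key}]', []).append(f'"{f.name}"=-')
    for key, values in grouped.items():
        lines.append(key)
        lines.extend(values)
    services = [f.name for f in findings if f.kind == 'missing-service']
    if services:
        lines.append('Driver::')
        lines.extend(services)
    return '\n'.join(lines)


if __name__ == '__main__':
    found = analyse(SAMPLE_LOG)
    for f in found:
        print(f'{f.kind:16} {f.name}')
    print(build_cfscript(found))
```

Running it on the sample prints the three candidate entries and a script fragment whose Run section reads `"7870f969"=-` under the full HKLM CurrentVersion\Run key, matching what the helper wrote by hand; the legitimate ehTray and ctfmon.exe entries are left alone.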
:bigthumb:
ComboFix 08-01-20.1 - Cindy 2008-01-22 22:26:36.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.257 [GMT -5:00]
Running from: C:\Documents and Settings\Cindy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Cindy\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.
2008-01-21 18:35 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-21 18:34 . 2008-01-21 18:34 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-21 07:53 . 2008-01-21 07:54 <DIR> d-------- C:\Documents and Settings\Cindy\.SunDownloadManager
2008-01-20 07:30 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-20 07:30 . 2005-11-29 15:24 209 --a------ C:\Boot.bak
2008-01-20 07:27 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-20 07:02 . 2008-01-20 07:02 <DIR> d-------- C:\Program Files\CCleaner
2008-01-16 10:00 . 2008-01-16 10:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 08:12 . 2008-01-16 08:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-16 08:12 . 2008-01-16 08:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-03 18:34 . 2008-01-03 18:35 <DIR> d-------- C:\Program Files\Dell Support Center
2008-01-03 18:34 . 2008-01-03 18:34 <DIR> d-------- C:\Program Files\Common Files\supportsoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 23:35 --------- d-----w C:\Program Files\Java
2008-01-21 12:43 --------- d-----w C:\Program Files\Viewpoint
2008-01-21 12:43 --------- d-----w C:\Program Files\LimeWire
2008-01-21 12:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-21 12:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-18 19:46 --------- d-----w C:\Documents and Settings\Cindy\Application Data\LimeWire
2008-01-18 10:12 --------- d-----w C:\Program Files\McAfee
2008-01-05 12:55 --------- d-----w C:\Documents and Settings\Cindy\Application Data\SiteAdvisor
2008-01-03 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-12-21 20:55 --------- d-----w C:\Program Files\Whale Communications
2007-12-17 21:37 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-17 05:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-10 01:55 --------- d-----w C:\Program Files\QuickTime
2007-12-10 01:47 --------- d-----w C:\Program Files\SanDisk
2007-12-06 16:01 28,672 ----a-w C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-12-06 16:00 --------- d-----w C:\Documents and Settings\Cindy\Application Data\WholeSecurity
2007-12-02 03:51 --------- d-----w C:\Documents and Settings\Cindy\Application Data\InstallShield
2007-11-29 13:03 --------- d-----w C:\Documents and Settings\Cindy\Application Data\Snapfish
2007-11-15 13:03 7,126 -c--a-w C:\Documents and Settings\Cindy\Application Data\wklnhst.dat
2007-08-16 23:38 47,360 -c--a-w C:\Documents and Settings\Cindy\Application Data\pcouffin.sys
2006-10-28 22:48 65,016 -c--a-w C:\Documents and Settings\Cindy\Application Data\GDIPFONTCACHEV1.DAT
2006-07-15 07:28 56 -csh--r C:\WINDOWS\system32\B9CA2D43D9.sys
2006-07-15 07:28 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2008-01-20_ 7.50.29.58 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-20 12:28:18 1,339,392 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-23 03:26:05 1,339,392 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-20 12:28:19 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-23 03:26:05 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-20 12:28:19 1,343,488 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-23 03:26:05 1,343,488 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-20 12:28:19 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-23 03:26:06 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-20 12:28:19 5,591,040 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-23 03:26:06 5,591,040 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-20 12:28:19 331,776 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-23 03:26:06 331,776 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-20 10:52:02 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-23 02:47:05 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-20 10:52:02 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-23 02:47:05 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-23 02:47:05 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-09-25 02:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-09-25 02:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-09-25 03:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46 1460560]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="c:\PROGRA~1\mcafee\mshr\ShrCL.exe" [2007-07-25 15:10 111904]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-20 00:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-20 00:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-20 00:10 114688]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 01:20 339968 C:\WINDOWS\stsystra.exe]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12 221184]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 12:46 8192]
"HostManager"="C:\Program Files\Common Files\AOL\1133394632\ee\AOLSoftware.exe" [2006-09-25 19:52 50736]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-07 04:13 282624]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00 98304]
"EPSON Stylus CX4800 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00 98304]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-13 13:05 36640]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 12:52 75584]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"7870f969"="C:\WINDOWS\system32\ygqylwit.dll" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinCinema Manager.lnk - C:\Program Files\SanDisk\Common\Bin\WinCinemaMgr.exe [2007-12-09 20:47:58 303104]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-12-06 16:26:02 315392]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []
S2 0130671201006594mcinstcleanup;McAfee Application Installer Cleanup (0130671201006594);C:\WINDOWS\TEMP\013067~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{380bd584-7438-11dc-b702-00038a000015}]
\Shell\AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-23 00:30:00 C:\WINDOWS\Tasks\Advanced Registry Optimizer.job"
- C:\Program Files\Advanced Registry Optimizer\ARO.exe
"2008-01-21 12:34:07 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-01-21 11:03:27 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-23 01:00:20 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 22:36:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-22 22:42:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-23 03:42:03
ComboFix2.txt 2008-01-22 16:50:55
ComboFix3.txt 2008-01-21 13:16:42
ComboFix4.txt 2008-01-20 12:50:55
.
2008-01-11 03:52:16 --- E O F ---
Simon V.
2008-01-23, 08:41
Congratulations, your log looks clean. Please advise of any problems you are still experiencing, or follow these simple steps to keep your computer clean in the future:
Click Start, then Run.
Type Combofix /u in the run box and click OK. (Note: the space between the x and the /u needs to be there.)
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
This will uninstall Combofix.
Make your Internet Explorer More Secure
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab.
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt.
Change the Download unsigned ActiveX controls to Disable.
Change the Initialise and script ActiveX controls not marked as safe to Disable.
Change the Installation of desktop items to Prompt.
Change the Launching programs and files in an IFRAME to Prompt.
Change the Navigate sub-frames across different domains to Prompt.
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install WinPatrol - An excellent startup manager, notifies you if programs are added to startup, allows delayed startup, ... A must have! An installation guide can be found here: http://www.winpatrol.com/download.html
Install Malwarebytes' Anti-Malware - You should scan your computer with the program on a regular basis just as you would with your anti-virus software. You can download the program here: http://www.malwarebytes.org/mbam.php
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial can be found here: http://www.bleepingcomputer.com/tutorials/tutorial49.html
Install IE-Spyad - IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here: http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD
Update All Your Security Programs Regularly - Make sure you update all your security programs (Anti-Virus, Firewall, Anti-Spyware) regularly (once a week, at least). Without regular updates you WILL NOT be protected when new malicious programs are released.
You can also read this excellent article by TonyKlein: So how did I get infected in the first place? (http://www.castlecops.com/p35268-So_how_did_I_get_infected_in_the_first_place.html#35268)
Follow this list and your potential for being infected again will reduce dramatically.
Stand Up and Be Counted! (http://www.malwarecomplaints.info/index.php) - Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. You have to be registered to post. After registering just find your country room and register your complaint. The infection you had was Vundo.
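The six Custom Level settings in the reply above live as DWORD values under the Internet zone (zone 3) key in the registry, so they can be audited and corrected without clicking through the dialog. The following PowerShell script is an added example, not part of the forum post or any tool it mentions; it assumes the standard IE zone-policy value names for those dialog entries (1001, 1004, 1201, 1800, 1804, 1607) and the standard encoding 0 = Enable, 1 = Prompt, 3 = Disable.

```powershell
# Added example: audit (and optionally apply) the Internet-zone settings the
# reply recommends. Assumption: these value names map to the dialog entries
# named in the reply; 0 = Enable, 1 = Prompt, 3 = Disable.
# Caveat: if the HKLM policy "Security_HKLM_only" is set, HKLM zone keys
# override HKCU and this per-user check will not reflect the effective setting.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$Expected = @(
    @{ Name = '1001'; Setting = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Name = '1004'; Setting = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Name = '1201'; Setting = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Name = '1800'; Setting = 'Installation of desktop items';                             Want = 1 },
    @{ Name = '1804'; Setting = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Name = '1607'; Setting = 'Navigate sub-frames across different domains';              Want = 1 }
)

$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-IEZoneHardening {
    param([switch]$Fix)   # -Fix writes the recommended value instead of only reporting

    # Read every value under the zone key once; missing values mean the zone default applies.
    $props = Get-ItemProperty -Path $ZoneKey -ErrorAction Stop
    foreach ($e in $Expected) {
        $current = $props.($e.Name)
        if ($null -eq $current) {
            $label = 'not set (zone default)'
        } else {
            $label = $Labels[[int]$current]
            if ($null -eq $label) { $label = "raw value $current" }
        }
        $ok = ($current -eq $e.Want)
        $status = if ($ok) { 'OK ' } else { 'FIX' }
        '{0} {1,-60} current: {2,-24} want: {3}' -f $status, $e.Setting, $label, $Labels[$e.Want]
        if (-not $ok -and $Fix) {
            # Write the recommended value as a DWORD, exactly as the dialog would.
            Set-ItemProperty -Path $ZoneKey -Name $e.Name -Value $e.Want -Type DWord
        }
    }
}

Test-IEZoneHardening          # report only
# Test-IEZoneHardening -Fix   # apply the reply's recommended values
```

Run it as the user whose browser settings are being checked, since the values are per-user; re-run after `-Fix` to confirm every row reads OK.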