View Full Version : Virtumonde Problem
Please help me out. I've tried everything to get rid of this thing. This is the log from the Hijack program. the on-line scanner failed at the end for me.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:17 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\a la mode\Sched\eSched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: {52ed280d-3761-623a-0284-269f68d36da4} - {4ad63d86-f962-4820-a326-1673d082de25} - C:\WINDOWS\system32\ryawnxjt.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CoolBHO - {5C2A9795-B130-4622-B036-BDCAD28602DC} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {84D59186-68FE-48BE-9694-E7B16D167142} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [NI.UWAS7_0001_N91M2703] "C:\DOCUME~1\ARTHUR~1\LOCALS~1\Temp\winaspsnet.exe" -nag
O4 - HKLM\..\Run: [The Assistant] C:\Program Files\a la mode\Sched\eSched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [f4593a2f] rundll32.exe "C:\WINDOWS\system32\hbmnqxpr.dll",b
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154386913437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160711155875
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} -
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://www.realquest.com/mapviewer/mapviewer.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 11829 bytes
__RiP_ChAiN_
2008-02-15, 08:46
Hello art736 :)
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
----------------------------------------------- Step 1
Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.
----------------------------------------------- Step 2
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
----------------------------------------------- Step 3
Please download ComboFix by sUBs from HERE (http://download.bleepingcomputer.com/sUBs/ComboFix.exe).
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Reader 7.0.9
AOLIcon
Apple Mobile Device Support
Apple Software Update
Broadcom Management Programs
Brother HL-2070N
Brother MFL-Pro Suite
BulletProof FTP
Conexant HDA D110 MDC V.92 Modem
Cool
DellSupport
Digital Content Portal
Digital Line Detect
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Documentation & Support Launcher
DVD Shrink 3.2
EducateU
ELIcon
Games, Music, & Photos Launcher
Google Talk (remove only)
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
McAfee SecurityCenter
McAfee Uninstaller
mCore
MCU
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft English TTS Engine
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft SQL Server Desktop Engine (ALAMODE)
Microsoft Streets & Trips 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIWA
mLogView
mMHouse
Modem Helper
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
mWlsSafe
mWMI
mXML
mZConfig
Nero 6 Ultra Edition
NetWaiting
NewsBin Pro
PaperPort
PC Connectivity Solution
PDF-XChange 3
PokerStars
PowerDVD 5.7
QuickSet
QuickTime
RealPlayer Basic
REAP Internet
Search Assist
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
SVCD2DVD 2.0
Synaptics Pointing Device Driver
TTS Wrapper
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
URL Assistant
Videora iPod Converter 0.91
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WIDCOMM Bluetooth Software
Windows Driver Package - Nokia (WUDFRd) WPD (11/03/2006 6.82.26.2)
Windows Internet Explorer 7
Windows Live Local Add-in for Microsoft Office Outlook
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WinRAR archiver
ComboFix 08-02-15.2 - ARTHUR VAZQUEZ 2008-02-15 11:01:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1443 [GMT -5:00]
Running from: C:\Documents and Settings\ARTHUR VAZQUEZ\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp\abW9
C:\Temp\isgTi19
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rMa17yy
C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.ini2
.
((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.
2008-02-14 17:32 . 2008-02-14 17:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-14 16:30 . 2008-02-14 16:54 <DIR> d-------- C:\VundoFix Backups
2008-02-14 15:52 . 2008-02-14 15:52 37,782 --a------ C:\WINDOWS\alaredun.ini
2008-02-13 15:32 . 2008-02-13 15:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-13 15:32 . 2008-02-13 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-07 11:57 . 2008-02-07 11:53 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-07 11:57 . 2008-02-07 11:57 3,449 --a------ C:\WINDOWS\unins000.dat
2008-02-06 12:56 . 2008-02-15 11:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-06 12:56 . 2008-02-06 12:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-06 12:55 . 2008-02-06 12:55 <DIR> d-------- C:\Program Files\iPod
2008-02-05 12:49 . 2008-02-05 12:49 226 --a------ C:\WINDOWS\TECHUSER.INI
2008-01-25 14:06 . 2008-01-25 14:06 67 --a------ C:\WINDOWS\Mercury.ini
2008-01-25 13:57 . 2008-02-13 20:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\alamode
2008-01-24 17:32 . 2008-01-24 17:32 575 --a------ C:\WINDOWS\TSA.LNK
2008-01-24 17:32 . 2008-01-24 17:32 0 --a------ C:\WINDOWS\0
2008-01-24 17:30 . 2008-01-24 17:30 <DIR> d-------- C:\Program Files\Tracker Software
2008-01-24 17:30 . 2004-12-07 07:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-01-24 17:30 . 2006-01-30 09:32 5,632 --a------ C:\WINDOWS\system32\pxc25pm.dll
2008-01-24 17:28 . 2008-01-24 17:29 <DIR> d-------- C:\Program Files\a la mode
2008-01-24 17:24 . 2008-02-14 15:52 3,573 --a------ C:\WINDOWS\alamode.ini
2008-01-24 17:19 . 2008-01-24 17:19 1,461,724 --a------ C:\WINDOWS\t.tmp
2008-01-24 17:19 . 2002-12-17 17:23 33,340 --a------ C:\WINDOWS\system32\dbmsqlgc.dll
2008-01-24 17:19 . 2002-10-20 15:05 24,576 --a------ C:\WINDOWS\system32\dbmsgnet.dll
2008-01-24 17:19 . 2008-01-24 17:32 5,753 --a------ C:\WINDOWS\AuroraSetupLogs.z_
2008-01-24 17:17 . 2008-01-24 17:17 <DIR> d-------- C:\Program Files\Microsoft SQL Server
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 16:04 --------- d-----w C:\Program Files\McAfee
2008-02-09 01:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-07 17:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-07 17:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-06 17:55 --------- d-----w C:\Program Files\iTunes
2008-02-06 17:54 --------- d-----w C:\Program Files\QuickTime
2008-02-01 15:03 --------- d-----w C:\Documents and Settings\ARTHUR VAZQUEZ\Application Data\NewsBin
2008-01-25 03:37 --------- d-----w C:\Documents and Settings\ARTHUR VAZQUEZ\Application Data\U3
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\ALAMODE.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\AFORM120.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\AFORM112.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\AFORM105.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\AFORM100.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\AFORM09B.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\AFORM090.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\AFORM080.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\ADATA095.fot
2008-01-22 16:56 --------- d-----w C:\Program Files\PokerStars
2008-01-07 19:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-27 04:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-15 19:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-05 18:43 92,064 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\mqdmmdm.sys
2007-12-05 18:43 9,232 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\mqdmmdfl.sys
2007-12-05 18:43 79,328 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\mqdmserd.sys
2007-12-05 18:43 66,656 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\mqdmbus.sys
2007-12-05 18:43 6,208 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\mqdmcmnt.sys
2007-12-05 18:43 5,936 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\mqdmwhnt.sys
2007-12-05 18:43 4,048 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\mqdmcr.sys
2007-12-05 18:43 25,600 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\usbsermptxp.sys
2007-12-05 18:43 22,768 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\usbsermpt.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4ad63d86-f962-4820-a326-1673d082de25}]
C:\WINDOWS\system32\ryawnxjt.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2A9795-B130-4622-B036-BDCAD28602DC}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84D59186-68FE-48BE-9694-E7B16D167142}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 02:24 20480]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Zinio DLM"="C:\Program Files\Zinio\ZinioDeliveryManager.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 02:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 02:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 02:45 118784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 11:48 761947]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 16:30 282624 C:\WINDOWS\stsystra.exe]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 20:29 49152]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2006-04-06 14:58 1032192]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 09:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 13:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 14:04 40960]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 08:34 851968]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33 582992]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22 3739648]
"The Assistant"="C:\Program Files\a la mode\Sched\eSched.exe" [2007-04-16 08:18 99840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"f4593a2f"="C:\WINDOWS\system32\hbmnqxpr.dll" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 18:28:28 622653]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-07-26 11:48:22 24576]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2006-08-15 14:43:03 819200]
[HKLM\~\startupfolder\C:^Documents and Settings^ARTHUR VAZQUEZ^Start Menu^Programs^Startup^Cool - Auto Update.lnk]
path=C:\Documents and Settings\ARTHUR VAZQUEZ\Start Menu\Programs\Startup\Cool - Auto Update.lnk
backup=C:\WINDOWS\pss\Cool - Auto Update.lnkStartup
R2 MSSQL$ALAMODE;MSSQL$ALAMODE;"c:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe" [2005-05-04 00:04]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-02-27 14:31]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 19:03]
S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys [2007-02-27 14:31]
S3 SQLAgent$ALAMODE;SQLAgent$ALAMODE;"c:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE" [2005-05-03 21:42]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f385aac4-2453-11dc-b8a1-0016cffb9762}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f385aac5-2453-11dc-b8a1-0016cffb9762}]
\Shell\AutoRun\command - G:\LinksysConnectPC.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-09-19 03:03:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-08-01 00:35:36 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-02-01 06:00:16 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 11:07:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-02-15 11:08:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-15 16:08:52
.
2008-02-13 18:59:29 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:11 AM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\a la mode\Sched\eSched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: {52ed280d-3761-623a-0284-269f68d36da4} - {4ad63d86-f962-4820-a326-1673d082de25} - C:\WINDOWS\system32\ryawnxjt.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CoolBHO - {5C2A9795-B130-4622-B036-BDCAD28602DC} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {84D59186-68FE-48BE-9694-E7B16D167142} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [The Assistant] C:\Program Files\a la mode\Sched\eSched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [f4593a2f] rundll32.exe "C:\WINDOWS\system32\hbmnqxpr.dll",b
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154386913437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160711155875
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} -
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://www.realquest.com/mapviewer/mapviewer.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 11254 bytes
__RiP_ChAiN_
2008-02-15, 22:09
Hello art736 :)
1. Please open Notepad
Click Start , then Run
Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\WINDOWS\system32\ryawnxjt.dll
C:\WINDOWS\system32\hbmnqxpr.dll
Folder::
C:\VundoFix Backups
C:\Documents and Settings\All Users\Application Data\Rabio
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4ad63d86-f962-4820-a326-1673d082de25}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2A9795-B130-4622-B036-BDCAD28602DC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84D59186-68FE-48BE-9694-E7B16D167142}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"f4593a2f"=-
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Save the above as CFScript.txt
4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter you re-enable all the programs that were disabled during the running of ComboFix:
Combofix.txt
A new HijackThis log.
Please take note:
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix 08-02-15.2 - ARTHUR VAZQUEZ 2008-02-15 17:37:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1520 [GMT -5:00]
Running from: C:\Documents and Settings\ARTHUR VAZQUEZ\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ARTHUR VAZQUEZ\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINDOWS\system32\hbmnqxpr.dll
C:\WINDOWS\system32\ryawnxjt.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Rabio
C:\VundoFix Backups
C:\VundoFix Backups\hbmnqxpr.dll.bad
C:\VundoFix Backups\rpxqnmbh.ini.bad
.
((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.
2008-02-14 17:32 . 2008-02-14 17:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-14 15:52 . 2008-02-14 15:52 37,782 --a------ C:\WINDOWS\alaredun.ini
2008-02-13 15:32 . 2008-02-13 15:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-13 15:32 . 2008-02-13 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-07 11:57 . 2008-02-07 11:53 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-07 11:57 . 2008-02-07 11:57 3,449 --a------ C:\WINDOWS\unins000.dat
2008-02-06 12:56 . 2008-02-15 16:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-06 12:56 . 2008-02-06 12:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-06 12:55 . 2008-02-06 12:55 <DIR> d-------- C:\Program Files\iPod
2008-02-05 12:49 . 2008-02-05 12:49 226 --a------ C:\WINDOWS\TECHUSER.INI
2008-01-25 14:06 . 2008-01-25 14:06 67 --a------ C:\WINDOWS\Mercury.ini
2008-01-25 13:57 . 2008-02-13 20:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\alamode
2008-01-24 17:32 . 2008-01-24 17:32 575 --a------ C:\WINDOWS\TSA.LNK
2008-01-24 17:32 . 2008-01-24 17:32 0 --a------ C:\WINDOWS\0
2008-01-24 17:30 . 2008-01-24 17:30 <DIR> d-------- C:\Program Files\Tracker Software
2008-01-24 17:30 . 2004-12-07 07:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-01-24 17:30 . 2006-01-30 09:32 5,632 --a------ C:\WINDOWS\system32\pxc25pm.dll
2008-01-24 17:28 . 2008-01-24 17:29 <DIR> d-------- C:\Program Files\a la mode
2008-01-24 17:24 . 2008-02-15 16:18 3,573 --a------ C:\WINDOWS\alamode.ini
2008-01-24 17:19 . 2008-01-24 17:19 1,461,724 --a------ C:\WINDOWS\t.tmp
2008-01-24 17:19 . 2002-12-17 17:23 33,340 --a------ C:\WINDOWS\system32\dbmsqlgc.dll
2008-01-24 17:19 . 2002-10-20 15:05 24,576 --a------ C:\WINDOWS\system32\dbmsgnet.dll
2008-01-24 17:19 . 2008-01-24 17:32 5,753 --a------ C:\WINDOWS\AuroraSetupLogs.z_
2008-01-24 17:17 . 2008-01-24 17:17 <DIR> d-------- C:\Program Files\Microsoft SQL Server
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 18:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-15 16:04 --------- d-----w C:\Program Files\McAfee
2008-02-09 01:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-07 17:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-07 17:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-06 17:55 --------- d-----w C:\Program Files\iTunes
2008-02-06 17:54 --------- d-----w C:\Program Files\QuickTime
2008-02-01 15:03 --------- d-----w C:\Documents and Settings\ARTHUR VAZQUEZ\Application Data\NewsBin
2008-01-26 00:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-25 03:37 --------- d-----w C:\Documents and Settings\ARTHUR VAZQUEZ\Application Data\U3
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\ALAMODE.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\AFORM120.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\AFORM112.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\AFORM105.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\AFORM100.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\AFORM09B.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\AFORM090.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\AFORM080.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\ADATA095.fot
2008-01-22 16:56 --------- d-----w C:\Program Files\PokerStars
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-02 16:53 2,409,720 ----a-w C:\WINDOWS\system32\alamapctrl.dll
2007-12-27 04:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-12-21 02:26 798,720 ----a-w C:\WINDOWS\system32\auroraupgrade.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-19 17:58 460,024 ----a-w C:\WINDOWS\system32\alaconn5.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 05:21 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-12-07 02:21 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-12-07 02:21 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-07 02:21 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-07 02:21 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-07 02:21 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-12-07 02:21 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-07 02:21 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-12-07 02:21 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-12-07 02:21 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-07 02:21 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-12-07 02:21 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-07 02:21 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-12-07 02:21 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-12-07 02:21 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-12-07 02:21 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-12-07 02:21 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-12-07 02:21 133,120 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-12-07 02:21 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-12-07 02:21 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-12-07 02:21 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-12-07 02:21 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-12-06 11:01 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:00 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-05 18:43 92,064 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\mqdmmdm.sys
2007-12-05 18:43 9,232 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\mqdmmdfl.sys
2007-12-05 18:43 79,328 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\mqdmserd.sys
2007-12-05 18:43 66,656 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\mqdmbus.sys
2007-12-05 18:43 6,208 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\mqdmcmnt.sys
2007-12-05 18:43 5,936 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\mqdmwhnt.sys
2007-12-05 18:43 4,048 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\mqdmcr.sys
2007-12-05 18:43 25,600 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\usbsermptxp.sys
2007-12-05 18:43 22,768 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\usbsermpt.sys
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-12-04 15:38 376,868 ----a-w C:\WINDOWS\system32\GeacView.dll
2007-12-03 16:57 495,616 ----a-w C:\WINDOWS\system32\alabilling.dll
2007-11-28 19:08 849,144 ----a-w C:\WINDOWS\system32\wtapi.exe
2007-11-19 18:56 253,952 ----a-w C:\WINDOWS\system32\alaDnxConvert.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 02:24 20480]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Zinio DLM"="C:\Program Files\Zinio\ZinioDeliveryManager.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 02:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 02:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 02:45 118784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 11:48 761947]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 16:30 282624 C:\WINDOWS\stsystra.exe]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 20:29 49152]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2006-04-06 14:58 1032192]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 09:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 13:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 14:04 40960]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 08:34 851968]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33 582992]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22 3739648]
"The Assistant"="C:\Program Files\a la mode\Sched\eSched.exe" [2007-04-16 08:18 99840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 18:28:28 622653]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-07-26 11:48:22 24576]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2006-08-15 14:43:03 819200]
[HKLM\~\startupfolder\C:^Documents and Settings^ARTHUR VAZQUEZ^Start Menu^Programs^Startup^Cool - Auto Update.lnk]
path=C:\Documents and Settings\ARTHUR VAZQUEZ\Start Menu\Programs\Startup\Cool - Auto Update.lnk
backup=C:\WINDOWS\pss\Cool - Auto Update.lnkStartup
R2 MSSQL$ALAMODE;MSSQL$ALAMODE;"c:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe" [2005-05-04 00:04]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-02-27 14:31]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 19:03]
S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys [2007-02-27 14:31]
S3 SQLAgent$ALAMODE;SQLAgent$ALAMODE;"c:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE" [2005-05-03 21:42]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f385aac4-2453-11dc-b8a1-0016cffb9762}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f385aac5-2453-11dc-b8a1-0016cffb9762}]
\Shell\AutoRun\command - G:\LinksysConnectPC.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-09-19 03:03:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-08-01 00:35:36 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-02-01 06:00:16 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 17:39:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-15 17:40:23
ComboFix-quarantined-files.txt 2008-02-15 22:40:13
ComboFix2.txt 2008-02-15 16:08:57
.
2008-02-13 18:59:29 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:54 PM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\a la mode\Sched\eSched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [The Assistant] C:\Program Files\a la mode\Sched\eSched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154386913437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160711155875
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} -
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://www.realquest.com/mapviewer/mapviewer.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 10919 bytes
__RiP_ChAiN_
2008-02-16, 20:41
Hello art736 :)
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) Version 6 (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it says "Java Runtime Environment (JRE)6 Update 4...allows end-users to run Java applications".
Click the "Download" button to the right.
Select your Plattform: "Windows".
Select your Language: "English".
Read the License Agreement, and then check the box that says: "Accept License Agreement".
Click Continue and the page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs (http://www.bleepingcomputer.com/forums/topic42133.html) and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.
Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Incident Status Location
Possible Virus. Not disinfected C:\a la mode\WinTOTAL\Mercury\PlugIns\Universal\UnivPlug.exe
Possible Virus. Not disinfected C:\AuroraCD\Setup\WinTOTAL.zip[Mercury/PlugIns/Universal/UnivPlug.exe]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\ARTHUR VAZQUEZ\Cookies\arthur_vazquez@advertising[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\ARTHUR VAZQUEZ\Cookies\arthur_vazquez@apmebf[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\ARTHUR VAZQUEZ\Cookies\arthur_vazquez@atdmt[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\ARTHUR VAZQUEZ\Cookies\arthur_vazquez@bluestreak[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\ARTHUR VAZQUEZ\Cookies\arthur_vazquez@burstnet[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\ARTHUR VAZQUEZ\Cookies\arthur_vazquez@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\ARTHUR VAZQUEZ\Cookies\arthur_vazquez@fastclick[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\ARTHUR VAZQUEZ\Cookies\arthur_vazquez@questionmarket[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\ARTHUR VAZQUEZ\Cookies\arthur_vazquez@statcounter[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\ARTHUR VAZQUEZ\Cookies\arthur_vazquez@tribalfusion[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\ARTHUR VAZQUEZ\Cookies\arthur_vazquez@www.burstbeacon[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\ARTHUR VAZQUEZ\Cookies\arthur_vazquez@zedo[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\ARTHUR VAZQUEZ\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\ARTHUR VAZQUEZ\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\VundoFix Backups\hbmnqxpr.dll.bad.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\Nircmd.exe
__RiP_ChAiN_
2008-02-18, 06:58
Hello art736 :)
Please go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System
Microsoft Windows XP Home Edition
Without Service Packs
http://www.microsoft.com/downloads/details...55-BD5AFEE126D8 (http://www.microsoft.com/downloads/details.aspx?FamilyID=E8FE6868-6E4F-471C-B455-BD5AFEE126D8)
Service Pack 1
http://www.microsoft.com/downloads/details...05-719F45C382A4 (http://www.microsoft.com/downloads/details.aspx?FamilyID=FBE5E4FC-695F-43E5-AF05-719F45C382A4)
Service Pack 2
http://www.microsoft.com/downloads/details...3D-81C2137FF464 (http://www.microsoft.com/downloads/details.aspx?FamilyId=15491F07-99F7-4A2D-983D-81C2137FF464)
Microsoft Windows XP Professional
Without Service Packs
http://www.microsoft.com/downloads/details...B7-4FED408EA73F (http://www.microsoft.com/downloads/details.aspx?FamilyID=55820EDB-5039-4955-BCB7-4FED408EA73F)
Service Pack 1
http://www.microsoft.com/downloads/details...C2-631504EF5E26 (http://www.microsoft.com/downloads/details.aspx?FamilyID=83F53BE9-28FA-40E8-8EC2-631504EF5E26)
Service Pack 2
http://www.microsoft.com/downloads/details...0C-0A0205368124 (http://www.microsoft.com/downloads/details.aspx?FamilyId=535D248D-5E10-49B5-B80C-0A0205368124)
## Important ##
As we do not know the name of the file that's downloaded, you have to save the file as RC.exe to the root of SystemDrive e.g. C:\RC.exe
STEP #2
Download the latest copy of ComboFix.exe => http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Open notepad and copy/paste the text in the quotebox below into it:
RecoveryConsole::
C:\RC.EXE
Save this as "CFScript"
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Referring to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you, C:\CF-RC.txt. Post that log in your next reply.
## Important ##
This is a precautionary measure. Please do not reboot the machine until we have reviewed the log & responded to you.
ComboFix 08-02-18.1 - ARTHUR VAZQUEZ 2008-02-18 10:39:04.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1473 [GMT -5:00]
Running from: C:\Documents and Settings\ARTHUR VAZQUEZ\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ARTHUR VAZQUEZ\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.
2008-02-18 10:36 . 2008-02-18 10:36 4,608,744 --a------ C:\rc.exe
2008-02-18 10:22 . 2008-02-18 10:22 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-17 17:28 . 2008-02-17 17:28 37,782 --a------ C:\WINDOWS\alaredun.ini
2008-02-16 15:40 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-16 15:24 . 2008-02-16 16:40 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-16 15:24 . 2008-02-16 15:36 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-16 15:24 . 2008-02-16 15:36 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-16 15:24 . 2008-02-16 15:36 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-16 15:18 . 2008-02-16 15:18 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-16 15:18 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-14 17:32 . 2008-02-14 17:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 15:32 . 2008-02-13 15:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-13 15:32 . 2008-02-13 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-07 11:57 . 2008-02-07 11:53 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-07 11:57 . 2008-02-07 11:57 3,449 --a------ C:\WINDOWS\unins000.dat
2008-02-06 12:56 . 2008-02-17 18:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-06 12:56 . 2008-02-06 12:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-06 12:55 . 2008-02-06 12:55 <DIR> d-------- C:\Program Files\iPod
2008-02-05 12:49 . 2008-02-05 12:49 226 --a------ C:\WINDOWS\TECHUSER.INI
2008-01-25 14:06 . 2008-01-25 14:06 67 --a------ C:\WINDOWS\Mercury.ini
2008-01-25 13:57 . 2008-02-13 20:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\alamode
2008-01-24 17:32 . 2008-01-24 17:32 575 --a------ C:\WINDOWS\TSA.LNK
2008-01-24 17:32 . 2008-01-24 17:32 0 --a------ C:\WINDOWS\0
2008-01-24 17:30 . 2008-01-24 17:30 <DIR> d-------- C:\Program Files\Tracker Software
2008-01-24 17:30 . 2004-12-07 07:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-01-24 17:30 . 2006-01-30 09:32 5,632 --a------ C:\WINDOWS\system32\pxc25pm.dll
2008-01-24 17:28 . 2008-01-24 17:29 <DIR> d-------- C:\Program Files\a la mode
2008-01-24 17:24 . 2008-02-17 17:28 3,574 --a------ C:\WINDOWS\alamode.ini
2008-01-24 17:19 . 2008-01-24 17:19 1,461,724 --a------ C:\WINDOWS\t.tmp
2008-01-24 17:19 . 2002-12-17 17:23 33,340 --a------ C:\WINDOWS\system32\dbmsqlgc.dll
2008-01-24 17:19 . 2002-10-20 15:05 24,576 --a------ C:\WINDOWS\system32\dbmsgnet.dll
2008-01-24 17:19 . 2008-01-24 17:32 5,753 --a------ C:\WINDOWS\AuroraSetupLogs.z_
2008-01-24 17:17 . 2008-01-24 17:17 <DIR> d-------- C:\Program Files\Microsoft SQL Server
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 15:22 --------- d-----w C:\Program Files\McAfee
2008-02-16 21:25 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-16 21:23 --------- d-----w C:\Program Files\NetWaiting
2008-02-16 21:21 --------- d-----w C:\Program Files\iTunes
2008-02-16 21:20 --------- d-----w C:\Program Files\Digital Line Detect
2008-02-16 21:18 --------- d-----w C:\Program Files\BAE
2008-02-16 20:18 --------- d-----w C:\Program Files\Java
2008-02-15 18:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-09 01:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-07 17:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-06 17:54 --------- d-----w C:\Program Files\QuickTime
2008-02-01 15:03 --------- d-----w C:\Documents and Settings\ARTHUR VAZQUEZ\Application Data\NewsBin
2008-01-26 00:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-25 03:37 --------- d-----w C:\Documents and Settings\ARTHUR VAZQUEZ\Application Data\U3
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\ALAMODE.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\AFORM120.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\AFORM112.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\AFORM105.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\AFORM100.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\AFORM09B.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\AFORM090.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\AFORM080.fot
2008-01-24 22:29 1,409 ----a-w C:\WINDOWS\Fonts\ADATA095.fot
2008-01-22 16:56 --------- d-----w C:\Program Files\PokerStars
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-02 16:53 2,409,720 ----a-w C:\WINDOWS\system32\alamapctrl.dll
2007-12-27 04:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-12-21 02:26 798,720 ----a-w C:\WINDOWS\system32\auroraupgrade.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-19 17:58 460,024 ----a-w C:\WINDOWS\system32\alaconn5.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 05:21 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 11:01 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:00 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-05 18:43 92,064 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\mqdmmdm.sys
2007-12-05 18:43 9,232 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\mqdmmdfl.sys
2007-12-05 18:43 79,328 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\mqdmserd.sys
2007-12-05 18:43 66,656 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\mqdmbus.sys
2007-12-05 18:43 6,208 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\mqdmcmnt.sys
2007-12-05 18:43 5,936 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\mqdmwhnt.sys
2007-12-05 18:43 4,048 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\mqdmcr.sys
2007-12-05 18:43 25,600 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\usbsermptxp.sys
2007-12-05 18:43 22,768 ----a-w C:\Documents and Settings\ARTHUR VAZQUEZ\usbsermpt.sys
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-12-04 15:38 376,868 ----a-w C:\WINDOWS\system32\GeacView.dll
2007-12-03 16:57 495,616 ----a-w C:\WINDOWS\system32\alabilling.dll
2007-11-28 19:08 849,144 ----a-w C:\WINDOWS\system32\wtapi.exe
2007-11-19 18:56 253,952 ----a-w C:\WINDOWS\system32\alaDnxConvert.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4ad63d86-f962-4820-a326-1673d082de25}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2A9795-B130-4622-B036-BDCAD28602DC}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84D59186-68FE-48BE-9694-E7B16D167142}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 02:24 20480]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Zinio DLM"="C:\Program Files\Zinio\ZinioDeliveryManager.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 02:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 02:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 02:45 118784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 11:48 761947]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 16:30 282624 C:\WINDOWS\stsystra.exe]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 20:29 49152]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2006-04-06 14:58 1032192]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 09:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 13:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 14:04 40960]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 08:34 851968]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33 582992]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22 3739648]
"The Assistant"="C:\Program Files\a la mode\Sched\eSched.exe" [2007-04-16 08:18 99840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 18:28:28 622653]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-07-26 11:48:22 24576]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2006-08-15 14:43:03 819200]
[HKLM\~\startupfolder\C:^Documents and Settings^ARTHUR VAZQUEZ^Start Menu^Programs^Startup^Cool - Auto Update.lnk]
path=C:\Documents and Settings\ARTHUR VAZQUEZ\Start Menu\Programs\Startup\Cool - Auto Update.lnk
backup=C:\WINDOWS\pss\Cool - Auto Update.lnkStartup
R2 MSSQL$ALAMODE;MSSQL$ALAMODE;"c:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe" [2005-05-04 00:04]
S2 0246601203348150mcinstcleanup;McAfee Application Installer Cleanup (0246601203348150);C:\WINDOWS\TEMP\024660~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-02-27 14:31]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 19:03]
S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys [2007-02-27 14:31]
S3 SQLAgent$ALAMODE;SQLAgent$ALAMODE;"c:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE" [2005-05-03 21:42]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f385aac4-2453-11dc-b8a1-0016cffb9762}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f385aac5-2453-11dc-b8a1-0016cffb9762}]
\Shell\AutoRun\command - G:\LinksysConnectPC.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-09-19 03:03:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-08-01 00:35:36 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-02-01 06:00:16 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 10:41:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-18 10:42:23
ComboFix-quarantined-files.txt 2008-02-18 15:42:20
ComboFix2.txt 2008-02-15 22:40:23
ComboFix3.txt 2008-02-15 16:08:57
.
2008-02-13 18:59:29 --- E O F ---
__RiP_ChAiN_
2008-02-19, 11:02
Hello art736 :)
Do you have the log from the Recovery Console install? If done correctly Combofix would have produced a log at C:\CF-RC.txt. Could you check to see if one was created?