PDA

View Full Version : virtumonde, and smitfraud issues. beyond mcafee



rotrhed
2008-04-11, 20:02
could use some assistance with these dirtly little nasties..... purchased and installed mcafee software. no help. tried finding the .dll files manually, unlockikng them, (with "unlocker" program), and deleting them. still no good. please assist me in ridding my pc of these problems. I am currently running spybot along with my mcafee. here are my hjt, and kas scans.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:28:36 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Support.com\bin\TGSrvc.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Reflection\r2win.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Sales Floor 15\Application Data\Juniper Networks\Cache Cleaner 5.4.0\dsCacheCleaner.exe
C:\Program Files\RTS Land Rover\LANDROVER NAS\RTS_LR.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Sales Floor 15\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?.intl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {2B0B59B4-55A3-4737-9FD5-B93C6430BF75} - (no file)
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {553FFAF3-6975-49AD-B20A-64045A1004C1} - C:\WINDOWS\system32\jkkjh.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: 0 - {8F58D7E3-A73F-42EF-E5BE-0837DFCDDA48} - (no file)
O2 - BHO: (no name) - {9D1328B1-7E22-410D-9215-7536B98ABA59} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {C8A6DC8E-1F5A-4321-9C7F-3CA9B6C0C283} - (no file)
O2 - BHO: (no name) - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - (no file)
O2 - BHO: (no name) - {FF5019C8-C47C-451F-8E01-1F30EB5363D7} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [a4b4c670] rundll32.exe "C:\WINDOWS\system32\adonrjic.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Cache Cleaner] C:\Documents and Settings\Sales Floor 15\Application Data\Juniper Networks\Cache Cleaner 5.4.0\dsCacheCleaner.exe -action delete
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm103YYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://206.95.79.186
O16 - DPF: Launcher - http://dealer.jmagroup.com/jmfsdpweb/content/cabs/launcher.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://mpsnet.com/JavaVM3186.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207244086312
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{AECEF2AF-FEC7-4193-AE72-75D33D7700C3}: NameServer = 64.83.0.10,209.137.160.3
O20 - AppInit_DLLs: C:\WINDOWS\system32\rlai.dll
O23 - Service: McAfee Application Installer Cleanup (0031251207826915) (0031251207826915mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\003125~1.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Support.com Repair Service - Support.com, Inc. - C:\Program Files\Support.com\bin\TGSrvc.exe
O24 - Desktop Component 0: (no name) - http://www.gminsidenews.com/naias/GMT900/Tahoe/01h.jpg
O24 - Desktop Component 1: (no name) - http://www.fregate.com/images/s011200200.jpg
O24 - Desktop Component 2: (no name) - http://www.roversnorth.com/wallpaper/RR_SPORT_06.jpg
O24 - Desktop Component 3: (no name) - http://www.fas.org/man/dod-101/sys/ac/f-16-j-98821f16wwf.jpg
O24 - Desktop Component 4: (no name) - http://www.tourismemarocain.ca/gallery/villes/villes_97.jpg
O24 - Desktop Component 5: (no name) - http://www.tourismemarocain.ca/gallery/sport/sport_33.jpg
O24 - Desktop Component 6: (no name) - http://www.automobilemag.com/photo_gallery/0503_rover_02_1280.jpg
O24 - Desktop Component 7: (no name) - http://www.mbusa.com/microsite/s-class/media/images/launch/landing-blank.jpg

--
End of file - 14446 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, April 10, 2008 5:08:29 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/04/2008
Kaspersky Anti-Virus database records: 696121
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 60939
Number of viruses found: 6
Number of infected objects: 13
Number of suspicious objects: 2
Duration of the scan process: 01:03:49

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{533A066A-E170-4782-8040-94E68A6A8D61}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{DF1B65FA-F809-4BB9-AAE5-2B449E801412}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\RBLDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR7.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer.zip/install.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Application Data\Juniper Networks\Cache Cleaner 5.4.0\dsCacheCleaner.log Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Application Data\Juniper Networks\Setup\JuniperSetupCtrl.log Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Application Data\Juniper Networks\Setup\JuniperSetupDLL.log Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Application Data\Microsoft\Forms\r2win.box Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\History\History.IE5\MSHist012008041020080411\index.dat Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\JETC7.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DF2683.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DF2696.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DF2C6A.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DF2C9F.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DF315A.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DF3193.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DF31A6.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DF35DB.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DF3B4B.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DF924F.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DFCDCF.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sales Floor 15\ntuser.dat Object is locked skipped
C:\Documents and Settings\Sales Floor 15\ntuser.dat.LOG Object is locked skipped
C:\Program Files\RTS Land Rover\LANDROVER NAS\SRODATA.ldb Object is locked skipped
C:\Program Files\RTS Land Rover\LANDROVER NAS\SRODATA.mdb Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP872\A0112464.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP872\A0112466.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP872\A0112467.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP872\A0112468.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP872\A0112469.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP872\A0112470.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP872\A0112471.dll Infected: not-a-virus:AdWare.Win32.Agent.bgj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP872\A0112472.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP874\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\Beach Islands Screensaver.scr Infected: not-a-virus:AdWare.Win32.GAINNetwork.c skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\usbscann.sys Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\IDME\TGbn1dll.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\WINDOWS\SYSTEM32\IDME\TGbn1dll.exe/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\WINDOWS\SYSTEM32\IDME\TGbn1dll.exe NSIS: infected - 2 skipped
C:\WINDOWS\SYSTEM32\rlai.dll Infected: not-a-virus:AdWare.Win32.BHO.th skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_7RBMmiM8IMQqqAZ Object is locked skipped
C:\WINDOWS\Temp\mcafee_HgacNmfUwbaf3HA Object is locked skipped
C:\WINDOWS\Temp\mcmsc_44O325A04kCgNOu Object is locked skipped
C:\WINDOWS\Temp\mcmsc_fNVIj4BSs8fmWef Object is locked skipped
C:\WINDOWS\Temp\mcmsc_GxAKWtUUpa4LqBW Object is locked skipped
C:\WINDOWS\Temp\mcmsc_H8ndZkXfa4XdKzw Object is locked skipped
C:\WINDOWS\Temp\mcmsc_jrekumehqEHqhU3 Object is locked skipped
C:\WINDOWS\Temp\sqlite_3voCIKuZELzTDHm Object is locked skipped
C:\WINDOWS\Temp\sqlite_5SMfNUDe60zyWq6 Object is locked skipped
C:\WINDOWS\Temp\sqlite_ce4bchaR1n8FPaR Object is locked skipped
C:\WINDOWS\Temp\sqlite_jAKbA0zfFfuIEKL Object is locked skipped
C:\WINDOWS\Temp\sqlite_Nx8Kbggfxuvj3db Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


with baited breath..... rotrhed

pskelley
2008-04-12, 13:13
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

KASPERSKY ONLINE SCANNER REPORT Thursday, April 10, 2008 5:08:29 PM

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< delete the contents of that folder
http://ict.cas.psu.edu/training/howto/util/removespybot.htm#1

C:\WINDOWS\SYSTEM32\Beach Islands Screensaver.scr <<< delete that file

C:\WINDOWS\SYSTEM32\IDME\ <<< delete that folder

C:\WINDOWS\SYSTEM32\rlai.dll <<< delete that file


We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

Thanks to Atribune and any others who helped with this fix.

Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Follow these directions starting at: Normal Usage for Removal
http://vundofix.atribune.org/

Post the Vundofix.txt and a new HJT log
Vundofix.txt will be on the C:\

Thanks

rotrhed
2008-04-14, 19:00
was able to delete C:\WINDOWS\SYSTEM32\Beach Island Screensaver.scr

was able to delete C:\WINDOWS\SYSTEM32\IDME folder

was not able to delete C:\WINDOWS\SYSTEM32\lrai.dll..... error message:
"cannot delete rlai.dll Access is denied. Make sure disk is not full, or write-protected, and that file is not currently in use"

I tried in normal window, and in safe mode. no other programs running.
also tried to "unlock" file will "unlocker" software. still no good. didnt want to proceed with remainder of instructions untill you tell me to.

rotrhed

pskelley
2008-04-15, 18:05
That file has to go before you will be clean, try this tool and instructions on it: How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb

Continue with the instructions and post the information I requested.

Thanks

pskelley
2008-04-21, 17:12
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.

rotrhed
2008-04-22, 22:09
sorry for the delay in responding, causing the closure of my last thread. (death in the family)

http://forums.spybot.info/showthread.php?t=26703

new hjt report, and first vundofix report.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:42:15 PM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Support.com\bin\TGSrvc.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Reflection\r2win.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Sales Floor 15\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?.intl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {553FFAF3-6975-49AD-B20A-64045A1004C1} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: 0 - {8F58D7E3-A73F-42EF-E5BE-0837DFCDDA48} - (no file)
O2 - BHO: (no name) - {9D1328B1-7E22-410D-9215-7536B98ABA59} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {C8A6DC8E-1F5A-4321-9C7F-3CA9B6C0C283} - (no file)
O2 - BHO: (no name) - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - (no file)
O2 - BHO: (no name) - {FF5019C8-C47C-451F-8E01-1F30EB5363D7} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [a4b4c670] rundll32.exe "C:\WINDOWS\system32\adonrjic.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA7527] command /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC946] cmd /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB664] command /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1725] cmd /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm103YYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://206.95.79.186
O16 - DPF: Launcher - http://dealer.jmagroup.com/jmfsdpweb/content/cabs/launcher.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://mpsnet.com/JavaVM3186.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207244086312
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{AECEF2AF-FEC7-4193-AE72-75D33D7700C3}: NameServer = 64.83.0.10,209.137.160.3
O20 - AppInit_DLLs: C:\WINDOWS\system32\rlai.dll
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Support.com Repair Service - Support.com, Inc. - C:\Program Files\Support.com\bin\TGSrvc.exe
O24 - Desktop Component 0: (no name) - http://www.gminsidenews.com/naias/GMT900/Tahoe/01h.jpg
O24 - Desktop Component 1: (no name) - http://www.fregate.com/images/s011200200.jpg
O24 - Desktop Component 2: (no name) - http://www.roversnorth.com/wallpaper/RR_SPORT_06.jpg
O24 - Desktop Component 3: (no name) - http://www.fas.org/man/dod-101/sys/ac/f-16-j-98821f16wwf.jpg
O24 - Desktop Component 4: (no name) - http://www.tourismemarocain.ca/gallery/villes/villes_97.jpg
O24 - Desktop Component 5: (no name) - http://www.tourismemarocain.ca/gallery/sport/sport_33.jpg
O24 - Desktop Component 6: (no name) - http://www.automobilemag.com/photo_gallery/0503_rover_02_1280.jpg
O24 - Desktop Component 7: (no name) - http://www.mbusa.com/microsite/s-class/media/images/launch/landing-blank.jpg

--
End of file - 14333 bytes

VundoFix V7.0.3

Scan started at 1:02:09 PM 4/22/2008

Listing files found while scanning....

C:\windows\SYSTEM32\hjkkj.ini
C:\windows\SYSTEM32\hjkkj.ini2
C:\windows\SYSTEM32\jkkjh.dll

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\hjkkj.ini
C:\windows\SYSTEM32\hjkkj.ini Has been deleted!

Attempting to delete C:\windows\SYSTEM32\hjkkj.ini2
C:\windows\SYSTEM32\hjkkj.ini2 Has been deleted!

Attempting to delete C:\windows\SYSTEM32\jkkjh.dll
C:\windows\SYSTEM32\jkkjh.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V7.0.3

Scan started at 2:27:29 PM 4/22/2008

Listing files found while scanning....

No infected files were found.

tashi
2008-04-23, 19:11
Hello rotrhed,

Sorry to hear of your loss. I re-opened your original topic and merged it with your new one.

Phil will respond when he is on-line.

Best regards. :)

pskelley
2008-04-23, 19:40
Please make sure TeaTimer is still diabled, leave it like that until we finish.

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

rotrhed
2008-04-23, 21:40
as requested.

And as always, thanks for your help in this matter.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:36:32 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Support.com\bin\TGSrvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Reflection\r2win.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Sales Floor 15\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?.intl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {553FFAF3-6975-49AD-B20A-64045A1004C1} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [a4b4c670] rundll32.exe "C:\WINDOWS\system32\adonrjic.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm103YYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://206.95.79.186
O16 - DPF: Launcher - http://dealer.jmagroup.com/jmfsdpweb/content/cabs/launcher.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://mpsnet.com/JavaVM3186.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207244086312
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{AECEF2AF-FEC7-4193-AE72-75D33D7700C3}: NameServer = 64.83.0.10,209.137.160.3
O23 - Service: McAfee Application Installer Cleanup (0303831208949076) (0303831208949076mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\030383~1.EXE (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Support.com Repair Service - Support.com, Inc. - C:\Program Files\Support.com\bin\TGSrvc.exe
O24 - Desktop Component 0: (no name) - http://www.gminsidenews.com/naias/GMT900/Tahoe/01h.jpg
O24 - Desktop Component 1: (no name) - http://www.fregate.com/images/s011200200.jpg
O24 - Desktop Component 2: (no name) - http://www.roversnorth.com/wallpaper/RR_SPORT_06.jpg
O24 - Desktop Component 3: (no name) - http://www.fas.org/man/dod-101/sys/ac/f-16-j-98821f16wwf.jpg
O24 - Desktop Component 4: (no name) - http://www.tourismemarocain.ca/gallery/villes/villes_97.jpg
O24 - Desktop Component 5: (no name) - http://www.tourismemarocain.ca/gallery/sport/sport_33.jpg
O24 - Desktop Component 6: (no name) - http://www.automobilemag.com/photo_gallery/0503_rover_02_1280.jpg
O24 - Desktop Component 7: (no name) - http://www.mbusa.com/microsite/s-class/media/images/launch/landing-blank.jpg

--
End of file - 13371 bytes
ComboFix 08-04-22.5 - Sales Floor 15 2008-04-23 13:58:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.176 [GMT -4:00]
Running from: C:\Documents and Settings\Sales Floor 15\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Sales Floor 15\Application Data\CROSOF~1
C:\Program Files\Common Files\smante~1
C:\Program Files\Common Files\smante~1\S?mantec\
C:\Program Files\myglobalsearch
C:\Program Files\nvcoi
C:\Program Files\nvcoi\mst.stt
C:\Program Files\outerinfo
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\gbRve12
C:\Temp\gbRve12\csLioes.log
C:\temp\tn3
C:\WINDOWS\BMa787f5ec.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\ldpackage.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\model.dat
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\SYSTEM32\pqtwa.ini
C:\WINDOWS\SYSTEM32\pqtwa.ini2
C:\WINDOWS\SYSTEM32\utstv.ini
C:\WINDOWS\SYSTEM32\utstv.ini2
C:\WINDOWS\system32\winpfz37.sys
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-23 14:03 . 2008-04-23 14:03 <DIR> d-------- C:\temp\tn3
2008-04-23 14:03 . 2008-04-23 14:03 932 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-04-22 13:52 . 2008-04-22 13:52 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2008-04-22 13:02 . 2008-04-22 14:27 <DIR> d-------- C:\VundoFix Backups
2008-04-14 11:06 . 2004-11-04 21:02 <DIR> d-------- C:\Documents and Settings\Administrator.SALES15\Application Data\Sonic
2008-04-14 11:06 . 2004-11-04 20:47 <DIR> d-------- C:\Documents and Settings\Administrator.SALES15\Application Data\Jasc Software Inc
2008-04-14 11:06 . 2004-11-04 21:00 <DIR> d--h----- C:\Documents and Settings\Administrator.SALES15\Application Data\Gtek
2008-04-14 11:06 . 2008-04-14 11:06 <DIR> d-------- C:\Documents and Settings\Administrator.SALES15
2008-04-14 11:06 . 2008-04-23 12:06 1,024 --ah----- C:\Documents and Settings\Administrator.SALES15\ntuser.dat.LOG
2008-04-10 14:40 . 2008-04-10 14:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-10 14:40 . 2008-04-10 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-04 17:34 . 2008-04-04 17:34 <DIR> d-------- C:\Documents and Settings\Sales Floor 15\Application Data\Desktopicon
2008-04-04 15:45 . 2008-04-08 10:51 998 ---hs---- C:\WINDOWS\SYSTEM32\cijrnoda.ini
2008-04-04 15:40 . 2008-04-04 15:40 <DIR> d-------- C:\64185eef7abf5141d20e8a54af
2008-04-04 12:33 . 2008-04-04 17:44 <DIR> d-------- C:\Program Files\Unlocker
2008-04-04 11:14 . 2004-11-04 21:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-04-04 11:14 . 2008-04-04 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-04-04 11:14 . 2008-04-04 15:39 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-04-04 11:14 . 2008-04-23 13:57 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-03 13:50 . 2007-06-30 23:31 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2008-04-03 13:50 . 2007-06-30 23:36 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2008-04-03 13:47 . 2008-04-04 15:25 <DIR> d-------- C:\c0b7f2fa2de60d3052
2008-04-03 11:21 . 2008-04-04 15:44 414 --ahs---- C:\WINDOWS\SYSTEM32\acmdtvlu.ini
2008-04-02 15:04 . 2008-04-02 15:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-02 14:55 . 2008-04-23 14:06 21,962 --a------ C:\WINDOWS\SYSTEM32\Config.MPF
2008-04-02 14:52 . 2008-04-03 07:11 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-04-02 14:51 . 2008-04-04 17:19 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-04-02 14:51 . 2008-04-23 09:51 <DIR> d-------- C:\Documents and Settings\Sales Floor 15\Application Data\SiteAdvisor
2008-04-02 14:51 . 2008-04-02 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-02 14:50 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\SYSTEM32\dunzip32.dll
2008-04-02 14:47 . 2008-02-06 09:51 171,400 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2008-04-02 14:47 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2008-04-02 14:47 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2008-04-02 14:47 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2008-04-02 14:47 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2008-04-02 14:46 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2008-04-02 14:44 . 2008-04-23 07:11 <DIR> d-------- C:\Program Files\McAfee
2008-04-02 14:44 . 2008-04-02 14:49 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-02 14:34 . 2008-04-02 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-02 13:19 . 2008-04-02 13:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-02 07:00 . 2005-09-20 10:31 135,168 --a------ C:\WINDOWS\SYSTEM32\igfxres.dll
2008-04-01 15:56 . 2006-08-21 05:14 128,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmgr.sys
2008-04-01 15:56 . 2006-08-21 05:14 23,040 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmc.exe
2008-04-01 15:56 . 2006-08-21 08:21 16,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltlib.dll
2008-04-01 15:51 . 2008-04-01 15:51 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-01 14:55 . 2007-07-09 09:09 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2008-04-01 14:35 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll.mui
2008-04-01 14:35 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
2008-04-01 14:35 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2008-04-01 14:35 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll.mui
2008-04-01 13:40 . 2008-04-01 13:40 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-01 09:45 . 2008-04-01 09:45 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-31 10:45 . 2008-03-31 10:45 <DIR> d-------- C:\Documents and Settings\Sales Floor 15\Application Data\GlarySoft
2008-03-31 10:33 . 2008-03-31 10:33 <DIR> d-------- C:\Documents and Settings\Sales Floor 15\Application Data\Uniblue
2008-03-31 07:02 . 2008-04-01 14:19 <DIR> dr-h----- C:\$VAULT$.AVG
2008-03-28 13:43 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-03-28 07:45 . 2008-04-03 10:07 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-28 07:20 . 2008-03-28 16:12 1,585,233 --ahs---- C:\WINDOWS\SYSTEM32\jldnoecx.ini
2008-03-27 17:59 . 2008-04-08 10:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-27 17:59 . 2008-04-08 10:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-27 14:59 . 2008-04-01 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-27 13:47 . 2008-04-03 11:44 <DIR> d--hs---- C:\WINDOWS\U2FsZXMgRmxvb3IgMTU
2008-03-27 13:45 . 2008-03-31 08:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\xTmp
2008-03-27 13:45 . 2008-03-31 08:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\winz1
2008-03-27 13:45 . 2008-04-01 14:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\usnv
2008-03-27 13:45 . 2008-03-31 08:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\aqVreo01
2008-03-27 13:45 . 2008-03-27 13:45 86,016 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbscann.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-04 19:25 --------- d-----w C:\Documents and Settings\Sales Floor 15\Application Data\Juniper Networks
2008-04-03 14:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-03 14:14 --------- d-----w C:\Program Files\Sonic
2008-04-03 13:23 --------- d-----w C:\Program Files\Common Files\Software FX Shared
2008-04-02 18:45 --------- d-----w C:\Program Files\McAfee.com
2008-03-31 15:13 --------- d-----w C:\Program Files\Symantec
2008-03-31 15:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-31 15:10 --------- d-----w C:\Program Files\Java
2008-03-31 15:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-31 12:02 --------- d-----w C:\Program Files\Rhytxg
2008-03-26 12:57 --------- d-----w C:\Documents and Settings\Sales Floor 15\Application Data\Image Zone Express
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-15 09:07 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{553FFAF3-6975-49AD-B20A-64045A1004C1}]
C:\WINDOWS\system32\jkkjh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-09-13 14:17 4621816]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 08:10 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 22:15 290816]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 20:19 57344]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01 110592]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 11:46 172032]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-01 07:15 282624]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 22:52 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 16:30 152144]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-06-21 16:06 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-01-19 17:11 1082920]
"a4b4c670"="C:\WINDOWS\system32\adonrjic.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 22:40:10 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 usbscann;usbscann;C:\WINDOWS\system32\drivers\usbscann.sys [2008-03-27 13:45]
R2 Support.com Repair Service;Support.com Repair Service;C:\Program Files\Support.com\bin\TGSrvc.exe [2002-04-24 21:37]
S2 0303831208949076mcinstcleanup;McAfee Application Installer Cleanup (0303831208949076);C:\WINDOWS\TEMP\[u]030383~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - 0303831208949076MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder
"2008-04-02 18:46:10 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-04-02 18:46:08 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 14:04:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-04-23 14:09:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-23 18:09:08

Pre-Run: 63,360,139,264 bytes free
Post-Run: 63,552,905,216 bytes free

239 --- E O F --- 2008-04-09 12:27:26

pskelley
2008-04-23, 22:15
Thanks for returning your information, let's proceed like this.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) We will use combofix to remove Vundofix, if anything is left on the Desktop when we finish, delete it.

3) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\adonrjic.dll
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
C:\WINDOWS\SYSTEM32\cijrnoda.ini
C:\temp\tn3
C:\WINDOWS\SYSTEM32\acmdtvlu.ini
C:\WINDOWS\SYSTEM32\jldnoecx.ini

Folder::
C:\VundoFix Backups

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {553FFAF3-6975-49AD-B20A-64045A1004C1} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [a4b4c670] rundll32.exe "C:\WINDOWS\system32\adonrjic.dll",b
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZRxdm103YYUS
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm

(I am not sure what you use these for, most are bad links. If you need them, leave them?)

O24 - Desktop Component 0: (no name) - http://www.gminsidenews.com/naias/GMT900/Tahoe/01h.jpg
O24 - Desktop Component 1: (no name) - http://www.fregate.com/images/s011200200.jpg
O24 - Desktop Component 2: (no name) - http://www.roversnorth.com/wallpaper/RR_SPORT_06.jpg
O24 - Desktop Component 3: (no name) - http://www.fas.org/man/dod-101/sys/a...8821f16wwf.jpg
O24 - Desktop Component 4: (no name) - http://www.tourismemarocain.ca/galle.../villes_97.jpg
O24 - Desktop Component 5: (no name) - http://www.tourismemarocain.ca/galle...t/sport_33.jpg
O24 - Desktop Component 6: (no name) - http://www.automobilemag.com/photo_g...er_02_1280.jpg
O24 - Desktop Component 7: (no name) - http://www.mbusa.com/microsite/s-cla...ding-blank.jpg

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the combofix log and a new HJT log. Tell me how the computer is running now.

Thanks

rotrhed
2008-04-24, 15:57
logs as requested. computer performance seems back to normal. still getting a couple pop up windows as i post this. Also, my mcafee antivirus now tells me to reinstall program?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:58 AM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Support.com\bin\TGSrvc.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Sales Floor 15\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?.intl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://206.95.79.186
O16 - DPF: Launcher - http://dealer.jmagroup.com/jmfsdpweb/content/cabs/launcher.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://mpsnet.com/JavaVM3186.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207244086312
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{AECEF2AF-FEC7-4193-AE72-75D33D7700C3}: NameServer = 64.83.0.10,209.137.160.3
O23 - Service: McAfee Application Installer Cleanup (0194881209036049) (0194881209036049mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\019488~1.EXE (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Support.com Repair Service - Support.com, Inc. - C:\Program Files\Support.com\bin\TGSrvc.exe

--
End of file - 11489 bytes
ComboFix 08-04-22.5 - Sales Floor 15 2008-04-24 8:22:39.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.160 [GMT -4:00]
Running from: C:\Documents and Settings\Sales Floor 15\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sales Floor 15\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\temp\tn3
C:\WINDOWS\SYSTEM32\acmdtvlu.ini
C:\WINDOWS\system32\adonrjic.dll
C:\WINDOWS\SYSTEM32\cijrnoda.ini
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
C:\WINDOWS\SYSTEM32\jldnoecx.ini
C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Sales Floor 15\Local Settings\Temporary Internet Files\CPV.stt
C:\temp\tn3
C:\VundoFix Backups
C:\VundoFix Backups\hjkkj.ini.bad
C:\VundoFix Backups\hjkkj.ini2.bad
C:\VundoFix Backups\jkkjh.dll.bad
C:\WINDOWS\SYSTEM32\acmdtvlu.ini
C:\WINDOWS\SYSTEM32\cijrnoda.ini
C:\WINDOWS\SYSTEM32\jldnoecx.ini
C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-24 08:27 . 2008-04-24 08:27 <DIR> d-------- C:\temp\tn3
2008-04-23 14:03 . 2008-04-24 08:26 932 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-04-14 11:06 . 2004-11-04 21:02 <DIR> d-------- C:\Documents and Settings\Administrator.SALES15\Application Data\Sonic
2008-04-14 11:06 . 2004-11-04 20:47 <DIR> d-------- C:\Documents and Settings\Administrator.SALES15\Application Data\Jasc Software Inc
2008-04-14 11:06 . 2004-11-04 21:00 <DIR> d--h----- C:\Documents and Settings\Administrator.SALES15\Application Data\Gtek
2008-04-14 11:06 . 2008-04-14 11:06 <DIR> d-------- C:\Documents and Settings\Administrator.SALES15
2008-04-14 11:06 . 2008-04-24 07:36 1,024 --ah----- C:\Documents and Settings\Administrator.SALES15\ntuser.dat.LOG
2008-04-10 14:40 . 2008-04-10 14:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-10 14:40 . 2008-04-10 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-04 17:34 . 2008-04-04 17:34 <DIR> d-------- C:\Documents and Settings\Sales Floor 15\Application Data\Desktopicon
2008-04-04 15:40 . 2008-04-04 15:40 <DIR> d-------- C:\64185eef7abf5141d20e8a54af
2008-04-04 12:33 . 2008-04-04 17:44 <DIR> d-------- C:\Program Files\Unlocker
2008-04-04 11:14 . 2004-11-04 21:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-04-04 11:14 . 2008-04-04 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-04-04 11:14 . 2008-04-04 15:39 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-04-04 11:14 . 2008-04-23 13:57 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-03 13:50 . 2007-06-30 23:31 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2008-04-03 13:50 . 2007-06-30 23:36 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2008-04-03 13:47 . 2008-04-04 15:25 <DIR> d-------- C:\c0b7f2fa2de60d3052
2008-04-02 15:04 . 2008-04-02 15:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-02 14:55 . 2008-04-24 08:26 21,962 --a------ C:\WINDOWS\SYSTEM32\Config.MPF
2008-04-02 14:52 . 2008-04-03 07:11 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-04-02 14:51 . 2008-04-04 17:19 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-04-02 14:51 . 2008-04-24 07:23 <DIR> d-------- C:\Documents and Settings\Sales Floor 15\Application Data\SiteAdvisor
2008-04-02 14:51 . 2008-04-02 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-02 14:50 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\SYSTEM32\dunzip32.dll
2008-04-02 14:47 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2008-04-02 14:47 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2008-04-02 14:47 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2008-04-02 14:47 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2008-04-02 14:47 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2008-04-02 14:46 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2008-04-02 14:44 . 2008-04-23 07:11 <DIR> d-------- C:\Program Files\McAfee
2008-04-02 14:44 . 2008-04-24 07:28 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-02 14:34 . 2008-04-02 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-02 13:19 . 2008-04-02 13:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-02 07:00 . 2005-09-20 10:31 135,168 --a------ C:\WINDOWS\SYSTEM32\igfxres.dll
2008-04-01 15:56 . 2006-08-21 05:14 128,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmgr.sys
2008-04-01 15:56 . 2006-08-21 05:14 23,040 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmc.exe
2008-04-01 15:56 . 2006-08-21 08:21 16,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltlib.dll
2008-04-01 15:51 . 2008-04-01 15:51 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-01 14:55 . 2007-07-09 09:09 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2008-04-01 14:35 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll.mui
2008-04-01 14:35 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
2008-04-01 14:35 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2008-04-01 14:35 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll.mui
2008-04-01 13:40 . 2008-04-01 13:40 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-01 09:45 . 2008-04-01 09:45 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-31 10:45 . 2008-03-31 10:45 <DIR> d-------- C:\Documents and Settings\Sales Floor 15\Application Data\GlarySoft
2008-03-31 10:33 . 2008-03-31 10:33 <DIR> d-------- C:\Documents and Settings\Sales Floor 15\Application Data\Uniblue
2008-03-31 07:02 . 2008-04-01 14:19 <DIR> dr-h----- C:\$VAULT$.AVG
2008-03-28 13:43 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-03-28 07:45 . 2008-04-03 10:07 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-27 17:59 . 2008-04-08 10:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-27 17:59 . 2008-04-08 10:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-27 14:59 . 2008-04-01 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-27 13:47 . 2008-04-03 11:44 <DIR> d--hs---- C:\WINDOWS\U2FsZXMgRmxvb3IgMTU
2008-03-27 13:45 . 2008-03-31 08:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\xTmp
2008-03-27 13:45 . 2008-03-31 08:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\winz1
2008-03-27 13:45 . 2008-04-01 14:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\usnv
2008-03-27 13:45 . 2008-03-31 08:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\aqVreo01
2008-03-27 13:45 . 2008-03-27 13:45 86,016 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbscann.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-04 19:25 --------- d-----w C:\Documents and Settings\Sales Floor 15\Application Data\Juniper Networks
2008-04-03 14:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-03 14:14 --------- d-----w C:\Program Files\Sonic
2008-04-03 13:23 --------- d-----w C:\Program Files\Common Files\Software FX Shared
2008-04-02 18:45 --------- d-----w C:\Program Files\McAfee.com
2008-03-31 15:13 --------- d-----w C:\Program Files\Symantec
2008-03-31 15:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-31 15:10 --------- d-----w C:\Program Files\Java
2008-03-31 15:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-31 12:02 --------- d-----w C:\Program Files\Rhytxg
2008-03-26 12:57 --------- d-----w C:\Documents and Settings\Sales Floor 15\Application Data\Image Zone Express
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-15 09:07 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-23_14.08.49.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-23 18:03:35 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-24 12:26:50 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{553FFAF3-6975-49AD-B20A-64045A1004C1}]
C:\WINDOWS\system32\jkkjh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-09-13 14:17 4621816]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 08:10 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 22:15 290816]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 20:19 57344]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01 110592]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 11:46 172032]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-01 07:15 282624]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 22:52 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-06-21 16:06 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"a4b4c670"="C:\WINDOWS\system32\adonrjic.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 22:40:10 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 usbscann;usbscann;C:\WINDOWS\system32\drivers\usbscann.sys [2008-03-27 13:45]
R2 Support.com Repair Service;Support.com Repair Service;C:\Program Files\Support.com\bin\TGSrvc.exe [2002-04-24 21:37]
S2 0194881209036049mcinstcleanup;McAfee Application Installer Cleanup (0194881209036049);C:\WINDOWS\TEMP\[u]019488~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-04-02 18:46:10 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-04-02 18:46:08 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 08:27:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-04-24 8:32:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 12:32:16
ComboFix2.txt 2008-04-23 18:09:15

Pre-Run: 63,455,932,416 bytes free
Post-Run: 63,464,845,312 bytes free

230 --- E O F --- 2008-04-09 12:27:26

pskelley
2008-04-24, 16:16
Thanks for the feedback, there are a few items in the HJT log I do not know, look at the log to make sure you know everything there.

Here is probably the reason:
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk . . . . failed to delete
This piece of junk comes with a hidden driver and without manually scanning each driver in the combofix log, I am not sure which on it is. I would like you do do this.

1) Remove combofix completely, also the C:\Qoobox\Quarantine folder\

2) Restart the computer

3) Please download F-Secure Blacklight:
ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
and save to your C:\ drive.
Open a command window by going to Start > Run and typing: cmd
Copy/paste or type the following in the command window: C:\fsbl.exe /expert
Hit "Enter" to start the program and then close the cmd box.
Accept the user agreement and click "Next".
Click "Scan".
After the scan is complete, click "Next", then "Exit".
BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
The log will have a list of all items found. Do not choose to rename any yet!
I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe.
Exit Blacklight and post the contents of the log in your next reply.

4) I would like to look at a combofix log from the newest version of the tool:
Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and the log from BlackLight

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

rotrhed
2008-04-24, 18:53
combofix and blacklight logs. blacklight log found no hidden objects, was this expected?

ComboFix 08-04-22.5 - Sales Floor 15 2008-04-24 11:29:07.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.185 [GMT -4:00]
Running from: C:\Documents and Settings\Sales Floor 15\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-24 11:33 . 2008-04-24 11:33 <DIR> d-------- C:\temp\tn3
2008-04-24 10:54 . 2008-04-24 10:54 1,018,520 --a------ C:\fsbl.exe
2008-04-23 14:03 . 2008-04-24 11:32 932 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-04-14 11:06 . 2004-11-04 21:02 <DIR> d-------- C:\Documents and Settings\Administrator.SALES15\Application Data\Sonic
2008-04-14 11:06 . 2004-11-04 20:47 <DIR> d-------- C:\Documents and Settings\Administrator.SALES15\Application Data\Jasc Software Inc
2008-04-14 11:06 . 2004-11-04 21:00 <DIR> d--h----- C:\Documents and Settings\Administrator.SALES15\Application Data\Gtek
2008-04-14 11:06 . 2008-04-14 11:06 <DIR> d-------- C:\Documents and Settings\Administrator.SALES15
2008-04-14 11:06 . 2008-04-24 09:47 1,024 --ah----- C:\Documents and Settings\Administrator.SALES15\ntuser.dat.LOG
2008-04-10 14:40 . 2008-04-10 14:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-10 14:40 . 2008-04-10 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-04 17:34 . 2008-04-04 17:34 <DIR> d-------- C:\Documents and Settings\Sales Floor 15\Application Data\Desktopicon
2008-04-04 15:40 . 2008-04-04 15:40 <DIR> d-------- C:\64185eef7abf5141d20e8a54af
2008-04-04 12:33 . 2008-04-04 17:44 <DIR> d-------- C:\Program Files\Unlocker
2008-04-04 11:14 . 2004-11-04 21:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-04-04 11:14 . 2008-04-04 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-04-04 11:14 . 2008-04-04 15:39 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-04-04 11:14 . 2008-04-23 13:57 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-03 13:50 . 2007-06-30 23:31 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2008-04-03 13:50 . 2007-06-30 23:36 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2008-04-03 13:47 . 2008-04-04 15:25 <DIR> d-------- C:\c0b7f2fa2de60d3052
2008-04-02 15:04 . 2008-04-02 15:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-02 14:55 . 2008-04-24 11:35 21,962 --a------ C:\WINDOWS\SYSTEM32\Config.MPF
2008-04-02 14:52 . 2008-04-03 07:11 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-04-02 14:51 . 2008-04-04 17:19 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-04-02 14:51 . 2008-04-24 07:23 <DIR> d-------- C:\Documents and Settings\Sales Floor 15\Application Data\SiteAdvisor
2008-04-02 14:51 . 2008-04-02 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-02 14:50 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\SYSTEM32\dunzip32.dll
2008-04-02 14:47 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2008-04-02 14:47 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2008-04-02 14:47 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2008-04-02 14:47 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2008-04-02 14:47 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2008-04-02 14:46 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2008-04-02 14:44 . 2008-04-23 07:11 <DIR> d-------- C:\Program Files\McAfee
2008-04-02 14:44 . 2008-04-24 07:28 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-02 14:34 . 2008-04-02 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-02 13:19 . 2008-04-02 13:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-02 07:00 . 2005-09-20 10:31 135,168 --a------ C:\WINDOWS\SYSTEM32\igfxres.dll
2008-04-01 15:56 . 2006-08-21 05:14 128,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmgr.sys
2008-04-01 15:56 . 2006-08-21 05:14 23,040 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmc.exe
2008-04-01 15:56 . 2006-08-21 08:21 16,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltlib.dll
2008-04-01 15:51 . 2008-04-01 15:51 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-01 14:55 . 2007-07-09 09:09 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2008-04-01 14:35 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll.mui
2008-04-01 14:35 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
2008-04-01 14:35 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2008-04-01 14:35 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll.mui
2008-04-01 13:40 . 2008-04-01 13:40 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-01 09:45 . 2008-04-01 09:45 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-31 10:45 . 2008-03-31 10:45 <DIR> d-------- C:\Documents and Settings\Sales Floor 15\Application Data\GlarySoft
2008-03-31 10:33 . 2008-03-31 10:33 <DIR> d-------- C:\Documents and Settings\Sales Floor 15\Application Data\Uniblue
2008-03-31 07:02 . 2008-04-01 14:19 <DIR> dr-h----- C:\$VAULT$.AVG
2008-03-28 13:43 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-03-28 07:45 . 2008-04-03 10:07 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-27 17:59 . 2008-04-08 10:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-27 17:59 . 2008-04-08 10:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-27 14:59 . 2008-04-01 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-27 13:47 . 2008-04-03 11:44 <DIR> d--hs---- C:\WINDOWS\U2FsZXMgRmxvb3IgMTU
2008-03-27 13:45 . 2008-03-31 08:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\xTmp
2008-03-27 13:45 . 2008-03-31 08:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\winz1
2008-03-27 13:45 . 2008-04-01 14:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\usnv
2008-03-27 13:45 . 2008-03-31 08:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\aqVreo01
2008-03-27 13:45 . 2008-03-27 13:45 86,016 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbscann.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-04 19:25 --------- d-----w C:\Documents and Settings\Sales Floor 15\Application Data\Juniper Networks
2008-04-03 14:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-03 14:14 --------- d-----w C:\Program Files\Sonic
2008-04-03 13:23 --------- d-----w C:\Program Files\Common Files\Software FX Shared
2008-04-02 18:45 --------- d-----w C:\Program Files\McAfee.com
2008-03-31 15:13 --------- d-----w C:\Program Files\Symantec
2008-03-31 15:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-31 15:10 --------- d-----w C:\Program Files\Java
2008-03-31 15:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-31 12:02 --------- d-----w C:\Program Files\Rhytxg
2008-03-26 12:57 --------- d-----w C:\Documents and Settings\Sales Floor 15\Application Data\Image Zone Express
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-15 09:07 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-23_14.08.49.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-23 18:03:35 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-24 15:32:44 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-09-13 14:17 4621816]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 08:10 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 22:15 290816]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 20:19 57344]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01 110592]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 11:46 172032]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-01 07:15 282624]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 22:52 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-06-21 16:06 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 22:40:10 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 usbscann;usbscann;C:\WINDOWS\system32\drivers\usbscann.sys [2008-03-27 13:45]
R2 Support.com Repair Service;Support.com Repair Service;C:\Program Files\Support.com\bin\TGSrvc.exe [2002-04-24 21:37]
S2 0194881209036049mcinstcleanup;McAfee Application Installer Cleanup (0194881209036049);C:\WINDOWS\TEMP\019488~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-04-02 18:46:10 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-04-02 18:46:08 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 11:33:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-04-24 11:38:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 15:38:53
ComboFix2.txt 2008-04-24 12:32:26

Pre-Run: 63,459,835,904 bytes free
Post-Run: 63,462,174,720 bytes free
04/24/08 10:55:31 [Info]: BlackLight Engine 1.0.70 initialized
04/24/08 10:55:31 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/24/08 10:55:32 [Note]: 7019 4
04/24/08 10:55:32 [Note]: 7005 0
04/24/08 10:55:59 [Note]: 7006 0
04/24/08 10:55:59 [Note]: 7022 0
04/24/08 10:55:59 [Note]: 7011 1448
04/24/08 10:55:59 [Note]: 7035 0
04/24/08 10:55:59 [Note]: 7026 0
04/24/08 10:55:59 [Note]: 7026 0
04/24/08 10:56:05 [Note]: FSRAW library version 1.7.1024
04/24/08 11:07:23 [Note]: 2000 1012
04/24/08 11:07:23 [Note]: 2000 1012
04/24/08 11:07:23 [Note]: 2000 1012
04/24/08 11:22:32 [Note]: 7007 0

202 --- E O F --- 2008-04-09 12:27:26

pskelley
2008-04-24, 22:13
The item causing the issue is still there:
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

I was hoping BlackLight would show us the hidden rootkit causing us not to be able to delete that item. It did not so you can remove BlackLight from your computer. The hackers are constantly changing their junk to keep us from removing it. As soon as I have more information for you, I will post it.

Thanks

pskelley
2008-04-24, 22:37
Open notepad and copy/paste the text in the codebox below into it:


Driver::
usbscann.sys

File::
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
C:\WINDOWS\SYSTEM32\DRIVERS\usbscann.sys
C:\fsbl.exe

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks

pskelley
2008-04-24, 22:48
That should take care of your problems, if that is the case, then this is the next bridge we need to cross:

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Thanks

rotrhed
2008-04-25, 18:25
wooo-hooo!!! no pop up ads!!! awsome job!

here is the combofix, hjt, and console recovery logs you requested.

Ready to clean up anything else you think I need to.

ComboFix 08-04-22.5 - Sales Floor 15 2008-04-24 16:53:44.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.144 [GMT -4:00]
Running from: C:\Documents and Settings\Sales Floor 15\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sales Floor 15\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\fsbl.exe
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
C:\WINDOWS\SYSTEM32\DRIVERS\usbscann.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\SYSTEM32\DRIVERS\usbscann.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_usbscann
-------\Service_usbscann


((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-14 11:06 . 2004-11-04 21:02 <DIR> d-------- C:\Documents and Settings\Administrator.SALES15\Application Data\Sonic
2008-04-14 11:06 . 2004-11-04 20:47 <DIR> d-------- C:\Documents and Settings\Administrator.SALES15\Application Data\Jasc Software Inc
2008-04-14 11:06 . 2004-11-04 21:00 <DIR> d--h----- C:\Documents and Settings\Administrator.SALES15\Application Data\Gtek
2008-04-14 11:06 . 2008-04-14 11:06 <DIR> d-------- C:\Documents and Settings\Administrator.SALES15
2008-04-14 11:06 . 2008-04-24 09:47 1,024 --ah----- C:\Documents and Settings\Administrator.SALES15\ntuser.dat.LOG
2008-04-10 14:40 . 2008-04-10 14:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-10 14:40 . 2008-04-10 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-04 17:34 . 2008-04-04 17:34 <DIR> d-------- C:\Documents and Settings\Sales Floor 15\Application Data\Desktopicon
2008-04-04 15:40 . 2008-04-04 15:40 <DIR> d-------- C:\64185eef7abf5141d20e8a54af
2008-04-04 12:33 . 2008-04-04 17:44 <DIR> d-------- C:\Program Files\Unlocker
2008-04-04 11:14 . 2004-11-04 21:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-04-04 11:14 . 2008-04-04 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-04-04 11:14 . 2008-04-04 15:39 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-04-04 11:14 . 2008-04-23 13:57 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-03 13:50 . 2007-06-30 23:31 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2008-04-03 13:50 . 2007-06-30 23:36 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2008-04-03 13:47 . 2008-04-04 15:25 <DIR> d-------- C:\c0b7f2fa2de60d3052
2008-04-02 15:04 . 2008-04-02 15:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-02 14:55 . 2008-04-24 17:01 22,250 --a------ C:\WINDOWS\SYSTEM32\Config.MPF
2008-04-02 14:52 . 2008-04-03 07:11 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-04-02 14:51 . 2008-04-24 12:38 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-04-02 14:51 . 2008-04-24 07:23 <DIR> d-------- C:\Documents and Settings\Sales Floor 15\Application Data\SiteAdvisor
2008-04-02 14:51 . 2008-04-02 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-02 14:50 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\SYSTEM32\dunzip32.dll
2008-04-02 14:47 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2008-04-02 14:47 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2008-04-02 14:47 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2008-04-02 14:47 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2008-04-02 14:47 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2008-04-02 14:46 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2008-04-02 14:44 . 2008-04-24 12:46 <DIR> d-------- C:\Program Files\McAfee
2008-04-02 14:44 . 2008-04-24 07:28 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-02 14:34 . 2008-04-02 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-02 13:19 . 2008-04-02 13:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-02 07:00 . 2005-09-20 10:31 135,168 --a------ C:\WINDOWS\SYSTEM32\igfxres.dll
2008-04-01 15:56 . 2006-08-21 05:14 128,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmgr.sys
2008-04-01 15:56 . 2006-08-21 05:14 23,040 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmc.exe
2008-04-01 15:56 . 2006-08-21 08:21 16,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltlib.dll
2008-04-01 15:51 . 2008-04-01 15:51 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-01 14:55 . 2007-07-09 09:09 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2008-04-01 14:35 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll.mui
2008-04-01 14:35 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
2008-04-01 14:35 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2008-04-01 14:35 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll.mui
2008-04-01 13:40 . 2008-04-01 13:40 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-01 09:45 . 2008-04-01 09:45 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-31 10:45 . 2008-03-31 10:45 <DIR> d-------- C:\Documents and Settings\Sales Floor 15\Application Data\GlarySoft
2008-03-31 10:33 . 2008-03-31 10:33 <DIR> d-------- C:\Documents and Settings\Sales Floor 15\Application Data\Uniblue
2008-03-31 07:02 . 2008-04-01 14:19 <DIR> dr-h----- C:\$VAULT$.AVG
2008-03-28 13:43 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-03-28 07:45 . 2008-04-03 10:07 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-27 17:59 . 2008-04-08 10:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-27 17:59 . 2008-04-08 10:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-27 14:59 . 2008-04-01 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-27 13:47 . 2008-04-03 11:44 <DIR> d--hs---- C:\WINDOWS\U2FsZXMgRmxvb3IgMTU
2008-03-27 13:45 . 2008-03-31 08:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\xTmp
2008-03-27 13:45 . 2008-03-31 08:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\winz1
2008-03-27 13:45 . 2008-04-01 14:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\usnv
2008-03-27 13:45 . 2008-03-31 08:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\aqVreo01

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-04 19:25 --------- d-----w C:\Documents and Settings\Sales Floor 15\Application Data\Juniper Networks
2008-04-03 14:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-03 14:14 --------- d-----w C:\Program Files\Sonic
2008-04-03 13:23 --------- d-----w C:\Program Files\Common Files\Software FX Shared
2008-04-02 18:45 --------- d-----w C:\Program Files\McAfee.com
2008-03-31 15:13 --------- d-----w C:\Program Files\Symantec
2008-03-31 15:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-31 15:10 --------- d-----w C:\Program Files\Java
2008-03-31 15:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-31 12:02 --------- d-----w C:\Program Files\Rhytxg
2008-03-26 12:57 --------- d-----w C:\Documents and Settings\Sales Floor 15\Application Data\Image Zone Express
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-15 09:07 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-23_14.08.49.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-23 18:03:35 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-24 20:58:08 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
- 2004-11-15 21:41:41 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2008-04-24 17:18:53 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2004-11-15 21:41:41 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-24 17:18:53 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-11-15 21:41:41 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-24 17:18:53 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-09-13 14:17 4621816]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 08:10 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 22:15 290816]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 20:19 57344]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01 110592]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 11:46 172032]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-01 07:15 282624]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 22:52 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-06-21 16:06 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 22:40:10 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 Support.com Repair Service;Support.com Repair Service;C:\Program Files\Support.com\bin\TGSrvc.exe [2002-04-24 21:37]
S3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-04-02 18:46:10 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-04-02 18:46:08 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 16:58:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-04-24 17:03:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 21:03:27
ComboFix2.txt 2008-04-24 15:38:59
ComboFix3.txt 2008-04-24 12:32:26

Pre-Run: 63,365,746,688 bytes free
Post-Run: 63,359,733,760 bytes free

211 --- E O F --- 2008-04-09 12:27:26
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:36 AM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Support.com\bin\TGSrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Sales Floor 15\Application Data\Juniper Networks\Cache Cleaner 5.4.0\dsCacheCleaner.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Sales Floor 15\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?.intl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Cache Cleaner] C:\Documents and Settings\Sales Floor 15\Application Data\Juniper Networks\Cache Cleaner 5.4.0\dsCacheCleaner.exe -action delete
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://206.95.79.186
O16 - DPF: Launcher - http://dealer.jmagroup.com/jmfsdpweb/content/cabs/launcher.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://mpsnet.com/JavaVM3186.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207244086312
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{AECEF2AF-FEC7-4193-AE72-75D33D7700C3}: NameServer = 64.83.0.10,209.137.160.3
O23 - Service: McAfee Application Installer Cleanup (0060501209122243) (0060501209122243mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\006050~1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Support.com Repair Service - Support.com, Inc. - C:\Program Files\Support.com\bin\TGSrvc.exe

--
End of file - 11194 bytesWindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

pskelley
2008-04-25, 18:46
Good job with all of the complex instructions:bigthumb: and thanks for the feedback. We have some infected System Restore files to clean as we finish up, remove combofix and the C:\Qoobox\Quarantine\ folder and then run a new Kaspersky Online Scan using these settings, to be sure we missed nothing.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

rotrhed
2008-04-25, 21:50
new kas report...
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 25, 2008 2:46:32 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/04/2008
Kaspersky Anti-Virus database records: 648360
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 54479
Number of viruses found: 2
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 00:48:05

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\EasyNet\MHNData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{533A066A-E170-4782-8040-94E68A6A8D61}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFRE.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Application Data\Juniper Networks\Cache Cleaner 5.4.0\dsCacheCleaner.log Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Application Data\Juniper Networks\Setup\JuniperSetupCtrl.log Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Application Data\Juniper Networks\Setup\JuniperSetupDLL.log Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Application Data\Microsoft\Forms\r2win.box Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\History\History.IE5\MSHist012008042520080426\index.dat Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\sqlite_AbDJXtKX6ZROvYf Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\sqlite_qX7Zaaf1zOPJJpo Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\sqlite_YbB0HywtzGZdTA6 Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DF345C.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DF55D0.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DF7950.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DF7961.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DF7F31.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DF7F4C.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DF8263.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DF828B.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DF829C.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DF88B7.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temp\~DFCC79.tmp Object is locked skipped
C:\Documents and Settings\Sales Floor 15\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sales Floor 15\ntuser.dat Object is locked skipped
C:\Documents and Settings\Sales Floor 15\ntuser.dat.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-698356292-4057530492-1044131311-1008\Dc5\Quarantine\catchme2008-04-24_165623.54.zip/usbscann.sys Infected: Rootkit.Win32.Agent.to skipped
C:\RECYCLER\S-1-5-21-698356292-4057530492-1044131311-1008\Dc5\Quarantine\catchme2008-04-24_165623.54.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP872\A0112464.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP872\A0112466.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP872\A0112467.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP872\A0112468.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP872\A0112469.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP872\A0112470.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP872\A0112471.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP872\A0112472.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP888\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{DF6AA79A-E2F1-47F7-8A7C-A25CBC247B22}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\SPOOL\PRINTERS\FP00026.SHD Object is locked skipped
C:\WINDOWS\SYSTEM32\SPOOL\PRINTERS\FP00026.SPL Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_F90ezSe3LlQucUF Object is locked skipped
C:\WINDOWS\Temp\mcmsc_0P1Z73o57mWRsR7 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_Epz8NbiQer3ssGg Object is locked skipped
C:\WINDOWS\Temp\sqlite_WYAEDyY9NcFEkEv Object is locked skipped
C:\WINDOWS\Temp\sqlite_ZwlUuDp8SZkhvUx Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

pskelley
2008-04-25, 21:58
KASPERSKY ONLINE SCANNER REPORT Friday, April 25, 2008 2:46:32 PM

1) Delete the contents of the Recycle Bin on the Desktop and restart the computer

2) Clean infected System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Safe surfing:bigthumb:

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.