View Full Version : Malware crazy
Mars4now
2008-07-18, 21:36
Hi, Computer acting crazy after New Malware .j infection. Browser locked down and advertisement open in windows not solisited.
I had to change the name of HIJackthis in order for it to execute.
Help please !
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:24 PM, on 7/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Safari\Safari.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Atari Launcher 2] C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe
O4 - HKLM\..\Run: [AtariBanner] "C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" /0
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGuiSt.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ec184f58] rundll32.exe "C:\WINDOWS\system32\byjnhoyb.dll",b
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.12.0.48\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [PlaxoSysTray] C:\Program Files\Plaxo\3.12.0.48\PlaxoSysTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZUxdm020YYUS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192064371937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192498261375
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: McAfee Application Installer Cleanup (0325611215602524) (0325611215602524mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\032561~1.EXE (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - file:///C:/Program%20Files/Adobe/Acrobat%207.0/Acrobat/HowTo/ENU/images/bkgrnd_art.gif
--
End of file - 16107 bytes
shelf life
2008-07-21, 02:25
hi,
still need help? we will use combofix;
Download combofix from one of these links and save it to your Desktop
http://subs.geekstogo.com/ComboFix.exe\
http://download.bleepingcomputer.com/sUBs/ComboFix.exe\
Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\\ComboFix.txt" along with a new HijackThis log for further review
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.
Mars4now
2008-07-21, 17:14
hi,
Here is the info requested. Thanks for your assistance!
ComboFix 08-07-20.7 - Billy 2008-07-21 8:29:30.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1706 [GMT -4:00]
Running from: C:\Documents and Settings\Billy\Desktop\2-2.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Sharon\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\Cache\02B9258B.bin
C:\Program Files\MyWebSearch\bar\Cache\02B928E6.bin
C:\Program Files\MyWebSearch\bar\Cache\02E28E50
C:\Program Files\MyWebSearch\bar\Cache\02E29881
C:\Program Files\MyWebSearch\bar\Cache\02E29D44.bin
C:\Program Files\MyWebSearch\bar\Cache\02E2A10C.bin
C:\Program Files\MyWebSearch\bar\Cache\02E2A5FE.bin
C:\Program Files\MyWebSearch\bar\Cache\02E2A979.bin
C:\Program Files\MyWebSearch\bar\Cache\02EA5B62.bin
C:\Program Files\MyWebSearch\bar\Cache\02EA5EAD.bin
C:\Program Files\MyWebSearch\bar\Cache\02EA6266.bin
C:\Program Files\MyWebSearch\bar\Cache\02EA68A0.bin
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search
C:\Program Files\MyWebSearch\bar\Settings\prevcfg.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.htm
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\awtqqqrP.dll
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\byohnjyb.ini
C:\WINDOWS\SYSTEM32\CcLTvyxx.ini
C:\WINDOWS\SYSTEM32\CcLTvyxx.ini2
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbdll.old
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\dpiruiwy.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\fdszer.dll
C:\WINDOWS\system32\fhwpjt.dll
C:\WINDOWS\system32\flemlxik.dll
C:\WINDOWS\system32\fnjxoycr.dll
C:\WINDOWS\system32\gpqgde.dll
C:\WINDOWS\system32\grvnsgug.ini
C:\WINDOWS\system32\gzimxi.dll
C:\WINDOWS\system32\holojdpe.dll
C:\WINDOWS\system32\iuumda.dll
C:\WINDOWS\system32\jnbkgb.dll
C:\WINDOWS\system32\kgtfadob.ini
C:\WINDOWS\system32\lwwgjy.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mefiyron.ini
C:\WINDOWS\system32\ndjxmz.dll
C:\WINDOWS\system32\oajufrib.dll
C:\WINDOWS\system32\ovwleaxq.dll
C:\WINDOWS\system32\pucomcyo.dll
C:\WINDOWS\system32\rrmmvhbs.dll
C:\WINDOWS\system32\rsjgkpqa.ini
C:\WINDOWS\system32\skuoyqmk.dll
C:\WINDOWS\system32\tuvvtqQK.dll
C:\WINDOWS\system32\vrfyvrrx.ini
C:\WINDOWS\system32\wuqmljaq.ini
C:\WINDOWS\system32\xxyvTLcC.dll
C:\WINDOWS\system32\ywiuripd.ini
C:\WINDOWS\system32\zdznic.dll
C:\WINDOWS\temp\perflib_perfdata_1cc.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CLBDRIVER
((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.
2008-07-18 14:00 . 2008-07-18 14:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-16 13:46 . 2008-07-16 13:46 <DIR> d-------- C:\Program Files\Windows Defender
2008-07-16 12:55 . 2008-07-16 12:55 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-07-12 20:06 . 2008-07-21 09:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-12 18:01 . 2005-04-15 11:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-07-12 18:01 . 2005-04-15 11:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-07-12 18:01 . 2005-04-15 11:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Creative
2008-07-12 18:00 . 2008-07-12 18:01 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-11 21:06 . 2008-07-11 21:06 294 --ahs---- C:\WINDOWS\SYSTEM32\uthwqkkr.tmp
2008-07-11 17:56 . 2008-07-11 17:56 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\McAfee
2008-07-10 13:58 . 2004-08-04 06:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-07-08 13:39 . 2008-07-08 13:39 <DIR> d-------- C:\WINDOWS\SQL9_KB948109_ENU
2008-07-08 13:37 . 2008-07-08 13:37 <DIR> d-------- C:\WINDOWS\$SQLUninstallSQL2000-KB948110-v8.00.2050-x86-ENU$
2008-07-08 11:37 . 2008-07-08 11:39 <DIR> d-------- C:\Program Files\Safari
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 22:52 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-07-21 13:24 --------- d-----w C:\Program Files\Plaxo
2008-07-20 21:12 --------- d-----w C:\Documents and Settings\Billy\Application Data\SiteAdvisor
2008-07-20 02:03 --------- d-----w C:\Program Files\e-Sword
2008-07-15 03:35 --------- d-----w C:\Program Files\DB CIF Cam
2008-07-15 03:16 --------- d-----w C:\Program Files\Airmail
2008-07-15 03:15 --------- d-----w C:\Program Files\AIMTunes
2008-07-10 19:15 --------- d-----w C:\Program Files\McAfee
2008-07-08 16:07 --------- d-----w C:\Documents and Settings\Billy\Application Data\Apple Computer
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:51 361,600 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-11 14:14 --------- d-----w C:\Documents and Settings\Billy\Application Data\OfficeUpdate12
2008-06-10 00:38 --------- d-----w C:\Program Files\PKTerm99
2008-06-05 18:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-31 04:00 --------- d-----w C:\Program Files\Greetings Workshop
2008-05-30 00:33 --------- d-----w C:\Documents and Settings\Billy\Application Data\QQ Games Plugin
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\SYSTEM32\wshext.dll
2008-05-09 10:53 90,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wshext.dll
2008-05-09 10:53 512,000 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\SYSTEM32\vbscript.dll
2008-05-09 10:53 430,080 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\SYSTEM32\scrobj.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\SYSTEM32\scrrun.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\scrrun.dll
2008-05-08 14:02 203,136 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\SYSTEM32\wscript.exe
2008-05-08 11:24 155,648 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\SYSTEM32\cscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-04-24 02:16 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2006-11-04 00:12 17,177,896 -c--a-w C:\Documents and Settings\All Users\Install_Messenger.exe
2006-11-03 23:07 15,521,072 -c--a-w C:\Documents and Settings\All Users\IE7-WindowsXP-x86-enu.exe
2005-05-30 21:27 64,512 -c-ha-w C:\Documents and Settings\Billy\Application Data\rbap450.dll
2005-05-30 21:27 1,360,384 -c-ha-w C:\Documents and Settings\Billy\Application Data\V4RB.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.EXE" [2008-04-13 20:12 1695232]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]
"PlaxoUpdate"="C:\Program Files\Plaxo\3.12.0.48\PlaxoHelper_en.exe" [2008-05-06 11:12 293447]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"PlaxoSysTray"="C:\Program Files\Plaxo\3.12.0.48\PlaxoSysTray.exe" [2008-05-06 11:12 20480]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12 221184]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43 57344]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 17:54 57344]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 02:01 110592]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 14:25 270336]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2001-10-04 21:34 24576]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2001-08-22 18:52 331830]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 01:41 28738]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 10:00 241714]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 17:30 45632]
"Atari Launcher 2"="C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe" [2001-05-22 18:13 55296]
"AtariBanner"="C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" [2001-05-22 18:17 49152]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-03-20 17:34 213936]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-19 11:06 11776]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 17:22 3739648]
"ISUSScheduler"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [2006-03-20 17:34 86960]
"MWLExe"="C:\Program Files\Mcafee\MWL\MWLGuiSt.exe" [2007-07-28 10:32 206184]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-02-08 22:39 36904]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 17:33 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 17:37 2178832]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 06:33 122941]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-27 08:25 185896]
"fssui"="C:\Program Files\Windows Live\Family Safety\fssui.exe" [2007-12-17 11:12 243240]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"P17Helper"="P17.dll" [2005-05-04 02:38 64512 C:\WINDOWS\SYSTEM32\P17.dll]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 20:12 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]
C:\Documents and Settings\Robby\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-04 50688]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2005-04-21 21:05:18 25214]
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2006-08-28 17:16:02 221247]
Bluetooth.lnk - C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe [2005-05-31 14:29:16 577597]
Google Calendar Sync.lnk - C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-05-27 12:48:52 542192]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\xxyvTLcC
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\McAfee\\MWL\\MwlSvc.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Tencent\\QQ Games\\QQGames.exe"=
"C:\\Program Files\\Windows Defender\\MSASCui.exe"=
R2 fssfltr;FssFltr;C:\WINDOWS\system32\DRIVERS\fssfltr.sys [2007-10-17 13:53]
R2 fsssvc;Windows Live OneCare Family Safety;C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2007-12-17 11:13]
R2 LxrSII1d;Secure II Driver;C:\WINDOWS\system32\Drivers\LxrSII1d.sys [2005-05-19 15:48]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
S2 0325611215602524mcinstcleanup;McAfee Application Installer Cleanup (0325611215602524);C:\WINDOWS\TEMP\032561~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 06:29]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-14 15:24:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-20 21:05:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-07-11 22:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (1) (DFWTQ871-Billy).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-06-15 06:39:03 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-07-01 05:00:08 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-06-11 23:51:47 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job"
- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe%Scan -RestrictPrivileges -ScanType 1
"2008-07-21 13:17:12 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-07-20 13:48:02 C:\WINDOWS\Tasks\MSK_ABImport_Daily_Billy.job"
- C:\WINDOWS\system32\RUNDLL32.EXE<
"2008-07-08 13:48:04 C:\WINDOWS\Tasks\MSK_ABImport_Monthly_Billy.job"
- C:\WINDOWS\system32\RUNDLL32.EXE>
"2008-07-21 13:34:11 C:\WINDOWS\Tasks\User_Feed_Synchronization-{267FAAC0-6DAB-4F89-9348-37C2A0A4077C}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-ec184f58 - C:\WINDOWS\system32\dpiruiwy.dll
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
O8 -: &MSN Search - C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O8 -: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZUxdm020YYUS
O8 -: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 -: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 09:17:59
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
Completion time: 2008-07-21 9:43:47
ComboFix-quarantined-files.txt 2008-07-21 13:43:24
Pre-Run: 34,772,877,312 bytes free
Post-Run: 35,324,764,160 bytes free
321 --- E O F --- 2008-07-08 22:25:24
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:28 AM, on 7/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\fxssvc.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Live\Family Safety\fssui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\3.12.0.48\PlaxoHelper_en.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\IOGEAR\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Mcafee\MWL\MwlGui.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mcafee\MWL\MwlSvc.exe
C:\WINDOWS\explorer.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\PROGRA~1\McAfee\MSC\McLgView.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Atari Launcher 2] C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe
O4 - HKLM\..\Run: [AtariBanner] "C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" /0
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGuiSt.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.12.0.48\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [PlaxoSysTray] C:\Program Files\Plaxo\3.12.0.48\PlaxoSysTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZUxdm020YYUS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192064371937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192498261375
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: McAfee Application Installer Cleanup (0325611215602524) (0325611215602524mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\032561~1.EXE (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - file:///C:/Program%20Files/Adobe/Acrobat%207.0/Acrobat/HowTo/ENU/images/bkgrnd_art.gif
--
End of file - 19999 bytes
shelf life
2008-07-22, 01:04
hi,
thanks for the info. we will get two more downloads to use. first download and run SDfix, followed by malwarebytes. Sdfix run in safe mode. please post the sdfix log and the malwarebytes log:
Sdfix:
Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
----------------------------------------------
malwarebytes:
Please download Malwarebytes' Anti-Malware to your desktop:
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Mars4now
2008-07-22, 23:08
Hi, the computer is running faster. I see in the log the trojan that seems to have caused the problem.
Here are the two files requested. I appreciate your help!
SDFix: Version 1.207
Run by Billy on Tue 07/22/2008 at 09:41 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk - Deleted
Folder C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 10:04:53
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0002720b16de]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\0002720b16de]
scanning hidden registry entries ...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4B80E6A4-8CBC-58EE-8288-97AE3D7DB545}]
"oamojlicadhebbjphapfjbigocbhfj"=hex:64,61,6a,69,64,67,6e,70,00,80
"oaacpebiepggpdnadildfdjmblabbg"=hex:6a,61,6a,69,66,66,6a,66,6a,69,64,6f,6e,6c,6e,61,6d,6d,68,70,00,..
"nagcfjcalfjgogihndhmbckhlipg"=hex:6a,61,6a,69,69,6b,6b,62,70,61,6d,64,62,62,6b,62,69,69,64,6d,00,..
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"="C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\\Program Files\\McAfee\\MWL\\MwlSvc.exe"="C:\\Program Files\\McAfee\\MWL\\MwlSvc.exe:*:Enabled:McAfee Wireless Network Security"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"="C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe:*:Enabled:McAfee Data Backup"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Tencent\\QQ Games\\QQGames.exe"="C:\\Program Files\\Tencent\\QQ Games\\QQGames.exe:*:Enabled:QQ Games"
"C:\\Program Files\\Windows Defender\\MSASCui.exe"="C:\\Program Files\\Windows Defender\\MSASCui.exe:*:Enabled:Windows Defender"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\WatchGuard\\Mobile User VPN\\IreIKE.exe"="C:\\Program Files\\WatchGuard\\Mobile User VPN\\IreIKE.exe:*:Enabled:IreIke"
"C:\\Program Files\\WatchGuard\\Mobile User VPN\\ViewLog.exe"="C:\\Program Files\\WatchGuard\\Mobile User VPN\\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog"
"C:\\Program Files\\WatchGuard\\Mobile User VPN\\CmonApp.exe"="C:\\Program Files\\WatchGuard\\Mobile User VPN\\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp"
"C:\\Program Files\\WatchGuard\\Mobile User VPN\\vpn.exe"="C:\\Program Files\\WatchGuard\\Mobile User VPN\\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\PX.DLL"
Wed 28 Jul 2004 56,832 A..H. --- "C:\DELL\PXCPYA64.EXE"
Wed 28 Jul 2004 108,544 A..H. --- "C:\DELL\PXCPYI64.EXE"
Wed 18 Aug 2004 389,120 A..H. --- "C:\DELL\PXDRV.DLL"
Mon 2 Aug 2004 20,576 A..H. --- "C:\DELL\PXHELP20.SYS"
Mon 2 Aug 2004 54,976 A..H. --- "C:\DELL\PXHELP64.SYS"
Mon 2 Aug 2004 32,272 A..H. --- "C:\DELL\PXHELPER.SYS"
Mon 2 Aug 2004 26,720 A..H. --- "C:\DELL\PXHLPA64.SYS"
Mon 2 Aug 2004 57,344 A..H. --- "C:\DELL\PXHPINST.EXE"
Mon 2 Aug 2004 53,760 A..H. --- "C:\DELL\PXINSA64.EXE"
Mon 2 Aug 2004 104,960 A..H. --- "C:\DELL\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\PXMAS.DLL"
Wed 28 Jul 2004 57,344 A..H. --- "C:\DELL\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\PXWAVE.DLL"
Thu 20 May 2004 28,672 A..H. --- "C:\DELL\VXBLOCK.DLL"
Fri 6 Oct 2006 4 A..H. --- "C:\WINDOWS\uccspecb.sys"
Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\MEDIAEXE\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\MEDIAEXE\PX.DLL"
Wed 28 Jul 2004 56,832 A..H. --- "C:\DELL\MEDIAEXE\PXCPYA64.EXE"
Wed 28 Jul 2004 108,544 A..H. --- "C:\DELL\MEDIAEXE\PXCPYI64.EXE"
Wed 18 Aug 2004 389,120 A..H. --- "C:\DELL\MEDIAEXE\PXDRV.DLL"
Mon 2 Aug 2004 20,576 A..H. --- "C:\DELL\MEDIAEXE\PXHELP20.SYS"
Mon 2 Aug 2004 54,976 A..H. --- "C:\DELL\MEDIAEXE\PXHELP64.SYS"
Mon 2 Aug 2004 32,272 A..H. --- "C:\DELL\MEDIAEXE\PXHELPER.SYS"
Mon 2 Aug 2004 26,720 A..H. --- "C:\DELL\MEDIAEXE\PXHLPA64.SYS"
Mon 2 Aug 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXHPINST.EXE"
Mon 2 Aug 2004 53,760 A..H. --- "C:\DELL\MEDIAEXE\PXINSA64.EXE"
Mon 2 Aug 2004 104,960 A..H. --- "C:\DELL\MEDIAEXE\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\MEDIAEXE\PXMAS.DLL"
Wed 28 Jul 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\MEDIAEXE\PXWAVE.DLL"
Thu 20 May 2004 28,672 A..H. --- "C:\DELL\MEDIAEXE\VXBLOCK.DLL"
Fri 11 Jul 2008 294 A.SH. --- "C:\WINDOWS\SYSTEM32\uthwqkkr.tmp"
Tue 7 Feb 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 30 May 2005 64,512 A..H. --- "C:\Documents and Settings\Billy\Application Data\rbap450.dll"
Mon 30 May 2005 1,360,384 A..H. --- "C:\Documents and Settings\Billy\Application Data\V4RB.dll"
Sun 6 Apr 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Sun 6 Apr 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Tue 19 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sat 30 Apr 2005 28,672 ...H. --- "C:\Documents and Settings\Sharon\My Documents\SGBC\~WRL0944.tmp"
Sat 30 Apr 2005 29,184 ...H. --- "C:\Documents and Settings\Sharon\My Documents\SGBC\~WRL1495.tmp"
Mon 2 Oct 2006 50,280 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Thu 2 Dec 2004 3,338,240 A..H. --- "C:\Documents and Settings\Billy\My Documents\bible\Colossians\~WRL0005.tmp"
Tue 25 Jun 2002 21,504 A..H. --- "C:\Documents and Settings\Billy\My Documents\bible\Dispensationalism S.'02\~WRL0852.tmp"
Thu 19 Dec 2002 28,160 A..H. --- "C:\Documents and Settings\Billy\My Documents\bible\Greek Exegetical Methods F.'02\~WRL3778.tmp"
Fri 27 Feb 2004 62,464 A..H. --- "C:\Documents and Settings\Billy\My Documents\bible\Biblical Preaching\Course Questions & Sermon Paper\~WRL0164.tmp"
Fri 27 Feb 2004 59,904 A..H. --- "C:\Documents and Settings\Billy\My Documents\bible\Biblical Preaching\Course Questions & Sermon Paper\~WRL0754.tmp"
Fri 27 Feb 2004 70,144 A..H. --- "C:\Documents and Settings\Billy\My Documents\bible\Biblical Preaching\Course Questions & Sermon Paper\~WRL1424.tmp"
Thu 26 Feb 2004 53,760 A..H. --- "C:\Documents and Settings\Billy\My Documents\bible\Biblical Preaching\Course Questions & Sermon Paper\~WRL2637.tmp"
Fri 27 Feb 2004 56,320 A..H. --- "C:\Documents and Settings\Billy\My Documents\bible\Biblical Preaching\Course Questions & Sermon Paper\~WRL2732.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Billy\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Billy\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Billy\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Billy\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Robby\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Robby\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Robby\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Robby\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Sara\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Sara\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Sara\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Sara\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Finished!
Malwarebytes' Anti-Malware 1.22
Database version: 978
Windows 5.1.2600 Service Pack 3
3:54:12 PM 7/22/2008
mbam-log-7-22-2008 (15-54-12).txt
Scan type: Full Scan (C:\|)
Objects scanned: 168051
Time elapsed: 5 hour(s), 22 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 36
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{4d25f920-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4d25f923-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f924-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (Adware.MyWay) -> Delete on reboot.
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dpiruiwy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\f3PSSavr.scr.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fdszer.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fhwpjt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\flemlxik.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fnjxoycr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gpqgde.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jnbkgb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lwwgjy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\oajufrib.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ovwleaxq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\skuoyqmk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zdznic.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
shelf life
2008-07-23, 01:10
hi Mars4now,
thanks for the info. hows the pop up situation now on your end?
Mars4now
2008-07-23, 19:13
Hi shelf life,
The pop ups a gone and the computer is running faster. Thank you for your time and effort!
Mars4now
shelf life
2008-07-24, 01:38
hi,
ok good. the easy way to remove both combofix and sdfix we used is with OTmoveIt2: keep malwarebytes and always check for updates before using it.
Please download the OTMoveIt2 by OldTimer.
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
* Save it to your desktop.
* Please double-click OTMoveIt2.exe to run it.
click the green looking Cleanup! button at the top
chose yes at the prompts.
two things java and system restore points:
java
Vulnerabilities and possible exploits in versions of Sun Java may be responsible for some malware installs via your browser.
It is important to keep Sun Java up to date and also to remove older versions which may have vulnerabilites and possible exploits that can be taken advantage of to possibly introduce malware via your browser.
* 1. Uninstall old versions of Sun Java via Add/Remove Programs.
* 2. Click the Remove or Change/Remove button
* 3. Reboot your PC if prompted.
to check if you have the latest version of Java and to download the latest version:
http://www.java.com/en/download/installed.jsp
system restore:
One of the features of Windows ME,XP and Vista is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore. (deletes old possibly infected restore points)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.(create new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot
if all is good:
My Top Ten
The Short Version:
1) Keep your OS, (Windows) browser (IE, FireFox) and software up to date.
2) Know what you are installing to your computer. A lot of software can come with unwanted add-ons. Do you trust the source?
3) Install, keep updated: antivirus and two anti-malware applications.
4)Dont click on links or install files you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting the message. Do you trust the source?
5) Dont click on adds/pop ups or offers from websites to install software.
6) Dont click on offers to "scan" your computer.
7) Set up and use limited accounts rather than administrator accounts.
8) Consider using an alternate browser and E-mail client.
9) Install and understand the limitations of a third party software firewall.
10) If your habits include visiting or installing files from: warez, cracks etc or p2p networks you are much more likely to encounter malicious code. Do you trust the source?
happy safe surfing