View Full Version : Virtumonde.prx, can't boot
GoPhillies
2008-10-20, 07:06
I started getting a lot of pop-up ads last week, ran Spybot S&D which said I have Virtumonde.prx. I ran "Fix problems," but it was unsuccessful. I ran McAfee Virus Scan (free AOL version), but it didn't identify any problems. I quit using my computer, but left it running, not connected to the Net except McAfee's regular updates. This morning McAfee left a window saying it had picked up and fixed a vundo trojan. I looked at the McAfee log, and it listed a bunch of files that it had quarantined. Hoping that updated McAfee definitions had fixed the problem, I ran Spybot S&D today, but it still identified Virtumonde.prx. I told S&D to "Fix Problems," and it gave me green checkmarks. I had read on the Spybot description of Virtumonde that I needed to disconnect my Internet connection and reboot after running a fix, so I did that, rebooting by cycling the power.
Now I get the blue screen with the message: "STOP: c000021a (Fatal System Error) The Windows Logon Process system process terminated unexpectedly with a status of 0x00000000 (0x00000000 0x00000000)
The system has been shut down."
I am using my laptop for this post, as I can't get past the blue screen on the infected desktop machine. Please help.
Due to work hours, it may take me awhile to respond to your instructions.
pskelley
2008-10-23, 13:27
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Once you get the computer running again, read and follow the directions posted above and pinned (sticky) to the top of this forum, then post a HJT log according to the directions for starters.
http://support.microsoft.com/kb/156669 <<< to troubleshoot the error message you posted.
Thanks
GoPhillies
2008-10-24, 14:44
Thank you for responding. I will be away from my computer for the next 3 days, and will try to get around the Fatal System Error when I get back. FYI, I am using Windows XP Media Center Edition with SP 2. I do have the OS DVD supplied by Dell, so I should be able to boot using the disk.
pskelley
2008-10-24, 14:55
Ahhh...being from Clearwater/St.Petersburg, I will guess you are in front of the TV watching the series. I suggest you ask questions about Dell to the Dell techs: If the computer is still under warranty, keep in mind about anything you do could invalidate the warranty.
http://support.dell.com/
Thanks...Phil
GoPhillies
2008-10-24, 15:10
I just read the MS Troubleshooting page, and they advise against a software reinstallation except as a last resort, as I will lose my System Restore recovery points. From what I have read about Virtumonde, I probably have a winlogon.exe problem. I'll get back at it Monday evening.
GoPhillies
2008-10-24, 15:13
Ahhh...being from Clearwater/St.Petersburg, I will guess you are in front of the TV watching the series.
Nope, going to a reunion, so I'll be away from the TV too until Sunday evening. Ugly loss last night.
GoPhillies
2008-10-29, 17:51
Back from reunion. Good times.
Phillies up 3 games to 1.
Computer booted without the error message.
I have a good feeling about this.
Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:20 AM, on 10/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [1cb92e0b] rundll32.exe "C:\WINDOWS\system32\tkggxrnb.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.6.9/cab/aolpPlugins.10.6.0.4.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {B69B0694-EB7C-4468-B572-B781062A1EF2} (KooPlayer Control) - http://static.mediazone.com/player/1.0.0.67/MZPlayer.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5382/mcfscan.cab
O20 - AppInit_DLLs: mgfbkz.dll ixnjtx.dll wbysep.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 9242 bytes
pskelley
2008-10-29, 18:01
Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
I see evidence that the Vundo infection still exists on the computer, let's proceed like this.
1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
2) Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed
Please continue as follows:
*Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
http://www.bleepingcomputer.com/forums/topic114351.html
Remember to re-enable them afterwards.
*Click Yes to allow ComboFix to continue scanning for malware.
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
When the tool is finished, it will produce a report for you. Post that report and a new HJT log
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use
Thanks...Phil
GoPhillies
2008-10-29, 18:03
By the way, my computer booted without the blue screen and Fatal System Error message. Not sure why, as I did not do any of the troubleshooting that MS suggested. I suspect, however, that the winlogon.exe problem is still lurking somewhere.
I will be using my laptop to communicate, and will move files back and forth with a flash drive. The Internet is almost unusable on the infected machine, so I unplugged the cable.
pskelley
2008-10-29, 18:08
As indicated in the above post, I agree with you about the infection. Let's hope that flash drive is not infected!
Thanks for the feedback...
GoPhillies
2008-10-29, 18:42
When I restarted my computer, I got the blue screen and error message again. I cycled the power button and pressed F12 during startup, got the Boot Menu screen, selected boot from SATA Hard Drive, hit Enter, and it finished the restart.
I have tried to install the Recovery Console, but Windows can't find the file on my Windows XP disk. i386\winnt32.exe is there, but not cmdcon.
GoPhillies
2008-10-29, 18:49
Pardon me, cmdcons is not showing up.
GoPhillies
2008-10-29, 18:53
Got it. I failed to notice the space between / and cmdcons.
GoPhillies
2008-10-29, 20:18
ComboFix 08-10-29.07 - Dad 2008-10-29 13:47:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1397 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\tempzor
C:\WINDOWS\system32\bllkeuep.dll
C:\WINDOWS\system32\bnrxggkt.ini
C:\WINDOWS\system32\cdrldcfc.ini
C:\WINDOWS\system32\cfcdlrdc.dll
C:\WINDOWS\system32\ebodkfap.dll
C:\WINDOWS\system32\ehqneiut.dll
C:\WINDOWS\system32\iktkawvm.dll
C:\WINDOWS\system32\ixnjtx.dll
C:\WINDOWS\system32\laqnhget.exe
C:\WINDOWS\system32\mgfbkz.dll
C:\WINDOWS\system32\mkxyxu.dll
C:\WINDOWS\system32\mnWvCcdd.ini
C:\WINDOWS\system32\mnWvCcdd.ini2
C:\WINDOWS\system32\pqugsjvm.ini
C:\WINDOWS\system32\pwhwjaup.ini
C:\WINDOWS\system32\rCcKkUvw.ini
C:\WINDOWS\system32\rCcKkUvw.ini2
C:\WINDOWS\system32\snyxvppv.ini
C:\WINDOWS\system32\tdpdzw.dll
C:\WINDOWS\system32\uzdgqg.dll
C:\WINDOWS\system32\vxbnlgdq.dll
C:\WINDOWS\system32\wbysep.dll
C:\WINDOWS\system32\wvUkKcCr.dll
C:\WINDOWS\system32\xcxlricc.ini
C:\WINDOWS\system32\ychsbkau.dll
C:\WINDOWS\system32\yedunhmb.dll
C:\WINDOWS\system32\zgfadk.dll
.
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-29 )))))))))))))))))))))))))))))))
.
2008-10-29 11:41 . 2008-10-29 11:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-16 11:20 . 2008-10-16 11:20 121 --ahs---- C:\WINDOWS\system32\ueffiasc.ini
2008-10-15 11:20 . 2008-10-15 11:20 120 --ahs---- C:\WINDOWS\system32\ibqdswae.ini
2008-10-15 11:00 . 2008-10-19 20:11 153 --a------ C:\WINDOWS\wininit.ini
2008-10-15 02:05 . 2008-10-15 02:05 29,696 --a------ C:\WINDOWS\system32\opnlMcbx.dll
2008-10-15 02:05 . 2008-10-15 02:05 29,696 --a------ C:\WINDOWS\system32\jkkIXOfD.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-29 15:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-20 03:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-20 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-10-05 23:55 --------- d-----w C:\Program Files\Picasa2
2008-09-28 05:55 --------- d-----w C:\Program Files\America Online 9.0b
2008-09-12 12:00 --------- d-----w C:\Program Files\McAfee
2008-09-12 03:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-12 03:40 --------- d-----w C:\Program Files\Lavasoft
2008-09-12 03:40 --------- d-----w C:\Documents and Settings\Dad\Application Data\Lavasoft
2008-09-12 03:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-12 03:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-11 21:18 --------- d-----w C:\Documents and Settings\Dad\Application Data\HouseCall 6.6
2008-09-06 04:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2007-11-10 00:35 22,328 ----a-w C:\Documents and Settings\Dad\Application Data\PnkBstrK.sys
2006-05-30 22:09 1 ----a-w C:\Documents and Settings\Pete\SI.bin
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 50,776 2005-07-12 05:17:42 C:\Program Files\America Online 9.0b\bak\AOL.EXE
----a-w 339,968 2004-07-14 02:10:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
----a-w 50,736 2006-09-26 00:52:48 C:\Program Files\Common Files\AOL\1142944241\ee\bak\AOLSoftware.exe
----a-w 50,736 2006-09-26 00:52:48 C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe
----a-w 153,168 2006-11-20 20:42:15 C:\Program Files\Common Files\AOL\1142944241\ee\bak\SSCRun.exe
----a-r 71,216 2006-10-23 12:50:37 C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe
----a-w 65,536 2003-05-01 23:44:50 C:\Program Files\Common Files\Roxio Shared\System\bak\EngUtil.exe
----a-w 53,248 2005-02-23 20:19:56 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe
----a-w 241,664 2004-05-12 20:18:56 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe
----a-w 324 2008-02-21 06:30:36 C:\Program Files\HP\hpcoretech\bak\data\EvntData-1007428232.xml
----a-w 20,480 2007-01-08 16:22:46 C:\Program Files\McAfee\MBK\bak\LogOnHook.exe
----a-w 20,480 2007-01-08 16:22:46 C:\Program Files\McAfee\MBK\LogonHook.exe
----a-w 4,838,952 2007-01-16 18:59:50 C:\Program Files\McAfee\MBK\bak\McAfeeDataBackup.exe
----a-w 4,838,952 2007-01-16 18:59:50 C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
----a-w 401,491 2004-02-03 21:42:54 C:\Program Files\Microsoft ActiveSync\bak\WCESCOMM.EXE
----a-w 99,480 2004-04-05 21:33:54 C:\Program Files\Pure Networks\Port Magic\bak\bak\PortAOL.exe
----a-w 99,480 2004-04-05 21:33:54 C:\Program Files\Pure Networks\Port Magic\bak\bak\PortAOL.exe
----a-w 282,624 2007-04-27 13:41:54 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-03-29 03:37:20 C:\Program Files\QuickTime\QTTask.exe
----a-w 319,488 2003-07-15 17:36:50 C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\bak\RxMon.exe
----a-w 868,352 2003-10-21 15:43:12 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak\DrgToDsc.exe
----a-w 292,152 2007-09-23 17:30:24 C:\Program Files\WinPatrol\bak\winpatrol.exe
----a-w 64,512 2005-08-05 18:56:34 C:\WINDOWS\ehome\bak\ehtray.exe
----a-w 64,512 2005-08-05 18:56:34 C:\WINDOWS\ehome\ehtray.exe
----a-w 15,360 2004-08-10 11:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-10 11:00:00 C:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86E7AEDE-F36B-4CCC-8F97-50923DB32982}]
2008-10-15 02:05 29696 --a------ C:\WINDOWS\system32\jkkIXOfD.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9DD4658C-27E2-422C-90DD-C93BF0015DA5}]
2008-10-29 14:03 313344 --a------ C:\WINDOWS\system32\jkkhiIcY.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d3f70ce6-888e-4115-9924-ba0d44acad0e}]
2008-10-29 14:05 123904 --a------ C:\WINDOWS\system32\wmxcms.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15360]
"AOL Fast Start"="C:\Program Files\America Online 9.0b\AOL.EXE" [N/A]
"Start WingMan Profiler"="" [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512]
"HostManager"="C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe" [2006-09-25 50736]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"1cb92e0b"="C:\WINDOWS\system32\cfcdlrdc.dll" [N/A]
"P17Helper"="P17.dll" [2005-05-03 C:\WINDOWS\system32\P17.dll]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{86E7AEDE-F36B-4CCC-8F97-50923DB32982}"= "C:\WINDOWS\system32\jkkIXOfD.dll" [2008-10-15 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkIXOfD]
2008-10-15 02:05 29696 C:\WINDOWS\system32\jkkIXOfD.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=mgfbkz.dll ixnjtx.dll wbysep.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\jkkhiIcY
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0b\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\1142944241\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 chdrvr01;CH Control Manager Driver 1;C:\WINDOWS\system32\DRIVERS\chdrvr01.sys [2004-09-13 198880]
R3 chdrvr02;CH Control Manager Driver 2;C:\WINDOWS\system32\DRIVERS\chdrvr02.sys [2001-10-29 3712]
R3 chdrvr03;CH Control Manager Driver 3;C:\WINDOWS\system32\DRIVERS\chdrvr03.sys [2001-10-29 7584]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f89b2fe-5e51-11db-80de-00038a000015}]
\Shell\AutoRun\command - explorer.exe http://www.cymbaltamd.com
.
Contents of the 'Scheduled Tasks' folder
2008-10-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
2008-10-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2008-10-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -
BHO-{26FB4E7B-69EE-4A1E-A64E-B215A6E44D01} - C:\WINDOWS\system32\wvUkKcCr.dll
BHO-{296E9158-78F1-4747-A6FB-A9E262B350EF} - C:\WINDOWS\system32\ddcCvWnm.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\lpyuq3xn.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.pcusa.org/cgi-bin/lectiond.cgi
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-29 13:58:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\jkkIXOfD.dll
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\jkkhiIcY.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wkdmtxqk.exe
.
**************************************************************************
.
Completion time: 2008-10-29 14:09:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-29 18:09:19
Pre-Run: 185,860,902,912 bytes free
Post-Run: 185,964,376,064 bytes free
242 --- E O F --- 2008-09-27 18:09:32
GoPhillies
2008-10-29, 20:20
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:01 PM, on 10/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.6.9/cab/aolpPlugins.10.6.0.4.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {B69B0694-EB7C-4468-B572-B781062A1EF2} (KooPlayer Control) - http://static.mediazone.com/player/1.0.0.67/MZPlayer.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5382/mcfscan.cab
O20 - AppInit_DLLs: mgfbkz.dll ixnjtx.dll wbysep.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 8675 bytes
pskelley
2008-10-30, 00:07
Thanks for returning your information, I am going to post a lot of instructions and I want you to know I am in no way expecting you to rush. Please take the time you need to read carefully and to complete the instructions carefully and in the numbered order.
We have new problems, you also have this infection:
http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.Win32.Agent.awf&threatid=70517
http://www.google.com/search?hl=en&q=Trojan.AWF+&btnG=Google+Search&aq=f&oq=
This one is a file infector and it has infected some of your programs. combofix will usually fix it, wish us luck, the manual removal is tough.
Do you know how you got this badly infected?
1) C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546
2) C:\Program Files\Java\jre1.6.0_02\ <<< update Java, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
(IT IS VERY IMPORTANT YOU GET EVERYTHING POSTED IN THE NOTEPAD)
4) Open notepad and copy/paste the text in the codebox below into it:
AWF::
C:\Program Files\America Online 9.0b\bak\AOL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
C:\Program Files\Common Files\AOL\1142944241\ee\bak\AOLSoftware.exe
C:\Program Files\Common Files\AOL\1142944241\ee\bak\SSCRun.exe
C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe
C:\Program Files\Common Files\Roxio Shared\System\bak\EngUtil.exe
C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe
C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe
C:\Program Files\HP\hpcoretech\bak\data\EvntData-1007428232.xml
C:\Program Files\McAfee\MBK\bak\LogOnHook.exe
C:\Program Files\McAfee\MBK\bak\McAfeeDataBackup.exe
C:\Program Files\Microsoft ActiveSync\bak\WCESCOMM.EXE
C:\Program Files\Pure Networks\Port Magic\bak\bak\PortAOL.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\bak\RxMon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak\DrgToDsc.exe
C:\Program Files\WinPatrol\bak\winpatrol.exe
C:\WINDOWS\ehome\bak\ehtray.exe
C:\WINDOWS\system32\bak\ctfmon.exe
File::
C:\WINDOWS\system32\ueffiasc.ini
C:\WINDOWS\system32\ibqdswae.ini
C:\WINDOWS\system32\opnlMcbx.dll
C:\WINDOWS\system32\jkkIXOfD.dll
C:\WINDOWS\system32\wmxcms.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86E7AEDE-F36B-4CCC-8F97-50923DB32982}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9DD4658C-27E2-422C-90DD-C93BF0015DA5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d3f70ce6-888e-4115-9924-ba0d44acad0e}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkIXOfD]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{86E7AEDE-F36B-4CCC-8F97-50923DB32982}"=-
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)
5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O20 - AppInit_DLLs: mgfbkz.dll ixnjtx.dll wbysep.dll <<< this may be gone
Close all programs but HJT and all browser windows, then click on "Fix Checked"
6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
7) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.
How is the computer running?
Thanks
GoPhillies
2008-10-30, 02:01
I have no idea how things got this bad. I had a few unwanted pop-ups about 2 weeks ago, but nothing bad. It really went down the tubes after a session on a college sports forum that I visit every day. I have not heard that any of the other posters have an infection, however, so doubt that was the source.
I will not be able to get back at this until Saturday afternoon.
Thanks for your help. So far, your instructions have been easy to follow for this technophobe.
GoPhillies
2008-11-02, 02:47
Big problem! I dragged the CFScript.txt file into the ComboFix icon on the desktop, and everything ran as it was supposed to. However, when ComboFix tried to reboot my computer, I got the blue screen with the c000021a Fatal System Error message! I'm now stuck in the midst of ComboFix with nowhere to go. The way I have gotten my computer to boot past this error message in the past was to turn the power button off, then on, and hit the F12 key during the boot, but I don't dare do that in the middle of ComboFix.
The last time I ran ComboFix, I did not get this Error message.
pskelley
2008-11-02, 03:00
Have a look at these link, perhaps you will see something to help.
http://www.google.com/search?hl=en&q=c000021a+Fatal+System+Error+&btnG=Google+Search&aq=f&oq=
Because of the infections you have, and many of your programs are infected, you might want to consider reformatting.
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm
If you can get that CFScript to run it may clean the AWF infection? We would be able to continue trying to clean the mess?
Thanks
GoPhillies
2008-11-02, 03:39
OK, I cycled the power, hit F12, "Boot from SATA Hard Drive," and it rebooted, finished ComboFix, and produced a log file. Whew! When ComboFix says to not touch the computer while the program is running, and it also says it is not responsible for any damage done to the computer, I don't like to see anything unexpected! Looks like I'm OK, though. Back soon with the log files.
GoPhillies
2008-11-02, 05:00
ComboFix log after adding the CFScript per your codebox:
ComboFix 08-11-01.01 - Dad 2008-11-01 20:37:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1411 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\system32\ibqdswae.ini
C:\WINDOWS\system32\jkkIXOfD.dll
C:\WINDOWS\system32\opnlMcbx.dll
C:\WINDOWS\system32\ueffiasc.ini
C:\WINDOWS\system32\wmxcms.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\ibqdswae.ini
C:\WINDOWS\system32\itsmireg.dll
C:\WINDOWS\system32\jkkIXOfD.dll
C:\WINDOWS\system32\qgeinjir.dll
C:\WINDOWS\system32\refrekgr.dll
C:\WINDOWS\system32\rgkerfer.ini
C:\WINDOWS\system32\rijniegq.ini
C:\WINDOWS\system32\rnlieumo.dll
C:\WINDOWS\system32\ueffiasc.ini
C:\WINDOWS\system32\wmxcms.dll
C:\WINDOWS\system32\wrhrdt.dll
C:\WINDOWS\system32\YcIihkkj.ini
C:\WINDOWS\system32\YcIihkkj.ini2
.
((((((((((((((((((((((((( Files Created from 2008-10-02 to 2008-11-02 )))))))))))))))))))))))))))))))
.
2008-11-01 20:33 . 2008-11-01 20:33 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-11-01 20:33 . 2008-11-01 20:33 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-29 11:41 . 2008-10-29 11:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-15 11:00 . 2008-10-19 20:11 153 --a------ C:\WINDOWS\wininit.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-02 01:35 --------- d-----w C:\Program Files\QuickTime
2008-11-02 01:35 --------- d-----w C:\Program Files\America Online 9.0b
2008-11-02 00:37 --------- d-----w C:\Program Files\WinPatrol
2008-11-02 00:37 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-11-02 00:33 --------- d-----w C:\Program Files\Java
2008-11-02 00:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-11-01 18:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-10-29 15:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-20 03:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-05 23:55 --------- d-----w C:\Program Files\Picasa2
2008-09-12 12:00 --------- d-----w C:\Program Files\McAfee
2008-09-12 03:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-12 03:40 --------- d-----w C:\Program Files\Lavasoft
2008-09-12 03:40 --------- d-----w C:\Documents and Settings\Dad\Application Data\Lavasoft
2008-09-12 03:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-12 03:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-11 21:18 --------- d-----w C:\Documents and Settings\Dad\Application Data\HouseCall 6.6
2008-09-06 04:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2007-11-10 00:35 22,328 ----a-w C:\Documents and Settings\Dad\Application Data\PnkBstrK.sys
2006-05-30 22:09 1 ----a-w C:\Documents and Settings\Pete\SI.bin
.
((((((((((((((((((((((((((((( snapshot@2008-10-29_14.06.33.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-29 17:24:36 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-01 23:53:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-10-29 17:24:36 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-01 23:53:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-01 23:53:42 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-07-12 05:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-11-02 00:33:19 144,792 ----a-w C:\WINDOWS\system32\java.exe
- 2007-07-12 05:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-11-02 00:33:19 144,792 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-07-12 06:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-11-02 00:33:19 148,888 ----a-w C:\WINDOWS\system32\javaws.exe
- 2008-08-26 17:28:14 16,208,504 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-10-07 19:19:40 16,721,856 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-11-02 01:35:12 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_554.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15360]
"AOL Fast Start"="C:\Program Files\America Online 9.0b\AOL.EXE" [2005-07-12 50776]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512]
"HostManager"="C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe" [2006-09-25 50736]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-04-27 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-11-01 136600]
"P17Helper"="P17.dll" [2005-05-03 C:\WINDOWS\system32\P17.dll]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0b\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\1142944241\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-11-01 152984]
R3 chdrvr01;CH Control Manager Driver 1;C:\WINDOWS\system32\DRIVERS\chdrvr01.sys [2004-09-13 198880]
R3 chdrvr02;CH Control Manager Driver 2;C:\WINDOWS\system32\DRIVERS\chdrvr02.sys [2001-10-29 3712]
R3 chdrvr03;CH Control Manager Driver 3;C:\WINDOWS\system32\DRIVERS\chdrvr03.sys [2001-10-29 7584]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f89b2fe-5e51-11db-80de-00038a000015}]
\Shell\AutoRun\command - explorer.exe http://www.cymbaltamd.com
.
Contents of the 'Scheduled Tasks' folder
2008-10-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
2008-10-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2008-11-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -
BHO-{26cb046b-a43d-4d3d-8799-6272caea1288} - C:\WINDOWS\system32\wrhrdt.dll
HKCU-Run-Start WingMan Profiler - (no file)
HKLM-Run-1cb92e0b - C:\WINDOWS\system32\qgeinjir.dll
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-01 21:35:28
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\Program Files\America Online 9.0b\shellmon.exe
.
**************************************************************************
.
Completion time: 2008-11-01 21:47:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-02 01:47:40
ComboFix2.txt 2008-10-29 18:09:43
Pre-Run: 185,814,540,288 bytes free
Post-Run: 185,707,511,808 bytes free
198 --- E O F --- 2008-11-02 01:45:35
HJT log after running ComboFix:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:33 PM, on 11/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\America Online 9.0b\waol.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.6.9/cab/aolpPlugins.10.6.0.4.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {B69B0694-EB7C-4468-B572-B781062A1EF2} (KooPlayer Control) - http://static.mediazone.com/player/1.0.0.67/MZPlayer.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5382/mcfscan.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 9424 bytes
GoPhillies
2008-11-02, 05:02
MBAM log:
Malwarebytes' Anti-Malware 1.30
Database version: 1355
Windows 5.1.2600 Service Pack 2
11/1/2008 10:48:22 PM
mbam-log-2008-11-01 (22-48-22).txt
Scan type: Full Scan (C:\|)
Objects scanned: 189464
Time elapsed: 51 minute(s), 20 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 21
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\cfcdlrdc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\itsmireg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\qgeinjir.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\refrekgr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rnlieumo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\uzdgqg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wmxcms.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wrhrdt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ychsbkau.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{517D1832-159B-40DF-A657-3C9535C2C680}\RP887\A0111517.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{517D1832-159B-40DF-A657-3C9535C2C680}\RP888\A0111594.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{517D1832-159B-40DF-A657-3C9535C2C680}\RP888\A0111607.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{517D1832-159B-40DF-A657-3C9535C2C680}\RP888\A0111612.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{517D1832-159B-40DF-A657-3C9535C2C680}\RP890\A0111718.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{517D1832-159B-40DF-A657-3C9535C2C680}\RP890\A0111720.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{517D1832-159B-40DF-A657-3C9535C2C680}\RP896\A0112072.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{517D1832-159B-40DF-A657-3C9535C2C680}\RP896\A0112070.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{517D1832-159B-40DF-A657-3C9535C2C680}\RP896\A0112073.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{517D1832-159B-40DF-A657-3C9535C2C680}\RP896\A0112074.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{517D1832-159B-40DF-A657-3C9535C2C680}\RP896\A0112077.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{517D1832-159B-40DF-A657-3C9535C2C680}\RP896\A0112078.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
HJT log after running MBAM:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:34 PM, on 11/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\America Online 9.0b\waol.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.6.9/cab/aolpPlugins.10.6.0.4.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {B69B0694-EB7C-4468-B572-B781062A1EF2} (KooPlayer Control) - http://static.mediazone.com/player/1.0.0.67/MZPlayer.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5382/mcfscan.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 9550 bytes
GoPhillies
2008-11-02, 05:28
The computer is running much faster. I have not signed on to the Internet, and I don't plan to until I get the OK from you. At some point I will want advice on what I need to turn on and/or install to protect from this happening again.
pskelley
2008-11-02, 15:47
I had a post prepared with connection information and will give you that information also in case it helps once I look over these results.
I can not point at anything in this HJT log that looks like malware, but I will suggest you have a lot of stuff starting up each time that I doubt you need. This stuff slows your boottime, uses resources during operation (especially questionable when you don't use the programs) and slows the shutdown. Have a look at this information:
http://www.netsquirrel.com/msconfig/msconfig_xp.html
http://www.malwareremoval.com/tutorials/runningslowly.php
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Moving on with the cleanup, I can report all of what MBAM located is either in combofix quarantine or infected System Restore files. Let's do this now:
1) Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
2) Clean infected System Restore files:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
3) Update MBAM (if possible) and scan to be sure we missed none of the junk. No need to post a clean scan result.
4) Update McAfee and scan the system, both to be sure it is running right and scaning clean. If you have issues with the program, contact tech support for instructions. http://www.mcafee.com/us/support/
5) Please post an uninstall list for me to view:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
Let me know how the computer is running now.
Thanks
__________________________________
Posting this internet connection troubleshooting information for you.
http://support.microsoft.com/kb/310590/en-us
http://support.microsoft.com/default.aspx?scid=kb;en-us;281336&sd=tech
Network Connections Repair:
Go to Control Panel > Network Connections.
Right-click on the network icons and select Repair.
Alternately, if the network icon appears in the notification area in the lower right corner of your desktop, right-click it, and then click Repair from the shortcut menu.
How to reset Internet Protocol (TCP/IP) in Windows XP
http://support.microsoft.com/kb/299357
Network Diagnostics for Windows XP is available to help identify and fix network connection problems
http://support.microsoft.com/kb/914440/en-us
Repair/Reset Winsock settings (Links)
http://windowsxp.mvps.org/winsock.htm
http://www.microsoft.com/windows/using/tools/igd/default.mspx
Internet Connectivity Evaluation Tool
The Internet Connectivity Evaluation Tool checks your Internet
router to see if it supports certain technologies
I have not had the opportunity to use all of those tools, so proceed with caution, if you make a change, record it in case you need to change back.
GoPhillies
2008-11-03, 05:12
The MBAM and McAfee scans both came back clean.
The computer is running faster than it has in a long time. I had added a gig of RAM last month and was disappointed that performance didn't seem all that much better. This clean-up has made a huge difference! Best of all, I am no longer getting the Fatal System Error message, and I am using Internet Explorer with no pop-ups.
I have updated and re-enabled McAfee's virus protection, spyware protection, SytemGuard, script scanning, firewall, and e-mail and IM protection. These are all part of the free version of McAfee provided by AOL. What else should I run to safeguard against another infection like this? Do I need a better set of tools than McAfee?
I now have HijackThis, ATF-Cleaner, MBAM, Ad-Aware, and Spybot S&D saved on my desktop. How much of this should I keep/purchase/run?
During startup I am still given the choice of booting into System Recovery. Can I get rid of this now? If so, how?
Internet connection has not been a problem, but I will save the troubleshooting links that you sent me for future reference. Also, I will start attacking all of the programs running at startup. I knew about using msconfig, but I had no idea what I needed to keep and what I could turn off. Your links will help greatly.
Here is the Uninstall List generated by HijackThis:
Ad-Aware
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.8
Adobe® Photoshop® Album Starter Edition 3.0
ADS Tech Master Installer V3.6
ADS Tech V3.6.1 DVD Xpress CapWiz
AOL Coach Version 1.0(Build:20030807.3)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Deskbar
AOL Pictures Tools (version 10.6.0.4)
AOL Toolbar 5.0
AOL Uninstaller (Choose which Products to Remove)
AOL You've Got Pictures Screensaver
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Audacity 1.2.6
Bonjour
Call of Duty(R) 4 - Modern Warfare(TM)
Call of Duty(R) 4 - Modern Warfare(TM) 1.2 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.3 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Multiplayer Patch
Call of Duty(R) 4 - Modern Warfare(TM) Demo
CH Control Manager
Dell ResourceCD
Dell Support 3.2.1
DesignPro 5.0 Limited Edition
ESPNMotion
GemMaster Mystic
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
Google Video Player
Graphics and Imaging
HijackThis 2.0.2
HouseCall 6.6
HP Image Zone 4.0
HP Scanjet 4070
HP Software Update
Intel(R) 537EP V9x DF PCI Modem
Intel(R) PRO Network Adapters and Drivers
iPAQ WebReg
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro 9
Jasc Paint Shop Pro 9.01 - (9.0.1.1)
Java(TM) 6 Update 10
K-Lite Codec Pack 2.85 Full
Learn2 Player (Uninstall Only)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Mozilla Firefox (2.0.0.17)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
OpenAL
Pacific Fighters
Pagis Viewer 2.0
Picasa 2
PowerDVD 5.5
QuickTime
RealPlayer
Snapshot Viewer
Sonic Encoders
Spybot - Search & Destroy
Time Zone Data Update Tool for Microsoft Office Outlook
Ulead Straight-to-Disc SDK
Update Rollup 2 for Windows XP Media Center Edition 2005
USB Driver
Viewpoint Media Player
WebCyberCoach 3.2 Dell
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
WingMan Software
WinZip 11.1
Yahoo! Toolbar
pskelley
2008-11-03, 17:16
I now have HijackThis, ATF-Cleaner, MBAM, Ad-Aware, and Spybot S&D saved on my desktop. How much of this should I keep/purchase/run?
None of those program run and use resources during day to day operations.
1) HijackThis: Good diagnostic tool when you need it, but it does much more. Here is a tutorial.
http://www.bleepingcomputer.com/tutorials/tutorial42.html
2) MBAM: A good on demand scanner, keep it up to date and run in once a month or so. Hackers are blocking the download so you know it works.
3) ATF-Cleaner: You will not find a better cleaning tool on the internet for the price, I clean Temp junk weekly and Prefetch when there is a possible issue.
4) Ad-Aware: Your call: http://www.google.com/search?hl=en&q=review+ad-aware&btnG=Google+Search&aq=f&oq=
5) Spybot S&D: great free on demand scanner, here is some information:
http://www.safer-networking.org/en/faq/index.html
During startup I am still given the choice of booting into System Recovery. Can I get rid of this now? If so, how?
Not sure about this one, I know it shows on the screen as you boot as does safe mode etc. Are you actually having a Windows on the Desktop that stays there? If so, provide more information.
Here is some for you: Recovery Console is a tool that will allow you to recover from a catastrophic system failure, so let's hope you never need it. Many experts believe Microsoft should have installed it by default.
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
https://psi.secunia.com/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.
Adobe Reader 7.0.8 <<< out of date and being exploited
http://www.filehippo.com/download_adobe_reader/
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Removal tool if needed: http://www.majorgeeks.com/JavaRa_d5967.html
Mozilla Firefox (2.0.0.17) <<< out of date and a security risk.
http://www.mozilla.com/en-US/firefox/
Viewpoint Media Player <<< uninstall if you don't use it.
For your information, Viewpoint is installed by aohell probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
GoPhillies
2008-11-05, 06:36
I just turned TeaTimer back on and immediately got a whole string of messages about Spybot detecting "an important registry entry that has been changed," and asking me to "Allow change" or "Deny change." What is my resonse? Am I OK to turn TeaTimer back on? I denied the first 6 or so queries, but when they kept coming, I thought better of it and decided to ask your advice.
GoPhillies
2008-11-05, 07:31
After TeaTimer sent me messages about registry changes, I decided to run mbam again, and it picked up one bad file. Here is the log:
Malwarebytes' Anti-Malware 1.30
Database version: 1358
Windows 5.1.2600 Service Pack 2
11/5/2008 12:25:36 AM
mbam-log-2008-11-05 (00-25-36).txt
Scan type: Quick Scan
Objects scanned: 56017
Time elapsed: 4 minute(s), 22 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1cb92e0b (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
GoPhillies
2008-11-05, 08:00
New HJT log after latest mbam:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:25 AM, on 11/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {296E9158-78F1-4747-A6FB-A9E262B350EF} - (no file)
O2 - BHO: (no name) - {32d3356d-3ba6-4a6d-baba-f97f2610a734} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {86E7AEDE-F36B-4CCC-8F97-50923DB32982} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: (no name) - {D8EEAB36-3CB9-41FA-B947-4AF2E28366B1} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_10.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.6.9/cab/aolpPlugins.10.6.0.4.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {B69B0694-EB7C-4468-B572-B781062A1EF2} (KooPlayer Control) - http://static.mediazone.com/player/1.0.0.67/MZPlayer.CAB
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5382/mcfscan.cab
O20 - Winlogon Notify: jkkIXOfD - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 10813 bytes
pskelley
2008-11-05, 14:05
TeaTimer has returned dead lines (not malware) to the HJT log because of it's memory, we will remove those again. Here is information about how to use TeaTimer.
http://www.safer-networking.org/en/faq/index.html
If you have questions, you can ask those here:
http://forums.spybot.info/forumdisplay.php?f=4
We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
Download ResetTeaTimer.bat to the Desktop
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {296E9158-78F1-4747-A6FB-A9E262B350EF} - (no file)
O2 - BHO: (no name) - {32d3356d-3ba6-4a6d-baba-f97f2610a734} - (no file)
O2 - BHO: (no name) - {86E7AEDE-F36B-4CCC-8F97-50923DB32982} - (no file)
O2 - BHO: (no name) - {D8EEAB36-3CB9-41FA-B947-4AF2E28366B1} - (no file)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -
O20 - Winlogon Notify: jkkIXOfD - C:\WINDOWS\
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Thanks
GoPhillies
2008-11-05, 14:59
OK, that is done. Should I turn TeaTimer back on now?
It was a bit disappointing when mbam identified another file infected with vundo. Does this mean it just missed an innocuous file on earlier scans, or that there are still problems lurking in my system that will reinfect me at some point, or that I encountered a new attack from the Internet. If it is a new attack, then I still have some vulnerability somewhere.
pskelley
2008-11-05, 15:11
I don't run TT, preferring SpywareGuard which you will read about in the links I provided. If you wish to run it, turn it on, but first read the tutorial so you know how to respond to the prompts that may occur.
The one file may have been something added to the MBAM data base recently or it may have been something missed the first run for one reason or another. Malware removal is not an exact science and the hackers continue to change the rules. Chances are any good scan you run willl locate something, but we have destroyed the executables and the malware is no longer valid.
Here is a little information about this junk.
http://en.wikipedia.org/wiki/Vundo_trojan
Keep clearly in mind that the days of kids doing pranks online are over, it is now all about the $$$ and organized crime.
http://news.cnet.com/8301-1009_3-9992897-83.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://en.wikipedia.org/wiki/Russian_Business_Network
http://rbnexploit.blogspot.com/
http://www.google.com/search?hl=en&q=infected+websites&btnG=Google+Search
Thanks
GoPhillies
2008-11-08, 17:28
It looks like everything is holding up OK. Fast startup and loading of programs, no Fatal System Errors, and pleasant Internet sessions with no pop-ups are all continuing. I updated and ran Spybot S&D last night and it detected evidence of virtumonde, which it said it fixed. I then updated and ran Mbam, and it was clean.
After reading some of the scary stuff you sent me on trojans and organized crime, I also changed a bunch of my passwords, as I have no idea how long I was infected. Checking and card accounts haven't shown any funny activity, but then I never downloaded any of the anti-spyware junk that was offered by the pop-ups.
I have noticed one consequence of the cleanup that I hope you can explain. A lot of the folders in Windows Explorer, with the exception of those in My Documents, have been rearranged, and several folders have disappeared. For instance, last night when I removed my old version of Mozilla Firefox, I tried to save my Bookmarks, which I always do when I back up my files. Firefox stores the Bookmarks file in a folder in Documents and Settings called Application Data\Mozilla\Firefox\Profiles\. The entire Application Data folder is gone, and although the Firefox Bookmarks still worked, I was unable to find that file to save it. Where did that file and the rather large Application Data folder go? In addition, I have a couple of new folders at the top of the C: drive heading that have no information to identify the purpose of the files they contain. One of the folders is labeled 174f375f17ca3244962838b9bf1caee, and it contains a .txt file that appears to be some sort of log with the name msxml4-KB927978-enu. The other folder has a similarly lengthy combination of letters and numbers, and it contains a single Application file for Windows Service Pack Setup.
Lastly, when I removed the old version of Firefox using Add-Remove, it left behind a "Mozilla Firefox" folder under my Programs folder. This Mozilla folder includes three subfolders labeled "defaults," "extensions," and "plug-ins." The "extensions" folder contains a single subfolder labeled {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}, which looks suspiciously like one of the files you had me remove through HJT. That folder eventually leads to a bunch of files labeled ffjext.dtd. Any idea what those might be, and is it OK to just delete that whole "Mozilla Firefox" folder before I install the new version?
pskelley
2008-11-08, 17:53
Most of these questions are not malware related and as such I have limited knowledge and would prefer you ask at a good Windows XP forum, here are two:
http://www.techsupportforum.com/microsoft-support/windows-xp-support/
http://www.geekstogo.com/forum/Windows-XP-2000-2003-NT-f5.html
Here are a couple of Firefox forums:
http://forums.mozillazine.org/index.php?c=4
http://support.mozilla.com/en-US/kb/Support+Website+Forums
While I keep a updated copy of my computers for emergencies, I rarely use Firefox and my knowledge is limited.
A lot of the folders in Windows Explorer, with the exception of those in My Documents, have been rearranged, and several folders have disappeared.
Possible this is a result of the malware, I just do not know.
You should be able to arrange folder as you wish, for instance:
My Documents > View > Arrange Icons by...
For your issues with files/folders in Firefox, I suggest you uninstall the program and download it again. It will install all files and folders it requires:
http://www.mozilla.com/en-US/firefox/
Make sure to update the program at that point.
msxml4-KB927978-enu >>> http://www.google.com/
http://www.google.com/search?hl=en&q=msxml4-KB927978-enu&btnG=Google+Search&aq=f&oq=
Thanks
GoPhillies
2008-11-08, 18:07
Am I OK to update my Windows XP with Service Pack 3 now?
pskelley
2008-11-08, 18:25
To be truthful, I have two XP computers. One updated with no problems, the others had issues and removed the update. I since ordered and received a CD to see if I can install it that way, but have not have the time to do it. There is also a website at Microsoft where you can get free help if you have any issues. That information:
Microsoft Windows XP Service Pack 3 (All Languages)
http://support.microsoft.com/oas/default.aspx?ln=en-us&prid=11273&gprid=522131
PURCHASE CD <<< $10. includes S&H
http://support.microsoft.com/kb/322389
If you wish to continue updates but wait on SP#3, here is additional information:
How to prevent SP3 from being installed by Windows Update
Windows Service Pack Blocker Tool Kit
http://www.microsoft.com/downloads/details.aspx?FamilyId=D7C9A07A-5267-4BD6-87D0-E2A72099EDB7&displaylang=en
I would say to go for it, but I am not the one who has to do it.
Thanks...Phil (not as in Phillies:sad:)
GoPhillies
2008-11-08, 18:28
Possible this is a result of the malware, I just do not know.
You should be able to arrange folder as you wish, for instance:
My Documents > View > Arrange Icons by...
The problem is not so much that the folders have been rearranged, but that several major folders aren't there anymore. Everything works OK, so I guess the files are there somewhere, but I can't find them using File Search. I'll contact one of the Windows XP forums and let you know what I find out.
For your issues with files/folders in Firefox, I suggest you uninstall the program and download it again. It will install all files and folders it requires:
That is what I did. The orphan folder was left behind after Uninstall. I'm worried that it may include malicious files that will be inserted into the new version of Firefox, so I'm reluctant to do the Installation without finding out what they are.
GoPhillies
2008-11-08, 18:38
By the way, I can't get rid of that danged Viewpoint. I have uninstalled it several times now through Add-Remove, but it shows back up whenever I reboot. I guess AOL keeps automatically reinstalling it. Guess I'll go on an AOL forum and research that annoyance.
pskelley
2008-11-08, 18:50
C:\Program Files\Viewpoint\ <<< you can try starting in safe mode and see if you can delete that folder. Another option I can think of is to install it again to create a new uninstaller, then try to uninstall. I wonder why aol thinks they have the right to install junk on your computer anyway. I say that, but they are smart enough to know the legalities and you can bet the information about viewpoint was included in the EULA agreement with whatever program you installed.
I have not used it, but there is a tool in MBAM you can try. The only thing, it is for files so you would have to open the folder and delete one file at a time.
MBAM > More Tools > FilesASSASSIN > Run Tool
Thanks
GoPhillies
2008-11-10, 20:26
Phil, I think we have done what we set out to accomplish, and I believe we can close this thread at your discretion. From the looks of the new pleas for help showing up on the Malware Removal forum, you have plenty of work to do, so I need to get out of your way. You have been an immeasurable help and a pleasure to work with, and I can't thank you enough.
Also, as the father of an active duty Marine infantry officer, I appreciate your "thank a veteran" signature. If you are a veteran yourself, thank you for your service, and I hope you receive the recognition that you deserve on Veterans Day tomorrow.
GoPhillies
2008-11-11, 01:39
Oops, one more question. I just noticed that I have LimeWire on my computer, downloaded back in January, 2007. To my recollection, I have never used it, and I didn't even know I had it. It does not show up under Control Panel > Add-Remove Programs, and the Windows Install Clean Up Utility doesn't show it either. There is a LimeWire folder in my Program Files, and it contains a whole bunch of "Executable Jar Files" with Java icons, but it does not contain an Uninstall Limewire icon. Any suggestions on how to remove this P2P file?
GoPhillies
2008-11-11, 01:47
The LimeWire version is 1.0.0.2. The Malware Removal web site that Spybot directs me to says that LimeWire 4.12 is clean. Should I go to the LimeWire site and upgrade to the newer version, then uninstall, or should I try to get rid of the current 1.0.0.2 version?
pskelley
2008-11-11, 02:11
This is out policy concerning all p2p programs:
File Sharing, otherwise known as Peer To Peer. (P2P)
http://forums.spybot.info/showthread.php?t=282
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
I can't help without reinstalling combofix and using a script to remove Limewire. I suggest you use Seach Companion. Start > Search > All files and folder > then search for Limewire. Write down the location of all files, then boot to safe mode when the program will not be running and delete anything SC located.
Hope that helps...
GoPhillies
2008-11-11, 03:03
Yeah, I had already read the policy. That's why I turned myself in when I noticed the LimeWire folder. Wonder why it didn't show up when we ran HijackThis, ComboFix, SpyBot, or Mbam?
GoPhillies
2008-11-11, 03:41
I guess it worked. When I rebooted a balloon popped up in the lower right corner that said "Program Changes Detected. Program(s) removed: Limewire 1." Thanks.
pskelley
2008-11-11, 14:52
It did, but once I say the AWF infection which is very bad, I concentrated on it.
Reg Loading Points <<< in the combofix lig
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
GoPhillies
2008-11-11, 21:56
Well, let me repeat my earlier post: I think we have done what we set out to accomplish, and I believe we can retire this thread. I greatly appreciate your expert, clear, very patient, not to mention successful, help with my problem. I hope that I won't need your services again, but I will certainly recommend this forum to any family or friends who have the misfortune of getting infected. Thank you!