Constant Error Interruptions
Draxton0102
2008-12-04, 06:38
As the title says I keep getting Internet Explorer error messages and/or Anti-virus pop-up ads constantly whenever I load a page or check my email etc.
I always scan my pc using malwarebytes and spybot in case one of those may help.
As a last resort, or when I'm totally confused, I come here hoping to receive some kinda help.
My HJT log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:34 PM, on 12/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\OEM05Mon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Cameron\Desktop\HiJackThis.exe
c:\PROGRA~1\mcafee\msc\mcupdui.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080620
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\_helper.dll
O2 - BHO: (no name) - {aff6df53-df1b-4e12-823e-d6d1633dc795} - C:\WINDOWS\system32\huvuhije.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [OEM05Mon.exe] C:\WINDOWS\OEM05Mon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [70747fe3] rundll32.exe "C:\WINDOWS\system32\yosunovo.dll",b
O4 - HKLM\..\Run: [rikomireha] Rundll32.exe "C:\WINDOWS\system32\bikosobu.dll",s
O4 - HKLM\..\Run: [CPM73474c7f] Rundll32.exe "C:\WINDOWS\system32\hofukuwu.dll",a
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\explorer32.exe"
O4 - HKUS\S-1-5-20\..\Run: [rikomireha] Rundll32.exe "C:\WINDOWS\system32\yanuneyi.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\rifuninu.dll c:\windows\system32\hofukuwu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hofukuwu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hofukuwu.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
--
End of file - 7298 bytes
Everything looks fine to me, but I'm not computer savvy so what do I really know? Please have a look and let me know if anything is out of the ordinary.
Thank you.
Draxton0102
2008-12-05, 17:31
Forget everything above. After I left this site to check my mail and other stuff, I get everything that is to do with spyware/malware. I used both Malwarebytes and Spybot BUT they still can't get rid of some of the stuff causing so much damage.
My new HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:45 AM, on 12/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Q5EHRw2b.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Cameron\LOCALS~1\Temp\csrssc.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\Cameron\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080620
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {aff6df53-df1b-4e12-823e-d6d1633dc795} - C:\WINDOWS\system32\neyiwafu.dll
O2 - BHO: C:\WINDOWS\system32\jsdf8j3dgf.dll - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsdf8j3dgf.dll
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Nlumulig] rundll32.exe "C:\WINDOWS\ezexocacir.dll",e
O4 - HKLM\..\Run: [rikomireha] Rundll32.exe "C:\WINDOWS\system32\ragayode.dll",s
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Cameron\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-19\..\Run: [rikomireha] Rundll32.exe "C:\WINDOWS\system32\ragayode.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rikomireha] Rundll32.exe "C:\WINDOWS\system32\ragayode.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [xsjfn83jkemfofght] C:\WINDOWS\TEMP\winlogin.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [xsjfn83jkemfofght] C:\WINDOWS\TEMP\winlogin.exe (User 'Default user')
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\giruwili.dll
O22 - SharedTaskScheduler: lke3iemrl490kgfgdsfd - {C5AF42A3-94F3-42BD-F434-3604832C897D} - C:\WINDOWS\system32\hsef73uhef.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsdf8j3dgf.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
--
End of file - 5375 bytes
Hi Draxton0102
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)
We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.
Should you have any questions, please feel free to ask.
Please let us know what you have decided to do in your next post.
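For readers following the diagnosis above, here is an added triage script (not part of the thread, not a helper-forum tool) that runs over the HijackThis entry types that carried this infection: F2 UserInit, O2 BHO, O4 Run, O7 policy, O20 AppInit_DLLs and O22 SharedTaskScheduler. The sample lines are copied from the second log in this thread; the pseudo-random-name rules are heuristics chosen for this example.

```python
import re
from typing import List, Tuple

# Sample HijackThis lines copied from the second log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {aff6df53-df1b-4e12-823e-d6d1633dc795} - C:\WINDOWS\system32\neyiwafu.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [rikomireha] Rundll32.exe "C:\WINDOWS\system32\ragayode.dll",s
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Cameron\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-18\..\Run: [xsjfn83jkemfofght] C:\WINDOWS\TEMP\winlogin.exe (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\giruwili.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsdf8j3dgf.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

# Heuristics (assumptions for this example, not HijackThis rules):
# - anything that autoruns out of a Temp directory
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)
# - the consonant/vowel names seen in this log (bikosobu, ragayode, ...)
CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}\.dll$", re.IGNORECASE)
# - letter/digit soup names (jsdf8j3dgf.dll, hsef73uhef.dll)
MIXED_NAME = re.compile(r"(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}\.dll", re.IGNORECASE)
RUNDLL_TARGET = re.compile(r'rundll32\.exe\s+"?([^",]+)', re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip()


def looks_random(dll: str) -> bool:
    return bool(CV_NAME.match(dll) or MIXED_NAME.fullmatch(dll))


def triage_line(line: str) -> List[str]:
    """Return the reasons a single HJT line deserves a second look ([] if none)."""
    reasons: List[str] = []
    kind, _, rest = line.strip().partition(" - ")
    if kind == "F2" and "UserInit=" in rest:
        # Only userinit.exe belongs here; every extra entry runs at logon.
        value = rest.split("UserInit=", 1)[1]
        entries = [e.strip() for e in value.split(",") if e.strip()]
        extra = [e for e in entries if basename(e).lower() != "userinit.exe"]
        if extra:
            reasons.append("UserInit chains extra executable(s): " + ", ".join(extra))
    elif kind == "O2" and rest.startswith("BHO: (no name)"):
        reasons.append("browser helper object with no name")
    elif kind == "O4":
        if TEMP_PATH.search(rest):
            reasons.append("autorun entry points into a Temp directory")
        m = RUNDLL_TARGET.search(rest)
        if m and looks_random(basename(m.group(1))):
            reasons.append("rundll32 loads pseudo-random DLL " + basename(m.group(1)))
    elif kind == "O7" and "DisableRegedit=1" in rest:
        reasons.append("Registry Editor disabled by policy")
    elif kind == "O20" and rest.startswith("AppInit_DLLs:") and rest.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs set: DLL injected into every user-mode process")
    elif kind in ("O21", "O22"):
        dll = basename(rest.rsplit(" - ", 1)[-1])
        if looks_random(dll):
            reasons.append(f"shell hook loads pseudo-random DLL {dll}")
    return reasons


def triage_log(log: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every flagged line in a HijackThis log."""
    hits = []
    for line in log.splitlines():
        reasons = triage_line(line)
        if reasons:
            hits.append((line.strip(), reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Eight of the ten sample lines are flagged; the McAfee O4 and O23 entries pass clean, which is the point: the hits are the lines a helper would ask SDFix or a fix script to remove.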
Draxton0102
2008-12-10, 14:11
I would like to try and fix/clean it first. I bought this pc no more than 6 months ago (I think) and to reinstall the OS would be a pain in my ass.
If I've no choice after trying to fix it, then that's what I'll have to do.
But for now I would like help in cleaning this mess up.
Thank you.
Please print out and follow these instructions: "How to use SDFix (http://www.bleepingcomputer.com/forums/topic131299.html)". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
Disconnect from the Internet and temporarily disable your anti-virus (http://www.bleepingcomputer.com/forums/topic114351.html), script blocking and any real time protection programs before performing a scan.
When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
Please copy and paste the contents of Report.txt in your next reply.
Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.
Post:
- sdfix report
- a fresh HijackThis log
Draxton0102
2008-12-11, 04:31
SDFix: Version 1.240
Run by Cameron on Wed 12/10/2008 at 07:10 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Rootkit Found :
C:\WINDOWS\system32\drivers\ATI2MLXX.sys - Rootkit Pandex/Cutwail - Protect.sys
Name :
ICF
restore
ATI2MLXX
Path :
C:\WINDOWS\system32\svchost.exe:ext.exe
\??\C:\WINDOWS\system32\drivers\restore.sys
System32\Drivers\ati2mlxx.sys
ICF - Deleted
restore - Deleted
ATI2MLXX - Deleted
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Service ATI2MLXX - Deleted after Reboot
Checking Files :
Trojan Files Found:
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\WINDOWS\system32\SNXQTDUJ.dll - Deleted
C:\WINDOWS\system32\iqlryzogam.exe - Deleted
C:\188668~1 - Deleted
C:\WINDOWS\system32\drivers\ATI2MLXX.sys - Deleted
Folder C:\Temp\tn3 - Removed
Removing Temp Files
ADS Check :
C:\WINDOWS\system32\svchost.exe
: ADS Found!
svchost.exe: deleted 25600 bytes in 1 streams.
Checking for remaining Streams
C:\WINDOWS\system32\svchost.exe
No streams found.
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 19:24:15
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\World of Warcraft\\Repair.exe"="C:\\Program Files\\World of Warcraft\\Repair.exe:*:Enabled:Blizzard Repair Utility"
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"="C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe:*:Enabled:VideoAccelerator"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Curse\\CurseClient.exe"="C:\\Program Files\\Curse\\CurseClient.exe:*:Enabled:Curse Client"
"C:\\WINDOWS\\system32\\logonui.exe"="C:\\WINDOWS\\system32\\logonui.exe:*:Enabled:logonui"
"C:\\WINDOWS\\system32\\igfxtray.exe"="C:\\WINDOWS\\system32\\igfxtray.exe:*:Enabled:igfxtray"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:rundll32"
"C:\\WINDOWS\\system32\\hkcmd.exe"="C:\\WINDOWS\\system32\\hkcmd.exe:*:Enabled:hkcmd"
"C:\\WINDOWS\\system32\\igfxpers.exe"="C:\\WINDOWS\\system32\\igfxpers.exe:*:Enabled:igfxpers"
"C:\\WINDOWS\\OEM05Mon.exe"="C:\\WINDOWS\\OEM05Mon.exe:*:Enabled:OEM05Mon"
"C:\\Program Files\\Trickster Online\\Splash.exe"="C:\\Program Files\\Trickster Online\\Splash.exe:*:Enabled:Splash"
"C:\\Program Files\\Trickster Online\\Trickster.bin"="C:\\Program Files\\Trickster Online\\Trickster.bin:*:Enabled:Trickster"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"
"C:\\Program Files\\McAfee\\MSC\\mcuimgr.exe"="C:\\Program Files\\McAfee\\MSC\\mcuimgr.exe:*:Enabled:mcuimgr"
"C:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"="C:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe:*:Enabled:mcsysmon"
"C:\\Program Files\\McAfee\\VirusScan\\Mcshield.exe"="C:\\Program Files\\McAfee\\VirusScan\\Mcshield.exe:*:Enabled:mcshield"
"C:\\WINDOWS\\system32\\spoolsv.exe"="C:\\WINDOWS\\system32\\spoolsv.exe:*:Enabled:spoolsv"
"C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"="C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe:*:Enabled:wmiprvse"
"C:\\WINDOWS\\system32\\dwwin.exe"="C:\\WINDOWS\\system32\\dwwin.exe:*:Enabled:dwwin"
"C:\\WINDOWS\\system32\\igfxsrvc.exe"="C:\\WINDOWS\\system32\\igfxsrvc.exe:*:Enabled:igfxsrvc"
"C:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe"="C:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe:*:Enabled:sprtcmd"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:iexplore"
"C:\\Program Files\\NETGEAR\\WPN111\\WPN111.exe"="C:\\Program Files\\NETGEAR\\WPN111\\WPN111.exe:*:Enabled:wpn111"
"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"="C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe:*:Enabled:mbam"
"C:\\WINDOWS\\system32\\lsass.exe"="C:\\WINDOWS\\system32\\lsass.exe:*:Enabled:lsass"
"C:\\WINDOWS\\system32\\regsvr32.exe"="C:\\WINDOWS\\system32\\regsvr32.exe:*:Enabled:Regsvr32"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\is-QPKF6.tmp"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 27 Aug 2008 64,052 A.SH. --- "C:\WINDOWS\system32\bavuyuhe.dll.tmp"
Wed 3 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\bikosobu.dll.tmp"
Sat 29 Nov 2008 64,052 A.SH. --- "C:\WINDOWS\system32\bubepoji.dll"
Thu 4 Dec 2008 64,052 A.SH. --- "C:\WINDOWS\system32\bukujifi.dll"
Sat 6 Dec 2008 64,052 A.SH. --- "C:\WINDOWS\system32\butebujo.dll"
Wed 10 Dec 2008 64,052 A.SH. --- "C:\WINDOWS\system32\dapohoso.dll"
Wed 10 Dec 2008 64,052 A.SH. --- "C:\WINDOWS\system32\datudela.dll"
Sun 30 Nov 2008 64,052 A.SH. --- "C:\WINDOWS\system32\dejegima.dll"
Sat 30 Aug 2008 64,052 A.SH. --- "C:\WINDOWS\system32\desoyahi.dll.tmp"
Fri 5 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\diyayeze.dll.tmp"
Fri 5 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\dojisino.dll.tmp"
Fri 29 Aug 2008 64,052 A.SH. --- "C:\WINDOWS\system32\dorulelo.dll.tmp"
Fri 5 Dec 2008 64,052 A.SH. --- "C:\WINDOWS\system32\fadokase.dll"
Fri 29 Aug 2008 64,052 A.SH. --- "C:\WINDOWS\system32\fagometo.dll.tmp"
Wed 10 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\fagunake.dll.tmp"
Wed 27 Aug 2008 87,040 A.SH. --- "C:\WINDOWS\system32\fakahale.dll"
Fri 5 Sep 2008 59,392 A.SH. --- "C:\WINDOWS\system32\fanudugu.dll"
Wed 10 Dec 2008 64,052 A.SH. --- "C:\WINDOWS\system32\faviloze.dll"
Fri 5 Dec 2008 64,052 A.SH. --- "C:\WINDOWS\system32\faviwewe.dll"
Mon 1 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\fegopaki.dll.tmp"
Thu 27 Nov 2008 86,580 A.SH. --- "C:\WINDOWS\system32\femififi.dll"
Fri 29 Aug 2008 64,052 A.SH. --- "C:\WINDOWS\system32\fihaholo.dll.tmp"
Fri 29 Aug 2008 57,344 A.SH. --- "C:\WINDOWS\system32\fimamile.dll"
Sat 30 Aug 2008 64,052 A.SH. --- "C:\WINDOWS\system32\fopijunu.dll.tmp"
Sat 30 Aug 2008 64,052 A.SH. --- "C:\WINDOWS\system32\fudojeka.dll.tmp"
Fri 29 Aug 2008 64,052 A.SH. --- "C:\WINDOWS\system32\fuyotufu.dll.tmp"
Fri 29 Aug 2008 64,052 A.SH. --- "C:\WINDOWS\system32\gakajawo.dll.tmp"
Thu 4 Sep 2008 22,528 A.SH. --- "C:\WINDOWS\system32\gibopiti.dll"
Fri 5 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\giruwili.dll.tmp"
Sat 29 Nov 2008 88,116 A.SH. --- "C:\WINDOWS\system32\goluwuwe.dll"
Mon 1 Sep 2008 69,632 A.SH. --- "C:\WINDOWS\system32\guniketu.dll"
Sat 6 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\hafalahu.dll.tmp"
Wed 10 Dec 2008 94,260 A.SH. --- "C:\WINDOWS\system32\hofalobu.dll"
Wed 3 Dec 2008 94,772 A.SH. --- "C:\WINDOWS\system32\hofukuwu.dll"
Fri 29 Aug 2008 64,052 A.SH. --- "C:\WINDOWS\system32\hupetetu.dll.tmp"
Wed 10 Dec 2008 94,772 A.SH. --- "C:\WINDOWS\system32\hupihola.dll"
Wed 3 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\huvuhije.dll.tmp"
Thu 27 Nov 2008 64,052 A.SH. --- "C:\WINDOWS\system32\janobubu.dll"
Thu 4 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\jehalipo.dll.tmp"
Fri 5 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\jorijefe.dll.tmp"
Mon 24 Nov 2008 93,236 A.SH. --- "C:\WINDOWS\system32\kanelewu.dll"
Thu 4 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\kavudumu.dll.tmp"
Thu 28 Aug 2008 21,504 A.SH. --- "C:\WINDOWS\system32\korediri.dll"
Thu 4 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\kufumayu.dll"
Sat 30 Aug 2008 64,052 A.SH. --- "C:\WINDOWS\system32\laroriwa.dll.tmp"
Wed 10 Dec 2008 85,556 A.SH. --- "C:\WINDOWS\system32\liboluma.dll"
Wed 10 Dec 2008 87,092 A.SH. --- "C:\WINDOWS\system32\limowuyu.dll"
Wed 10 Sep 2008 36,864 A.SH. --- "C:\WINDOWS\system32\lojaloke.dll"
Fri 29 Aug 2008 64,052 A.SH. --- "C:\WINDOWS\system32\lusumune.dll.tmp"
Sat 29 Nov 2008 64,052 A.SH. --- "C:\WINDOWS\system32\mepavuhi.dll"
Sat 30 Aug 2008 62,464 A.SH. --- "C:\WINDOWS\system32\mivojova.dll"
Fri 5 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\mojedufo.dll.tmp"
Fri 5 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\nakuteye.dll.tmp"
Wed 26 Nov 2008 93,236 A.SH. --- "C:\WINDOWS\system32\nofiyeze.dll"
Sat 6 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\nozirofi.dll.tmp"
Fri 29 Aug 2008 64,052 A.SH. --- "C:\WINDOWS\system32\nujeyori.dll.tmp"
Wed 27 Aug 2008 64,052 A.SH. --- "C:\WINDOWS\system32\nuvupino.dll"
Thu 4 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\paweduwo.dll.tmp"
Sat 6 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\payulayo.dll.tmp"
Fri 5 Sep 2008 19,456 A.SH. --- "C:\WINDOWS\system32\perapola.dll"
Wed 3 Dec 2008 64,052 A.SH. --- "C:\WINDOWS\system32\pirebego.dll"
Wed 10 Dec 2008 91,700 A.SH. --- "C:\WINDOWS\system32\polekove.dll"
Thu 4 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\radegave.dll.tmp"
Fri 29 Aug 2008 64,052 A.SH. --- "C:\WINDOWS\system32\rakubuse.dll.tmp"
Sat 29 Nov 2008 95,284 A.SH. --- "C:\WINDOWS\system32\ratapeju.dll"
Thu 27 Nov 2008 93,748 A.SH. --- "C:\WINDOWS\system32\rezizoto.dll"
Wed 3 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\rifuninu.dll.tmp"
Sat 6 Sep 2008 80,896 A.SH. --- "C:\WINDOWS\system32\rowewaya.dll"
Sat 30 Aug 2008 64,052 A.SH. --- "C:\WINDOWS\system32\rowuwoze.dll.tmp"
Fri 28 Nov 2008 64,052 A.SH. --- "C:\WINDOWS\system32\rujezare.dll"
Thu 4 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\ruziwaba.dll.tmp"
Sun 7 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\sagagunu.dll.tmp"
Thu 4 Dec 2008 64,052 A.SH. --- "C:\WINDOWS\system32\sihufepa.dll"
Fri 29 Aug 2008 64,052 A.SH. --- "C:\WINDOWS\system32\sikiloro.dll.tmp"
Fri 5 Dec 2008 64,052 A.SH. --- "C:\WINDOWS\system32\sivuvaje.dll"
Sat 29 Nov 2008 64,052 A.SH. --- "C:\WINDOWS\system32\sojerire.dll"
Mon 1 Sep 2008 29,696 A.SH. --- "C:\WINDOWS\system32\soluwale.dll"
Wed 26 Nov 2008 87,092 A.SH. --- "C:\WINDOWS\system32\susujewe.dll"
Thu 4 Sep 2008 57,344 A.SH. --- "C:\WINDOWS\system32\tatokalo.dll"
Thu 4 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\tegojizo.dll.tmp"
Tue 25 Nov 2008 93,236 A.SH. --- "C:\WINDOWS\system32\tevehuge.dll"
Fri 5 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\tiyanezi.dll.tmp"
Sun 7 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\tomijehi.dll.tmp"
Thu 4 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\vasudere.dll.tmp"
Fri 29 Aug 2008 64,052 A.SH. --- "C:\WINDOWS\system32\vedilune.dll.tmp"
Wed 27 Aug 2008 64,052 A.SH. --- "C:\WINDOWS\system32\vewokuso.dll.tmp"
Fri 29 Aug 2008 72,704 A.SH. --- "C:\WINDOWS\system32\veyevida.dll"
Thu 4 Dec 2008 64,052 A.SH. --- "C:\WINDOWS\system32\vinavola.dll"
Fri 5 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\voganojo.dll.tmp"
Fri 5 Dec 2008 64,052 A.SH. --- "C:\WINDOWS\system32\vokubonu.dll"
Thu 4 Dec 2008 94,772 A.SH. --- "C:\WINDOWS\system32\vokufaye.dll"
Sun 30 Nov 2008 64,052 A.SH. --- "C:\WINDOWS\system32\vufeguja.dll"
Wed 10 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\vumefesa.dll.tmp"
Mon 24 Nov 2008 93,236 A.SH. --- "C:\WINDOWS\system32\wihomeki.dll"
Sat 30 Aug 2008 64,052 A.SH. --- "C:\WINDOWS\system32\wodezoga.dll.tmp"
Fri 5 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\wumiwuso.dll.tmp"
Fri 5 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\yahipeja.dll.tmp"
Mon 1 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\yanuneyi.dll.tmp"
Mon 1 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\yibedipa.dll.tmp"
Fri 29 Aug 2008 64,052 A.SH. --- "C:\WINDOWS\system32\yubuguyi.dll.tmp"
Mon 1 Dec 2008 64,052 A.SH. --- "C:\WINDOWS\system32\yuteraji.dll"
Wed 10 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\zagodowi.dll.tmp"
Thu 4 Sep 2008 64,052 A.SH. --- "C:\WINDOWS\system32\zakokuro.dll.tmp"
Thu 4 Sep 2008 16,384 A.SH. --- "C:\WINDOWS\system32\zefimago.dll"
Sat 30 Aug 2008 74,752 A.SH. --- "C:\WINDOWS\system32\zepuwuvi.dll"
Mon 1 Sep 2008 31,744 A.SH. --- "C:\WINDOWS\system32\zevihami.dll"
Fri 5 Dec 2008 95,284 A.SH. --- "C:\WINDOWS\system32\zonoyago.dll"
Wed 9 Jul 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 16 Sep 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Tue 16 Sep 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Sat 6 Sep 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 9 Jul 2008 4,348 ...H. --- "C:\Documents and Settings\Cameron\My Documents\My Music\License Backup\drmv1key.bak"
Sun 10 Aug 2008 20 A..H. --- "C:\Documents and Settings\Cameron\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 9 Jul 2008 312 A.SH. --- "C:\Documents and Settings\Cameron\My Documents\My Music\License Backup\drmv2key.bak"
Finished!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:26:12 PM, on 12/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Documents and Settings\Cameron\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080620
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Nlumulig] rundll32.exe "C:\WINDOWS\ezexocacir.dll",e
O4 - HKLM\..\Run: [70747fe3] rundll32.exe "C:\WINDOWS\system32\liboluma.dll",b
O4 - HKLM\..\Run: [CPM73474c7f] Rundll32.exe "c:\windows\system32\polekove.dll",a
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKUS\S-1-5-19\..\Run: [rikomireha] Rundll32.exe "C:\WINDOWS\system32\muhafoji.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rikomireha] Rundll32.exe "C:\WINDOWS\system32\muhafoji.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [xsjfn83jkemfofght] C:\WINDOWS\TEMP\winlogin.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [xsjfn83jkemfofght] C:\WINDOWS\TEMP\winlogin.exe (User 'Default user')
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: c:\windows\system32\jomujore.dll:\WINDOWS\system32\hafalahu.dll c:\windows\system32\polekove.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\polekove.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\polekove.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
--
End of file - 4834 bytes
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
Draxton0102
2008-12-11, 12:33
ComboFix 08-12-09.03 - Cameron 2008-12-11 3:26:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2581 [GMT -8:00]
Running from: c:\documents and settings\Cameron\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cameron\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Cameron\Application Data\IUpd721
c:\documents and settings\Cameron\Application Data\IUpd721\Logs\scns.log
c:\documents and settings\NetworkService\Application Data\gadcom
c:\documents and settings\NetworkService\Application Data\gadcom\gadcom.exe
c:\documents and settings\NetworkService\Application Data\gadcom\gadcom.exer3
c:\documents and settings\NetworkService\Application Data\IUpd721
c:\documents and settings\NetworkService\Application Data\IUpd721\Logs\scns.log
c:\documents and settings\NetworkService\Application Data\NI.GSCNS
c:\documents and settings\NetworkService\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\NetworkService\Application Data\NI.GSCNS\settings.ini
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Common\helper.sig
c:\temp\DIV55
c:\temp\DIV55\xDb.log
c:\windows\IE4 Error Log.txt
c:\windows\system32\_vivmxkwyyjuo.dll
c:\windows\system32\amulobil.ini
c:\windows\system32\bafekuta.dll
c:\windows\system32\bubepoji.dll
c:\windows\system32\bukujifi.dll
c:\windows\system32\butebujo.dll
c:\windows\system32\dapohoso.dll
c:\windows\system32\datudela.dll
c:\windows\system32\dejegima.dll
c:\windows\system32\dogomoti.dll
c:\windows\system32\dufatime.dll
c:\windows\system32\fadokase.dll
c:\windows\system32\fakahale.dll
c:\windows\system32\fanudugu.dll
c:\windows\system32\fapugali.dll
c:\windows\system32\faviloze.dll
c:\windows\system32\faviwewe.dll
c:\windows\system32\femififi.dll
c:\windows\system32\fimamile.dll
c:\windows\system32\g4.exe
c:\windows\system32\gibopiti.dll
c:\windows\system32\gokapozu.dll
c:\windows\system32\goluwuwe.dll
c:\windows\system32\guniketu.dll
c:\windows\system32\hofalobu.dll
c:\windows\system32\hofukuwu.dll
c:\windows\system32\homesubu.dll
c:\windows\system32\hupihola.dll
c:\windows\system32\itomogod.ini
c:\windows\system32\janobubu.dll
c:\windows\system32\jomujore.dll
c:\windows\system32\kanelewu.dll
c:\windows\system32\ki3
c:\windows\system32\ki3\RI2ES6i.exe
c:\windows\system32\korediri.dll
c:\windows\system32\kufumayu.dll
c:\windows\system32\liboluma.dll
c:\windows\system32\limowuyu.dll
c:\windows\system32\lojaloke.dll
c:\windows\system32\mepavuhi.dll
c:\windows\system32\mivojova.dll
c:\windows\system32\mst120.dll
c:\windows\system32\nofiyeze.dll
c:\windows\system32\nuvupino.dll
c:\windows\system32\perapola.dll
c:\windows\system32\pirebego.dll
c:\windows\system32\polekove.dll
c:\windows\system32\prunnet.exe
c:\windows\system32\ratapeju.dll
c:\windows\system32\rezizoto.dll
c:\windows\system32\rowewaya.dll
c:\windows\system32\rqwnw64s.exe
c:\windows\system32\rujezare.dll
c:\windows\system32\sahomozu.dll
c:\windows\system32\sihufepa.dll
c:\windows\system32\sivuvaje.dll
c:\windows\system32\sojerire.dll
c:\windows\system32\soluwale.dll
c:\windows\system32\susujewe.dll
c:\windows\system32\tatokalo.dll
c:\windows\system32\tevehuge.dll
c:\windows\system32\torajuje.dll
c:\windows\system32\uv9
c:\windows\system32\uv9\peco85IV.exe
c:\windows\system32\uyuwomil.ini
c:\windows\system32\uzomohas.ini
c:\windows\system32\vazajare.dll
c:\windows\system32\VC
c:\windows\system32\veyevida.dll
c:\windows\system32\vinavola.dll
c:\windows\system32\vivmxkwyyjuo.dll
c:\windows\system32\vokubonu.dll
c:\windows\system32\vokufaye.dll
c:\windows\system32\vufeguja.dll
c:\windows\system32\wafadewi.dll
c:\windows\system32\wanebape.dll
c:\windows\system32\wihomeki.dll
c:\windows\system32\x64
c:\windows\system32\yuteraji.dll
c:\windows\system32\zefimago.dll
c:\windows\system32\zekiwiwu.dll
c:\windows\system32\zepuwuvi.dll
c:\windows\system32\zevihami.dll
c:\windows\system32\zonoyago.dll
.
((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 )))))))))))))))))))))))))))))))
.
2008-12-10 19:10 . 2008-12-10 19:10 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2008-12-10 09:00 . 2008-12-10 09:00 <DIR> d-------- c:\windows\ERUNT
2008-12-10 08:59 . 2008-12-10 19:25 <DIR> d-------- C:\SDFix
2008-12-10 08:56 . 2008-06-20 08:08 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2008-12-10 08:56 . 2008-06-20 08:18 <DIR> d-------- c:\documents and settings\Administrator\Application Data\CyberLink
2008-12-10 08:56 . 2008-12-10 08:56 <DIR> d-------- c:\documents and settings\Administrator
2008-12-08 06:55 . 2008-12-08 06:55 <DIR> d-------- c:\documents and settings\Mark\Application Data\Malwarebytes
2008-12-05 05:34 . 2008-12-05 05:34 132,608 --a------ c:\windows\ezexocacir.dll
2008-12-05 05:18 . 2008-12-05 05:18 40,448 --a------ c:\windows\Hgibimiba.dll
2008-12-05 05:02 . 2008-12-05 05:02 <DIR> d-------- c:\windows\system32\ta
2008-12-05 05:02 . 2008-12-05 05:02 <DIR> d-------- c:\windows\system32\din
2008-12-05 05:02 . 2008-12-11 03:26 <DIR> d-------- C:\Temp
2008-12-05 05:02 . 2008-11-21 20:15 401,408 --a------ c:\windows\system32\windc77.dll
2008-12-05 05:02 . 2008-12-05 05:02 64,859 --a------ c:\windows\system32\szoruslxsary.exe
2008-12-04 21:51 . 2008-12-04 21:51 63,488 --a------ c:\windows\system32\Q5EHRw2b.exe
2008-11-29 01:01 . 2008-11-29 01:01 2,560 --a------ c:\windows\_MSRSTRT.EXE
2008-11-12 09:01 . 2008-10-24 03:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 09:00 . 2008-09-04 09:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 11:26 --------- d-----w c:\program files\Common
2008-12-10 11:21 --------- d-----w c:\program files\World of Warcraft
2008-12-07 11:16 --------- d-----w c:\program files\Trickster Online
2008-12-07 11:14 --------- d-----w c:\program files\Dell
2008-12-05 13:23 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-01 20:27 141,612 ----a-w c:\windows\system32\drivers\dump_wmimmc.sys
2008-11-29 09:01 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-29 09:01 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2008-11-29 09:00 --------- d-----w c:\program files\PokerStars.NET
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-14 11:43 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-07-09 23:35 7,468,448 ----a-w c:\program files\PokerStarsInstallPM.exe
2008-06-20 16:09 76 --sh--r c:\windows\CT4CET.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-03-11 202544]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2008-10-18 4789760]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-03-11 202544]
"Nlumulig"="c:\windows\ezexocacir.dll" [2008-12-05 132608]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2008-06-30 884838]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\WINDOWS\\system32\\igfxpers.exe"=
"c:\\WINDOWS\\OEM05Mon.exe"=
"c:\\Program Files\\Trickster Online\\Splash.exe"=
"c:\\Program Files\\Trickster Online\\Trickster.bin"=
"c:\\Program Files\\McAfee\\MSC\\mcuimgr.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\Mcshield.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\WINDOWS\\system32\\igfxsrvc.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe"=
"c:\\Program Files\\NETGEAR\\WPN111\\WPN111.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\system32\\regsvr32.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\windows\system32\DNINDIS5.SYS [2008-06-30 17149]
R3 OEM05Afx;Provides a software interface to control audio effects of OEM005 camera.;\??\c:\windows\system32\Drivers\OEM05Afx.sys [2008-06-20 141376]
R3 OEM05Vfx;Creative Camera OEM005 Video VFX Driver;c:\windows\system32\DRIVERS\OEM05Vfx.sys [2008-06-20 7424]
R3 OEM05Vid;Creative Camera OEM005 Driver;c:\windows\system32\DRIVERS\OEM05Vid.sys [2008-06-20 235616]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\DRIVERS\livecamv.sys [2008-06-20 31616]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111.sys [2008-06-30 362944]
S1 asyncmacc;asyncmacc;c:\windows\system32\drivers\asyncmacc.sys []
S3 dump_wmimmc;dump_wmimmc;\??\c:\windows\system32\drivers\dump_wmimmc.sys [2008-07-09 141612]
.
Contents of the 'Scheduled Tasks' folder
2008-12-06 c:\windows\Tasks\At1.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-05 c:\windows\Tasks\At10.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-05 c:\windows\Tasks\At11.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-05 c:\windows\Tasks\At12.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-05 c:\windows\Tasks\At13.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-05 c:\windows\Tasks\At14.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-07 c:\windows\Tasks\At15.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-05 c:\windows\Tasks\At16.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-09 c:\windows\Tasks\At17.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-06 c:\windows\Tasks\At18.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-05 c:\windows\Tasks\At19.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-07 c:\windows\Tasks\At2.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-05 c:\windows\Tasks\At20.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-11 c:\windows\Tasks\At21.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-11 c:\windows\Tasks\At22.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-11 c:\windows\Tasks\At23.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-06 c:\windows\Tasks\At24.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-07 c:\windows\Tasks\At25.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-07 c:\windows\Tasks\At26.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-07 c:\windows\Tasks\At27.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-10 c:\windows\Tasks\At28.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-10 c:\windows\Tasks\At29.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-07 c:\windows\Tasks\At3.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-10 c:\windows\Tasks\At30.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-05 c:\windows\Tasks\At31.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-08 c:\windows\Tasks\At32.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-09 c:\windows\Tasks\At33.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-05 c:\windows\Tasks\At34.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-05 c:\windows\Tasks\At35.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-05 c:\windows\Tasks\At36.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-05 c:\windows\Tasks\At37.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-05 c:\windows\Tasks\At38.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-07 c:\windows\Tasks\At39.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-10 c:\windows\Tasks\At4.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-05 c:\windows\Tasks\At40.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-09 c:\windows\Tasks\At41.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-06 c:\windows\Tasks\At42.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-05 c:\windows\Tasks\At43.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-05 c:\windows\Tasks\At44.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-11 c:\windows\Tasks\At45.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-11 c:\windows\Tasks\At46.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-11 c:\windows\Tasks\At47.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-06 c:\windows\Tasks\At48.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-10 c:\windows\Tasks\At5.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-10 c:\windows\Tasks\At6.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-05 c:\windows\Tasks\At7.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-08 c:\windows\Tasks\At8.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-12-09 c:\windows\Tasks\At9.job
- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]
2008-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 10:32]
2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 10:32]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Aim6 - (no file)
HKU-Default-Run-xsjfn83jkemfofght - c:\windows\TEMP\winlogin.exe
HKU-Default-Run-jsg8jfgfdfhfhf - c:\windows\TEMP\winlogun.exe
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-11 03:29:18
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-11 3:31:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-11 11:30:59
Pre-Run: 560,617,504,768 bytes free
Post-Run: 560,684,773,376 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
348 --- E O F --- 2008-11-12 18:17:16
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:33:16 AM, on 12/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Cameron\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080620
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Nlumulig] rundll32.exe "C:\WINDOWS\ezexocacir.dll",e
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
--
End of file - 4125 bytes
Create your own folder for HijackThis and move it into that folder.
After that:
Open notepad and copy/paste the text in the codebox below into it:
File::
c:\windows\ezexocacir.dll
c:\windows\Hgibimiba.dll
c:\windows\system32\windc77.dll
c:\windows\system32\szoruslxsary.exe
c:\windows\system32\Q5EHRw2b.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
Folder::
c:\windows\system32\ta
c:\windows\system32\din
C:\Temp
Driver::
asyncmacc
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nlumulig"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\spoolsv.exe"=-
"c:\\WINDOWS\\system32\\dwwin.exe"=-
"c:\\WINDOWS\\system32\\igfxsrvc.exe"=-
"c:\\WINDOWS\\system32\\regsvr32.exe"=-
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes of findstr, find, sed or swreg; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.
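The CFScript above targets a handful of patterns that show up repeatedly in the logs in this thread: Run entries registered under the SYSTEM and service-account hives (HKUS\S-1-5-18/19/20 and .DEFAULT), executables launched from a TEMP directory, rundll32 loading eight-letter consonant-vowel DLL names with single-letter exports, a populated AppInit_DLLs value, SSODL/SharedTaskScheduler entries pointing at the same DLLs, and dozens of At*.job tasks that all run one executable. The script below is an added example that encodes those triage heuristics so they can be run over HijackThis and ComboFix log lines; it is not part of HijackThis, ComboFix, or any tool used in the thread. The heuristics, thresholds and the `is_pseudo_random` name test are assumptions made for illustration, and the sample lines are copied from the logs posted above with a few benign entries added for contrast.

```python
"""Triage heuristics for HijackThis O4/O20/O21/O22 lines and ComboFix
scheduled-task entries.  Added example, not code from HijackThis or ComboFix.
The heuristics are assumptions chosen to match the logs in this thread."""
import re
from collections import Counter

# HKUS subkeys belonging to SYSTEM and the two service accounts.  Legitimate
# software almost never creates per-user Run entries for these (assumption).
SERVICE_SIDS = ("S-1-5-18", "S-1-5-19", "S-1-5-20", ".DEFAULT")
VOWELS = set("aeiou")

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\(?P<sid>[^\\]+))\\\.\.\\Run: "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?(?:,(\S+))?', re.I)
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\\Tasks\\At\d+\.job)$", re.I)
TARGET_RE = re.compile(r"^- (?P<exe>\S+)")


def is_pseudo_random(stem: str) -> bool:
    """Heuristic: 8 lowercase letters in strict consonant/vowel alternation
    (polekove, liboluma, muhafoji ...).  It is a heuristic, not a signature:
    real words such as 'database' also match, so it is one signal of several."""
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    return all((c in VOWELS) == (i % 2 == 1) for i, c in enumerate(stem))


def triage_line(line: str) -> list:
    """Return the reasons a single HijackThis line looks suspicious."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        sid, cmd = m.group("sid"), m.group("cmd")
        if sid in SERVICE_SIDS:
            reasons.append(f"Run entry under service/SYSTEM hive {sid}")
        if re.search(r"\\temp\\", cmd, re.I):
            reasons.append("autostart from a TEMP directory")
        r = RUNDLL_RE.match(cmd)
        if r:
            dll = r.group(1).rsplit("\\", 1)[-1]
            if is_pseudo_random(dll.rsplit(".", 1)[0]):
                reasons.append(f"rundll32 loads pseudo-random DLL {dll}")
            if r.group(2) and len(r.group(2)) == 1:
                reasons.append(f"single-letter export '{r.group(2)}'")
            if re.match(r"[a-z]:\\windows\\[^\\]+\.dll$", r.group(1), re.I):
                reasons.append("DLL dropped directly in the Windows directory")
    if line.startswith("O20 - AppInit_DLLs:"):
        reasons.append("AppInit_DLLs set (loaded into every process that uses user32)")
    if line.startswith(("O21 - SSODL:", "O22 - SharedTaskScheduler:")):
        dll = line.rsplit(" - ", 1)[-1].rsplit("\\", 1)[-1]
        if is_pseudo_random(dll.rsplit(".", 1)[0]):
            reasons.append(f"shell-load entry points at pseudo-random DLL {dll}")
    return reasons


def triage(lines) -> list:
    """Pair each flagged line with its reasons; clean lines are omitted."""
    return [(l, triage_line(l)) for l in lines if triage_line(l)]


def suspicious_task_targets(lines, threshold: int = 3) -> dict:
    """Count the executables run by At*.job entries in a ComboFix 'Scheduled
    Tasks' section and return those referenced at least `threshold` times.
    Legitimate At jobs are rare on a home PC; dozens pointing at one random
    executable are a persistence pattern (assumption used as the heuristic)."""
    counts, pending = Counter(), False
    for line in lines:
        if TASK_RE.match(line):
            pending = True
            continue
        t = TARGET_RE.match(line)
        if pending and t:
            counts[t.group("exe").lower()] += 1
        pending = False
    return {exe: n for exe, n in counts.items() if n >= threshold}


# Sample input: lines copied from the logs in this thread plus benign entries.
SAMPLE_HJT = [
    r"O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey",
    r'O4 - HKLM\..\Run: [Nlumulig] rundll32.exe "C:\WINDOWS\ezexocacir.dll",e',
    r'O4 - HKLM\..\Run: [CPM73474c7f] Rundll32.exe "c:\windows\system32\polekove.dll",a',
    r"O4 - HKUS\S-1-5-18\..\Run: [xsjfn83jkemfofght] C:\WINDOWS\TEMP\winlogin.exe (User 'SYSTEM')",
    r"O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent",
    r"O20 - AppInit_DLLs: c:\windows\system32\jomujore.dll c:\windows\system32\polekove.dll",
    r"O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\polekove.dll",
]
SAMPLE_TASKS = [
    r"2008-12-06 c:\windows\Tasks\At1.job",
    r"- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]",
    r"2008-12-07 c:\windows\Tasks\At2.job",
    r"- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]",
    r"2008-12-07 c:\windows\Tasks\At3.job",
    r"- c:\windows\system32\Q5EHRw2b.exe [2008-12-04 21:51]",
    r"2008-11-01 c:\windows\Tasks\McQcTask.job",
    r"- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 10:32]",
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_HJT):
        print(line, "\n    ->", "; ".join(reasons))
    print("At*.job targets:", suspicious_task_targets(SAMPLE_TASKS))
```

Run against the full logs, the O4 and O20-O22 checks flag exactly the entries the CFScript removes, while the McAfee, Dell and Curse entries pass; the At*.job counter groups the 48 tasks under their single target executable so the task files can be listed for removal in one step.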
Draxton0102
2008-12-11, 15:34
ComboFix 08-12-09.03 - Cameron 2008-12-11 6:27:02.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2530 [GMT -8:00]
Running from: c:\program files\Hijackthis\ComboFix.exe
Command switches used :: c:\program files\Hijackthis\CFScript.txt
* Created a new restore point
* Resident AV is active
FILE ::
c:\windows\ezexocacir.dll
c:\windows\Hgibimiba.dll
c:\windows\system32\Q5EHRw2b.exe
c:\windows\system32\szoruslxsary.exe
c:\windows\system32\windc77.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp
c:\windows\ezexocacir.dll
c:\windows\Hgibimiba.dll
c:\windows\system32\din
c:\windows\system32\Q5EHRw2b.exe
c:\windows\system32\szoruslxsary.exe
c:\windows\system32\ta
c:\windows\system32\ta\HXEdv47.exe
c:\windows\system32\windc77.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASYNCMACC
-------\Service_asyncmacc
((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 )))))))))))))))))))))))))))))))
.
2008-12-10 19:10 . 2008-12-10 19:10 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2008-12-10 09:00 . 2008-12-10 09:00 <DIR> d-------- c:\windows\ERUNT
2008-12-10 08:59 . 2008-12-10 19:25 <DIR> d-------- C:\SDFix
2008-12-10 08:56 . 2008-06-20 08:08 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2008-12-10 08:56 . 2008-06-20 08:18 <DIR> d-------- c:\documents and settings\Administrator\Application Data\CyberLink
2008-12-10 08:56 . 2008-12-10 08:56 <DIR> d-------- c:\documents and settings\Administrator
2008-12-08 06:55 . 2008-12-08 06:55 <DIR> d-------- c:\documents and settings\Mark\Application Data\Malwarebytes
2008-11-29 01:01 . 2008-11-29 01:01 2,560 --a------ c:\windows\_MSRSTRT.EXE
2008-11-12 09:01 . 2008-10-24 03:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 09:00 . 2008-09-04 09:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 11:26 --------- d-----w c:\program files\Common
2008-12-10 11:21 --------- d-----w c:\program files\World of Warcraft
2008-12-07 11:16 --------- d-----w c:\program files\Trickster Online
2008-12-07 11:14 --------- d-----w c:\program files\Dell
2008-12-05 13:23 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-01 20:27 141,612 ----a-w c:\windows\system32\drivers\dump_wmimmc.sys
2008-11-29 09:01 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-29 09:01 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2008-11-29 09:00 --------- d-----w c:\program files\PokerStars.NET
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-14 11:43 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-07-09 23:35 7,468,448 ----a-w c:\program files\PokerStarsInstallPM.exe
2008-06-20 16:09 76 --sh--r c:\windows\CT4CET.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-03-11 202544]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2008-10-18 4789760]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-03-11 202544]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2008-06-30 884838]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\WINDOWS\\system32\\igfxpers.exe"=
"c:\\WINDOWS\\OEM05Mon.exe"=
"c:\\Program Files\\Trickster Online\\Splash.exe"=
"c:\\Program Files\\Trickster Online\\Trickster.bin"=
"c:\\Program Files\\McAfee\\MSC\\mcuimgr.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\Mcshield.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe"=
"c:\\Program Files\\NETGEAR\\WPN111\\WPN111.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\windows\system32\DNINDIS5.SYS [2008-06-30 17149]
R3 OEM05Afx;Provides a software interface to control audio effects of OEM005 camera.;\??\c:\windows\system32\Drivers\OEM05Afx.sys [2008-06-20 141376]
R3 OEM05Vfx;Creative Camera OEM005 Video VFX Driver;c:\windows\system32\DRIVERS\OEM05Vfx.sys [2008-06-20 7424]
R3 OEM05Vid;Creative Camera OEM005 Driver;c:\windows\system32\DRIVERS\OEM05Vid.sys [2008-06-20 235616]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\DRIVERS\livecamv.sys [2008-06-20 31616]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111.sys [2008-06-30 362944]
S3 dump_wmimmc;dump_wmimmc;\??\c:\windows\system32\drivers\dump_wmimmc.sys [2008-07-09 141612]
.
Contents of the 'Scheduled Tasks' folder
2008-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 10:32]
2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 10:32]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-11 06:29:43
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-11 6:31:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-11 14:31:15
ComboFix2.txt 2008-12-11 11:31:03
Pre-Run: 560,505,643,008 bytes free
Post-Run: 560,584,491,008 bytes free
242 --- E O F --- 2008-11-12 18:17:16
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:33:32 AM, on 12/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Cameron\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080620
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
--
End of file - 4052 bytes
Please go to the Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)
Draxton0102
2008-12-12, 10:12
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 12, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, December 12, 2008 03:43:02
Records in database: 1453549
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
Scan statistics:
Files scanned: 71831
Threat name: 15
Infected objects: 25
Suspicious objects: 0
Duration of the scan: 00:45:57
File name / Threat name / Threats count
C:\Documents and Settings\Cameron\Desktop\backups\backup-20081204-215836-945.dll Infected: Trojan.Win32.Inject.kyy 1
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\gadcom\gadcom.exe.vir Infected: Trojan.Win32.Agent.asmf 1
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\gadcom\gadcom.exer3.vir Infected: Trojan.Win32.Agent.asmf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bafekuta.dll.vir Infected: Trojan.Win32.Monder.aamw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\fakahale.dll.vir Infected: Trojan-GameThief.Win32.Magania.amis 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\femififi.dll.vir Infected: Trojan.Win32.Monder.aard 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\g4.exe.vir Infected: Trojan-Clicker.Win32.Agent.btf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\goluwuwe.dll.vir Infected: Trojan.Win32.Monder.aamw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kanelewu.dll.vir Infected: Trojan-Clicker.Win32.Agent.fnq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ki3\RI2ES6i.exe.vir Infected: Trojan.Win32.Agent.asjz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mst120.dll.vir Infected: Trojan-Downloader.Win32.DlKroha.n 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nofiyeze.dll.vir Infected: Trojan-Clicker.Win32.Agent.fnq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Q5EHRw2b.exe.vir Infected: Trojan-Downloader.Win32.Injecter.bby 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ratapeju.dll.vir Infected: Trojan.Win32.Monder.aavx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rezizoto.dll.vir Infected: Trojan-GameThief.Win32.Magania.amis 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rqwnw64s.exe.vir Infected: Trojan-Downloader.Win32.Agent.afzg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\susujewe.dll.vir Infected: Trojan.Win32.Monder.aare 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ta\HXEdv47.exe.vir Infected: Trojan.Win32.Agent.asjk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tevehuge.dll.vir Infected: Trojan-Clicker.Win32.Agent.fnq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\uv9\peco85IV.exe.vir Infected: Trojan-Downloader.Win32.Agent.afzg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vivmxkwyyjuo.dll.vir Infected: Trojan.Win32.Agent.asjk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wihomeki.dll.vir Infected: Trojan-Clicker.Win32.Agent.fnq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zekiwiwu.dll.vir Infected: Trojan.Win32.Monder.aavx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_vivmxkwyyjuo.dll.vir Infected: Trojan.Win32.Agent.asjk 1
C:\SDFix\backups\catchme.zip Infected: Rootkit.Win32.Protector.bd 1
The selected area was scanned.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:11:55 AM, on 12/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Cameron\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080620
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
--
End of file - 4134 bytes
Empty these folders:
C:\Documents and Settings\Cameron\Desktop\backups
C:\Qoobox\Quarantine
C:\SDFix\backups
Empty Recycle Bin.
Still problems?
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.