live messenger virus?



CJALFA
2010-03-16, 00:05
I've contracted some kind of virus on Messenger, which makes the chat windows disappear. Any help would be appreciated, as it's not being picked up by either McAfee or Spybot!

Logfile of HijackThis v1.99.1
Scan saved at 22:02:36, on 15/03/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\infocard.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Chris\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://postarticles.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
R3 - URLSearchHook: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyn1.dll
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyn1.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyn1.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fsui.exe" -autorun
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Firewall Administrating] C:\WINDOWS\infocard.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Firewall Administrating] C:\WINDOWS\infocard.exe
O4 - Startup: Client Accounts Time Lapse Monitor.lnk = C:\Program Files\CCL Software\Client Accounts\cliactsk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {0089F6EE-ED54-11D5-B0E7-00508B014C1D} (ExWebClientUtils Class) - http://exweb.exchange.uk.com/clientbinaries/texInfo.CAB
O16 - DPF: {034DA761-EDB7-11D7-A20A-000802318089} (EWGPHI.desInput) - http://exweb.exchange.uk.com/clientbinaries/EWGPHI.CAB
O16 - DPF: {090EC279-1378-44B7-B521-888980212E7E} (Complist3 Class) - http://exweb.exchange.uk.com/clientbinaries/eXwebCListCtl3.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.intelligent-office.net/print/smsx.cab
O16 - DPF: {16DF9B46-AA2C-4E7B-B594-6CA477463E19} - http://195.10.116.33/scotprov/download/sa/v6_06a/install.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {397F65A6-FD3C-438B-A7EB-3D2C0655189C} (EWGPensions.desInput) - http://exweb.exchange.uk.com/clientbinaries/EWGPensions.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {511835FF-EDC9-11D7-A20A-000802318089} (EWGWholeLife.desInput) - http://exweb.exchange.uk.com/clientbinaries/EWGWholeLife.CAB
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {61DA056C-EDE7-11D7-A20A-000802318089} (EWGBonds.desInput) - https://exweb.exchange.uk.com/clientbinaries/EWGBonds.CAB
O16 - DPF: {70D86F3C-BA4D-11D2-80F5-006008B066EE} (VSPrefMgmt Class) - https://www.unipass.co.uk/trustwise/vspcakm.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://msnuk.oberon-media.com//online2/MSN_INTL_UK/luxor_amun_rising/mjolauncher.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {8E95B0CA-EB6F-11D3-979B-00508B64538B} (VersionInfo.clsVersionInfo) - http://exweb.exchange.uk.com/clientbinaries/VersionInfo.CAB
O16 - DPF: {91F82BFF-F70C-11D2-BB68-0008C7E9C2C6} (TEXNBSHELL.ProposalForm) - http://exweb.exchange.uk.com/texonline/core_services/new_business_processing/texnbshell.cab
O16 - DPF: {9DAB9AB1-5498-418B-A8F6-4A528392CF43} - http://195.10.116.33/scotprov/download/pe/v6_09/install.cab
O16 - DPF: {A74D724A-AB17-11D2-A96A-006097E20477} (eXwebUtils.HTMLUtils) - http://exweb.exchange.uk.com/clientbinaries/eXwebUtils.CAB
O16 - DPF: {B1283429-F6B4-4BAE-9C11-F061FE9A5A6D} - http://195.10.116.33/scotprov/download/sa/v6_08/install.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/zylom/activex/zylomloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553550000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DDECE2F5-AF1F-44E7-B37F-96B6630F5C60} (PrintComponent.clsVersionInfo) - http://exweb.exchange.uk.com/clientbinaries/printdll.CAB
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E735D3EB-05D1-4459-B374-AAFC4E65151C} - http://195.10.116.33/scotprov/download/pe/v6_06a/install.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O16 - DPF: {E7FF5332-854E-11D2-A952-006097E20477} (eXwebOccList.clsOccRes) - http://exweb.exchange.uk.com/clientbinaries/eXwebOcc.CAB
O16 - DPF: {E95B7E5E-14F8-483E-A5C3-0564CA3E6226} - http://195.10.116.33/scotprov/download/pe/v6_08/install.cab
O16 - DPF: {E9C9692E-F93C-11D1-ABB0-0040054FC6FB} (ProtoView DataTable Control 7.0 (OLEDB)) - http://exweb.exchange.uk.com/clientbinaries/pvdt70.CAB
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
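A HijackThis log is flat text, so the first pass of triage can be done mechanically rather than by eye. The Python below is an added example, not part of the thread and not HijackThis code: it parses the O4 autostart lines and the R0/R1 Internet Explorer start-page lines from a constructed sample made of lines copied from the log above, then applies two defender-side heuristics, an autostart whose executable sits directly in the Windows root rather than a subfolder, and the same entry name registered under more than one hive. The regular expressions, the heuristic rules and all function names are my own assumptions; a flag means "look closer", not a verdict.

```python
"""Triage helper for HijackThis O4 (autostart) and R0/R1 (IE start page) lines.
Added example; the line formats are inferred from the log above, the heuristics are assumptions."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a subset of the lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://postarticles.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Firewall Administrating] C:\WINDOWS\infocard.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Firewall Administrating] C:\WINDOWS\infocard.exe
"""

# O4 - <hive>\..\<Run key>: [<entry name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# R0/R1 - <hive>\Software\Microsoft\Internet Explorer\Main,<setting> = <url>
R_RE = re.compile(r"^R[01] - (?P<hive>HK\w+)\\Software\\Microsoft\\Internet Explorer\\Main,"
                  r"(?P<setting>[^=]+) = (?P<url>\S+)$")
# First module on the command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|cpl|scr))\b', re.IGNORECASE)
# A file directly under <drive>:\windows\ with no further subfolder.
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")

WINDOWS_ROOT = "executable sits directly in the Windows root, not in a subfolder"
DUPLICATE_HIVES = "same entry name registered under more than one hive"


def parse_o4(log):
    """Return one dict per O4 line: hive, key, entry name, raw command and the module it launches."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = EXE_RE.match(m["cmd"])
        entries.append({"hive": m["hive"], "key": m["key"], "name": m["name"],
                        "cmd": m["cmd"], "exe": exe["path"] if exe else None})
    return entries


def flag_autostarts(entries):
    """Apply the two heuristics; return {entry name: sorted list of reasons} for flagged entries only."""
    hives_by_name = defaultdict(set)
    for e in entries:
        hives_by_name[e["name"].lower()].add(e["hive"])
    reasons = defaultdict(set)
    for e in entries:
        if e["exe"] and WINDOWS_ROOT_RE.match(e["exe"].lower()):
            reasons[e["name"]].add(WINDOWS_ROOT)
        if len(hives_by_name[e["name"].lower()]) > 1:
            reasons[e["name"]].add(DUPLICATE_HIVES)
    return {name: sorted(rs) for name, rs in reasons.items()}


def start_pages(log):
    """Map (hive, setting) -> URL host for every R0/R1 line, so a changed start page stands out."""
    pages = {}
    for line in log.splitlines():
        m = R_RE.match(line.strip())
        if m:
            pages[(m["hive"], m["setting"].strip())] = urlparse(m["url"]).hostname
    return pages


if __name__ == "__main__":
    for (hive, setting), host in start_pages(SAMPLE_LOG).items():
        print(f"{hive} {setting}: {host}")
    for name, why in flag_autostarts(parse_o4(SAMPLE_LOG)).items():
        print(f"[{name}]")
        for reason in why:
            print(f"  - {reason}")
```

Run against the sample, the only autostart that trips both rules is the "Firewall Administrating" entry, and the HKCU start page resolves to a host that differs from the machine-wide HKLM one; an analyst would then compare those findings with the file-creation dates and attributes in a ComboFix report before deciding anything.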

tashi
2010-03-16, 00:48
Hello CJALFA,

What happened here: http://forums.spybot.info/showthread.php?p=355739#post355739

Best regards. :)

CJALFA
2010-03-16, 02:04
ComboFix report as requested

ComboFix 10-03-15.04 - Chris 15/03/2010 23:35:39.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.511.279 [GMT 0:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-02-15 to 2010-03-15 )))))))))))))))))))))))))))))))
.

2010-03-14 20:06 . 2010-03-14 20:06 88205 --sh--r- c:\windows\infocard.exe
2010-03-11 18:39 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-10 18:43 . 2010-03-10 18:43 -------- d-----w- c:\program files\Common Files\xing shared
2010-02-28 09:56 . 2010-02-28 15:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-02-28 09:51 . 2010-02-28 09:51 -------- dc----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-02-28 09:45 . 2009-11-11 11:14 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-02-28 09:45 . 2009-11-11 11:14 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-02-28 09:45 . 2009-11-11 11:14 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-02-28 09:45 . 2009-07-16 12:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-02-28 09:44 . 2010-02-28 09:44 -------- d-----w- c:\program files\McAfee.com
2010-02-28 09:37 . 2009-11-11 11:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-02-28 09:29 . 2010-02-28 09:29 135 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\fusioncache.dat
2010-02-28 09:29 . 2010-02-28 09:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ApplicationHistory
2010-02-28 09:26 . 2010-02-28 09:26 -------- d-sh--w- c:\documents and settings\LocalService\UserData
2010-02-28 09:10 . 2010-02-28 09:10 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-02-28 09:09 . 2010-02-28 09:09 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-02-28 09:08 . 2010-02-28 09:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Conduit
2010-02-28 09:08 . 2010-02-28 09:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Zynga
2010-02-27 19:31 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-10 18:45 . 2010-03-10 18:45 118784 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-10 18:45 . 2010-03-10 18:45 118784 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-10 18:45 . 2010-03-10 18:45 118784 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-10 18:45 . 2010-03-10 18:45 118784 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-10 18:45 . 2010-03-10 18:45 118784 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-10 18:45 . 2010-03-10 18:45 300616 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-10 18:45 . 2010-03-10 18:45 118784 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-10 18:45 . 2010-03-10 18:45 329312 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-10 18:44 . 2004-12-30 04:08 -------- d-----w- c:\program files\Common Files\Real
2010-03-10 18:43 . 2004-12-30 04:08 -------- d-----w- c:\program files\Real
2010-03-10 18:41 . 2004-12-30 04:07 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-02 18:17 . 2009-02-14 13:51 -------- d-----w- c:\program files\McAfee
2010-02-28 09:52 . 2007-02-14 12:07 -------- dc----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-28 09:45 . 2009-02-14 13:52 -------- d-----w- c:\program files\Common Files\McAfee
2010-02-23 21:11 . 2009-12-08 12:42 -------- d-----w- c:\program files\Zynga
2010-02-23 20:58 . 2005-01-05 15:13 34713 ----a-w- c:\windows\system32\nvModes.dat
2010-01-20 18:27 . 2009-03-13 20:01 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-16 15:11 . 2009-08-06 16:20 -------- d-----w- c:\documents and settings\Chris\Application Data\Spotify
2010-01-05 18:04 . 2009-02-14 13:55 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 18:48 . 2009-12-19 18:48 545 ----a-w- c:\documents and settings\Chris\KiweeChatbarCleanup.bat
2009-12-19 18:39 . 2009-12-19 18:39 310 ----a-w- c:\documents and settings\Chris\UnifiedToolbarCleanup.bat
2009-12-16 18:43 . 2004-08-04 05:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2006-11-28 20:23 . 2005-08-02 08:26 386 -c-ha-w- c:\program files\AppUpdate.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyn1.dll" [2010-02-23 2349592]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-02-23 21:11 2349592 ----a-w- c:\program files\Zynga\tbZyn1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyn1.dll" [2010-02-23 2349592]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyn1.dll" [2010-02-23 2349592]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"nwiz"="nwiz.exe" [2004-10-26 921600]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-21 155648]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 86016]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-12-30 98304]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-01 28672]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"fssui"="c:\program files\Windows Live\Family Safety\fsui.exe" [2009-08-05 647520]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-07 1176808]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-10 202256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
BTTray.lnk - c:\program files\Dell\Bluetooth Software\BTTray.exe [2004-4-8 561213]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-12-30 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Microsoft Office\\Office\\WINWORD.EXE"=
"c:\\Program Files\\Microsoft Office\\Office\\EXCEL.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\helpctr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [01/10/2009 22:15 222968]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [28/02/2010 09:50 93320]
S3 MSHUSBVideo;NX6000/NX3000/VX7000 Filter Driver;c:\windows\SYSTEM32\DRIVERS\nx6000.sys [27/06/2009 08:53 34136]
.
Contents of the 'Scheduled Tasks' folder

2010-02-28 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-28 12:22]

2010-02-28 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-28 12:22]

2010-03-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2520105511-3077478486-2101950113-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-03-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2520105511-3077478486-2101950113-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-03-15 c:\windows\Tasks\User_Feed_Synchronization-{B69062F3-9127-4A7A-97A5-D7ADA32A556A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.postarticles.net
mStart Page = hxxp://uk.yahoo.com
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Send To &Bluetooth - c:\program files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
Trusted Zone: ifaengine.com\www
Trusted Zone: intelligent-office.net\www
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: thecheshire.co.uk\intermediaries
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0089F6EE-ED54-11D5-B0E7-00508B014C1D} - hxxp://exweb.exchange.uk.com/clientbinaries/texInfo.CAB
DPF: {034DA761-EDB7-11D7-A20A-000802318089} - hxxp://exweb.exchange.uk.com/clientbinaries/EWGPHI.CAB
DPF: {090EC279-1378-44B7-B521-888980212E7E} - hxxp://exweb.exchange.uk.com/clientbinaries/eXwebCListCtl3.CAB
DPF: {16DF9B46-AA2C-4E7B-B594-6CA477463E19} - hxxp://195.10.116.33/scotprov/download/sa/v6_06a/install.cab
DPF: {397F65A6-FD3C-438B-A7EB-3D2C0655189C} - hxxp://exweb.exchange.uk.com/clientbinaries/EWGPensions.CAB
DPF: {511835FF-EDC9-11D7-A20A-000802318089} - hxxp://exweb.exchange.uk.com/clientbinaries/EWGWholeLife.CAB
DPF: {61DA056C-EDE7-11D7-A20A-000802318089} - hxxps://exweb.exchange.uk.com/clientbinaries/EWGBonds.CAB
DPF: {70D86F3C-BA4D-11D2-80F5-006008B066EE} - hxxps://www.unipass.co.uk/trustwise/vspcakm.cab
DPF: {8E95B0CA-EB6F-11D3-979B-00508B64538B} - hxxp://exweb.exchange.uk.com/clientbinaries/VersionInfo.CAB
DPF: {91F82BFF-F70C-11D2-BB68-0008C7E9C2C6} - hxxp://exweb.exchange.uk.com/texonline/core_services/new_business_processing/texnbshell.cab
DPF: {9DAB9AB1-5498-418B-A8F6-4A528392CF43} - hxxp://195.10.116.33/scotprov/download/pe/v6_09/install.cab
DPF: {A74D724A-AB17-11D2-A96A-006097E20477} - hxxp://exweb.exchange.uk.com/clientbinaries/eXwebUtils.CAB
DPF: {B1283429-F6B4-4BAE-9C11-F061FE9A5A6D} - hxxp://195.10.116.33/scotprov/download/sa/v6_08/install.cab
DPF: {DDECE2F5-AF1F-44E7-B37F-96B6630F5C60} - hxxp://exweb.exchange.uk.com/clientbinaries/printdll.CAB
DPF: {E735D3EB-05D1-4459-B374-AAFC4E65151C} - hxxp://195.10.116.33/scotprov/download/pe/v6_06a/install.cab
DPF: {E7FF5332-854E-11D2-A952-006097E20477} - hxxp://exweb.exchange.uk.com/clientbinaries/eXwebOcc.CAB
DPF: {E95B7E5E-14F8-483E-A5C3-0564CA3E6226} - hxxp://195.10.116.33/scotprov/download/pe/v6_08/install.cab
DPF: {E9C9692E-F93C-11D1-ABB0-0040054FC6FB} - hxxp://exweb.exchange.uk.com/clientbinaries/pvdt70.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-15 23:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3680)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-15 23:59:26
ComboFix-quarantined-files.txt 2010-03-15 23:59
ComboFix2.txt 2010-01-08 16:44

Pre-Run: 14,112,915,456 bytes free
Post-Run: 14,320,136,192 bytes free

- - End Of File - - A332FA20A5F45AFBE2DFDB365600300A

tashi
2010-03-16, 02:10
Hi CJALFA,


Hello CJALFA,

What happened here: http://forums.spybot.info/showthread.php?p=355739#post355739

Best regards. :)

I didn't ask for a log. :lip:

CJALFA
2010-03-16, 03:15
All seemed to clear up then; I didn't realise there had been another post.

1. the ComboFix log (C:\ComboFix.txt)


ComboFix 10-03-15.04 - Chris 16/03/2010 0:45.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.511.171 [GMT 0:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"C:\umgwljsb.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chris\Local Settings\Application Data\xlfcvj
c:\documents and settings\Joe\Local Settings\Application Data\Conduit
c:\documents and settings\Joe\Local Settings\Application Data\Conduit\Community Alerts\Feeds\http___alert_services_conduit_com_Alerts_AlertServices_asmx_GetHostedFeedRss_alertID=832836&alertFeedId=828639.xml
c:\documents and settings\Joe\Local Settings\Application Data\Conduit\Community Alerts\LanguagePacks\en.xml
c:\documents and settings\Joe\Local Settings\Application Data\mkndna

.
((((((((((((((((((((((((( Files Created from 2010-02-16 to 2010-03-16 )))))))))))))))))))))))))))))))
.

2010-03-14 20:06 . 2010-03-14 20:06 88205 --sh--r- c:\windows\infocard.exe
2010-03-11 18:39 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-10 18:43 . 2010-03-10 18:43 -------- d-----w- c:\program files\Common Files\xing shared
2010-02-28 09:56 . 2010-02-28 15:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-02-28 09:51 . 2010-02-28 09:51 -------- dc----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-02-28 09:45 . 2009-11-11 11:14 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-02-28 09:45 . 2009-11-11 11:14 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-02-28 09:45 . 2009-11-11 11:14 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-02-28 09:45 . 2009-07-16 12:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-02-28 09:44 . 2010-02-28 09:44 -------- d-----w- c:\program files\McAfee.com
2010-02-28 09:37 . 2009-11-11 11:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-02-28 09:29 . 2010-02-28 09:29 135 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\fusioncache.dat
2010-02-28 09:29 . 2010-02-28 09:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ApplicationHistory
2010-02-28 09:26 . 2010-02-28 09:26 -------- d-sh--w- c:\documents and settings\LocalService\UserData
2010-02-28 09:10 . 2010-02-28 09:10 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-02-28 09:09 . 2010-02-28 09:09 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-02-28 09:08 . 2010-02-28 09:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Conduit
2010-02-28 09:08 . 2010-02-28 09:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Zynga
2010-02-27 19:31 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-10 18:45 . 2010-03-10 18:45 118784 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-10 18:45 . 2010-03-10 18:45 118784 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-10 18:45 . 2010-03-10 18:45 118784 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-10 18:45 . 2010-03-10 18:45 118784 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-10 18:45 . 2010-03-10 18:45 118784 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-10 18:45 . 2010-03-10 18:45 300616 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-10 18:45 . 2010-03-10 18:45 118784 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-10 18:45 . 2010-03-10 18:45 329312 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-10 18:44 . 2004-12-30 04:08 -------- d-----w- c:\program files\Common Files\Real
2010-03-10 18:43 . 2004-12-30 04:08 -------- d-----w- c:\program files\Real
2010-03-10 18:41 . 2004-12-30 04:07 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-02 18:17 . 2009-02-14 13:51 -------- d-----w- c:\program files\McAfee
2010-02-28 09:52 . 2007-02-14 12:07 -------- dc----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-28 09:45 . 2009-02-14 13:52 -------- d-----w- c:\program files\Common Files\McAfee
2010-02-23 21:11 . 2009-12-08 12:42 -------- d-----w- c:\program files\Zynga
2010-02-23 20:58 . 2005-01-05 15:13 34713 ----a-w- c:\windows\system32\nvModes.dat
2010-01-20 18:27 . 2009-03-13 20:01 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-16 15:11 . 2009-08-06 16:20 -------- d-----w- c:\documents and settings\Chris\Application Data\Spotify
2010-01-05 18:04 . 2009-02-14 13:55 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-19 18:48 . 2009-12-19 18:48 545 ----a-w- c:\documents and settings\Chris\KiweeChatbarCleanup.bat
2009-12-19 18:39 . 2009-12-19 18:39 310 ----a-w- c:\documents and settings\Chris\UnifiedToolbarCleanup.bat
2009-12-16 18:43 . 2004-08-04 05:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2006-11-28 20:23 . 2005-08-02 08:26 386 -c-ha-w- c:\program files\AppUpdate.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyn1.dll" [2010-02-23 2349592]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-02-23 21:11 2349592 ----a-w- c:\program files\Zynga\tbZyn1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyn1.dll" [2010-02-23 2349592]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyn1.dll" [2010-02-23 2349592]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"nwiz"="nwiz.exe" [2004-10-26 921600]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-21 155648]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 86016]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-12-30 98304]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-01 28672]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"fssui"="c:\program files\Windows Live\Family Safety\fsui.exe" [2009-08-05 647520]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-07 1176808]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-10 202256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
BTTray.lnk - c:\program files\Dell\Bluetooth Software\BTTray.exe [2004-4-8 561213]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-12-30 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Microsoft Office\\Office\\WINWORD.EXE"=
"c:\\Program Files\\Microsoft Office\\Office\\EXCEL.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\helpctr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [01/10/2009 22:15 222968]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [28/02/2010 09:50 93320]
S3 MSHUSBVideo;NX6000/NX3000/VX7000 Filter Driver;c:\windows\SYSTEM32\DRIVERS\nx6000.sys [27/06/2009 08:53 34136]
.
Contents of the 'Scheduled Tasks' folder

2010-02-28 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-28 12:22]

2010-02-28 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-28 12:22]

2010-03-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2520105511-3077478486-2101950113-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-03-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2520105511-3077478486-2101950113-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]

2010-03-15 c:\windows\Tasks\User_Feed_Synchronization-{B69062F3-9127-4A7A-97A5-D7ADA32A556A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.postarticles.net
mStart Page = hxxp://uk.yahoo.com
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Send To &Bluetooth - c:\program files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
Trusted Zone: ifaengine.com\www
Trusted Zone: intelligent-office.net\www
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: thecheshire.co.uk\intermediaries
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0089F6EE-ED54-11D5-B0E7-00508B014C1D} - hxxp://exweb.exchange.uk.com/clientbinaries/texInfo.CAB
DPF: {034DA761-EDB7-11D7-A20A-000802318089} - hxxp://exweb.exchange.uk.com/clientbinaries/EWGPHI.CAB
DPF: {090EC279-1378-44B7-B521-888980212E7E} - hxxp://exweb.exchange.uk.com/clientbinaries/eXwebCListCtl3.CAB
DPF: {16DF9B46-AA2C-4E7B-B594-6CA477463E19} - hxxp://195.10.116.33/scotprov/download/sa/v6_06a/install.cab
DPF: {397F65A6-FD3C-438B-A7EB-3D2C0655189C} - hxxp://exweb.exchange.uk.com/clientbinaries/EWGPensions.CAB
DPF: {511835FF-EDC9-11D7-A20A-000802318089} - hxxp://exweb.exchange.uk.com/clientbinaries/EWGWholeLife.CAB
DPF: {61DA056C-EDE7-11D7-A20A-000802318089} - hxxps://exweb.exchange.uk.com/clientbinaries/EWGBonds.CAB
DPF: {70D86F3C-BA4D-11D2-80F5-006008B066EE} - hxxps://www.unipass.co.uk/trustwise/vspcakm.cab
DPF: {8E95B0CA-EB6F-11D3-979B-00508B64538B} - hxxp://exweb.exchange.uk.com/clientbinaries/VersionInfo.CAB
DPF: {91F82BFF-F70C-11D2-BB68-0008C7E9C2C6} - hxxp://exweb.exchange.uk.com/texonline/core_services/new_business_processing/texnbshell.cab
DPF: {9DAB9AB1-5498-418B-A8F6-4A528392CF43} - hxxp://195.10.116.33/scotprov/download/pe/v6_09/install.cab
DPF: {A74D724A-AB17-11D2-A96A-006097E20477} - hxxp://exweb.exchange.uk.com/clientbinaries/eXwebUtils.CAB
DPF: {B1283429-F6B4-4BAE-9C11-F061FE9A5A6D} - hxxp://195.10.116.33/scotprov/download/sa/v6_08/install.cab
DPF: {DDECE2F5-AF1F-44E7-B37F-96B6630F5C60} - hxxp://exweb.exchange.uk.com/clientbinaries/printdll.CAB
DPF: {E735D3EB-05D1-4459-B374-AAFC4E65151C} - hxxp://195.10.116.33/scotprov/download/pe/v6_06a/install.cab
DPF: {E7FF5332-854E-11D2-A952-006097E20477} - hxxp://exweb.exchange.uk.com/clientbinaries/eXwebOcc.CAB
DPF: {E95B7E5E-14F8-483E-A5C3-0564CA3E6226} - hxxp://195.10.116.33/scotprov/download/pe/v6_08/install.cab
DPF: {E9C9692E-F93C-11D1-ABB0-0040054FC6FB} - hxxp://exweb.exchange.uk.com/clientbinaries/pvdt70.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-16 00:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-03-16 01:10:10
ComboFix-quarantined-files.txt 2010-03-16 01:10
ComboFix2.txt 2010-03-15 23:59
ComboFix3.txt 2010-01-08 16:44

Pre-Run: 14,259,298,304 bytes free
Post-Run: 14,214,520,832 bytes free

- - End Of File - - 6197B575D40ED3B580E7AC2187DBC247

tashi
2010-03-16, 03:53
Hello CJALFA,

Please see this forum's FAQ: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Then start a new topic providing a fresh HJT log from the correct version, not v1.99.1.

When a helper responds please follow up until informed the computer is clean.

Best regards.