Win32.TDSS.rtk and Win32.Bredolab.b

Rustlr

New member
I was infected the night before last with one of the bogus malware removal trojans which completely takes over the computer. I rebooted in safe mode, ran Spybot, which found the two malware noted above. I rebooted normally with Spybot set to run on system startup, but Spybot appeared to be stalled. I rebooted again in safe mode, ran Spybot, found the same files. I rebooted normally with Spybot set to run on system startup with maximum priority. Spybot has not stalled but is running very, very slowly. It could take days to complete.
As that computer is basically frozen, except for safe mode, I am replying from the other computer on my network.
Your help is appreciated
R2
I posted this yesterday but since then, I have run ERUNT on the infected computer in safe mode by transferring the file by flash drive. Here is the HijackThis log.
Your help is really appreciated
R2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:38:40 PM, on 8/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
E:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb127\Dealio.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Multimedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [MWLExe] C:\PROGRA~1\Mcafee\MWL\MWLGuiSt.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [14008434] C:\Documents and Settings\All Users\Application Data\14008434\14008434.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\RUSSEL~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB2939] command /c del "C:\WINDOWS\SYSTEM32\drivers\SKYNETlokiwmdv.sys_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4196] cmd /c del "C:\WINDOWS\SYSTEM32\drivers\SKYNETlokiwmdv.sys_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8736] command /c del "C:\WINDOWS\SYSTEM32\drivers\SKYNETlokiwmdv.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1422] cmd /c del "C:\WINDOWS\SYSTEM32\drivers\SKYNETlokiwmdv.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4912] command /c del "C:\WINDOWS\SYSTEM32\SKYNETdqmbmily.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5597] cmd /c del "C:\WINDOWS\SYSTEM32\SKYNETdqmbmily.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4036] command /c del "C:\WINDOWS\SYSTEM32\SKYNETdqmbmily.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD611] cmd /c del "C:\WINDOWS\SYSTEM32\SKYNETdqmbmily.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9005] command /c del "C:\WINDOWS\SYSTEM32\SKYNETuywreymj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3603] cmd /c del "C:\WINDOWS\SYSTEM32\SKYNETuywreymj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9071] command /c del "C:\WINDOWS\SYSTEM32\SKYNETuywreymj.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2637] cmd /c del "C:\WINDOWS\SYSTEM32\SKYNETuywreymj.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6955] command /c del "C:\WINDOWS\SYSTEM32\SKYNETlog.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7317] cmd /c del "C:\WINDOWS\SYSTEM32\SKYNETlog.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB467] command /c del "C:\WINDOWS\SYSTEM32\SKYNETlog.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1981] cmd /c del "C:\WINDOWS\SYSTEM32\SKYNETlog.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2499] command /c del "C:\WINDOWS\SYSTEM32\SKYNETndtvgojr.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8455] cmd /c del "C:\WINDOWS\SYSTEM32\SKYNETndtvgojr.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9414] command /c del "C:\WINDOWS\SYSTEM32\SKYNETndtvgojr.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9731] cmd /c del "C:\WINDOWS\SYSTEM32\SKYNETndtvgojr.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5174] command /c del "C:\WINDOWS\SYSTEM32\SKYNETvklnhgoc.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD60] cmd /c del "C:\WINDOWS\SYSTEM32\SKYNETvklnhgoc.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4609] command /c del "C:\WINDOWS\SYSTEM32\SKYNETvklnhgoc.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2850] cmd /c del "C:\WINDOWS\SYSTEM32\SKYNETvklnhgoc.dat"
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video Access ActiveX Object\isamntr.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb127\Dealio.dll
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb127\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (MSN Games – Matchmaking) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (MSN Games – Game Chat) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5230/mcfscan.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O21 - SSODL: systemie - {A9B00672-970E-4A98-8128-732145B5C5B5} - systemie.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 14373 bytes
 
Hijack in normal mode

Hi Rustlr

Please post next HijackThis log taken in normal mode :)

Good day
First I loaded hijackthis to the desktop from a flashdrive and opened it. The only response I got was when I tried to open it again it said hijackthis was already running but I never got any screen or log.
I have tried several times to do this by loading hijackthis into a folder in mydocs from a flashdrive. I never get any hijackthis screen and eventually the computer logs off by itself or goes to an inactive screen.
I also tried saving hijackthis to the desktop in safe mode but it never showed up in normal mode.
Thanks
Rustlr
 
Please try to rename HijackThis.exe and let me know if it now runs in normal mode :)
 
Renaming hijackthis

Renaming the exe file, uploading it to the infected computer and opening the new file in Windows Explorer generates no response.
Rustlr
 
Download gmer.zip and save to your desktop.
alternate download site
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.
 
gmer log

Here is the GMER log. I had to run it in safe mode.

GMER 1.0.15.15020 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-11 18:19:44
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

Code 87378180 ZwEnumerateKey
Code 87378148 ZwFlushInstructionCache
Code 873781B6 IofCallDriver
Code 872AC13E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 873781BB
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 872AC143
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 87378184
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 8737814C

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\winlogon.exe[228] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0063000A
.text C:\WINDOWS\system32\services.exe[276] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003B000A
.text C:\WINDOWS\system32\lsass.exe[288] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0066000A
.text C:\WINDOWS\system32\svchost.exe[592] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0067000A
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[652] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 008B000A
.text ...

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETiopvpvvq (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETiopvpvvq@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETiopvpvvq@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETiopvpvvq@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETiopvpvvq@imagepath \systemroot\system32\drivers\SKYNETlokiwmdv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETiopvpvvq\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETiopvpvvq\main@aid 10162
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETiopvpvvq\main@sid 9
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETiopvpvvq\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETiopvpvvq\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETiopvpvvq\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETiopvpvvq\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETiopvpvvq\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETiopvpvvq\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETiopvpvvq\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETlokiwmdv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETiopvpvvq\modules@SKYNETcmd.dll \systemroot\system32\SKYNETuywreymj.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETiopvpvvq\modules@SKYNETlog.dat \systemroot\system32\SKYNETndtvgojr.dat
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETiopvpvvq\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdqmbmily.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETiopvpvvq\modules@SKYNET.dat \systemroot\system32\SKYNETvklnhgoc.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETiopvpvvq (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETiopvpvvq@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETiopvpvvq@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETiopvpvvq@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETiopvpvvq@imagepath \systemroot\system32\drivers\SKYNETlokiwmdv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETiopvpvvq\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETiopvpvvq\main@aid 10162
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETiopvpvvq\main@sid 9
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETiopvpvvq\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETiopvpvvq\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETiopvpvvq\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETiopvpvvq\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETiopvpvvq\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETiopvpvvq\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETiopvpvvq\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETlokiwmdv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETiopvpvvq\modules@SKYNETcmd.dll \systemroot\system32\SKYNETuywreymj.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETiopvpvvq\modules@SKYNETlog.dat \systemroot\system32\SKYNETndtvgojr.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETiopvpvvq\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdqmbmily.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETiopvpvvq\modules@SKYNET.dat \systemroot\system32\SKYNETvklnhgoc.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq@imagepath \systemroot\system32\drivers\SKYNETlokiwmdv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq\main@aid 10162
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq\main@sid 9
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETlokiwmdv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq\modules@SKYNETcmd.dll \systemroot\system32\SKYNETuywreymj.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq\modules@SKYNETlog.dat \systemroot\system32\SKYNETndtvgojr.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdqmbmily.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq\modules@SKYNET.dat \systemroot\system32\SKYNETvklnhgoc.dat
Reg HKLM\SOFTWARE\Classes\CLSID\{9AC21A8F-76C0-F601-D337-077922215225}\InprocServer32@ThreadingModel both
Reg HKLM\SOFTWARE\Classes\CLSID\{9AC21A8F-76C0-F601-D337-077922215225}\InprocServer32@InprocServer32 *r=^Vn-}f(YR]eAR6.jiTranslationHidden>BbxH8x=!g(3?!!!_GX=b?
Reg HKLM\SOFTWARE\Classes\CLSID\{9AC21A8F-76C0-F601-D337-077922215225}\InprocServer32@ C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\ITIRCL52.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{9AC21A8F-76C0-F601-D337-077922215225}\ProgID@ ITIR.NumberNormalizer.5.2

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\SYSTEM32\DRIVERS\SKYNETlokiwmdv.sys 69632 bytes
File C:\WINDOWS\SYSTEM32\SKYNETdqmbmily.dll 18944 bytes
File C:\WINDOWS\SYSTEM32\SKYNETlog.dat 316 bytes
File C:\WINDOWS\SYSTEM32\SKYNETndtvgojr.dat 720907 bytes
File C:\WINDOWS\SYSTEM32\SKYNETuywreymj.dll 43520 bytes
File C:\WINDOWS\SYSTEM32\SKYNETvklnhgoc.dat 91 bytes

---- EOF - GMER 1.0.15 ----
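The GMER log above is read in three places: the inline JMP patches on ntoskrnl exports, the ntdll!LdrLoadDll hook repeated in every listed process, and the SKYNET service key whose "modules" subkey maps fixed aliases onto the randomly named files on disk. The following Python is an added example written for this thread (it is not part of the original post and not GMER's own code); the log excerpt inside it is constructed from the lines posted above, and it turns those three observations into a triage summary.

```python
"""Triage a GMER rootkit-scan log of the kind posted above.

Added example for this thread; not part of the original post and not
GMER's own code. It parses the "Kernel code sections", "User code
sections" and "Registry" sections and reports what a helper reads first:
inline JMP hooks in ntoskrnl, the processes whose ntdll!LdrLoadDll is
hooked (the DLL-injection footprint), and the service whose registry
subkeys map module aliases onto the randomly named files on disk.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the GMER log in the thread.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 873781BB
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 872AC143
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 87378184
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 8737814C

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\winlogon.exe[228] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0063000A
.text C:\WINDOWS\system32\services.exe[276] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003B000A
.text C:\WINDOWS\system32\lsass.exe[288] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0066000A

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETiopvpvvq (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETiopvpvvq@imagepath \systemroot\system32\drivers\SKYNETlokiwmdv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq@imagepath \systemroot\system32\drivers\SKYNETlokiwmdv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETlokiwmdv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq\modules@SKYNETcmd.dll \systemroot\system32\SKYNETuywreymj.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETiopvpvvq\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdqmbmily.dll
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
# "<segment> <target> <address> <n> Bytes <patch>"
HOOK_RE = re.compile(
    r"^(?P<seg>\.\w+|PAGE\w*)\s+(?P<target>.+?)\s+(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+) Bytes\s+(?P<patch>.+)$")
# User-mode targets carry "<image>[<pid>] <module>!<function>".
USER_TARGET_RE = re.compile(r"^(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<func>\S+)$")
SERVICE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<svc>[^\\]+)(?P<sub>(?:\\[^\\]+)*)$", re.IGNORECASE)


def parse_gmer(text):
    """Collect hook and registry entries from a GMER log, keyed by section."""
    out = {"kernel_hooks": [], "user_hooks": [], "registry": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section in ("Kernel code sections", "User code sections"):
            m = HOOK_RE.match(line)
            if not m:
                continue  # GMER elides long runs as ".text ..."
            entry = m.groupdict()
            t = USER_TARGET_RE.match(entry["target"])
            if t:
                entry.update(t.groupdict())
            out["kernel_hooks" if section.startswith("Kernel") else "user_hooks"].append(entry)
        elif section == "Registry" and line.startswith("Reg "):
            # "Reg <key>[@<value>] [<data>]": first token is key@value, the rest is data.
            token, _, data = line[4:].partition(" ")
            key, _, name = token.partition("@")
            out["registry"].append({"key": key, "name": name, "data": data})
    return out


def summarize(parsed):
    """Reduce the parsed log to the three findings a helper looks at first."""
    kernel = [(h["target"], h["patch"]) for h in parsed["kernel_hooks"]
              if h["target"].lower().startswith("ntoskrnl.exe!") and h["patch"].startswith("JMP")]
    injected = sorted({h["image"] for h in parsed["user_hooks"]
                       if h.get("func", "").lower() == "ntdll.dll!ldrloaddll"})
    services = defaultdict(lambda: {"imagepath": None, "modules": {}, "injector": []})
    for r in parsed["registry"]:
        m = SERVICE_RE.match(r["key"])
        if not m or m.group("cs").lower() != "currentcontrolset":
            continue  # only the live control set describes what runs now
        svc, sub = services[m.group("svc")], m.group("sub").lower()
        if sub == "" and r["name"].lower() == "imagepath":
            svc["imagepath"] = r["data"]
        elif sub == r"\modules" and r["name"]:
            svc["modules"][r["name"]] = r["data"]
        elif sub == r"\main\injector" and r["name"]:
            svc["injector"].append((r["name"], r["data"]))
    return {"ntoskrnl_inline_hooks": kernel,
            "ldrloaddll_hooked_images": injected,
            "services": dict(services)}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_gmer(SAMPLE_LOG)), indent=2))
```

Run against the full log, the "services" entry lists every file path a cleanup tool has to reach, which is exactly the set Spybot's RunOnce deletions above were trying (and failing) to remove while the driver was loaded.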
 
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
 
Combo Fix

Do I need to run this in normal mode? The instructions talk about having an internet connection for the Windows Recovery Console. The internet is not available in safe mode.
 
If you are not able to run it in normal mode, please see the instructions on how to install the Recovery Console manually, and run it after that in safe mode.
 
combo fix 2

I have tried to download ComboFix to a flash drive but I get "cannot copy, access denied, make sure disk is not full or write protected..."
I did get one copy but it does not run in either normal or safe mode on the infected computer. I get the message that the file is corrupted, please download a new file. The internet does not appear to be available on the infected computer in normal mode either, as IE never accesses a webpage and the malware keeps trying to block it.
Do I have to disable McAfee and Spybot on this computer in order to download an uncorrupted copy of ComboFix? The instructions for ComboFix say to download directly to the desktop. I cannot do this on the infected computer. Is transferring by flash drive OK?
I am not happy about disabling my protection on this computer to download ComboFix.
HELP
Rustlr
 
recovery console

I am not having much luck manually installing the Recovery Console. I keep getting error messages and instructions that don't seem to work with my Dell reinstallation Windows XP CDs. The time difference is killing me. It is now almost midnight PST and I am beat. I will be back at this in about 8 hours.
Thanks
Rustlr
 
"Do I have to disable McAfee and Spybot on this computer in order to download an uncorrupted copy of ComboFix?"

Yes, I am afraid so. Those need to be disabled anyway when you run combofix.
Instructions don't work with Dell CDs, that is true.
 
Safe Mode with Networking

Being new to fixing malware problems, I did not know that you could run your computer in Safe Mode with Networking which allows an internet connection. This would have saved lots of time.
I am currently running combo fix in safe mode
Rustlr
 
Combofix 3


ComboFix gave me a list of system32 files to write down, then rebooted into normal mode and is scanning.
R2
 
Safe mode with networking isn't recommended as your computer is then vulnerable.

I'll be waiting for results :)
 
combofix log, fresh hijack log

It was the easiest way. I will log out into regular safe mode after this transmission
ComboFix 09-08-10.06 - Russell Radcliffe 08/12/2009 9:17.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.615 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\14008434
c:\documents and settings\All Users\Application Data\14008434\14008434
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\documents and settings\Russell Radcliffe\Desktop\System Security 2009.lnk
c:\documents and settings\Russell Radcliffe\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\program files\Helper
c:\program files\Search Settings
c:\program files\Search Settings\kb127\SearchSettings.dll
c:\program files\Search Settings\kb127\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe
c:\windows\Installer\12c13cc8.msi
c:\windows\Installer\4cf066a.a295.msi
c:\windows\Installer\76b0ed.msi
c:\windows\RM.exe
c:\windows\system32\5U363bpI.exe.a_a
c:\windows\system32\drivers\SKYNETlokiwmdv.sys
c:\windows\system32\drivers\str.sys
c:\windows\system32\drivers\ywmrpblkntqaty.sys
c:\windows\system32\SKYNETdqmbmily.dll
c:\windows\system32\SKYNETlog.dat
c:\windows\system32\SKYNETndtvgojr.dat
c:\windows\system32\SKYNETuywreymj.dll
c:\windows\system32\SKYNETvklnhgoc.dat
c:\windows\system32\system
c:\windows\system32\system\CsLsp.dll
c:\windows\system32\system\mcafeepf.dll


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETiopvpvvq
-------\Legacy_SKYNETiopvpvvq
-------\Legacy_NPF
-------\Legacy_OULZERYOUDMYT
-------\Legacy_RPCPATCH
-------\Legacy_RPCTFTPD
-------\Legacy_WS2_32SIK
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))
.

2100-02-23 22:35 . 2001-02-22 17:54 768 -c--a-w- c:\program files\x73_lut.dat
2100-02-23 21:35 . 2001-02-22 16:54 768 -c--a-w- c:\windows\x73_lut.dat
2100-02-09 00:03 . 2001-05-11 19:39 53248 -c--a-w- c:\program files\ACMonitor_X73.exe
2009-08-12 06:17 . 2009-08-12 06:17 616448 ---ha-w- C:\StashIMAPI.bin
2009-08-08 21:31 . 2009-08-08 21:31 -------- d-----w- c:\program files\ERUNT
2009-08-08 20:32 . 2009-08-08 20:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2009-08-08 20:26 . 2009-08-08 20:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sony Corporation
2009-07-29 22:48 . 2009-07-29 22:48 -------- d-----w- c:\program files\Zone Labs
2009-07-29 22:48 . 2009-07-29 22:48 -------- d-----w- c:\windows\Internet Logs
2009-07-14 18:05 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Russell Radcliffe\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-07-14 18:02 . 2009-07-14 18:02 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-14 17:39 . 2009-07-14 18:00 8303545 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\air_compressed.exe
2009-07-14 17:39 . 2009-07-14 17:39 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-07-14 17:38 . 2009-07-15 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-14 17:38 . 2009-07-15 15:59 -------- d-----w- c:\program files\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-12 16:33 . 2003-04-06 19:01 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000007-00001102-00000002-80221102}.dat
2009-08-12 16:33 . 2003-04-06 19:01 24 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000007-00001102-00000002-80221102}.dat
2009-08-08 16:57 . 2001-12-22 16:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-08 16:55 . 2005-02-20 22:08 -------- d-----w- c:\program files\DAZZLE
2009-08-08 16:54 . 2006-02-01 20:26 -------- d-----w- c:\program files\Stamps.com Internet Postage
2009-08-08 16:52 . 2005-11-19 00:23 -------- d-----w- c:\program files\Atari
2009-08-08 16:48 . 2008-08-07 17:21 -------- d-----w- c:\program files\LimeWire
2009-08-02 18:53 . 2007-10-20 17:29 -------- d-----w- c:\documents and settings\Russell Radcliffe\Application Data\SiteAdvisor
2009-07-29 15:16 . 2005-10-02 15:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-26 22:23 . 2008-04-05 23:56 -------- d-----w- c:\documents and settings\Russell Radcliffe\Application Data\LimeWire
2009-07-14 18:26 . 2006-05-23 16:18 -------- d-----w- c:\program files\LexmarkX73
2009-07-14 18:04 . 2003-04-06 20:23 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-09 23:40 . 2007-10-20 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-09 21:06 . 2007-10-20 17:22 -------- d-----w- c:\program files\McAfee
2009-06-30 15:51 . 2001-12-22 16:50 -------- d-----w- c:\program files\PhoneTools
2009-06-25 04:10 . 2007-07-10 13:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-25 03:01 . 2009-06-25 03:00 -------- d-----w- c:\program files\iTunes
2009-06-25 03:00 . 2009-06-25 03:00 -------- d-----w- c:\program files\iPod
2009-06-25 03:00 . 2007-07-10 13:34 -------- d-----w- c:\program files\Common Files\Apple
2009-06-25 02:57 . 2002-01-15 00:49 -------- d-----w- c:\program files\QuickTime
2009-06-25 02:48 . 2009-06-25 02:48 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-23 03:45 . 2006-12-15 01:38 -------- d-----w- c:\documents and settings\Russell Radcliffe\Application Data\Apple Computer
2009-06-05 18:42 . 2009-05-07 23:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 18:42 . 2007-12-30 21:16 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-26 19:30 . 2009-05-16 22:45 100 --s-a-w- c:\windows\system32\2092623811.dat
2005-12-30 22:09 . 2005-12-30 22:09 774144 -c--a-w- c:\program files\RngInterstitial.dll
2001-07-27 00:58 . 2000-01-11 20:50 47 -c--a-w- c:\program files\ACMonitor_X73.ini
2001-07-05 20:46 . 2001-07-20 18:48 8116 -c--a-w- c:\program files\OSLO3071b2.USB
2001-05-09 00:36 . 2000-12-05 23:56 114688 -c--a-w- c:\program files\lxarscan.dll
2001-04-23 22:22 . 2100-02-08 23:53 1437 -c--a-w- c:\program files\gtx73.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"NVIEW"="nview.dll" - c:\windows\SYSTEM32\nview.dll [2003-07-28 852038]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellTouch"="c:\windows\MMKeybd.exe" [2002-01-17 163840]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 655360]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-03-28 102400]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"FLMK08KB"="c:\program files\Multimedia keyboard utility\1.3\MMKEYBD.EXE" [2005-07-28 207360]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [1999-08-30 189952]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"MWLExe"="c:\progra~1\Mcafee\MWL\MWLGuiSt.exe" [2007-07-28 206184]
"SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 36640]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"au"="c:\program files\Dealio\DealioAU.exe" [2008-05-27 595296]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Lexmark X73 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X73.exe" [2001-10-08 53248]
"Lexmark X73 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X73.exe" [2001-07-11 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\McAfee\\MWL\\MwlSvc.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [12/31/1979 11:00 PM 28672]
R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\Msikbd2k.sys [12/22/2001 9:51 AM 6656]
S1 e740e0ab;e740e0ab;c:\windows\system32\drivers\e740e0ab.sys --> c:\windows\system32\drivers\e740e0ab.sys [?]
S2 oulzeryoudmyt;oulzeryoudmyt;\??\c:\windows\system32\drivers\ywmrpblkntqaty.sys --> c:\windows\system32\drivers\ywmrpblkntqaty.sys [?]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\SYSTEM32\DRIVERS\usbbc.sys [6/2/2002 12:40 PM 15576]
.
Contents of the 'Scheduled Tasks' folder

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-10-20 18:53]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-10-20 18:53]

2009-08-12 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\progra~1\SPYBOT~1\SpybotSD.exe [2008-02-15 23:31]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{6A048BB7-E017-4326-B207-AA996C77BBCB} - (no file)
HKCU-Run-MoneyAgent - c:\program files\Microsoft Money\System\Money Express.exe
HKCU-Run-McAfee.InstantUpdate.Monitor - c:\program files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
HKCU-Run-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MSKAgent.exe
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
HKLM-Run-Imonitor - c:\program files\McAfee\QuickClean\Plguni.exe
HKLM-Run-PrinTray - c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe
HKLM-RunOnce-DELDIR0.EXE - c:\docume~1\RUSSEL~1\LOCALS~1\Temp\DELDIR0.EXE
SSODL-systemie-{A9B00672-970E-4A98-8128-732145B5C5B5} - systemie.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/advanced_search?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{0264505A-6793-44E0-AC75-9DCE3B13185C} - c:\program files\AT&T\WnClient\Programs\AnyWho.exe
IE: {{9239E4EC-C9A6-11D2-A844-00C04F68D538}
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-12 09:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???x???????????? C?????Disc Detector?B???A???????A?? ????B???@?$?@?? C?????U?@?????????@?B???A???????A? ?????B???@?????P???$?@?? ??????~?B~??????????@???????????????????B?????,?????????????????????????????B
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
DELDIR0.EXE = "c:\docume~1\RUSSEL~1\LOCALS~1\Temp\DELDIR0.EXE" "c:\program files\McAfee\McAfee Shared Components\Guardian\"??w????T??w?}?w???????????w???????????w????O??wT??w???????w????L??????w????<??????????w? ?q??w???????w? ?????|???????v???C?:?\?P?r?o?g?r?a?m? ?F?i?l?e?s?\?M?c?A?f?e?e?\?M?c?A?f?e?e? ?S?h?a?r?e?d? ?C?o?m?p?o?n?e?n?t?s?\?G?u?a?r?d?i?a?n?\?????????????????|???????????????? ??????$?w?T?w???????w?%?w?????$?wd??????????? ?@v????,2?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(192)
c:\windows\system32\nView.dll
c:\program files\SiteAdvisor\6172\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\DRIVERS\CDAC11BA.EXE
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Multimedia keyboard utility\1.3\KBDAP32A.EXE
c:\program files\Creative\ShareDLL\Mediadet.exe
c:\windows\SYSTEM32\rundll32.exe
c:\windows\SYSTEM32\rundll32.exe
c:\program files\McAfee\MWL\MwlGui.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\McAfee\MWL\MwlSvc.exe
.
**************************************************************************
.
Completion time: 2009-08-12 9:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-12 16:50

Pre-Run: 4,269,264,896 bytes free
Post-Run: 4,776,472,576 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

261 --- E O F --- 2009-05-13 14:26
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:05 AM, on 8/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Multimedia keyboard utility\1.3\KbdAp32A.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mcafee\MWL\MwlGui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mcafee\MWL\MwlSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Russell Radcliffe\Desktop\HiJackThis.exe
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb127\Dealio.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Multimedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [MWLExe] C:\PROGRA~1\Mcafee\MWL\MWLGuiSt.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb127\Dealio.dll
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb127\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (MSN Games – Matchmaking) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (MSN Games – Game Chat) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5230/mcfscan.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://www.tripcheck.com/roadcams/cams/WillamettePass_pid658.jpg

--
End of file - 12912 bytes
 
No need, combofix did its job :)

Please go to ESET Online Scanner to run an online scan.
Note: You - will - need to use Internet Explorer for this scan!
  1. Check the box next to "YES, I accept the Terms of Use."
  2. Click "Start"
  3. Click Yes... at the run ActiveX prompt. Click Install... at the install ActiveX prompt.
    Once installed, the scanner will be initialized.
  4. Click "Start". Make sure that the options:
    • Remove found threats is UNCHECKED
    • Scan unwanted applications is CHECKED
  5. Click "Scan"
  6. Wait for the scan to finish... it may take a while... please be patient. When the scan is finished...
  7. Use Notepad to open the log file located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste the contents of log.txt in your next reply.
 
eset scanner

2009-08-08 16:54 . 2006-02-01 20:26 -------- d-----w- c:\program files\Stamps.com Internet Postage
2009-08-08 16:52 . 2005-11-19 00:23 -------- d-----w- c:\program files\Atari
2009-08-08 16:48 . 2008-08-07 17:21 -------- d-----w- c:\program files\LimeWire
2009-08-02 18:53 . 2007-10-20 17:29 -------- d-----w- c:\documents and settings\Russell Radcliffe\Application Data\SiteAdvisor
2009-07-29 15:16 . 2005-10-02 15:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-26 22:23 . 2008-04-05 23:56 -------- d-----w- c:\documents and settings\Russell Radcliffe\Application Data\LimeWire
2009-07-14 18:26 . 2006-05-23 16:18 -------- d-----w- c:\program files\LexmarkX73
2009-07-14 18:04 . 2003-04-06 20:23 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-09 23:40 . 2007-10-20 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-09 21:06 . 2007-10-20 17:22 -------- d-----w- c:\program files\McAfee
2009-06-30 15:51 . 2001-12-22 16:50 -------- d-----w- c:\program files\PhoneTools
2009-06-25 04:10 . 2007-07-10 13:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-25 03:01 . 2009-06-25 03:00 -------- d-----w- c:\program files\iTunes
2009-06-25 03:00 . 2009-06-25 03:00 -------- d-----w- c:\program files\iPod
2009-06-25 03:00 . 2007-07-10 13:34 -------- d-----w- c:\program files\Common Files\Apple
2009-06-25 02:57 . 2002-01-15 00:49 -------- d-----w- c:\program files\QuickTime
2009-06-25 02:48 . 2009-06-25 02:48 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-23 03:45 . 2006-12-15 01:38 -------- d-----w- c:\documents and settings\Russell Radcliffe\Application Data\Apple Computer
2009-06-05 18:42 . 2009-05-07 23:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 18:42 . 2007-12-30 21:16 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-26 19:30 . 2009-05-16 22:45 100 --s-a-w- c:\windows\system32\2092623811.dat
2005-12-30 22:09 . 2005-12-30 22:09 774144 -c--a-w- c:\program files\RngInterstitial.dll
2001-07-27 00:58 . 2000-01-11 20:50 47 -c--a-w- c:\program files\ACMonitor_X73.ini
2001-07-05 20:46 . 2001-07-20 18:48 8116 -c--a-w- c:\program files\OSLO3071b2.USB
2001-05-09 00:36 . 2000-12-05 23:56 114688 -c--a-w- c:\program files\lxarscan.dll
2001-04-23 22:22 . 2100-02-08 23:53 1437 -c--a-w- c:\program files\gtx73.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"NVIEW"="nview.dll" - c:\windows\SYSTEM32\nview.dll [2003-07-28 852038]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellTouch"="c:\windows\MMKeybd.exe" [2002-01-17 163840]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 655360]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-03-28 102400]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"FLMK08KB"="c:\program files\Multimedia keyboard utility\1.3\MMKEYBD.EXE" [2005-07-28 207360]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [1999-08-30 189952]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"MWLExe"="c:\progra~1\Mcafee\MWL\MWLGuiSt.exe" [2007-07-28 206184]
"SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 36640]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"au"="c:\program files\Dealio\DealioAU.exe" [2008-05-27 595296]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Lexmark X73 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X73.exe" [2001-10-08 53248]
"Lexmark X73 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X73.exe" [2001-07-11 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\McAfee\\MWL\\MwlSvc.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [12/31/1979 11:00 PM 28672]
R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\Msikbd2k.sys [12/22/2001 9:51 AM 6656]
S1 e740e0ab;e740e0ab;c:\windows\system32\drivers\e740e0ab.sys --> c:\windows\system32\drivers\e740e0ab.sys [?]
S2 oulzeryoudmyt;oulzeryoudmyt;\??\c:\windows\system32\drivers\ywmrpblkntqaty.sys --> c:\windows\system32\drivers\ywmrpblkntqaty.sys [?]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\SYSTEM32\DRIVERS\usbbc.sys [6/2/2002 12:40 PM 15576]
.
Contents of the 'Scheduled Tasks' folder

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-10-20 18:53]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-10-20 18:53]

2009-08-12 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\progra~1\SPYBOT~1\SpybotSD.exe [2008-02-15 23:31]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{6A048BB7-E017-4326-B207-AA996C77BBCB} - (no file)
HKCU-Run-MoneyAgent - c:\program files\Microsoft Money\System\Money Express.exe
HKCU-Run-McAfee.InstantUpdate.Monitor - c:\program files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
HKCU-Run-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MSKAgent.exe
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
HKLM-Run-Imonitor - c:\program files\McAfee\QuickClean\Plguni.exe
HKLM-Run-PrinTray - c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe
HKLM-RunOnce-DELDIR0.EXE - c:\docume~1\RUSSEL~1\LOCALS~1\Temp\DELDIR0.EXE
SSODL-systemie-{A9B00672-970E-4A98-8128-732145B5C5B5} - systemie.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/advanced_search?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{0264505A-6793-44E0-AC75-9DCE3B13185C} - c:\program files\AT&T\WnClient\Programs\AnyWho.exe
IE: {{9239E4EC-C9A6-11D2-A844-00C04F68D538}
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-12 09:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???x???????????? C?????Disc Detector?B???A???????A?? ????B???@?$?@?? C?????U?@?????????@?B???A???????A? ?????B???@?????P???$?@?? ??????~?B~??????????@???????????????????B?????,?????????????????????????????B
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
DELDIR0.EXE = "c:\docume~1\RUSSEL~1\LOCALS~1\Temp\DELDIR0.EXE" "c:\program files\McAfee\McAfee Shared Components\Guardian\"??w????T??w?}?w???????????w???????????w????O??wT??w???????w????L??????w????<??????????w? ?q??w???????w? ?????|???????v???C?:?\?P?r?o?g?r?a?m? ?F?i?l?e?s?\?M?c?A?f?e?e?\?M?c?A?f?e?e? ?S?h?a?r?e?d? ?C?o?m?p?o?n?e?n?t?s?\?G?u?a?r?d?i?a?n?\?????????????????|???????????????? ??????$?w?T?w???????w?%?w?????$?wd??????????? ?@v????,2?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(192)
c:\windows\system32\nView.dll
c:\program files\SiteAdvisor\6172\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\DRIVERS\CDAC11BA.EXE
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Multimedia keyboard utility\1.3\KBDAP32A.EXE
c:\program files\Creative\ShareDLL\Mediadet.exe
c:\windows\SYSTEM32\rundll32.exe
c:\windows\SYSTEM32\rundll32.exe
c:\program files\McAfee\MWL\MwlGui.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\McAfee\MWL\MwlSvc.exe
.
**************************************************************************
.
Completion time: 2009-08-12 9:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-12 16:50

Pre-Run: 4,269,264,896 bytes free
Post-Run: 4,776,472,576 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

261 --- E O F --- 2009-05-13 14:26

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:05 AM, on 8/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Multimedia keyboard utility\1.3\KbdAp32A.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mcafee\MWL\MwlGui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mcafee\MWL\MwlSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Russell Radcliffe\Desktop\HiJackThis.exe
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb127\Dealio.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Multimedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [MWLExe] C:\PROGRA~1\Mcafee\MWL\MWLGuiSt.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb127\Dealio.dll
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb127\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (MSN Games – Matchmaking) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (MSN Games – Game Chat) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5230/mcfscan.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://www.tripcheck.com/roadcams/cams/WillamettePass_pid658.jpg

--
End of file - 12912 bytes

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=7.00.6000.16827 (vista_gdr.090226-1506)
# OnlineScanner.ocx=1.0.0.6048
# api_version=3.0.2
# EOSSerial=7ff3b1316d115e4b9ecde5f0b5b20087
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-08-12 06:58:24
# local_time=2009-08-12 11:58:24 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 37 83 88 114825168906250
# scanned=131411
# found=13
# cleaned=0
# scan_time=3279
C:\Documents and Settings\Russell Radcliffe\My Documents\Danny\gay boyfriend.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Russell Radcliffe\My Documents\Danny\Korpiklaani - Korven Kuningas (2008).wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Russell Radcliffe\My Documents\Danny\maniquin kary perry.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Russell Radcliffe\My Documents\Danny\summer crush shirubon live.snd a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Russell Radcliffe\My Documents\Danny\summer crush shirubon.au a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Russell Radcliffe\My Documents\Danny\wolves unicorn kid.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Russell Radcliffe\My Documents\Danny\Laurins music\caramelladasen - high quality.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Russell Radcliffe\My Documents\Danny\Laurins music\squeeze box who.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Russell Radcliffe\My Documents\Danny\Laurins music\tier swing kimya dawson - high quality.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Program Files\YSFLIGHT.COM\YSFLIGHT\bundle\jwv_for_PA005354.exe a variant of Win32/CnsMin application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ywmrpblkntqaty.sys.vir a variant of Win32/Rootkit.Agent.NMM trojan 00000000000000000000000000000000 I
C:\WINDOWS\iedisco.exe a variant of Win32/Dialer.Egroup application 00000000000000000000000000000000 I
C:\WINDOWS\otstuk.bat Win32/Ransom.A trojan 00000000000000000000000000000000 I
 
Do you recognize this?

C:\Program Files\YSFLIGHT.COM\YSFLIGHT\bundle\jwv_for_PA005354.exe
 