Infected with Trojan.Win32.Agent.bpgp

Polishcool

New member
Hi,

Apparently, I'm infected with Trojan.Win32.Agent.bpgp. It won't let me open or scan with McAfee, Malwarebytes, or Spybot. It also won't let me open HijackThis. However, I was able to scan using Kaspersky online scanner, and got this:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, July 26, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, July 26, 2009 19:59:20
Records in database: 2551893
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Owner\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 46903
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:59:48


File name / Threat name / Threats count
C:\WINDOWS\system32\rn.tmp Infected: Trojan.Win32.Agent.bpgp 1

The selected area was scanned.


Hope you guys can help me out, thanks.
 
Thanks for dropping by, Shaba :)

I've tried renaming it and still no luck. I always get "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." So I reinstalled HJT, and when it starts scanning, it just closes as it's about to finish. Any way I can find the log?
My McAfee has also stopped working...

In addition, I get redirected to some random sites when I try to google.

Again, thanks for looking...really appreciate it
 
So let's see if this runs:

Download DDS to your desktop from one of the links below:

Link 1
Link 2
  • Double-click the tool to run it.
  • A black screen will open; just read the contents and do nothing.
  • When the tool finishes, it will open 2 reports.
  • Copy/paste both reports back here and remove DDS from your desktop.
 
Here you go,


DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 14:49:30.59 on Mon 07/27/2009
Internet Explorer: 8.0.6001.18702

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://yahoo.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn5\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn5\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn5\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn5\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn5\yt.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [McAfee Update] c:\docume~1\owner\locals~1\temp\mcupdate_1245711462.exe /insfin c:\docume~1\owner\locals~1\temp\mcupdate_1245711462.ini /syncfin
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [dlbxmon.exe] "c:\program files\dell photo aio printer 962\dlbxmon.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [HostManager] c:\program files\common files\aol\1140494753\ee\AOLSoftware.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} - hxxp://mail.lycos.com/hanmail-ax/AttachMail.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: !SASWinLogon - c:\here\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\nivunaso.dll,c:\windows\system32\kanupele.dll,c:\windows\system32\ruhegozi.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\here\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\kanupele.dll c:\windows\system32\ruhegozi.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-07-26 20:16 <DIR> --d-h--- c:\windows\PIF
2009-07-26 20:11 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-26 20:11 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-26 19:24 <DIR> --d----- C:\HERE
2009-07-26 19:23 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-26 12:57 0 a------- C:\bhqrjohr.exe
2009-07-26 12:56 2 a------- C:\-734301808
2009-07-26 12:55 11,264 a------- C:\alurm.exe
2009-07-21 20:47 <DIR> --d----- c:\program files\iPod
2009-07-21 20:47 <DIR> --d----- c:\program files\iTunes
2009-07-07 20:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-07 20:03 <DIR> --d----- c:\program files\Bonjour

==================== Find3M ====================

2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-01 17:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 17:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 17:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 17:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 17:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 17:02 685,056 a------- c:\windows\system32\DivX.dll
2009-04-29 06:53 3,532 a------- C:\drmHeader.bin
2007-08-29 10:33 87,608 a------- c:\docume~1\owner\applic~1\inst.exe
2007-08-29 10:33 47,360 a------- c:\docume~1\owner\applic~1\pcouffin.sys

============= FINISH: 14:50:14.90 ===============


==== Installed Programs ======================

AAC Decoder
ABBYY FineReader 6.0 Sprint Plus
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.9
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
AutoUpdate
AVS DVDMenu Editor 1.2.1.19
AVS Video Converter 5.6
AVS4YOU Software Navigator 1.2
Bonjour
CardRd81
CCHelp
CCleaner (remove only)
CCScore
Compatibility Pack for the 2007 Office system
CR2
Dell Media Experience
Dell Photo AIO Printer 962
Dell ResourceCD
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTUTOR
ESSvpaht
ESSvpot
Flickr Uploadr 2.5.0.15
Google Toolbar for Internet Explorer
H.264 Decoder
HLPCCTR
HLPIndex
HLPPDOCK
HLPSFO
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
iTunes
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java(TM) 6 Update 14
K-Lite Codec Pack 4.3.4 (Full)
KSU
Logitech® Camera Driver
Malwarebytes' Anti-Malware
McAfee SecurityCenter
MGI PhotoSuite 8.1 (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Word Viewer 2003
Microsoft Visual C++ 2005 Redistributable
MKV Splitter
Modem Event Monitor
Modem On Hold
Move Networks Media Player for Internet Explorer
Move Networks Player for Internet Explorer
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML4 Parser
Notifier
OfotoXMI
OTtBP
OTtBPSDK
PCDLNCH
PowerDVD
Print to Fax
PSP Video 9 1.74
QuickTime
RealPlayer
Samsung USB Driver (MCCI 4.16)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
SFR
SFR2
Smart Attorney 8.0
Sonic DLA
Sonic RecordNow!
SoundMAX
Spybot - Search & Destroy
SpywareBlaster 4.1
Starcraft
SUPERAntiSpyware Free Edition
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC80CRTRedist - 8.0.50727.762
VCAMCEN
Veoh Web Player Beta
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 0.9.8a
VPRINTOL
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinPatrol 2008
WinRAR archiver
WordPerfect Office 11
Yahoo! Browser Services
Yahoo! Internet Mail
Yahoo! Mail Quick Select Tool (PhotoMail)
Yahoo! Messenger
Yahoo! Photos Easy Upload Tool 1v7
Yahoo! Software Update
Yahoo! Toolbar

==== End Of File ===========================
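In the log above, the lines a helper reads first are `AppInit_DLLs` (three DLLs injected into every process that loads user32.dll) and `LSA: Notification Packages` (two of the same DLLs loaded by lsass.exe at boot, alongside the default `scecli`). The script below is an added triage example, not code from DDS, ComboFix or this thread: it parses the Pseudo HJT Report section in the layout DDS prints it and flags those load points; the sample log is constructed from lines in the post above, and the `scecli`-only LSA baseline is an assumption for a stock Windows XP install.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for DLL load points.

Added example, not code from DDS, ComboFix or this thread.  It parses the
AppInit_DLLs, LSA Notification Packages and BHO/TB lines in the layout DDS
prints them and flags the DLLs a helper would want to look at first.
"""
import re

# Windows XP ships with 'scecli' as its only LSA notification package, and
# AppInit_DLLs is empty on a clean install; anything else deserves review.
LSA_BASELINE = {"scecli"}

# Constructed sample, modelled on the DDS log posted above (not a real capture).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No File
Notify: !SASWinLogon - c:\here\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\nivunaso.dll,c:\windows\system32\kanupele.dll,c:\windows\system32\ruhegozi.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\here\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\kanupele.dll c:\windows\system32\ruhegozi.dll

============= SERVICES / DRIVERS ===============
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def section_lines(text):
    """Yield the non-blank lines between the Pseudo HJT header and the next '=' header."""
    inside = False
    for line in text.splitlines():
        if line.startswith("=") and "Pseudo HJT Report" in line:
            inside = True
            continue
        if inside and line.startswith("="):
            return
        if inside and line.strip():
            yield line.rstrip()


def _basename(path):
    """Lower-cased file name of a Windows path ('c:\\x\\Foo.DLL' -> 'foo.dll')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _stem(path):
    """Basename without a trailing '.dll', which is how LSA lists packages."""
    name = _basename(path)
    return name[:-4] if name.endswith(".dll") else name


def triage(text):
    """Return (severity, detail) findings for the log, highest severity first."""
    appinit, lsa_extra, findings = [], [], []
    for line in section_lines(text):
        prefix, _, rest = line.partition(":")
        rest = rest.strip()
        if prefix == "AppInit_DLLs":
            # DDS prints the registry value verbatim: comma-separated paths.
            appinit = [p.strip() for p in rest.split(",") if p.strip()]
            for dll in appinit:
                findings.append(("medium", f"AppInit_DLLs loads {dll} into every process that maps user32.dll"))
        elif prefix == "LSA" and rest.startswith("Notification Packages"):
            # Space-separated as DDS prints it; paths containing spaces would need quoting.
            _, _, pkgs = rest.partition("=")
            for pkg in re.split(r"\s+", pkgs.strip()):
                if pkg and _stem(pkg) not in LSA_BASELINE:
                    lsa_extra.append(pkg)
                    findings.append(("high", f"non-default LSA notification package {pkg} (loaded by lsass.exe at boot)"))
        elif prefix in ("BHO", "TB", "Notify") and rest.endswith("- No File"):
            findings.append(("info", f"orphaned {prefix} entry with no backing file: {rest}"))

    # The same DLL registered in both load points is the pattern to escalate.
    both = {_basename(a) for a in appinit} & {_basename(p) for p in lsa_extra}
    for name in sorted(both):
        findings.append(("high", f"{name} is registered in both AppInit_DLLs and LSA Notification Packages"))

    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


if __name__ == "__main__":
    for severity, detail in triage(SAMPLE_LOG):
        print(f"[{severity:<6}] {detail}")
```

Run against the constructed sample it reports the two DLLs present in both load points as high, the three AppInit entries as medium and the orphaned toolbar CLSID as informational; legitimate security-tool entries such as the SUPERAntiSpyware `Notify` and `SEH` lines are left alone.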
 
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
 
Just had a minor problem: when ComboFix tried to install the Windows Recovery Console, it wouldn't let it connect to the internet. But other than that, the scan went well. Should I still install the Recovery Console?

Here's the ComboFix results and a fresh Hjt log:

ComboFix 09-07-26.03 - Owner 07/27/2009 15:56.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.229 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\alurm.exe
C:\bhqrjohr.exe
c:\docume~1\Owner\APPLIC~1\inst.exe
c:\windows\Downloaded Program Files\ijjiPreNotify2.exe
c:\windows\Installer\9e8f4.msi
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\wpcap.dll

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-06-27 to 2009-07-27 )))))))))))))))))))))))))))))))
.

2009-07-27 00:16 . 2009-07-27 00:16 -------- d--h--w- c:\windows\PIF
2009-07-27 00:12 . 2009-07-27 00:12 3775175 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-27 00:11 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-27 00:11 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-26 23:24 . 2009-07-27 00:11 -------- d-----w- C:\HERE
2009-07-26 23:23 . 2009-07-26 23:23 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-26 17:42 . 2009-07-26 17:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-07-22 00:47 . 2009-07-22 00:47 -------- d-----w- c:\program files\iPod
2009-07-22 00:47 . 2009-07-22 00:48 -------- d-----w- c:\program files\iTunes
2009-07-22 00:35 . 2009-07-22 00:35 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-08 00:04 . 2009-07-08 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-08 00:03 . 2009-07-08 00:03 -------- d-----w- c:\program files\Bonjour
2009-07-08 00:01 . 2009-07-08 00:02 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-27 20:08 . 2003-07-16 20:38 407040 ----a-w- c:\windows\system32\netlogon.dll
2009-07-27 18:20 . 2007-12-09 07:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-27 18:19 . 2008-12-27 02:30 -------- d-----w- c:\program files\SpywareBlaster
2009-07-27 11:54 . 2006-08-19 03:02 -------- d-----w- c:\program files\Common Files\McAfee
2009-07-27 11:54 . 2006-08-19 03:02 -------- d-----w- c:\program files\McAfee
2009-07-27 11:54 . 2006-08-04 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-27 11:54 . 2006-08-19 03:02 -------- d-----w- c:\program files\McAfee.com
2009-07-27 01:03 . 2008-11-15 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-26 22:58 . 2009-06-23 02:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-26 17:37 . 2006-06-14 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-26 16:58 . 2006-10-14 15:59 -------- d-----w- c:\docume~1\Owner\APPLIC~1\uTorrent
2009-07-26 12:57 . 2007-11-18 02:41 -------- d-----w- c:\program files\Starcraft
2009-07-24 00:27 . 2008-12-02 20:09 -------- d-----w- c:\docume~1\Owner\APPLIC~1\U3
2009-07-22 00:47 . 2008-02-12 21:52 -------- d-----w- c:\program files\Common Files\Apple
2009-07-20 22:16 . 2009-03-05 02:20 -------- d-----w- c:\docume~1\Owner\APPLIC~1\vlc
2009-07-06 20:47 . 2007-04-18 17:51 -------- d-----w- c:\program files\MSECache
2009-06-23 02:26 . 2009-06-23 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-23 02:25 . 2009-06-23 02:25 -------- d-----w- c:\docume~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2009-06-23 02:21 . 2006-03-29 03:41 -------- d-----w- c:\program files\Java
2009-06-22 23:19 . 2009-06-22 23:19 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-06-21 22:58 . 2006-04-03 01:52 -------- d-----w- c:\program files\Google
2009-06-17 18:04 . 2009-06-17 17:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-16 14:36 . 2003-07-16 20:47 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2003-07-16 20:28 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-07 16:54 . 2007-08-29 15:09 -------- d-----w- c:\program files\DivX
2009-06-07 16:52 . 2009-04-24 00:07 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-03 19:09 . 2003-07-16 20:42 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-21 15:33 . 2008-12-27 03:11 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-14 03:25 . 2006-08-19 03:03 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-05-14 03:25 . 2006-08-19 03:03 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-05-14 03:25 . 2006-08-19 03:03 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-05-14 03:25 . 2006-08-19 03:03 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-05-14 03:24 . 2006-08-19 03:03 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-05-13 05:15 . 2005-10-21 20:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2003-07-16 20:32 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-04-29 10:53 . 2009-04-29 10:53 3532 ----a-w- C:\drmHeader.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-24 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"dlbxmon.exe"="c:\program files\Dell Photo AIO Printer 962\dlbxmon.exe" [2004-08-27 417792]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2005-09-20 114688]
"HostManager"="c:\program files\Common Files\AOL\1140494753\ee\AOLSoftware.exe" [2006-05-10 50760]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-23 185896]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-8-11 757760]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\here\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\here\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140494753\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140494753\\ee\\aim6.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\here\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 6:51 PM 24652]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 SASENUM;SASENUM;c:\here\SASENUM.SYS [5/26/2009 10:05 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-07-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
.

**************************************************************************

driver loading error catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-27 16:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**\%e*]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**\%e*\OpenWithList]
@Class="Shell"
"a"="elegy.rtf"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**\%e*\OpenWithProgids]
"+e_auto_file"=hex(0):

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*¿*j%%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*¿*j%%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*!#%*÷*]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*!#%*÷*\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*<%%*^%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*<%%*^%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*R%%*S%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*R%%*S%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a%%*b%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a%%*b%\OpenWithList]
@Class="Shell"
"a"="WORDPAD.EXE"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a%%*b%\OpenWithProgids]
"¦%¦_auto_file"=hex(0):

[HKEY_LOCAL_MACHINE\software\Classes\.**\%e*]
@="+e_auto_file"

[HKEY_LOCAL_MACHINE\software\Classes\.*a%%*b%]
@="¦%¦_auto_file"

[HKEY_LOCAL_MACHINE\software\Classes\*\%e*_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@="\"c:\\Documents and Settings\\Owner\\My Documents\\elegy.rtf\" %1"

[HKEY_LOCAL_MACHINE\software\Classes\a%%*b%_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@=expand:"\"%ProgramFiles%\\Windows NT\\Accessories\\WORDPAD.EXE\" \"%1\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\here\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2532)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\dlbxcoms.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-07-27 16:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-27 20:23

Pre-Run: 23,514,705,920 bytes free
Post-Run: 24,237,125,632 bytes free

246 --- E O F --- 2009-07-15 14:34
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:25:47 PM, on 7/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\dlbxcoms.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Common Files\AOL\1140494753\ee\AOLSoftware.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140494753\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O20 - Winlogon Notify: !SASWinLogon - C:\HERE\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\System32\dlbxcoms.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9918 bytes
 
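A small triage pass over lines like the HijackThis log above, as an added example (not code from this thread, from HijackThis, or from the helper). The sample input is five lines copied from the log posted above; the two heuristics (a registered component whose file is reported missing, and a Winlogon Notify DLL loading from outside system32) are my choice of what a responder reads first, and they flag entries for review rather than declare them malicious: the missing McAfee files match the uninstall the poster describes, and the `SAS*` name on the Winlogon Notify DLL matches the SUPERAntiSpyware components elsewhere in the log.

```python
"""Triage a HijackThis log: pull out the entries a responder reads first."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Sample input: five lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\HERE\SASWINLO.dll
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# HijackThis lines start with a section code (R0..R3, O1..O24) followed by " - ".
LINE_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<rest>.+)$")

# Where a Winlogon Notify DLL normally lives; anything else gets a second look.
SYSTEM32_PREFIXES = ("c:\\windows\\system32\\", "%systemroot%\\system32\\")

MISSING = "registered component whose file is missing"
NOTIFY_OUTSIDE = "Winlogon Notify DLL outside system32"


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section code, e.g. "O23"
    reason: str
    line: str


def last_field(rest: str) -> str:
    """HijackThis puts the file path in the final ' - ' separated field."""
    return rest.rsplit(" - ", 1)[-1].strip()


def triage(log_text: str) -> list[Finding]:
    """Return the lines worth a closer look, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, rest = m["kind"], m["rest"]
        path = last_field(rest)
        if kind in ("O2", "O3", "O23") and path.lower().endswith("(file missing)"):
            # Orphaned BHO/toolbar/service: either an uninstall left debris behind
            # (the McAfee entries here, after the poster removed it) or something
            # deleted the binary out from under a still-registered component.
            findings.append(Finding(kind, MISSING, line))
        elif kind == "O20" and not path.lower().startswith(SYSTEM32_PREFIXES):
            # Winlogon Notify DLLs are loaded into winlogon.exe at boot, so an
            # unusual directory is worth verifying even when the name looks benign.
            findings.append(Finding(kind, NOTIFY_OUTSIDE, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts per reason, handy as an overview of a long log."""
    return dict(Counter(f.reason for f in findings))
```

Run `triage(SAMPLE_LOG)` and the three flagged lines come back (the orphaned scriptproxy BHO, the Winlogon Notify DLL in C:\HERE, and the missing McShield service); the Java BHO and Bonjour service pass. The point of the `(file missing)` check is that the registration outlives the file: until those keys are cleaned, a later dropper that recreates the path gets loaded without any new autostart entry appearing.
 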
Please see the link I gave you about ComboFix and install the Recovery Console.

After that, please rerun ComboFix and post back a fresh ComboFix log.
 
Hi,

The link doesn't seem to be working anymore.

Anyhow, I can't find the CD needed to manually install the Recovery Console... can I somehow proceed without it?
 
There are some routing problems.

Try to access that site via myproxy.ca.

You don't need a CD for that :)
 
I was able to access the site via myproxy.ca, thanks :eek:

I downloaded the appropriate file for my version of Windows XP, and followed the next step by dragging it on top of the ComboFix icon... it got an error saying that the CFScript was spelt incorrectly. Also, I've uninstalled McAfee since I can no longer open it in order to disable it... somehow ComboFix still detects it :sad:
 
I got the Recovery Console installation to work (had to rename the file to WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe).

Here's the fresh combofix log:

ComboFix 09-07-26.03 - Owner 07/28/2009 22:37.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.228 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-29 )))))))))))))))))))))))))))))))
.

2009-07-28 23:29 . 2009-07-28 23:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-28 03:08 . 2009-07-28 03:08 2967799 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-28 03:08 . 2009-04-06 19:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-28 03:08 . 2009-04-06 19:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-28 03:08 . 2009-07-28 03:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-27 20:25 . 2009-07-27 20:25 -------- d-----w- c:\program files\Trend Micro
2009-07-27 00:16 . 2009-07-27 00:16 -------- d--h--w- c:\windows\PIF
2009-07-26 23:24 . 2009-07-28 20:42 -------- d-----w- C:\HERE
2009-07-26 17:42 . 2009-07-26 17:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-07-22 00:47 . 2009-07-22 00:47 -------- d-----w- c:\program files\iPod
2009-07-22 00:47 . 2009-07-22 00:48 -------- d-----w- c:\program files\iTunes
2009-07-22 00:35 . 2009-07-22 00:35 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-08 00:04 . 2009-07-08 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-08 00:03 . 2009-07-08 00:03 -------- d-----w- c:\program files\Bonjour
2009-07-08 00:01 . 2009-07-08 00:02 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-28 17:17 . 2009-06-17 17:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-28 17:01 . 2006-06-14 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-27 20:08 . 2003-07-16 20:38 407040 ----a-w- c:\windows\system32\netlogon.dll
2009-07-27 18:20 . 2007-12-09 07:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-27 18:19 . 2008-12-27 02:30 -------- d-----w- c:\program files\SpywareBlaster
2009-07-27 11:54 . 2006-08-04 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-27 01:03 . 2008-11-15 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-26 22:58 . 2009-06-23 02:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-26 16:58 . 2006-10-14 15:59 -------- d-----w- c:\docume~1\Owner\APPLIC~1\uTorrent
2009-07-26 12:57 . 2007-11-18 02:41 -------- d-----w- c:\program files\Starcraft
2009-07-24 00:27 . 2008-12-02 20:09 -------- d-----w- c:\docume~1\Owner\APPLIC~1\U3
2009-07-22 00:47 . 2008-02-12 21:52 -------- d-----w- c:\program files\Common Files\Apple
2009-07-20 22:16 . 2009-03-05 02:20 -------- d-----w- c:\docume~1\Owner\APPLIC~1\vlc
2009-07-06 20:47 . 2007-04-18 17:51 -------- d-----w- c:\program files\MSECache
2009-06-23 02:26 . 2009-06-23 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-23 02:25 . 2009-06-23 02:25 -------- d-----w- c:\docume~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2009-06-23 02:21 . 2006-03-29 03:41 -------- d-----w- c:\program files\Java
2009-06-22 23:19 . 2009-06-22 23:19 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-06-21 22:58 . 2006-04-03 01:52 -------- d-----w- c:\program files\Google
2009-06-16 14:36 . 2003-07-16 20:47 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2003-07-16 20:28 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-07 16:54 . 2007-08-29 15:09 -------- d-----w- c:\program files\DivX
2009-06-07 16:52 . 2009-04-24 00:07 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-03 19:09 . 2003-07-16 20:42 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-21 15:33 . 2008-12-27 03:11 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-14 03:25 . 2006-08-19 03:03 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-05-14 03:25 . 2006-08-19 03:03 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-05-14 03:25 . 2006-08-19 03:03 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-05-14 03:25 . 2006-08-19 03:03 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-05-14 03:24 . 2006-08-19 03:03 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-05-13 05:15 . 2005-10-21 20:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2003-07-16 20:32 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-27_20.12.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-28 23:32 . 2009-07-28 23:32 16384 c:\windows\Temp\Perflib_Perfdata_3a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-24 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"dlbxmon.exe"="c:\program files\Dell Photo AIO Printer 962\dlbxmon.exe" [2004-08-27 417792]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2005-09-20 114688]
"HostManager"="c:\program files\Common Files\AOL\1140494753\ee\AOLSoftware.exe" [2006-05-10 50760]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-23 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-8-11 757760]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140494753\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140494753\\ee\\aim6.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 6:51 PM 24652]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
.

**************************************************************************

catchme 0.3.1398.3 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-28 22:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**\%e*]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**\%e*\OpenWithList]
@Class="Shell"
"a"="elegy.rtf"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**\%e*\OpenWithProgids]
"+e_auto_file"=hex(0):

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*¿*j%%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*¿*j%%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*!#%*÷*]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*!#%*÷*\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*<%%*^%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*<%%*^%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*R%%*S%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*R%%*S%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a%%*b%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a%%*b%\OpenWithList]
@Class="Shell"
"a"="WORDPAD.EXE"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a%%*b%\OpenWithProgids]
"¦%¦_auto_file"=hex(0):

[HKEY_LOCAL_MACHINE\software\Classes\.**\%e*]
@="+e_auto_file"

[HKEY_LOCAL_MACHINE\software\Classes\.*a%%*b%]
@="¦%¦_auto_file"

[HKEY_LOCAL_MACHINE\software\Classes\*\%e*_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@="\"c:\\Documents and Settings\\Owner\\My Documents\\elegy.rtf\" %1"

[HKEY_LOCAL_MACHINE\software\Classes\a%%*b%_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@=expand:"\"%ProgramFiles%\\Windows NT\\Accessories\\WORDPAD.EXE\" \"%1\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1580)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-07-29 22:52
ComboFix-quarantined-files.txt 2009-07-29 02:52
ComboFix2.txt 2009-07-27 20:23

Pre-Run: 24,181,448,704 bytes free
Post-Run: 24,286,633,984 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

218 --- E O F --- 2009-07-15 14:34
 
Please do a search for proquota.exe and let me know where it is located if anywhere.
 
Hi,

Search results found 2 items:

1) proquota.exe

C:\WINDOWS\ServicePackFiles\i386

2) proquota.exe.vir

C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem
 
Filename: proquota.exe
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Tue 16 Jun 2009 07:18:37 (CET)
 
Good, so we can use that one.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quotebox below into it:

FCopy::
C:\WINDOWS\ServicePackFiles\i386\proquota.exe | c:\windows\system32\proquota.exe

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe.

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
 
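The step above restores a missing system binary from a spare copy, and the helper first checked that the spare was clean. The added example below (mine, not the helper's procedure and not part of ComboFix) shows the check a practitioner would script before writing such an FCopy:: line: enumerate every copy of the file under the volume, including quarantined `.vir` copies, hash each one, and only emit a restore directive for a non-quarantined copy whose SHA-256 matches a reference. The reference hash is assumed to come from a trusted source (a clean machine of the same service-pack level or a vendor hash lookup); the FCopy:: "source | destination" form is the one used in the script above; the directory layout and file contents in `run_demo()` are constructed stand-ins mirroring the locations reported in this thread.

```python
"""Choose a trustworthy copy of a missing system file before restoring it."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_candidates(root: Path, name: str) -> list[Path]:
    """Every copy of `name` under `root`, plus quarantined copies named `name.vir`."""
    found = [p for p in root.rglob(name) if p.is_file()]
    found += [p for p in root.rglob(name + ".vir") if p.is_file()]
    return sorted(found)


def choose_restore_source(root: Path, name: str, reference_sha256: str):
    """Return (copy to restore from or None, {relative path: sha256} for every candidate).

    A copy is eligible only if it is not in quarantine AND matches the reference hash;
    quarantined copies are hashed too, so the report shows whether they were tampered.
    """
    report: dict[str, str] = {}
    chosen: Path | None = None
    for p in find_candidates(root, name):
        digest = sha256_of(p)
        report[p.relative_to(root).as_posix()] = digest
        if chosen is None and p.suffix.lower() != ".vir" and digest == reference_sha256:
            chosen = p
    return chosen, report


def cfscript_fcopy(src: Path, dst: Path) -> str:
    """Render the FCopy:: directive in the 'source | destination' form used in this thread."""
    return f"FCopy::\n{src} | {dst}\n"


def run_demo() -> dict:
    """Constructed scenario mirroring the thread: service-pack copy present, quarantined
    copy present, system32 copy missing. Returns a summary the caller can check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = b"MZ...constructed stand-in for a clean proquota.exe"      # constructed data
        bad = b"MZ...constructed stand-in for a tampered copy"           # constructed data
        sp = root / "WINDOWS" / "ServicePackFiles" / "i386" / "proquota.exe"
        vir = root / "Qoobox" / "Quarantine" / "C" / "WINDOWS" / "system32" / "wbem" / "proquota.exe.vir"
        for p, data in ((sp, good), (vir, bad)):
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        # Assumption: the reference hash was obtained from a trusted source beforehand.
        reference = hashlib.sha256(good).hexdigest()
        chosen, report = choose_restore_source(root, "proquota.exe", reference)
        dst = root / "WINDOWS" / "system32" / "proquota.exe"
        return {
            "chosen": chosen.relative_to(root).as_posix() if chosen else None,
            "candidates": sorted(report),
            "quarantine_matches_reference": report[vir.relative_to(root).as_posix()] == reference,
            "script": cfscript_fcopy(chosen, dst) if chosen else None,
            # With a reference that matches nothing, no restore source is offered.
            "no_match": choose_restore_source(root, "proquota.exe", "0" * 64)[0],
        }
```

Note that the quarantined copy in the thread was taken from `system32\wbem`, not from `system32` where the real proquota.exe lives; a legitimate file name in an unexpected directory is exactly the case in which comparing hashes, rather than trusting the name, pays off. If no candidate matches the reference, the function returns `None` and nothing should be copied back.
 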
Hi,

Here you go :)

ComboFix 09-07-26.03 - Owner 07/29/2009 7:34.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.209 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\proquota.exe --> c:\windows\system32\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-29 )))))))))))))))))))))))))))))))
.

2009-07-29 11:34 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-29 11:34 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-28 23:29 . 2009-07-28 23:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-28 03:08 . 2009-07-28 03:08 2967799 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-28 03:08 . 2009-04-06 19:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-28 03:08 . 2009-04-06 19:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-28 03:08 . 2009-07-28 03:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-27 20:25 . 2009-07-27 20:25 -------- d-----w- c:\program files\Trend Micro
2009-07-27 00:16 . 2009-07-27 00:16 -------- d--h--w- c:\windows\PIF
2009-07-26 23:24 . 2009-07-28 20:42 -------- d-----w- C:\HERE
2009-07-26 17:42 . 2009-07-26 17:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-07-22 00:47 . 2009-07-22 00:47 -------- d-----w- c:\program files\iPod
2009-07-22 00:47 . 2009-07-22 00:48 -------- d-----w- c:\program files\iTunes
2009-07-22 00:35 . 2009-07-22 00:35 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-08 00:04 . 2009-07-08 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-08 00:03 . 2009-07-08 00:03 -------- d-----w- c:\program files\Bonjour
2009-07-08 00:01 . 2009-07-08 00:02 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-28 17:17 . 2009-06-17 17:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-28 17:01 . 2006-06-14 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-27 20:08 . 2003-07-16 20:38 407040 ----a-w- c:\windows\system32\netlogon.dll
2009-07-27 18:20 . 2007-12-09 07:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-27 18:19 . 2008-12-27 02:30 -------- d-----w- c:\program files\SpywareBlaster
2009-07-27 11:54 . 2006-08-04 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-27 01:03 . 2008-11-15 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-26 22:58 . 2009-06-23 02:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-26 16:58 . 2006-10-14 15:59 -------- d-----w- c:\docume~1\Owner\APPLIC~1\uTorrent
2009-07-26 12:57 . 2007-11-18 02:41 -------- d-----w- c:\program files\Starcraft
2009-07-24 00:27 . 2008-12-02 20:09 -------- d-----w- c:\docume~1\Owner\APPLIC~1\U3
2009-07-22 00:47 . 2008-02-12 21:52 -------- d-----w- c:\program files\Common Files\Apple
2009-07-20 22:16 . 2009-03-05 02:20 -------- d-----w- c:\docume~1\Owner\APPLIC~1\vlc
2009-07-06 20:47 . 2007-04-18 17:51 -------- d-----w- c:\program files\MSECache
2009-06-23 02:26 . 2009-06-23 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-23 02:25 . 2009-06-23 02:25 -------- d-----w- c:\docume~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2009-06-23 02:21 . 2006-03-29 03:41 -------- d-----w- c:\program files\Java
2009-06-22 23:19 . 2009-06-22 23:19 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-06-21 22:58 . 2006-04-03 01:52 -------- d-----w- c:\program files\Google
2009-06-16 14:36 . 2003-07-16 20:47 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2003-07-16 20:28 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-07 16:54 . 2007-08-29 15:09 -------- d-----w- c:\program files\DivX
2009-06-07 16:52 . 2009-04-24 00:07 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-03 19:09 . 2003-07-16 20:42 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-21 15:33 . 2008-12-27 03:11 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-14 03:25 . 2006-08-19 03:03 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-05-14 03:25 . 2006-08-19 03:03 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-05-14 03:25 . 2006-08-19 03:03 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-05-14 03:25 . 2006-08-19 03:03 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-05-14 03:24 . 2006-08-19 03:03 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-05-13 05:15 . 2005-10-21 20:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2003-07-16 20:32 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-27_20.12.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-28 23:32 . 2009-07-28 23:32 16384 c:\windows\Temp\Perflib_Perfdata_3a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-24 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"dlbxmon.exe"="c:\program files\Dell Photo AIO Printer 962\dlbxmon.exe" [2004-08-27 417792]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2005-09-20 114688]
"HostManager"="c:\program files\Common Files\AOL\1140494753\ee\AOLSoftware.exe" [2006-05-10 50760]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-23 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-8-11 757760]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140494753\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140494753\\ee\\aim6.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 6:51 PM 24652]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
.

**************************************************************************

driver loading error catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-29 07:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**\%e*]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**\%e*\OpenWithList]
@Class="Shell"
"a"="elegy.rtf"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**\%e*\OpenWithProgids]
"+e_auto_file"=hex(0):

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*¿*j%%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*¿*j%%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*!#%*÷*]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*!#%*÷*\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*<%%*^%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*<%%*^%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*R%%*S%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*R%%*S%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a%%*b%]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a%%*b%\OpenWithList]
@Class="Shell"
"a"="WORDPAD.EXE"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-1935655697-1844237615-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a%%*b%\OpenWithProgids]
"¦%¦_auto_file"=hex(0):

[HKEY_LOCAL_MACHINE\software\Classes\.**\%e*]
@="+e_auto_file"

[HKEY_LOCAL_MACHINE\software\Classes\.*a%%*b%]
@="¦%¦_auto_file"

[HKEY_LOCAL_MACHINE\software\Classes\*\%e*_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@="\"c:\\Documents and Settings\\Owner\\My Documents\\elegy.rtf\" %1"

[HKEY_LOCAL_MACHINE\software\Classes\a%%*b%_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@=expand:"\"%ProgramFiles%\\Windows NT\\Accessories\\WORDPAD.EXE\" \"%1\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3544)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-07-29 7:54
ComboFix-quarantined-files.txt 2009-07-29 11:54
ComboFix2.txt 2009-07-29 02:52
ComboFix3.txt 2009-07-27 20:23

Pre-Run: 24,296,194,048 bytes free
Post-Run: 24,266,878,976 bytes free

216 --- E O F --- 2009-07-15 14:34



I still can't figure out why McAfee is still there. I've uninstalled it via Add/Remove Programs, then searched for and deleted its remaining files/folders. Security Center still shows it as enabled. Any way to fix this?
 
That is because the repository hasn't been flushed. No need to worry about that :)

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.
 
That's good to know :)

Here are the Kaspersky and Hjt logs:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, July 29, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, July 29, 2009 18:24:50
Records in database: 2561503
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 90446
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 02:38:08


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\netlogon.dll.vir Infected: Trojan.Win32.Crot.a 1
C:\System Volume Information\_restore{B45444B2-9B57-4292-9AE4-053A9A102ED5}\RP167\A0027302.dll Infected: Trojan.Win32.Crot.a 1
C:\WINDOWS\system32\rn.tmp Infected: Trojan.Win32.Agent.bpgp 1

The selected area was scanned.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:49 PM, on 7/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Common Files\AOL\1140494753\ee\AOLSoftware.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\dlbxcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140494753\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\System32\dlbxcoms.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9271 bytes
 