My computer is ill, I'm hoping not terminally

WAA4086

New member
Hello,

My computer is ill, and I'm hoping it is not terminal.

I am running:

Windows XP sp1
McAfee virus protection
Spy sweeper antispyware protection


My antivirus and antispyware keep finding multiple viruses and/or trojans (such as newmalware.j) and tell me they cannot be cleaned, quarantined or deleted.

My Control Panel is inaccessible now. The message tells me the operation has been canceled due to restrictions in effect. I am logged in as the system administrator.

I get a pop up message: Windows security alert Warning! Potential spyware operation. Your coputer is making unauthorized copies of your system and Internet files. Run fill scan now to prevent any unathorised (yes it is mis-spelled in the message) access to your files! Click yes to download spyware remover... Yes or No. I always select No, because I am suspicious of this.

I have tried to install Spybot Search & Destroy. The computer will not allow me to. (gives me the "this operation is canceled due to restrictions...." message) though I am logged in as the administrator.

I tried to do a system restore and again it will not allow access to it.

I was able to boot in safe mode and install HijackThis and run a scan. I will post it next and await a reply from you.

Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:52:52 PM, on 12/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\proper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\proper.exe
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {d262e70a-7841-4a85-9aa1-8d66aa593c89} - (no file)
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\System32\bronto.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] "c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [VirusScan Online] "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\Wendy\LOCALS~1\Temp\14842\gm.exe
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\System32\winter.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [McRegWiz] "C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe" /autorun
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\System32\winter.exe
O4 - HKUS\S-1-5-18\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe (User 'Default user')
O4 - Startup: infos.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: autos.exe
O4 - Global Startup: Malwaredetectedthisautos.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra 'Tools' menuitem: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\sol548.txt
O20 - Winlogon Notify: awvkrtxwr - C:\WINDOWS\SYSTEM32\ejyiuvrm.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: __c00BE241 - C:\WINDOWS\System32\__c00BE241.dat
O21 - SSODL: E404Helper - {67863fb9-04e9-48e6-aebc-fb84875ed091} - e404d.dll (file missing)
O22 - SharedTaskScheduler: sdf4dr4gfdgeetj - {B5AC49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\System32\svchost.exe:ext.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\System32\_svchost.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9284 by
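The log above already contains most of what a forum analyst looks for by eye: a `Shell=` value that launches a second executable after Explorer.exe, Run entries loading from a Temp directory or as a bare filename, an O7 policy entry (the cause of the "restrictions in effect" errors), non-DLL files in AppInit_DLLs and Winlogon Notify, and a service whose binary lives in an NTFS alternate data stream (`svchost.exe:ext.exe`). The script below is an added example, not part of this thread and not a HijackThis feature; it applies those checks mechanically to a constructed subset of the lines above. The function names (`triage`, `_o4_target`) and the heuristics are my own assumptions about how to encode the analyst's rules.

```python
import re
from typing import Dict, List

# Constructed subset of the safe-mode log above, with a few benign entries
# kept in so the checks can be seen to stay quiet on them.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\proper.exe
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\Wendy\LOCALS~1\Temp\14842\gm.exe
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\System32\sol548.txt
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: __c00BE241 - C:\WINDOWS\System32\__c00BE241.dat
O23 - Service: FCI - Unknown owner - C:\WINDOWS\System32\svchost.exe:ext.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")


def _o4_target(entry: str) -> str:
    """Pull the executable path out of an O4 entry. Quoted paths end at the
    closing quote, unquoted ones at the first space; Startup-folder entries
    use 'name.lnk = path'. A heuristic, not a full command-line parser."""
    m = re.search(r"\]\s*(.*)$", entry)
    if m:
        cmd = m.group(1)
    elif " = " in entry:
        cmd = entry.split(" = ", 1)[1]
    else:
        cmd = entry.split(": ", 1)[-1]
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd.split() else ""


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the entries an analyst would question, with the reason for each."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, entry = m.groups()
        reason = None
        if kind == "F2" and entry.lower().startswith("reg:system.ini: shell="):
            # The only legitimate value is Explorer.exe on its own.
            shell = entry.split("=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                reason = "Shell= launches something besides Explorer.exe"
        elif kind == "O4":
            target = _o4_target(entry)
            if "\\" not in target:
                reason = "startup item given as a bare filename (found by PATH search)"
            elif re.search(r"\\temp\\", target, re.I):
                reason = "startup item launched from a Temp directory"
        elif kind == "O7":
            # HijackThis lists O7 only when a policy restriction is set.
            reason = "policy restriction set (source of 'restrictions in effect' errors)"
        elif kind == "O20":
            # AppInit_DLLs and Winlogon Notify must load DLLs; .txt/.dat here is a disguise.
            path = entry.rsplit(" - ", 1)[-1] if " - " in entry else entry.split(":", 1)[-1]
            path = re.sub(r"\s*\((file missing|no file)\)$", "", path).strip()
            if path and not path.lower().endswith(".dll"):
                reason = "load point (AppInit_DLLs / Winlogon Notify) pointing at a non-DLL file"
        elif kind == "O23":
            # A second colon after the drive letter means file:stream, an NTFS ADS.
            path = entry.rsplit(" - ", 1)[-1]
            if re.match(r"^[A-Za-z]:\\[^:]*:", path):
                reason = "service binary stored in an NTFS alternate data stream"
        if reason:
            findings.append({"kind": kind, "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:4} {f['reason']}\n     {f['line']}")
```

The checks are deliberately narrow: they fire on structural oddities (wrong file type in a load point, wrong location, an ADS path, a policy that should not exist on a home machine) rather than on filenames, so they keep working when the malware is renamed. Entries that pass, such as the Webroot and Lexmark lines, still need a human look; the script only orders the work.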
 
Hi WAA4086 and welcome to Safer Networking Forums :)

Please post next a fresh HijackThis log taken in normal mode, if possible.
 
Requested log

Thank you for the quick response. Here is the HijackThis log while running my computer in normal mode.

I have my computer disconnected from the internet otherwise it takes forever to try and do anything. I am using my laptop to post to you. (saving the logs to a USB drive from the infected computer)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:49 AM, on 12/31/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\Explorer.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
c:\program files\mcafee.com\vso\mcmnhdlr.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE
C:\Novell\Messenger\NMCL32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Malwaredetectedthisautos.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\proper.exe
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {d262e70a-7841-4a85-9aa1-8d66aa593c89} - (no file)
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\System32\bronto.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [mmtask] "c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [VirusScan Online] "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\Wendy\LOCALS~1\Temp\14842\gm.exe
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\System32\winter.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [McRegWiz] "C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe" /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] "C:\PROGRA~1\AIM\aim.exe" -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo R380 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE" /FU "C:\WINDOWS\TEMP\E_S130.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Novell Messenger] "C:\Novell\Messenger\NMCL32.exe"
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Wendy\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\System32\winter.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - HKUS\S-1-5-18\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe (User 'Default user')
O4 - Startup: infos.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: autos.exe
O4 - Global Startup: Malwaredetectedthisautos.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra 'Tools' menuitem: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\sol548.txt
O20 - Winlogon Notify: awvkrtxwr - C:\WINDOWS\SYSTEM32\ejyiuvrm.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: __c00BE241 - C:\WINDOWS\System32\__c00BE241.dat
O21 - SSODL: E404Helper - {67863fb9-04e9-48e6-aebc-fb84875ed091} - e404d.dll (file missing)
O22 - SharedTaskScheduler: sdf4dr4gfdgeetj - {B5AC49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\System32\svchost.exe:ext.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\System32\_svchost.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
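Comparing the two logs is itself a technique: the normal-mode scan lists two HKCU Run entries that the safe-mode scan a day earlier did not (`Firewall auto setup` pointing at a `winlogon.exe` in the user's Temp directory, and `Spoolsv` pointing at `spoolvs.exe`), which says the infection rewrites its load points while it is running. Both use names chosen to pass as Windows XP core processes, one by location and one by a transposed pair of letters. The script below is an added example, not part of this thread: it diffs the O4 entries of the two scans and checks every executable name against the XP core binaries, using both the expected directory and a one-edit lookalike test. The sample lines are a constructed subset of the two logs above; `EXPECTED_DIR`, `osa_distance` and `review` are my own names and assumptions.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed subset of the two logs posted above: four O4 lines that appear
# in both scans, plus the two that show up only in the normal-mode scan.
SAFE_MODE_LOG = r"""
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\System32\winter.exe
"""

NORMAL_MODE_LOG = SAFE_MODE_LOG + r"""
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Wendy\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
"""

# Windows XP core processes and the directory each one legitimately runs from
# (lower-cased for comparison). Anything else using one of these names, or a
# name one typo away from one, deserves a second look.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance: an insert, delete, substitution
    or swap of two adjacent characters each cost 1, so spoolvs.exe is 1 away
    from spoolsv.exe and _svchost.exe is 1 away from svchost.exe."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def startup_entries(log_text: str) -> set:
    """The O4 (startup) lines of a HijackThis log, as a set for diffing."""
    return {ln.strip() for ln in log_text.splitlines() if ln.strip().startswith("O4 - ")}


def executable_path(entry: str) -> str:
    """First drive-letter path ending in .exe, else the first bare *.exe token."""
    m = re.search(r"[A-Za-z]:\\.*?\.exe", entry, re.I) or re.search(r"\S+\.exe", entry, re.I)
    return m.group(0) if m else ""


def lookalike_reason(path: str) -> Optional[str]:
    """Why this executable name is suspicious, or None if it is not."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    if name in EXPECTED_DIR:
        if directory != EXPECTED_DIR[name]:
            return f"system process name {name} running from {directory or '(no directory)'}"
        return None
    for legit in EXPECTED_DIR:
        if osa_distance(name, legit) == 1:
            return f"{name} is one edit away from system process {legit}"
    return None


def review(safe_log: str, normal_log: str) -> List[Dict[str, object]]:
    """Every startup entry of the normal-mode log, marked as new relative to
    the safe-mode log and annotated with any lookalike finding."""
    safe = startup_entries(safe_log)
    return [
        {
            "entry": entry,
            "new_in_normal_mode": entry not in safe,
            "reason": lookalike_reason(executable_path(entry)),
        }
        for entry in sorted(startup_entries(normal_log))
    ]


if __name__ == "__main__":
    for r in review(SAFE_MODE_LOG, NORMAL_MODE_LOG):
        flag = "NEW " if r["new_in_normal_mode"] else "    "
        print(f"{flag}{r['entry']}" + (f"\n      -> {r['reason']}" if r["reason"] else ""))
```

The directory test catches `winlogon.exe` in a Temp folder even though the name is exactly right, and the edit-distance test catches `spoolvs.exe` even though it sits in the right folder; neither test alone would flag both. The same check applied to the process list would also raise the `_svchost.exe` service and the `kernel32.exe` file that ComboFix later removes.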
 
Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Post:

- a fresh HijackThis log
- combofix report
 
I ran ComboFix; the CPU of my computer stayed at 100%, so it took almost four hours to complete. I did verify that none of the processes you listed were running. I will post the log below.

I also ran another HijackThis log. (I will post it in another posting as it makes this message too long.)

ComboFix 07-12-31.4 - Wendy 2007-12-31 14:53:54.1 - NTFSx86
Running from: C:\Documents and Settings\Wendy\Desktop\ComboFix.exe
* Created a new restore point
.
ADS - svchost.exe: deleted 24576 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\infos.exe
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe
C:\Documents and Settings\Ariell\Desktop\Find Spyware Remover.lnk
C:\Documents and Settings\Ariell\Desktop\Free Online Dating.lnk
C:\Documents and Settings\Ariell\Desktop\Go to Casino.lnk
C:\Documents and Settings\Ariell\Start Menu\Programs\Startup\infos.exe
C:\Documents and Settings\Wendy\Desktop\Find Spyware Remover.lnk
C:\Documents and Settings\Wendy\Desktop\Free Online Dating.lnk
C:\Documents and Settings\Wendy\Desktop\Go to Casino.lnk
C:\Documents and Settings\Wendy\Start Menu\Programs\Startup\infos.exe
C:\Program Files\E404 Helper
C:\Program Files\E404 Helper\e404.v6.dll
C:\Program Files\spoolsv.exe
C:\Program Files\ucleaner_setup.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\Casino.ico
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\mgrs.exe
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\9_exception.nls
C:\WINDOWS\system32\bronto.dll
C:\WINDOWS\system32\drivers\ctl_w32.sys
C:\WINDOWS\system32\drivers\secdrv.sys
C:\WINDOWS\system32\e404d.dll
C:\WINDOWS\system32\ejyiuvrm.dll
C:\WINDOWS\system32\info.txt
C:\WINDOWS\system32\kernel32.exe
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\proper.exe
C:\WINDOWS\system32\RunOnce.t__
C:\WINDOWS\system32\RunOnce.tmp
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\winter.exe
C:\WINDOWS\system32\zlbw.dll
C:\WINDOWS\Temp\293851113.exe
C:\xcrashdump.dat
C:\WINDOWS\system32\__c00BE241.dat . . . . failed to delete
C:\WINDOWS\system32\cvmwusyqq.exe . . . . failed to delete
C:\WINDOWS\system32\xpdx.sys . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CTL_W32
-------\LEGACY_FCI
-------\LEGACY_MICROSOFT_INET_SERVICE
-------\LEGACY_NTIO256
-------\LEGACY_RUNTIME
-------\FCI
-------\Microsoft Inet Service
-------\ntio256
-------\protect
-------\runtime
-------\SysLibrary
-------\xpdx


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
.

2007-12-31 14:52 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 14:36 . 2007-12-30 14:36 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-30 14:17 . 2004-08-28 13:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-30 14:17 . 2004-08-28 13:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-12-30 14:17 . 2005-06-11 17:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2007-12-30 14:16 . 2007-12-30 14:16 <DIR> d-------- C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Webroot
2007-11-29 20:34 . 2007-11-29 20:34 339,968 --a------ C:\WINDOWS\ddubbv.exe
2007-11-29 18:31 . 2007-11-29 20:29 291,328 --a------ C:\WINDOWS\SYSTEM32\libcurl.dll
2007-11-29 18:14 . 2007-11-29 18:14 1 --a------ C:\177.tmp
2007-11-27 20:18 . 2007-11-27 20:18 108,760 --a------ C:\wndrcqe.exe
2007-11-27 20:17 . 2007-11-27 20:17 40,506 --a------ C:\Documents and Settings\Wendy\~sys321717.exe
2007-11-27 20:17 . 2007-11-27 20:17 22,528 --a------ C:\WINDOWS\SYSTEM32\ripa.dll
2007-11-27 20:01 . 2007-11-27 20:01 54,218 --a------ C:\WINDOWS\SYSTEM32\xpdx.sys
2007-11-27 19:59 . 2007-11-27 19:59 6,656 --a------ C:\WINDOWS\SYSTEM32\ernel32.dll
2007-11-27 19:59 . 2007-11-27 20:38 8 --a------ C:\4asjojwqeras2384u9jdsfkasdf.dat
2007-11-27 19:58 . 2007-11-27 19:58 50 --a------ C:\WINDOWS\SYSTEM32\rt25.bat
2007-11-27 19:57 . 2007-11-27 19:57 11,991 --a------ C:\WINDOWS\SYSTEM32\pwvnxk
2007-11-27 19:57 . 2007-11-29 18:14 6,144 --a------ C:\Documents and Settings\Wendy\ie_updates3r.exe
2007-11-27 19:57 . 2007-11-27 19:57 0 --a------ C:\WINDOWS\SYSTEM32\gdnrgwh
2007-11-26 05:10 . 2007-11-26 05:10 24,576 --a------ C:\WINDOWS\SYSTEM32\rt27.exe
2007-11-25 13:22 . 2007-11-29 06:03 22,363 --------- C:\WINDOWS\SYSTEM32\__c00BE241.dat
2007-11-25 13:21 . 2007-11-25 13:21 148,593 --a------ C:\Documents and Settings\Jared\p423ck.exe
2007-11-25 09:20 . 2007-11-25 09:20 <DIR> d---s---- C:\Documents and Settings\Ariell\UserData
2007-11-25 06:24 . 2007-11-25 06:24 66,048 --a------ C:\WINDOWS\SYSTEM32\rt26.exe
2007-11-17 18:35 . 2007-11-17 18:36 <DIR> d-------- C:\Documents and Settings\Ariell\Application Data\acccore
2007-11-16 18:57 . 2004-07-09 04:27 1,769,472 --a------ C:\WINDOWS\SYSTEM32\dxdiagn.dll
2007-11-09 10:50 . 2007-11-09 10:50 <DIR> d-------- C:\Novell
2007-11-04 20:53 . 2007-11-06 18:36 <DIR> d-------- C:\Documents and Settings\Wendy\CCAC Photos

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 00:14 --------- d-----w C:\Documents and Settings\Wendy\Application Data\U3
2007-11-29 23:25 7,680 ----a-w C:\WINDOWS\SYSTEM32\winter.exe
2007-11-29 23:25 7,680 ----a-w C:\WINDOWS\SYSTEM32\proper.exe
2007-11-29 23:14 12,800 ----a-w C:\WINDOWS\SYSTEM32\SVCHOST.EXE
2007-11-29 23:14 12,800 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\svchost.exe
2007-11-28 01:43 --------- d-----w C:\Program Files\Opera
2007-11-28 01:17 40,506 ----a-w C:\Documents and Settings\Wendy\~sys321717.exe
2007-11-20 21:59 --------- d-----w C:\Program Files\McAfee.com
2007-11-09 15:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-25 21:51 8,185,542 ----a-w C:\Documents and Settings\Jared\Jared Room Photos.zip
2005-05-26 00:10 115,376 ----a-w C:\Documents and Settings\Jared\Application Data\GDIPFONTCACHEV1.DAT
2005-03-31 14:55 115,376 ----a-w C:\Documents and Settings\Wendy\Application Data\GDIPFONTCACHEV1.DAT
2006-03-16 16:30 418,041 --sha-w C:\WINDOWS\SYSTEM32\ehhkj.bak1
2006-03-23 21:28 421,808 --sha-w C:\WINDOWS\SYSTEM32\ehhkj.bak2
2006-04-11 00:21 418,497 --sh--w C:\WINDOWS\SYSTEM32\ehhkj.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D27987B8-7244-4DE0-AE10-39B826B492F1}]
C:\WINDOWS\System32\bronto.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 15:18 1670144]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2004-09-01 11:26 66672]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 07:51 306688]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 12:00 200704]
"EPSON Stylus Photo R380 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.exe" [2006-05-29 03:00 139264]
"Novell Messenger"="C:\Novell\Messenger\NMCL32.exe" [2007-06-08 16:40 1417293]
"Undefined"="C:\WINDOWS\System32\winter.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 11:55 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 11:51 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48 32881]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43 53248]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12 221184]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15 290816]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04 122933]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-08-28 13:35 26112]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 17:18 151552]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05 212992]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-19 14:45 53248]
"MMTray"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2004-04-19 14:45 131072]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 11:49 163840]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-02 18:46 270336]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 09:14 188416]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 16:23 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 13:57 221184]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 10:24 49152]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-20 16:15 483328]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 21:02 53248]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 14:45 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-01 19:55 155648]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-08-03 19:02 3871744]
"McRegWiz"="C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe" [2003-09-02 15:41 135168]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2002-08-29 05:00 375808]
"Undefined"="C:\WINDOWS\System32\winter.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"taskdir"="C:\WINDOWS\System32\taskdir.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"= 1 (0x1)
"NoWindowsUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"E404Helper"= {67863fb9-04e9-48e6-aebc-fb84875ed091} - e404d.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00BE241]
C:\WINDOWS\System32\__c00BE241.dat 2007-11-29 06:03 22363 C:\WINDOWS\SYSTEM32\__c00BE241.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\sol548.txt

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-18 02:33:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#240#CN399340P4M9.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe#/#Hewlett-Packard#240#CN399340P4M9
"2007-12-31 22:33:01 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe
"2007-12-31 21:53:12 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D464HL51-Wendy).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2004-11-22 02:33:06 C:\WINDOWS\Tasks\WebReg 20041121213306.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqwrg.exea/TaskName 20041121213306 /N
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-31 17:31:07
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\ctl_w32.sys 34816 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ctl_w32]
"ImagePath"="\SystemRoot\system32\drivers\ctl_w32.sys"
--

.
Completion time: 2007-12-31 20:50:57 - machine was rebooted
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-01 01:31:48
 
Here is the latest Hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:40 AM, on 1/1/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Novell\Messenger\NMCL32.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Malwaredetectedthisautos.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\proper.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\System32\bronto.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [mmtask] "c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [VirusScan Online] "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\System32\winter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo R380 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE" /FU "C:\WINDOWS\TEMP\E_S130.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Novell Messenger] "C:\Novell\Messenger\NMCL32.exe"
O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\System32\winter.exe
O4 - HKUS\S-1-5-18\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Malwaredetectedthisautos.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra 'Tools' menuitem: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\sol548.txt
O20 - Winlogon Notify: __c00BE241 - C:\WINDOWS\System32\__c00BE241.dat
O21 - SSODL: E404Helper - {67863fb9-04e9-48e6-aebc-fb84875ed091} - e404d.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - cmd.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10209 bytes
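As an added example (not HijackThis code and not from any post in this thread), here are the checks a helper applies by eye to the log above, written as a small Python scanner; the heuristics and reason strings are mine, and the sample log is a constructed excerpt of the lines posted above with three known-good lines mixed in.

```python
"""Flag the suspicious HijackThis (HJT) v2 log lines a helper looks for by eye.

Added example for this thread; it is not HijackThis code and not from any post.
Every heuristic maps to a line type that appears in the logs posted above.
"""
import re
from typing import List, Optional, Tuple

# Policies from the O7 lines and the ComboFix registry dump that lock an
# administrator out of regedit, Task Manager, Control Panel or Windows Update.
LOCKOUT_POLICIES = {
    "DisableRegedit", "DisableRegistryTools", "DisableTaskMgr",
    "NoControlPanel", "NoWindowsUpdate",
}

# A module loaded via AppInit_DLLs or Winlogon Notify must be a DLL; a .txt or
# .dat file there is a loadable module hiding under a harmless-looking extension.
NON_DLL_EXT = (".txt", ".dat")

HJT_LINE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
O4_NAME = re.compile(r"\[(?P<name>[^\]]*)\]")
O7_POLICY = re.compile(r",\s*(?P<name>\w+)=(?P<value>\d+)")


def classify(line: str) -> Optional[str]:
    """Return why a single HJT line deserves attention, or None if it does not."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body").strip()

    if kind == "F2" and "Shell=" in body:
        # Winlogon's Shell value should be exactly Explorer.exe; anything
        # appended to it is started alongside the desktop at every logon.
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return f"Winlogon Shell altered: {shell}"
    elif kind == "O2" and ("(no name)" in body or "(file missing)" in body):
        return "BHO is unnamed or its DLL is missing"
    elif kind == "O4":
        if body.startswith("Global Startup:") and "=" not in body:
            # A normal Startup-folder item is a .lnk shown as "x.lnk = target".
            return "Global Startup item is a bare file, not a shortcut"
        name = O4_NAME.search(body)
        if name and name.group("name").strip().lower() == "undefined":
            return "Run entry uses placeholder name 'Undefined'"
        if "(User 'SYSTEM')" in body or "(User 'Default user')" in body:
            return "Run entry in SYSTEM/.DEFAULT hive, worth review"
    elif kind == "O7":
        pol = O7_POLICY.search(body)
        if pol and pol.group("name") in LOCKOUT_POLICIES and pol.group("value") != "0":
            return f"admin tool locked out by policy {pol.group('name')}"
    elif kind == "O15":
        return "site added to the Trusted Zone"
    elif kind == "O20" and body.lower().endswith(NON_DLL_EXT):
        return "AppInit_DLLs/Winlogon Notify loads a non-DLL file"
    elif kind == "O21" and "(file missing)" in body:
        return "SSODL entry whose DLL is missing"
    elif kind == "O23" and "Unknown owner" in body and "(file missing)" in body:
        return "service with unknown owner and missing binary"
    return None


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for every flagged line in an HJT log."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


# Constructed sample: an excerpt of the HJT log posted in this thread, with
# three known-good lines (IgfxTray, Microsoft Office.lnk, Pml Driver) mixed in.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\proper.exe
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\System32\bronto.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\System32\winter.exe
O4 - HKUS\S-1-5-18\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe (User 'SYSTEM')
O4 - Global Startup: Malwaredetectedthisautos.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O20 - AppInit_DLLs: C:\WINDOWS\System32\sol548.txt
O20 - Winlogon Notify: __c00BE241 - C:\WINDOWS\System32\__c00BE241.dat
O21 - SSODL: E404Helper - {67863fb9-04e9-48e6-aebc-fb84875ed091} - e404d.dll (file missing)
O23 - Service: Windows Installer (MSIServer) - Unknown owner - cmd.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

if __name__ == "__main__":
    for flagged_line, reason in scan(SAMPLE_LOG):
        print(f"{reason:52} <- {flagged_line[:80]}")
```

Run against a full log the scanner only narrows the list to review; a flagged line still needs a human (or a file hash lookup) to decide, which is exactly what the helpers in this thread do next.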
 
Hi

* Download GMER from here:
Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.
 
Hello,

Here are the results from running GMER. **My first attempt states it is too long, so I'll divide it and post it in two separate postings.

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2008-01-01 12:23:27
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.13 ----

SSDT 823CFC60 ZwAllocateVirtualMemory
SSDT 823B41A8 ZwCreateKey
SSDT 823E9898 ZwCreateProcess
SSDT 8237D100 ZwCreateProcessEx
SSDT 823CFF30 ZwCreateThread
SSDT 823D8020 ZwDeleteKey
SSDT 823AE1E8 ZwDeleteValueKey
SSDT 823CFCD8 ZwQueueApcThread
SSDT 823CFB70 ZwReadVirtualMemory
SSDT 823D0148 ZwRenameKey
SSDT 823CFDC8 ZwSetContextThread
SSDT 82393148 ZwSetInformationKey
SSDT 823EB558 ZwSetInformationProcess
SSDT 823CFE40 ZwSetInformationThread
SSDT 823B23A0 ZwSetValueKey
SSDT 823CFFA8 ZwSuspendProcess
SSDT 823CFD50 ZwSuspendThread
SSDT 823EB5D0 ZwTerminateProcess
SSDT 823CFEB8 ZwTerminateThread
SSDT 823CFBE8 ZwWriteVirtualMemory

---- User code sections - GMER 1.0.13 ----

.text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1208] kernel32.dll!CreateThread + 18 77E7BE6B 4 Bytes [ 4D, 2B, 5D, 88 ]
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1976] kernel32.dll!CreateThread + 18 77E7BE6B 4 Bytes [ 91, 2F, 5D, 88 ]
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3064] ntdll.dll!NtCreateKey + 1 77F5B6C9 1 Byte [ 22 ]
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3064] ntdll.dll!NtCreateKey + 4 77F5B6CC 8 Bytes [ C0, 90, 90, 90, 90, 90, 90, ... ]
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3064] ntdll.dll!NtCreateProcess + 1 77F5B729 1 Byte [ 22 ]
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3064] ntdll.dll!NtCreateProcess + 4 77F5B72C 8 Bytes [ C0, 90, 90, 90, 90, 90, 90, ... ]
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3064] ntdll.dll!NtCreateProcessEx + 1 77F5B739 1 Byte [ 22 ]
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3064] ntdll.dll!NtCreateProcessEx + 4 77F5B73C 8 Bytes [ C0, 90, 90, 90, 90, 90, 90, ... ]
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3064] ntdll.dll!NtOpenFile + 1 77F5BB79 1 Byte [ 22 ]
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3064] ntdll.dll!NtOpenFile + 4 77F5BB7C 8 Bytes [ C0, 90, 90, 90, 90, 90, 90, ... ]
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3064] ntdll.dll!NtOpenKey + 1 77F5BBA9 1 Byte [ 22 ]
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3064] ntdll.dll!NtOpenKey + 4 77F5BBAC 8 Bytes [ C0, 90, 90, 90, 90, 90, 90, ... ]
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3064] kernel32.dll!VirtualProtect 77E6169E 5 Bytes JMP 00030670 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3064] kernel32.dll!VirtualAlloc 77E7AC72 5 Bytes JMP 000305F4 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3064] kernel32.dll!CreateFileA 77E7B476 5 Bytes JMP 00030444 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3064] kernel32.dll!LoadLibraryExW 77E7D839 5 Bytes JMP 00030444 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3064] kernel32.dll!VirtualFree 77E815CB 5 Bytes JMP 00030634 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

---- Kernel IAT/EAT - GMER 1.0.13 ----

IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 823CFA00
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 823CFAF8
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 823CFAF8
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 823CFA00
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 823CFA00
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 823CFAF8
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 823CFAF8
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 823CFA00
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 823CFAF8
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 823CFA00
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 823CFAF8
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 823CFAF8
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 823CFA00

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F87BAC1C] SSFS0509.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE 82094220
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 821575C0
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE 82061B88
Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 822966A0
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 82131328
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 8215EE78
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 821B9108
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 8212FBB8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 8211D0C8
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 82088108
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 820CE0C8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 8218E580
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 82150788
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 821A40C8
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL 821ED218
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL 821CC740
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 8226F698
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 8219C0C8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP 81F62CD8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 82180E98
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 8208CE98
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 8207BE98
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 8229DE98
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 82085E98
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 820A2E98
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 8207AE98
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 82097E98
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 8208A978
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE 82094220
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 821575C0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE 82061B88
Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 822966A0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 82131328
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 8215EE78
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 821B9108
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 8212FBB8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 8211D0C8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 82088108
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 820CE0C8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 8218E580
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 82150788
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 821A40C8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL 821ED218
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL 821CC740
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 8226F698
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 8219C0C8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP 81F62CD8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 82180E98
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 8208CE98
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 8207BE98
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 8229DE98
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 82085E98
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 820A2E98
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 8207AE98
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 82097E98
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 8208A978
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE 82094220
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE 821575C0
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE 82061B88
Device \Driver\Tcpip \Device\Udp IRP_MJ_READ 822966A0
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE 82131328
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION 8215EE78
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION 821B9108
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA 8212FBB8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA 8211D0C8
 
Here is the second half of the GMER log.

Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS 82088108
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION 820CE0C8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION 8218E580
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL 82150788
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL 821A40C8
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL 821ED218
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL 821CC740
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN 8226F698
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL 8219C0C8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP 81F62CD8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT 82180E98
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY 8208CE98
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY 8207BE98
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER 8229DE98
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL 82085E98
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE 820A2E98
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA 8207AE98
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA 82097E98
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP 8208A978
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE 82094220
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE 821575C0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE 82061B88
Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ 822966A0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE 82131328
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION 8215EE78
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION 821B9108
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA 8212FBB8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA 8211D0C8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS 82088108
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION 820CE0C8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION 8218E580
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL 82150788
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL 821A40C8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL 821ED218
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL 821CC740
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN 8226F698
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL 8219C0C8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP 81F62CD8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT 82180E98
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY 8208CE98
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY 8207BE98
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER 8229DE98
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL 82085E98
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE 820A2E98
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA 8207AE98
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA 82097E98
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP 8208A978
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE 82094220
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE 821575C0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE 82061B88
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ 822966A0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE 82131328
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION 8215EE78
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION 821B9108
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA 8212FBB8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA 8211D0C8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS 82088108
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION 820CE0C8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION 8218E580
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL 82150788
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL 821A40C8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL 821ED218
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL 821CC740
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN 8226F698
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL 8219C0C8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP 81F62CD8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT 82180E98
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY 8208CE98
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY 8207BE98
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER 8229DE98
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL 82085E98
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE 820A2E98
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA 8207AE98
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA 82097E98
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP 8208A978

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F87BAC1C] SSFS0509.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F87BAC1C] SSFS0509.SYS

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [EFA45617] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [EFA45617] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [EFA45617] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [EFA45617] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [EFA45617] tfsnifs.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [EFA4579B] tfsnifs.sys

---- Files - GMER 1.0.13 ----

ADS C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000003.EXE:ext.exe

---- EOF - GMER 1.0.13 ----
 
Hi

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
 
Here are the results from SDFix and a new HijackThis log.

SDFix: Version 1.121

Run by Ariell on Tue 01/01/2008 at 01:08 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
ctl_w32

Path:
\SystemRoot\system32\drivers\ctl_w32.sys

ctl_w32 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\MSMAPI32.EXE - Deleted
C:\WINDOWS\SYSTEM32\SMARTDRV.EXE - Deleted
C:\WINDOWS\SYSTEM32\INTR32.DLL - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe - Deleted
C:\Documents and Settings\Ariell\Start Menu\Programs\Startup\infos.exe - Deleted
C:\WINDOWS\ddubbv.exe - Deleted
C:\WINDOWS\system32\DAP.exe - Deleted
C:\WINDOWS\system32\form.txt - Deleted
C:\WINDOWS\system32\winter.exe - Deleted
C:\WINDOWS\SYSTEM32\xpdx.sys - Deleted
C:\WINDOWS\system32\drivers\ctl_w32.sys - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-01 13:14:22
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 9 Aug 2003 49,237 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Sat 9 Aug 2003 36,953 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Sat 9 Aug 2003 40,960 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Sat 9 Aug 2003 233,553 A..H. --- "C:\Program Files\America Online 9.0\waol.exe"
Tue 21 Mar 2006 421,101 A.SH. --- "C:\WINDOWS\SYSTEM32\ehhkj.tmp"
Thu 16 Mar 2006 418,041 A.SH. --- "C:\WINDOWS\SYSTEM32\ehhkj.bak1"
Thu 23 Mar 2006 421,808 A.SH. --- "C:\WINDOWS\SYSTEM32\ehhkj.bak2"
Tue 24 May 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 20 Oct 2003 73,688 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Sat 24 Jan 2004 5,120 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Thu 15 May 2003 43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Fri 3 Sep 2004 21,504 A..H. --- "C:\Documents and Settings\Scott\My Documents\Memory Stick One\Memory Stick\~WRL0001.tmp"
Sat 11 Jan 2003 19,968 A..H. --- "C:\Documents and Settings\Wendy\My Documents\Wendy\Church\~WRL0001.tmp"
Sat 9 Aug 2003 111,824 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"
Fri 26 Aug 2005 30,720 A..H. --- "C:\Documents and Settings\Scott\My Documents\Memory Stick One\Memory Stick\Farm Information\~WRL0739.tmp"
Tue 16 Mar 2004 20,480 A..H. --- "C:\Documents and Settings\Scott\My Documents\Memory Stick One\Memory Stick\House Project\~WRL0026.tmp"
Tue 16 Mar 2004 19,456 A..H. --- "C:\Documents and Settings\Scott\My Documents\Memory Stick One\Memory Stick\House Project\~WRL0658.tmp"
Tue 16 Mar 2004 22,528 A..H. --- "C:\Documents and Settings\Scott\My Documents\Memory Stick One\Memory Stick\House Project\~WRL1388.tmp"
Tue 16 Mar 2004 21,504 A..H. --- "C:\Documents and Settings\Scott\My Documents\Memory Stick One\Memory Stick\House Project\~WRL1393.tmp"
Tue 16 Mar 2004 20,992 A..H. --- "C:\Documents and Settings\Scott\My Documents\Memory Stick One\Memory Stick\House Project\~WRL2107.tmp"
Thu 2 Mar 2000 26,624 A..H. --- "C:\Documents and Settings\Scott\My Documents\Memory Stick One\Memory Stick\LEAN\~WRL0001.TMP"
Fri 3 Mar 2000 27,648 A..H. --- "C:\Documents and Settings\Scott\My Documents\Memory Stick One\Memory Stick\LEAN\~WRL0002.TMP"
Tue 31 Jul 2001 178,176 A..H. --- "C:\Documents and Settings\Scott\My Documents\Memory Stick One\Memory Stick\Purchase Requesitions\~WRL0001.tmp"
Wed 8 Aug 2001 180,224 A..H. --- "C:\Documents and Settings\Scott\My Documents\Memory Stick One\Memory Stick\Purchase Requesitions\~WRL2346.tmp"
Tue 9 Mar 2004 20,992 A..H. --- "C:\Documents and Settings\Scott\My Documents\Memory Stick One\Memory Stick\Tower Replacement\~WRL0003.tmp"
Sun 21 Mar 2004 22,016 A..H. --- "C:\Documents and Settings\Scott\My Documents\Memory Stick One\Memory Stick\Tower Replacement\~WRL2993.tmp"
Wed 27 Apr 2005 23,040 A..H. --- "C:\Documents and Settings\Scott\My Documents\Memory Stick One\Memory Stick\Tower Replacement\~WRL3834.tmp"
Sat 11 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Sat 11 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Sat 11 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Sat 11 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Mon 6 Jun 2005 23,552 A..H. --- "C:\Documents and Settings\Scott\My Documents\Memory Stick One\Memory Stick\Home Plans\Andy Schrauben Designer Home Design\Foundation\~WRL0005.tmp"

Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:47 PM, on 1/1/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Novell\Messenger\NMCL32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Malwaredetectedthisautos.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\proper.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\System32\bronto.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [mmtask] "c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [VirusScan Online] "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [McRegWiz] "C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe" /autorun
O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\cmd.exe" /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\System32\winter.exe
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo R380 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE" /FU "C:\WINDOWS\TEMP\E_S130.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Novell Messenger] "C:\Novell\Messenger\NMCL32.exe"
O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\System32\winter.exe
O4 - Startup: infos.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: autos.exe
O4 - Global Startup: Malwaredetectedthisautos.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra 'Tools' menuitem: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O20 - Winlogon Notify: __c00BE241 - C:\WINDOWS\System32\__c00BE241.dat
O21 - SSODL: E404Helper - {67863fb9-04e9-48e6-aebc-fb84875ed091} - e404d.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - cmd.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10467 bytes
 
Here is an additional piece of information.


I only had the choice of logging in under another user while running in safe mode to complete the SDFix. My normal user was not an option. I was able to browse to the SDFix file under C:\SDfix without any issue.
 
Hi

Looks better :)

Re-run combofix.

Post:

- a fresh HijackThis log
- combofix report
 
Re-ran ComboFix. The process was much, much faster today. While ComboFix was preparing the report, the following message popped up: Windows cannot find C:\windows\system32\proper.exe (the only option was to select OK)

The report finished and then the following message popped up: Registry editing has been disabled by your administrator. (the only option was to select OK)

The ComboFix report is pasted next, followed by a new HijackThis log.

ComboFix 07-12-31.4 - Wendy 2008-01-01 13:46:33.2 - NTFSx86
Running from: C:\Documents and Settings\Wendy\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe
C:\Documents and Settings\Wendy\Start Menu\Programs\Startup\infos.exe
C:\WINDOWS\system32\__c00BE241.dat
C:\WINDOWS\system32\proper.exe
C:\WINDOWS\system32\winter.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CTL_W32


((((((((((((((((((((((((( Files Created from 2007-12-01 to 2008-01-01 )))))))))))))))))))))))))))))))
.

2008-01-01 13:52 . 2007-11-29 18:25 7,680 --a------ C:\WINDOWS\SYSTEM32\winter.exe
2008-01-01 13:52 . 2007-11-29 18:25 7,680 --a------ C:\WINDOWS\SYSTEM32\proper.exe
2008-01-01 13:07 . 2008-01-01 13:07 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-01 11:53 . 2008-01-01 12:05 250 --a------ C:\WINDOWS\gmer.ini
2007-12-31 14:52 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 14:36 . 2007-12-30 14:36 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-30 14:17 . 2004-08-28 13:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-30 14:17 . 2004-08-28 13:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-12-30 14:17 . 2005-06-11 17:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 00:14 --------- d-----w C:\Documents and Settings\Wendy\Application Data\U3
2007-11-30 01:29 291,328 ----a-w C:\WINDOWS\SYSTEM32\libcurl.dll
2007-11-29 23:14 6,144 ----a-w C:\Documents and Settings\Wendy\ie_updates3r.exe
2007-11-29 23:14 12,800 ----a-w C:\WINDOWS\SYSTEM32\SVCHOST.EXE
2007-11-29 23:14 12,800 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\svchost.exe
2007-11-28 01:43 --------- d-----w C:\Program Files\Opera
2007-11-28 01:38 8 ----a-w C:\4asjojwqeras2384u9jdsfkasdf.dat
2007-11-28 01:18 108,760 ----a-w C:\wndrcqe.exe
2007-11-28 01:17 40,506 ----a-w C:\Documents and Settings\Wendy\~sys321717.exe
2007-11-28 01:17 22,528 ----a-w C:\WINDOWS\SYSTEM32\ripa.dll
2007-11-28 00:59 6,656 ----a-w C:\WINDOWS\SYSTEM32\ernel32.dll
2007-11-26 10:10 24,576 ----a-w C:\WINDOWS\SYSTEM32\rt27.exe
2007-11-25 18:21 148,593 ----a-w C:\Documents and Settings\Jared\p423ck.exe
2007-11-25 11:24 66,048 ----a-w C:\WINDOWS\SYSTEM32\rt26.exe
2007-11-20 21:59 --------- d-----w C:\Program Files\McAfee.com
2007-11-17 23:36 --------- d-----w C:\Documents and Settings\Ariell\Application Data\acccore
2007-11-09 15:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-25 21:51 8,185,542 ----a-w C:\Documents and Settings\Jared\Jared Room Photos.zip
2005-05-26 00:10 115,376 ----a-w C:\Documents and Settings\Jared\Application Data\GDIPFONTCACHEV1.DAT
2005-03-31 14:55 115,376 ----a-w C:\Documents and Settings\Wendy\Application Data\GDIPFONTCACHEV1.DAT
2006-03-16 16:30 418,041 --sha-w C:\WINDOWS\SYSTEM32\ehhkj.bak1
2006-03-23 21:28 421,808 --sha-w C:\WINDOWS\SYSTEM32\ehhkj.bak2
2006-04-11 00:21 418,497 --sh--w C:\WINDOWS\SYSTEM32\ehhkj.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D27987B8-7244-4DE0-AE10-39B826B492F1}]
C:\WINDOWS\System32\bronto.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 15:18 1670144]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2004-09-01 11:26 66672]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 07:51 306688]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 12:00 200704]
"EPSON Stylus Photo R380 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.exe" [2006-05-29 03:00 139264]
"Novell Messenger"="C:\Novell\Messenger\NMCL32.exe" [2007-06-08 16:40 1417293]
"Undefined"="C:\WINDOWS\System32\winter.exe" [2007-11-29 18:25 7680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 11:55 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 11:51 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48 32881]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43 53248]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12 221184]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15 290816]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04 122933]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-08-28 13:35 26112]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 17:18 151552]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05 212992]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-19 14:45 53248]
"MMTray"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2004-04-19 14:45 131072]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 11:49 163840]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-02 18:46 270336]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 09:14 188416]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 16:23 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 13:57 221184]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 10:24 49152]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-20 16:15 483328]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 21:02 53248]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 14:45 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-01 19:55 155648]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-08-03 19:02 3871744]
"McRegWiz"="C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe" [2003-09-02 15:41 135168]
"SDFix"="C:\SDFix\RunThis.bat /second" [ ]
"Undefined"="C:\WINDOWS\System32\winter.exe" [2007-11-29 18:25 7680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"= 1 (0x1)
"NoWindowsUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"E404Helper"= {67863fb9-04e9-48e6-aebc-fb84875ed091} - e404d.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00BE241]
C:\WINDOWS\System32\__c00BE241.dat

.
Contents of the 'Scheduled Tasks' folder
"2007-12-18 02:33:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#240#CN399340P4M9.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe#/#Hewlett-Packard#240#CN399340P4M9
"2008-01-01 18:33:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe
"2008-01-01 18:52:08 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D464HL51-Wendy).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2004-11-22 02:33:06 C:\WINDOWS\Tasks\WebReg 20041121213306.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqwrg.exea/TaskName 20041121213306 /N
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-01 13:52:21
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-01 13:57:12 - machine was rebooted
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-01 18:57:06
C:\qoobox\ComboFix2.txt 2008-01-01 01:54:59

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:59:17 PM, on 1/1/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Novell\Messenger\NMCL32.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Malwaredetectedthisautos.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\proper.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\System32\bronto.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [mmtask] "c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [VirusScan Online] "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [McRegWiz] "C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe" /autorun
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\System32\winter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo R380 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE" /FU "C:\WINDOWS\TEMP\E_S130.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Novell Messenger] "C:\Novell\Messenger\NMCL32.exe"
O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\System32\winter.exe
O4 - Startup: infos.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: autos.exe
O4 - Global Startup: Malwaredetectedthisautos.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra 'Tools' menuitem: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O20 - Winlogon Notify: __c00BE241 - C:\WINDOWS\System32\__c00BE241.dat (file missing)
O21 - SSODL: E404Helper - {67863fb9-04e9-48e6-aebc-fb84875ed091} - e404d.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10197 bytes
 
Hi

Looks better :)

See here how to disable SpySweeper temporarily.

After that:

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\WINDOWS\SYSTEM32\winter.exe
C:\WINDOWS\SYSTEM32\proper.exe
C:\wndrcqe.exe
C:\Documents and Settings\Wendy\~sys321717.exe
C:\WINDOWS\SYSTEM32\ripa.dll
C:\WINDOWS\SYSTEM32\rt27.exe
C:\Documents and Settings\Jared\p423ck.exe
C:\WINDOWS\SYSTEM32\ehhkj.bak1
C:\WINDOWS\SYSTEM32\ehhkj.bak2
C:\WINDOWS\SYSTEM32\ehhkj.ini2

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D27987B8-7244-4DE0-AE10-39B826B492F1}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
"DisableTaskMgr"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
"DisableTaskMgr"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=-
"NoWindowsUpdate"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"E404Helper"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00BE241]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Undefined"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SDFix"=-
"Undefined"=-

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happened we want to know, and also what process you had to end.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\SYSTEM32\ernel32.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Post:

- a fresh HijackThis log
- combofix report
- jotti/virustotal results
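The CFScript above targets a specific set of HijackThis entry classes: Run values with no meaningful name, bare executables dropped into a Startup folder, a Winlogon Notify hook and an SSODL entry whose DLLs are missing, and the Policies\System values that locked the user out of regedit and Control Panel. The script below is an example added here (it is not part of this thread, of HijackThis or of ComboFix) that triages a HijackThis log for those entry classes so a defender can see at a glance what a log like the one posted points to. The sample lines are constructed from entries quoted in this thread, and the heuristics (missing file, O7 policy, a Shell= that is not plain Explorer.exe, unnamed Run values, path-less Startup-folder executables, Trusted Zone additions) are this example's own rather than any scoring HijackThis performs.

```python
"""Triage a HijackThis log for the entry classes a cleanup like this one acts on.

Added example; not code from the thread, HijackThis or ComboFix.  The heuristics
here are the example's own assumptions about what deserves a second look.
"""
import re

# Constructed sample: a few lines in the shape HijackThis writes, taken from
# the kinds of entries quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\System32\bronto.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\System32\winter.exe
O4 - Startup: infos.exe
O4 - Global Startup: autos.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O20 - Winlogon Notify: __c00BE241 - C:\WINDOWS\System32\__c00BE241.dat (file missing)
O21 - SSODL: E404Helper - {67863fb9-04e9-48e6-aebc-fb84875ed091} - e404d.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\proper.exe
"""

# "O4 - <body>" : section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# O4 Run entries: HKLM\..\Run: [ValueName] target
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
# O4 Startup-folder entries: "Startup: x" or "Global Startup: x"
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<target>.*)$")


def triage_line(line: str):
    """Classify one HijackThis line. Returns (section, reason) or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    # A registered component whose file is gone is a leftover that keeps
    # failing to load; it is safe to clear and tells you something was removed.
    if "(file missing)" in body:
        return sec, "registered component whose file no longer exists"
    # O7 entries are policy values that disable admin tools (regedit, Task
    # Manager, Control Panel); on a home machine nobody sets these on purpose.
    if sec == "O7":
        return sec, "policy that disables an admin tool"
    # F2 Shell= should be exactly Explorer.exe; anything appended runs at logon.
    if sec == "F2" and "Shell=" in body:
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return sec, "Shell= starts something besides Explorer.exe: " + shell
    if sec == "O4":
        run = RUN_RE.match(body)
        if run and run.group("name").strip().lower() in ("", "undefined", "(no name)"):
            return sec, "Run value with no meaningful name: " + run.group("target")
        st = STARTUP_RE.match(body)
        if st:
            target = st.group("target")
            # A .lnk shortcut points at an installed program; a bare .exe with
            # no path is a file dropped straight into the Startup folder.
            if ".lnk" not in target.lower() and "\\" not in target:
                return sec, "bare executable in a Startup folder: " + target
    # Trusted Zone sites get relaxed IE security; the user should recognise each one.
    if sec == "O15":
        return sec, "site added to the Trusted Zone: " + body.split(": ", 1)[1]
    return None


def triage_log(text: str):
    """Return [(section, reason, original line)] for every line worth a look."""
    hits = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            hits.append((hit[0], hit[1], line.strip()))
    return hits


if __name__ == "__main__":
    for sec, reason, line in triage_log(SAMPLE_LOG):
        print(f"{sec:4} {reason}\n     {line}")
```

Run it over a real HijackThis log by reading the file into `triage_log`; entries that are not flagged (a vendor-named Run value pointing at an installed program, a .lnk in a Startup folder) are left alone, which mirrors how the CFScript above only names the specific entries to remove rather than everything HijackThis lists.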
 
Here is the Combofix log and a new HijackThis log. I am not able to get through to either the jotti link or the virustotal link. Is there another alternate link or a better time to try?

ComboFix 07-12-31.4 - Wendy 2008-01-02 17:50:14.3 - NTFSx86
Running from: C:\Documents and Settings\Wendy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wendy\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Jared\p423ck.exe
C:\Documents and Settings\Wendy\~sys321717.exe
C:\WINDOWS\SYSTEM32\ehhkj.bak1
C:\WINDOWS\SYSTEM32\ehhkj.bak2
C:\WINDOWS\SYSTEM32\ehhkj.ini2
C:\WINDOWS\SYSTEM32\proper.exe
C:\WINDOWS\SYSTEM32\ripa.dll
C:\WINDOWS\SYSTEM32\rt27.exe
C:\WINDOWS\SYSTEM32\winter.exe
C:\wndrcqe.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe
C:\Documents and Settings\Jared\p423ck.exe
C:\Documents and Settings\Wendy\~sys321717.exe
C:\Documents and Settings\Wendy\Start Menu\Programs\Startup\infos.exe
C:\WINDOWS\SYSTEM32\ehhkj.bak1
C:\WINDOWS\SYSTEM32\ehhkj.bak2
C:\WINDOWS\SYSTEM32\ehhkj.ini2
C:\WINDOWS\system32\proper.exe
C:\WINDOWS\SYSTEM32\ripa.dll
C:\WINDOWS\SYSTEM32\rt27.exe
C:\WINDOWS\SYSTEM32\winter.exe
C:\wndrcqe.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 )))))))))))))))))))))))))))))))
.

2008-01-01 13:07 . 2008-01-01 13:07 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-01 11:53 . 2008-01-01 12:05 250 --a------ C:\WINDOWS\gmer.ini
2007-12-31 14:52 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 14:36 . 2007-12-30 14:36 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-30 14:17 . 2004-08-28 13:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-30 14:17 . 2004-08-28 13:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-12-30 14:17 . 2005-06-11 17:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 00:14 --------- d-----w C:\Documents and Settings\Wendy\Application Data\U3
2007-11-30 01:29 291,328 ----a-w C:\WINDOWS\SYSTEM32\libcurl.dll
2007-11-29 23:14 6,144 ----a-w C:\Documents and Settings\Wendy\ie_updates3r.exe
2007-11-29 23:14 12,800 ----a-w C:\WINDOWS\SYSTEM32\SVCHOST.EXE
2007-11-29 23:14 12,800 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\svchost.exe
2007-11-28 01:43 --------- d-----w C:\Program Files\Opera
2007-11-28 01:38 8 ----a-w C:\4asjojwqeras2384u9jdsfkasdf.dat
2007-11-28 00:59 6,656 ----a-w C:\WINDOWS\SYSTEM32\ernel32.dll
2007-11-25 11:24 66,048 ----a-w C:\WINDOWS\SYSTEM32\rt26.exe
2007-11-20 21:59 --------- d-----w C:\Program Files\McAfee.com
2007-11-17 23:36 --------- d-----w C:\Documents and Settings\Ariell\Application Data\acccore
2007-11-09 15:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-25 21:51 8,185,542 ----a-w C:\Documents and Settings\Jared\Jared Room Photos.zip
2005-05-26 00:10 115,376 ----a-w C:\Documents and Settings\Jared\Application Data\GDIPFONTCACHEV1.DAT
2005-03-31 14:55 115,376 ----a-w C:\Documents and Settings\Wendy\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-01-01_13.56.14.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-01 18:46:18 262,144 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT
+ 2008-01-02 22:50:09 262,144 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 15:18 1670144]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2004-09-01 11:26 66672]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 07:51 306688]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 12:00 200704]
"EPSON Stylus Photo R380 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.exe" [2006-05-29 03:00 139264]
"Novell Messenger"="C:\Novell\Messenger\NMCL32.exe" [2007-06-08 16:40 1417293]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 11:55 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 11:51 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48 32881]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43 53248]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12 221184]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15 290816]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04 122933]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-08-28 13:35 26112]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 17:18 151552]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05 212992]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-19 14:45 53248]
"MMTray"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2004-04-19 14:45 131072]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 11:49 163840]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-02 18:46 270336]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 09:14 188416]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 16:23 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 13:57 221184]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 10:24 49152]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-20 16:15 483328]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 21:02 53248]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 14:45 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-01 19:55 155648]
"McRegWiz"="C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe" [2003-09-02 15:41 135168]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-18 02:33:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#240#CN399340P4M9.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
"2008-01-02 22:33:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe
"2008-01-02 22:44:50 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D464HL51-Wendy).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2004-11-22 02:33:06 C:\WINDOWS\Tasks\WebReg 20041121213306.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqwrg.exea/TaskName 20041121213306 /N
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-02 17:52:29
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-02 17:53:06
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-02 22:52:51
C:\qoobox\ComboFix2.txt 2008-01-01 18:57:13
C:\qoobox\ComboFix3.txt 2008-01-01 01:54:59


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:43 PM, on 1/2/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Novell\Messenger\NMCL32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [mmtask] "c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [VirusScan Online] "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo R380 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE" /FU "C:\WINDOWS\TEMP\E_S130.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Novell Messenger] "C:\Novell\Messenger\NMCL32.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Malwaredetectedthisautos.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra 'Tools' menuitem: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9208 bytes
 
I have tried again this morning for half an hour to connect to the virustotal link. No luck. Gives me the message "this page cannot be displayed".

I am successful in going to other websites such as Spybot and google.
 
I am still not successful in trying to get to virustotal.

I tried the link via myproxy and this is the message I receive each time I try:

The XML page cannot be displayed
Cannot view XML input using style sheet. Please correct the error and then click the Refresh button, or try again later.


--------------------------------------------------------------------------------

Invalid at the top level of the document. Error processing resource 'http://www.myproxy.ca/q/nph-index.cgi/010110A/687474703a2f2f7777772e7669727573746f74616c2e636f6d2f'. Line 1, Position 45

<!-- resource has been modified by proxy -->
 