Virtumonde.prx, can't boot

Status
Not open for further replies.

GoPhillies

New member
I started getting a lot of pop-up ads last week, ran Spybot S&D which said I have Virtumonde.prx. I ran "Fix problems," but it was unsuccessful. I ran McAfee Virus Scan (free AOL version), but it didn't identify any problems. I quit using my computer, but left it running, not connected to the Net except McAfee's regular updates. This morning McAfee left a window saying it had picked up and fixed a vundo trojan. I looked at the McAfee log, and it listed a bunch of files that it had quarantined. Hoping that updated McAfee definitions had fixed the problem, I ran Spybot S&D today, but it still identified Virtumonde.prx. I told S&D to "Fix Problems," and it gave me green checkmarks. I had read on the Spybot description of Virtumonde that I needed to disconnect my Internet connection and reboot after running a fix, so I did that, rebooting by cycling the power.

Now I get the blue screen with the message: "STOP: c000021a (Fatal System Error) The Windows Logon Process system process terminated unexpectedly with a status of 0x00000000 (0x00000000 0x00000000)
The system has been shut down."

I am using my laptop for this post, as I can't get past the blue screen on the infected desktop machine. Please help.

Due to work hours, it may take me awhile to respond to your instructions.
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Once you get the computer running again, read and follow the directions posted above and pinned (sticky) to the top of this forum, then post a HJT log according to the directions for starters.

http://support.microsoft.com/kb/156669 <<< to troubleshoot the error message you posted.

Thanks
 
Thank you for responding. I will be away from my computer for the next 3 days, and will try to get around the Fatal System Error when I get back. FYI, I am using Windows XP Media Center Edition with SP 2. I do have the OS DVD supplied by Dell, so I should be able to boot using the disk.
 
Ahhh...being from Clearwater/St.Petersburg, I will guess you are in front of the TV watching the series. I suggest you ask questions about Dell to the Dell techs: If the computer is still under warranty, keep in mind about anything you do could invalidate the warranty.

http://support.dell.com/

Thanks...Phil
 
I just read the MS Troubleshooting page, and they advise against a software reinstallation except as a last resort, as I will lose my System Restore recovery points. From what I have read about Virtumonde, I probably have a winlogon.exe problem. I'll get back at it Monday evening.
 
Back from reunion. Good times.

Phillies up 3 games to 1.

Computer booted without the error message.

I have a good feeling about this.

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:20 AM, on 10/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [1cb92e0b] rundll32.exe "C:\WINDOWS\system32\tkggxrnb.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.6.9/cab/aolpPlugins.10.6.0.4.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {B69B0694-EB7C-4468-B572-B781062A1EF2} (KooPlayer Control) - http://static.mediazone.com/player/1.0.0.67/MZPlayer.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5382/mcfscan.cab
O20 - AppInit_DLLs: mgfbkz.dll ixnjtx.dll wbysep.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9242 bytes
 
Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

I see evidence that the Vundo infection still exists on the computer, let's proceed like this.

1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed

Please continue as follows:

*Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
http://www.bleepingcomputer.com/forums/topic114351.html
Remember to re-enable them afterwards.
*Click Yes to allow ComboFix to continue scanning for malware.

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

When the tool is finished, it will produce a report for you. Post that report and a new HJT log

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Thanks...Phil
 
By the way, my computer booted without the blue screen and Fatal System Error message. Not sure why, as I did not do any of the troubleshooting that MS suggested. I suspect, however, that the winlogon.exe problem is still lurking somewhere.

I will be using my laptop to communicate, and will move files back and forth with a flash drive. The Internet is almost unusable on the infected machine, so I unplugged the cable.
 
As indicated in the above post, I agree with you about the infection. Let's hope that flash drive is not infected!

Thanks for the feedback...
 
When I restarted my computer, I got the blue screen and error message again. I cycled the power button and pressed F12 during startup, got the Boot Menu screen, selected boot from SATA Hard Drive, hit Enter, and it finished the restart.

I have tried to install the Recovery Console, but Windows can't find the file on my Windows XP disk. i386\winnt32.exe is there, but not cmdcon.
 
ComboFix 08-10-29.07 - Dad 2008-10-29 13:47:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1397 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\tempzor
C:\WINDOWS\system32\bllkeuep.dll
C:\WINDOWS\system32\bnrxggkt.ini
C:\WINDOWS\system32\cdrldcfc.ini
C:\WINDOWS\system32\cfcdlrdc.dll
C:\WINDOWS\system32\ebodkfap.dll
C:\WINDOWS\system32\ehqneiut.dll
C:\WINDOWS\system32\iktkawvm.dll
C:\WINDOWS\system32\ixnjtx.dll
C:\WINDOWS\system32\laqnhget.exe
C:\WINDOWS\system32\mgfbkz.dll
C:\WINDOWS\system32\mkxyxu.dll
C:\WINDOWS\system32\mnWvCcdd.ini
C:\WINDOWS\system32\mnWvCcdd.ini2
C:\WINDOWS\system32\pqugsjvm.ini
C:\WINDOWS\system32\pwhwjaup.ini
C:\WINDOWS\system32\rCcKkUvw.ini
C:\WINDOWS\system32\rCcKkUvw.ini2
C:\WINDOWS\system32\snyxvppv.ini
C:\WINDOWS\system32\tdpdzw.dll
C:\WINDOWS\system32\uzdgqg.dll
C:\WINDOWS\system32\vxbnlgdq.dll
C:\WINDOWS\system32\wbysep.dll
C:\WINDOWS\system32\wvUkKcCr.dll
C:\WINDOWS\system32\xcxlricc.ini
C:\WINDOWS\system32\ychsbkau.dll
C:\WINDOWS\system32\yedunhmb.dll
C:\WINDOWS\system32\zgfadk.dll

.
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-29 )))))))))))))))))))))))))))))))
.

2008-10-29 11:41 . 2008-10-29 11:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-16 11:20 . 2008-10-16 11:20 121 --ahs---- C:\WINDOWS\system32\ueffiasc.ini
2008-10-15 11:20 . 2008-10-15 11:20 120 --ahs---- C:\WINDOWS\system32\ibqdswae.ini
2008-10-15 11:00 . 2008-10-19 20:11 153 --a------ C:\WINDOWS\wininit.ini
2008-10-15 02:05 . 2008-10-15 02:05 29,696 --a------ C:\WINDOWS\system32\opnlMcbx.dll
2008-10-15 02:05 . 2008-10-15 02:05 29,696 --a------ C:\WINDOWS\system32\jkkIXOfD.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-29 15:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-20 03:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-20 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-10-05 23:55 --------- d-----w C:\Program Files\Picasa2
2008-09-28 05:55 --------- d-----w C:\Program Files\America Online 9.0b
2008-09-12 12:00 --------- d-----w C:\Program Files\McAfee
2008-09-12 03:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-12 03:40 --------- d-----w C:\Program Files\Lavasoft
2008-09-12 03:40 --------- d-----w C:\Documents and Settings\Dad\Application Data\Lavasoft
2008-09-12 03:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-12 03:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-11 21:18 --------- d-----w C:\Documents and Settings\Dad\Application Data\HouseCall 6.6
2008-09-06 04:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2007-11-10 00:35 22,328 ----a-w C:\Documents and Settings\Dad\Application Data\PnkBstrK.sys
2006-05-30 22:09 1 ----a-w C:\Documents and Settings\Pete\SI.bin
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 50,776 2005-07-12 05:17:42 C:\Program Files\America Online 9.0b\bak\AOL.EXE

----a-w 339,968 2004-07-14 02:10:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 50,736 2006-09-26 00:52:48 C:\Program Files\Common Files\AOL\1142944241\ee\bak\AOLSoftware.exe
----a-w 50,736 2006-09-26 00:52:48 C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe

----a-w 153,168 2006-11-20 20:42:15 C:\Program Files\Common Files\AOL\1142944241\ee\bak\SSCRun.exe

----a-r 71,216 2006-10-23 12:50:37 C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe

----a-w 65,536 2003-05-01 23:44:50 C:\Program Files\Common Files\Roxio Shared\System\bak\EngUtil.exe

----a-w 53,248 2005-02-23 20:19:56 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 241,664 2004-05-12 20:18:56 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe

----a-w 324 2008-02-21 06:30:36 C:\Program Files\HP\hpcoretech\bak\data\EvntData-1007428232.xml

----a-w 20,480 2007-01-08 16:22:46 C:\Program Files\McAfee\MBK\bak\LogOnHook.exe
----a-w 20,480 2007-01-08 16:22:46 C:\Program Files\McAfee\MBK\LogonHook.exe

----a-w 4,838,952 2007-01-16 18:59:50 C:\Program Files\McAfee\MBK\bak\McAfeeDataBackup.exe
----a-w 4,838,952 2007-01-16 18:59:50 C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

----a-w 401,491 2004-02-03 21:42:54 C:\Program Files\Microsoft ActiveSync\bak\WCESCOMM.EXE

----a-w 99,480 2004-04-05 21:33:54 C:\Program Files\Pure Networks\Port Magic\bak\bak\PortAOL.exe

----a-w 99,480 2004-04-05 21:33:54 C:\Program Files\Pure Networks\Port Magic\bak\bak\PortAOL.exe

----a-w 282,624 2007-04-27 13:41:54 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-03-29 03:37:20 C:\Program Files\QuickTime\QTTask.exe

----a-w 319,488 2003-07-15 17:36:50 C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\bak\RxMon.exe

----a-w 868,352 2003-10-21 15:43:12 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak\DrgToDsc.exe

----a-w 292,152 2007-09-23 17:30:24 C:\Program Files\WinPatrol\bak\winpatrol.exe

----a-w 64,512 2005-08-05 18:56:34 C:\WINDOWS\ehome\bak\ehtray.exe
----a-w 64,512 2005-08-05 18:56:34 C:\WINDOWS\ehome\ehtray.exe

----a-w 15,360 2004-08-10 11:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-10 11:00:00 C:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86E7AEDE-F36B-4CCC-8F97-50923DB32982}]
2008-10-15 02:05 29696 --a------ C:\WINDOWS\system32\jkkIXOfD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9DD4658C-27E2-422C-90DD-C93BF0015DA5}]
2008-10-29 14:03 313344 --a------ C:\WINDOWS\system32\jkkhiIcY.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d3f70ce6-888e-4115-9924-ba0d44acad0e}]
2008-10-29 14:05 123904 --a------ C:\WINDOWS\system32\wmxcms.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15360]
"AOL Fast Start"="C:\Program Files\America Online 9.0b\AOL.EXE" [N/A]
"Start WingMan Profiler"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512]
"HostManager"="C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe" [2006-09-25 50736]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"1cb92e0b"="C:\WINDOWS\system32\cfcdlrdc.dll" [N/A]
"P17Helper"="P17.dll" [2005-05-03 C:\WINDOWS\system32\P17.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{86E7AEDE-F36B-4CCC-8F97-50923DB32982}"= "C:\WINDOWS\system32\jkkIXOfD.dll" [2008-10-15 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkIXOfD]
2008-10-15 02:05 29696 C:\WINDOWS\system32\jkkIXOfD.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=mgfbkz.dll ixnjtx.dll wbysep.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\jkkhiIcY

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0b\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\1142944241\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 chdrvr01;CH Control Manager Driver 1;C:\WINDOWS\system32\DRIVERS\chdrvr01.sys [2004-09-13 198880]
R3 chdrvr02;CH Control Manager Driver 2;C:\WINDOWS\system32\DRIVERS\chdrvr02.sys [2001-10-29 3712]
R3 chdrvr03;CH Control Manager Driver 3;C:\WINDOWS\system32\DRIVERS\chdrvr03.sys [2001-10-29 7584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f89b2fe-5e51-11db-80de-00038a000015}]
\Shell\AutoRun\command - explorer.exe http://www.cymbaltamd.com
.
Contents of the 'Scheduled Tasks' folder

2008-10-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-10-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-10-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{26FB4E7B-69EE-4A1E-A64E-B215A6E44D01} - C:\WINDOWS\system32\wvUkKcCr.dll
BHO-{296E9158-78F1-4747-A6FB-A9E262B350EF} - C:\WINDOWS\system32\ddcCvWnm.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\lpyuq3xn.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.pcusa.org/cgi-bin/lectiond.cgi
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-29 13:58:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\jkkIXOfD.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\jkkhiIcY.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wkdmtxqk.exe
.
**************************************************************************
.
Completion time: 2008-10-29 14:09:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-29 18:09:19

Pre-Run: 185,860,902,912 bytes free
Post-Run: 185,964,376,064 bytes free

242 --- E O F --- 2008-09-27 18:09:32
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:01 PM, on 10/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.6.9/cab/aolpPlugins.10.6.0.4.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {B69B0694-EB7C-4468-B572-B781062A1EF2} (KooPlayer Control) - http://static.mediazone.com/player/1.0.0.67/MZPlayer.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5382/mcfscan.cab
O20 - AppInit_DLLs: mgfbkz.dll ixnjtx.dll wbysep.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8675 bytes
 
Thanks for returning your information, I am going to post a lot of instructions and I want you to know I am in no way expecting you to rush. Please take the time you need to read carefully and to complete the instructions carefully and in the numbered order.

We have new problems, you also have this infection:
http://research.sunbelt-software.co...jan-Downloader.Win32.Agent.awf&threatid=70517
http://www.google.com/search?hl=en&q=Trojan.AWF+&btnG=Google+Search&aq=f&oq=
This one is a file infector and it has infected some of your programs. combofix will usually fix it, wish us luck, the manual removal is tough.
Do you know how you got this badly infected?

1) C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

2) C:\Program Files\Java\jre1.6.0_02\ <<< update Java, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

(IT IS VERY IMPORTANT YOU GET EVERYTHING POSTED IN THE NOTEPAD)

4) Open notepad and copy/paste the text in the codebox below into it:

Code:
AWF::
C:\Program Files\America Online 9.0b\bak\AOL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
C:\Program Files\Common Files\AOL\1142944241\ee\bak\AOLSoftware.exe
C:\Program Files\Common Files\AOL\1142944241\ee\bak\SSCRun.exe
C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe
C:\Program Files\Common Files\Roxio Shared\System\bak\EngUtil.exe
C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe
C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe
C:\Program Files\HP\hpcoretech\bak\data\EvntData-1007428232.xml
C:\Program Files\McAfee\MBK\bak\LogOnHook.exe
C:\Program Files\McAfee\MBK\bak\McAfeeDataBackup.exe
C:\Program Files\Microsoft ActiveSync\bak\WCESCOMM.EXE
C:\Program Files\Pure Networks\Port Magic\bak\bak\PortAOL.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\bak\RxMon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak\DrgToDsc.exe
C:\Program Files\WinPatrol\bak\winpatrol.exe
C:\WINDOWS\ehome\bak\ehtray.exe
C:\WINDOWS\system32\bak\ctfmon.exe

File::
C:\WINDOWS\system32\ueffiasc.ini
C:\WINDOWS\system32\ibqdswae.ini
C:\WINDOWS\system32\opnlMcbx.dll
C:\WINDOWS\system32\jkkIXOfD.dll
C:\WINDOWS\system32\wmxcms.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86E7AEDE-F36B-4CCC-8F97-50923DB32982}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9DD4658C-27E2-422C-90DD-C93BF0015DA5}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d3f70ce6-888e-4115-9924-ba0d44acad0e}]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkIXOfD]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{86E7AEDE-F36B-4CCC-8F97-50923DB32982}"=-

Save this as CFScript

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O20 - AppInit_DLLs: mgfbkz.dll ixnjtx.dll wbysep.dll <<< this may be gone

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

7) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

How is the computer running?

Thanks
 
I have no idea how things got this bad. I had a few unwanted pop-ups about 2 weeks ago, but nothing bad. It really went down the tubes after a session on a college sports forum that I visit every day. I have not heard that any of the other posters have an infection, however, so doubt that was the source.

I will not be able to get back at this until Saturday afternoon.

Thanks for your help. So far, your instructions have been easy to follow for this technophobe.
 
Big problem! I dragged the CFScript.txt file into the ComboFix icon on the desktop, and everything ran as it was supposed to. However, when ComboFix tried to reboot my computer, I got the blue screen with the c000021a Fatal System Error message! I'm now stuck in the midst of ComboFix with nowhere to go. The way I have gotten my computer to boot past this error message in the past was to turn the power button off, then on, and hit the F12 key during the boot, but I don't dare do that in the middle of ComboFix.

The last time I ran ComboFix, I did not get this Error message.
 
Have a look at these link, perhaps you will see something to help.
http://www.google.com/search?hl=en&q=c000021a+Fatal+System+Error+&btnG=Google+Search&aq=f&oq=

Because of the infections you have, and many of your programs are infected, you might want to consider reformatting.
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

If you can get that CFScript to run it may clean the AWF infection? We would be able to continue trying to clean the mess?

Thanks
 
OK, I cycled the power, hit F12, "Boot from SATA Hard Drive," and it rebooted, finished ComboFix, and produced a log file. Whew! When ComboFix says to not touch the computer while the program is running, and it also says it is not responsible for any damage done to the computer, I don't like to see anything unexpected! Looks like I'm OK, though. Back soon with the log files.
 
Status
Not open for further replies.
Back
Top