3 Apprentice • 20.5K Posts

August 1st, 2009 14:00

Welcome. Thank you for using Dell Community Forums.

That malware on there was probably what was giving you trouble with IE8.

I am reviewing your log. In the meantime, you can help me by addressing the following:

* Have you posted this issue on another forum? If so, please provide a link to the topic.

* If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly.

* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE.

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counterproductive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE.

* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures. Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. It is understood by the trained analysts that once a helper replies to a log, he continues working with you until the issue is resolved.

* During the course of our cleanup please do not do any additional online work or surfing until we have verified that your system is clean.

* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.

We'll need to disable Spyware Doctor so it does not interfere:

To disable Spyware Doctor from running on your system startup:

1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.

2. Click the "Settings" button on the left side.

3. Click the "Startup Settings" link.

4. Uncheck "Run at Windows Startup".

5. Click the "Apply" button. Exit by a right-click on the "Spyware Doctor" icon in the system tray and choose "Exit".

To disable PCTools Browser Monitor: If you are running Internet Explorer, click Tools > Manage Add-ons. If PCTools Browser Monitor is on the list, click it & select Disable. You will need to restart your browser after making the change.

[To enable Spyware Doctor in a few days when we are completely finished, open the program, Settings > Startup Settings > CHECK "Run at Windows Startup" > APPLY. Exit. Reboot.]

I look forward to your reply so we can begin cleaning.

Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a log at the top of this board to start a new forum topic.

 

13 Posts

August 3rd, 2009 10:00

Hello, and thank you for your response.

I will try and answer the points you made in your message.

1. This issue has not been posted on any other forum.

2. System Restore has not been disabled.

3. & 4. There is no cracked software or file-sharing software on this computer to the best of my knowledge. (I did some checking with the partial list you provided.)

5. I have the authority to fix this computer.

6. I have disabled Spyware Doctor as indicated. (I assumed the "OnGuard Tools" you referred to is what PC Tools refers to as "Intelliguard" - the active screening process that can be turned off.)

7. **** I unfortunately neglected to mention that I also run McAfee Internet Security suite in my first post. If there are settings that need to be disabled here as well please advise.

Thanks for your assistance

3 Apprentice • 20.5K Posts

August 3rd, 2009 11:00

If I were you, I'd disable McAfee before doing this next scan. [Don't forget to enable when finished.]

We need to see some additional information about what is happening in your machine.

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • Click Yes at the prompt for Optional Scan.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

  • Save both reports to your desktop.
  • Copy/paste both logs to your reply on the forum.
  • Close the program window, and delete the program from your desktop.
  • Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE.

     

13 Posts

August 3rd, 2009 20:00

Here are the text files you requested. Thank you. I will wait for your reply regarding further action.


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/4/2005 6:21:13 PM
System Uptime: 8/2/2009 10:50:45 PM (22 hours ago)

Motherboard: Dell Inc.           |  | 0YC523
Processor:               Intel(R) Pentium(R) D CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 144 GiB total, 60.279 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP831: 5/12/2009 5:18:55 PM - System Checkpoint
RP832: 5/17/2009 1:30:31 PM - Software Distribution Service 3.0
RP833: 5/18/2009 2:57:56 PM - System Checkpoint
RP834: 5/26/2009 1:29:09 PM - System Checkpoint
RP835: 5/27/2009 2:24:41 PM - System Checkpoint
RP836: 5/28/2009 8:33:10 PM - System Checkpoint
RP837: 5/30/2009 12:13:32 AM - System Checkpoint
RP838: 6/8/2009 12:41:44 PM - System Checkpoint
RP839: 6/9/2009 1:57:10 PM - System Checkpoint
RP840: 6/10/2009 1:59:21 PM - System Checkpoint
RP841: 6/11/2009 2:23:22 PM - System Checkpoint
RP842: 6/12/2009 12:18:25 AM - Software Distribution Service 3.0
RP843: 6/14/2009 5:11:38 PM - System Checkpoint
RP844: 6/16/2009 6:01:58 PM - Software Distribution Service 3.0
RP845: 6/18/2009 10:51:23 PM - Software Distribution Service 3.0
RP846: 6/21/2009 2:36:43 PM - System Checkpoint
RP847: 6/26/2009 8:11:37 AM - System Checkpoint
RP848: 6/28/2009 5:32:06 AM - System Checkpoint
RP849: 7/2/2009 9:09:15 AM - System Checkpoint
RP850: 7/4/2009 1:39:00 AM - System Checkpoint
RP851: 7/5/2009 5:19:37 PM - System Checkpoint
RP852: 7/7/2009 7:08:37 AM - System Checkpoint
RP853: 7/10/2009 1:17:42 PM - System Checkpoint
RP854: 7/11/2009 4:28:51 PM - Software Distribution Service 3.0
RP855: 7/11/2009 4:37:03 PM - Software Distribution Service 3.0
RP856: 7/11/2009 11:23:58 PM - Installed Windows Media Player 10
RP857: 7/11/2009 11:24:39 PM - Software Distribution Service 3.0
RP858: 7/12/2009 1:06:36 AM - Software Distribution Service 3.0
RP859: 7/12/2009 10:18:31 PM - Software Distribution Service 3.0
RP860: 7/13/2009 10:18:34 PM - System Checkpoint
RP861: 7/14/2009 9:26:23 PM - Removed NetZeroInstallers
RP862: 7/15/2009 2:26:13 AM - Software Distribution Service 3.0
RP863: 7/20/2009 1:08:08 PM - System Checkpoint
RP864: 7/23/2009 2:35:42 PM - System Checkpoint
RP865: 7/27/2009 7:46:26 PM - System Checkpoint
RP866: 7/29/2009 4:43:44 PM - Software Distribution Service 3.0
RP867: 7/30/2009 7:55:39 PM - System Checkpoint
RP868: 7/31/2009 2:53:07 PM - Software Distribution Service 3.0
RP869: 8/2/2009 6:05:53 AM - System Checkpoint
RP870: 8/3/2009 8:07:08 AM - System Checkpoint

==== Installed Programs ======================

ABBYY FineReader 5.0 Sprint Plus
Active Disk
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Age of Mythology
Age of Mythology - The Titans Expansion
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOLIcon
ATI Control Panel
ATI Display Driver
Bejeweled 2 Deluxe
Blasterball 2
CCleaner (remove only)
Corel Photo Album 6
Creative MediaSource
Critical Update for Windows Media Player 11 (KB959772)
Data Lifeguard
Deal Info
Dell AIO Printer A960
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Game Console
Dell Picture Studio - Dell Image Expert
Dell System Restore
DellSupport
Digital Content Portal
EarthLink Common
EarthLink FastLane
EarthLink IM
EarthLink MailBox
EarthLink Redistributed
EarthLink Setup
EarthLink setup files
EarthLink Software
EarthLink Spyware Blocker
EarthLink TaskPanel
EarthLink Toolbar
EarthLink Update Manager
EarthLink Webspace
EducateU
EPSON Printer Software
ESPNMotion
FATE
GemMaster Mystic
Get High Speed Internet!
greenstreet National Geographic Photo Browser
Hidden & Dangerous 2
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Ink Monitor
Intel Matrix Storage Manager
Intel(R) 537EP V9x DF PCI Modem
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
IomegaWare 4.0.3
Java 2 Runtime Environment, SE v1.4.2_03
Learn2 Player (Uninstall Only)
Macromedia Flash Player
McAfee SecurityCenter
McAfee Shredder
MCU
Medieval II Total War
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Small Business Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft XML Parser
Modem Event Monitor
Modem Helper
Modem On Hold
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML4 Parser
Musicmatch for Windows Media Player
Musicmatch® Jukebox
MyWay Search Assistant
Otto
Paint Shop Pro 7
Plaxo Toolbar for Windows
Polar Bowler
PowerDVD 5.5
Print to Fax
QuickBooks Simple Start Special Edition
QuickTime
RealPlayer Basic
Rise Of Legends
Savings Bond Wizard
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
Sid Meier's Civilization 4
Sonic DLA
Sonic Encoders
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sound Blaster Live! 24-bit
Spyware Doctor 6.0
Stronghold 2
The Battle for Middle-earth (tm) II
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebCyberCoach 3.2 Dell
WebFldrs XP
WildTangent Games
WildTangent Web Driver
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WordPerfect Office 12

==== Event Viewer Messages From Past Week ========

7/30/2009 5:59:05 PM, error: Service Control Manager [7031]  - The McAfee Real-time Scanner service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/30/2009 5:57:44 PM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
7/29/2009 4:43:49 PM, error: Windows Update Agent [20]  - Installation Failure: Windows failed to install the following update with error 0x80246007: Internet Explorer 8 for Windows XP.
7/28/2009 10:58:49 AM, error: Dhcp [1002]  - The IP address lease 192.168.100.10 for the Network Card with network address 00123F7B8D61 has been denied by the DHCP server 68.87.72.16 (The DHCP Server sent a DHCPNACK message).
7/28/2009 10:58:18 AM, error: Dhcp [1002]  - The IP address lease 76.16.95.247 for the Network Card with network address 00123F7B8D61 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
7/28/2009 10:53:24 AM, error: Print [6161]  - The document <<<*** EPSON EBAPI Dummy Document Data ***>>> owned by Cool failed to print on printer Dell AIO Printer A960. Data type: RAW. Size of the spool file in bytes: 0. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\CHRIS. Win32 error code returned by the print processor: 0 (0x0).

==== End Of File ===========================

 


DDS (Ver_09-07-30.01) - NTFSx86 
Run by Cool at 20:51:32.39 on Mon 08/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.362 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)   {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled*   {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Documents and Settings\Cool\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSearch Page = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
uDefault_Page_URL = hxxp://start.earthlink.net
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
mSearchAssistant = hxxp://start.earthlink.net/AL/Search
uURLSearchHooks: SrchHook Class: {44f9b173-041c-4825-a9b9-d914bd9dcbb3} - c:\program files\earthlink totalaccess\ElnIE.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mWinlogon: userinit=userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: PnIEBrowserHelperObj Class: {4b5f2e08-6f39-479a-b547-b2026e4c7edf} - c:\program files\earthlink totalaccess\PnEL.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
TB: EarthLink Toolbar: {d7f30b62-8269-41af-9539-b2697fa7d77e} - c:\program files\earthlink totalaccess\PnEL.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [E6TaskPanel] "c:\program files\earthlink totalaccess\TaskPanl.exe" -winstart
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Ink Monitor] c:\program files\epson\ink monitor\InkMonitor.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Dell AIO Printer A960] "c:\program files\dell aio printer a960\dlbfbmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [Bzefesubaseb] rundll32.exe "c:\windows\acemobun.dll",e
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: thestreet.com\www
Trusted Zone: musicmatch.com\online
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c80ndiat.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-28 130936]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-1-26 214024]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-1-26 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-1-26 144704]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-7-28 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-7-28 1095560]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-1-26 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-1-26 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-1-26 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-1-26 40552]
S3 lac97inf;lac97inf;\??\c:\docume~1\cool\locals~1\temp\lac97inf.sys --> c:\docume~1\cool\locals~1\temp\lac97inf.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-1-26 34216]

=============== Created Last 30 ================

2009-08-03 11:39 3,245 a------- c:\windows\imufecujof.dll
2009-08-03 07:27 3,221 a------- c:\windows\ameyipoxazigu.dll
2009-08-03 05:21 3,229 a------- c:\windows\ihajanilerihehaf.dll
2009-08-03 03:15 3,261 a------- c:\windows\umazuhovehulato.dll
2009-08-03 01:09 3,253 a------- c:\windows\enayejamiyumih.dll
2009-08-02 23:03 3,229 a------- c:\windows\olitejigucinep.dll
2009-08-02 03:54 3,237 a------- c:\windows\upukukaseg.dll
2009-08-02 02:16 3,229 a------- c:\windows\erigimogoyineba.dll
2009-08-02 00:10 3,117 a------- c:\windows\asepiguy.dll
2009-08-01 06:47 3,221 a------- c:\windows\abuxejiv.dll
2009-08-01 04:41 3,253 a------- c:\windows\ivenafaz.dll
2009-08-01 02:35 3,213 a------- c:\windows\olazuzesesuzu.dll
2009-08-01 00:29 3,213 a------- c:\windows\obumijigoki.dll
2009-07-31 22:23 3,245 a------- c:\windows\ocitefesufiyasom.dll
2009-07-31 19:45 3,221 a------- c:\windows\ubohevurij.dll
2009-07-31 17:39 3,245 a------- c:\windows\eyudimeni.dll
2009-07-31 15:33 3,229 a------- c:\windows\ozaximiba.dll
2009-07-31 15:14 3,213 a------- c:\windows\abebevami.dll
2009-07-31 14:56 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-31 14:56 78,336 a------- c:\windows\system32\dllcache\ieencode.dll
2009-07-31 14:02 3,213 a------- c:\windows\iruculenela.dll
2009-07-30 23:12 3,237 a------- c:\windows\osufiwuz.dll
2009-07-30 22:37 3,229 a------- c:\windows\exapetoz.dll
2009-07-30 21:44   --d----- c:\program files\Trend Micro
2009-07-30 18:25 3,213 a------- c:\windows\imixoyenevud.dll
2009-07-30 17:58 3,205 a------- c:\windows\ojamewobeyi.dll
2009-07-30 03:32 3,221 a------- c:\windows\umorebanu.dll
2009-07-30 01:26 3,213 a------- c:\windows\axamogud.dll
2009-07-29 23:20 3,221 a------- c:\windows\iwuhamirolu.dll
2009-07-29 17:02 3,213 a------- c:\windows\oqezimimi.dll
2009-07-29 16:45 3,237 a------- c:\windows\amixoyenevud.dll
2009-07-29 04:07 3,221 a------- c:\windows\aqubokogikewejo.dll
2009-07-29 03:18 3,101 a------- c:\windows\ikuconisixe.dll
2009-07-29 01:12 3,245 a------- c:\windows\ewagutagesa.dll
2009-07-28 23:06 3,213 a------- c:\windows\isovugiyar.dll
2009-07-28 12:47 3,229 a------- c:\windows\upituyihitamaga.dll
2009-07-28 11:32 3,237 a------- c:\windows\isofaxacumiruxe.dll
2009-07-28 11:04 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-07-28 11:04 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-07-28 11:04 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-28 11:04 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-07-28 11:04   --d----- c:\program files\common files\PC Tools
2009-07-28 11:04   --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-07-28 10:59 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-07-28 10:59 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-07-28 10:59 42,376 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-07-28 10:59 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-07-28 10:59   --d----- c:\program files\Spyware Doctor
2009-07-28 10:59   --d----- c:\docume~1\cool\applic~1\PC Tools
2009-07-27 18:59 3,213 a------- c:\windows\uqovapuzegix.dll
2009-07-27 05:10 3,229 a------- c:\windows\uxuxaxet.dll
2009-07-27 03:04 3,221 a------- c:\windows\ogogepuwido.dll
2009-07-27 01:13 120 a------- c:\windows\Cruxafisequp.dat
2009-07-14 23:34 77,824 a------- c:\windows\system32\94.tmp
2009-07-14 23:34 0 a------- c:\windows\system32\93.tmp
2009-07-14 21:26   --d----- c:\windows\system32\appmgmt
2009-07-11 23:28   --d----- c:\program files\Windows Media Connect 2
2009-07-11 23:26   --d----- c:\windows\system32\LogFiles
2009-07-11 16:23   --d----- C:\Registry changes Ccleaner
2009-07-11 00:55 82,432 a------- c:\windows\system32\dllcache\ws2_32.dll
2009-07-11 00:55 77,824 a------- c:\windows\system32\126.tmp
2009-07-05 12:06   --d----- c:\docume~1\alluse~1\applic~1\WildTangent

==================== Find3M  ====================

2009-07-19 08:33 3,597,824 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 08:32 6,067,200 a------- c:\windows\system32\dllcache\ieframe.dll
2009-06-29 06:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 06:07 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 03:35 634,632 a------- c:\windows\system32\dllcache\iexplore.exe
2009-06-29 03:33 2,452,872 a------- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 03:33 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 09:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 09:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 14:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-06-02 05:12 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 10:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2008-02-24 19:45 56 ---shr-- c:\windows\system32\FB0A15A9AE.sys
2008-02-24 19:45 3,350 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 20:53:08.15 ===============
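The helper reads the "Created Last 30" and "Pseudo HJT Report" sections above by eye. As an added example (not part of this thread or of the DDS tool), the following Python script pulls the same three signals out of such a log for triage: a burst of tiny, randomly named DLLs written directly into c:\windows, a Run-key entry that loads a DLL from the c:\windows root through rundll32, and any LSA Notification Packages entry beyond the default scecli. The sample lines are a constructed subset of the posted log; the size threshold and the known-good package list are assumptions, and every hit still needs analyst verification.

```python
"""Triage heuristics for the "Created Last 30" and "Pseudo HJT Report"
sections of a DDS log. Added example for this thread; not part of the DDS
tool. Size threshold and known-good LSA package list are assumptions."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a subset of the "Created Last 30" lines posted above.
SAMPLE_CREATED = r"""
2009-08-03 11:39 3,245 a------- c:\windows\imufecujof.dll
2009-08-03 07:27 3,221 a------- c:\windows\ameyipoxazigu.dll
2009-08-03 05:21 3,229 a------- c:\windows\ihajanilerihehaf.dll
2009-08-03 03:15 3,261 a------- c:\windows\umazuhovehulato.dll
2009-07-31 14:56 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-28 11:04 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-07-28 11:04   --d----- c:\program files\common files\PC Tools
"""

# Constructed sample: a subset of the "Pseudo HJT Report" lines posted above.
SAMPLE_HJT = r"""
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Bzefesubaseb] rundll32.exe "c:\windows\acemobun.dll",e
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
LSA: Notification Packages = scecli c80ndiat.dll
"""

# "<date> <time> [<size>] <attrs> <path>"; the size column is absent for directories.
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?:([\d,]+)\s+)?([a-z-]{8})\s+(.+?)\s*$")
RUN_RE = re.compile(r"^[um]Run: \[([^\]]+)\]\s+(.*)$", re.I)
# A DLL sitting directly in c:\windows (no subfolder in between), quoted or not.
ROOT_DLL_RE = re.compile(r'c:\\windows\\([^\\"]+\.dll)', re.I)


def parse_created(text):
    """Yield (timestamp, size or None, attrs, path) for each file/dir line."""
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        size = int(m.group(2).replace(",", "")) if m.group(2) else None
        yield ts, size, m.group(3), m.group(4)


def find_dropped_dlls(text, max_size=8192, min_count=3):
    """Tiny DLLs written straight into c:\\windows, oldest first, plus the most
    common gap in minutes between consecutive drops (None if too few hits)."""
    hits = []
    for ts, size, attrs, path in parse_created(text):
        if attrs[2] == "d" or size is None:   # skip directories
            continue
        folder, _, name = path.lower().rpartition("\\")
        if folder == "c:\\windows" and name.endswith(".dll") and size < max_size:
            hits.append((ts, name))
    if len(hits) < min_count:
        return [], None
    hits.sort()
    gaps = [int((b[0] - a[0]).total_seconds() // 60) for a, b in zip(hits, hits[1:])]
    return [name for _, name in hits], Counter(gaps).most_common(1)[0][0]


def find_rundll32_autoruns(text):
    """Run-key entries that use rundll32 to load a DLL from the c:\\windows root."""
    hits = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m or "rundll32" not in m.group(2).lower():
            continue
        d = ROOT_DLL_RE.search(m.group(2))
        if d:
            hits.append((m.group(1), d.group(1).lower()))
    return hits


def find_lsa_extras(text, known=("scecli",)):
    """LSA Notification Packages beyond the assumed default set. This only
    narrows the list; each extra package still needs manual verification."""
    extras = []
    for line in text.splitlines():
        if line.strip().lower().startswith("lsa: notification packages"):
            pkgs = line.split("=", 1)[1].split()
            extras.extend(p for p in pkgs if p.lower() not in known)
    return extras


def triage(created_text, hjt_text):
    """Run all three heuristics over the two DDS sections and collect the hits."""
    dlls, gap = find_dropped_dlls(created_text)
    return {"dropped_dlls": dlls, "modal_gap_minutes": gap,
            "rundll32_autoruns": find_rundll32_autoruns(hjt_text),
            "lsa_extras": find_lsa_extras(hjt_text)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CREATED, SAMPLE_HJT).items():
        print(f"{key}: {value}")
```

On the constructed sample the drop interval comes out at 126 minutes, which matches the roughly two-hour cadence visible across the full posted list.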

3 Apprentice • 20.5K Posts

August 3rd, 2009 20:00

Yikes.

Please make sure Spyware Doctor is disabled before running this and that it stays disabled until we are finished -- or uninstall it and reinstall later after it has been confirmed that the system is clean. Apparently, Spyware Doctor has been no help with this malware. Neither has McAfee.

These are still running: 

C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe

 

Let's try scanning with MBAM.

* If you are unable to download or install MBAM on your computer, see if you can use a friend's or family member's computer to download MBAM. Use the update link mentioned below to manually update. Once downloaded, rename the program installer "mbam-setup.exe" file to something else like "russell.exe". Copy the installer file and the update file to a CD or flash drive. Transfer the files to the infected computer. Install the "russell.exe" file, then run the update so that you will have the current definitions. After that, run a full system scan and select to have the program REMOVE whatever it finds.

  Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    Alternatively, you can update through MBAM's interface from a clean computer,
    copy the definitions (rules.ref) located in
    C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes'
    Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

On the Scanner tab:

  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top.
  • It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report along with a fresh HijackThis log into your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process.
Regardless of whether you are prompted to restart the computer, please do so immediately.
Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- MBAM may make changes to your registry as part of its disinfection routine.
If you're using other security programs that detect registry changes (like Spybot's Teatimer),
they may interfere with the fix or alert you after scanning with MBAM.
Please disable such programs until disinfection is complete or permit them to allow the changes.

 

**If you need to re-install MBAM but encounter issues re-installing, try using the MBAM Cleanup Utility by downloading it from HERE

 

13 Posts

August 4th, 2009 01:00

I stopped the spyware doctor processes that were still running and followed the remaining instructions. Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.40
Database version: 2556
Windows 5.1.2600 Service Pack 3

8/4/2009 1:34:32 AM
mbam-log-2009-08-04 (01-34-32).txt

Scan type: Quick Scan
Objects scanned: 100249
Time elapsed: 8 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bzefesubaseb (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c80ndiat.dll  -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\c80ndiat.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\126.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\94.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\acemobun.dll (Trojan.Agent) -> Delete on reboot.

--Also, I have a question about my previous post of the DDS attachment. In the text of the log it states "UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT." I did not zip it before attaching. Have I just possibly opened myself up to future hackers by posting this on the forum for all to see? Please educate me on my ignorance regarding this subject.

Thank you very much.

 

 
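The MBAM log above is short enough to read by hand, but its layout is regular, and the two things a helper looks at first are the entries still marked "Delete on reboot" (the reason for the insistence on rebooting normally) and the locations that explain the persistence: an HKLM Run value, and the LSA "Notification Packages" value, whose DLLs are loaded into lsass.exe at boot with SYSTEM privileges and so cannot be removed while Windows is running. The Python script below is an added example, not part of this thread and not Malwarebytes' own code; it parses the log format shown, cross-checks the summary counts against the itemised sections, and pulls out those entries. The sample log embedded in it is constructed from lines of the post above.

```python
import re

# Constructed sample: a subset of the MBAM 1.40 log posted above, in its
# exact layout (summary counts first, then one section per category).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.40

Memory Processes Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bzefesubaseb (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c80ndiat.dll  -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\c80ndiat.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\126.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\94.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\acemobun.dll (Trojan.Agent) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return (summary, findings): summary maps section name -> claimed count;
    findings is a list of dicts with section, target, family and action."""
    summary, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("name")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            # the last "->" segment is what MBAM did (or still has to do)
            action = m.group("rest").rsplit("->", 1)[-1].strip().rstrip(".")
            findings.append({"section": section, "target": m.group("target"),
                             "family": m.group("family"), "action": action})
    return summary, findings


def triage(summary, findings):
    """What a helper reads first: do the counts add up, what still needs the
    reboot, which autostart/LSA locations were hit, was Security Center muted."""
    per_section = {}
    for f in findings:
        per_section[f["section"]] = per_section.get(f["section"], 0) + 1
    report = {
        "count_mismatch": [(n, c, per_section.get(n, 0))
                           for n, c in summary.items() if per_section.get(n, 0) != c],
        "pending_reboot": [f["target"] for f in findings if f["action"] == "Delete on reboot"],
        "persistence": [],
        "security_center_tampered": [],
    }
    for f in findings:
        t = f["target"].lower()
        # HKLM\...\Run runs at every logon; LSA Notification Packages are
        # loaded into lsass.exe at boot, hence the "Delete on reboot"
        if "\\lsa\\notification packages" in t or "\\currentversion\\run\\" in t:
            report["persistence"].append(f["target"])
        if f["family"] == "Disabled.SecurityCenter":
            report["security_center_tampered"].append(f["target"].rsplit("\\", 1)[-1])
    return report


if __name__ == "__main__":
    s, f = parse_mbam_log(SAMPLE_LOG)
    for key, value in triage(s, f).items():
        print(key, value)
```

Run it as a script to print the triage of the embedded sample, or import it and call parse_mbam_log() on the text of a saved mbam-log-*.txt. The section names, item layout and the "Delete on reboot" wording are those of MBAM 1.x logs as shown in this thread; other versions format their logs differently.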

3 Apprentice

 • 

20.5K Posts

August 4th, 2009 07:00

"UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.  IF REQUESTED, ZIP IT UP & ATTACH IT"

We have specifically requested that it be posted, so it would not need to be attached. The reason some forums do not want the log posted is because of the amount of text. It makes the threads too long. A hacker cannot get into your computer by reading the log that is posted. There is no identifying personal information.

Let's clean up Java and then you can let me know how things are running and if you are still getting that Data Execution Prevention message. MBAM found only 4 files, but I have a feeling there may be others still in there that we should look for.

Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 15  to your Desktop.
  • You will find it here: http://majorgeeks.com/download.php?det=4648
  • Click the "Download" button. Make sure you do not by accident download any of the other programs advertised on that page.
  • Do not install it yet.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each of the Java versions.
    Close Add/Remove.

  • In Windows Explorer, navigate to the folder C:\Program Files\Java and delete any subfolders.
    Do NOT delete the folder C:\Program Files\JavaVM, if found!
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u15-windows-i586-p.exe to install the newest version. NOTE: As always during installations, beware of any pre-checked option to install a toolbar. If you do not want it, UNcheck it.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

13 Posts

August 4th, 2009 22:00

Thank you for addressing my question on the previous post.

I followed your instructions and uninstalled an older version of Java (Java2 Runtime Environment, SE v1.4.2_03) and then deleted a Java subfolder (jre1.4.2_03) in Explorer. Then installed the latest version and rebooted as directed.

Thanks, and will wait for further instructions.

13 Posts

August 4th, 2009 22:00

Addendum to the previous post:

I still receive the Data Execution Prevention error after installing IE8 when trying to run it. I have uninstalled and am using IE7 again.

Thanks.

3 Apprentice

 • 

20.5K Posts

August 5th, 2009 04:00

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log for further review.

 

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

* Additional information on A/V control HERE. * ComboFix is not intended for use with servers.

3 Apprentice

 • 

20.5K Posts

August 5th, 2009 12:00

You did well turning off McAfee.

McAfee VirusScan *On-access scanning disabled*

I'm glad because that can be a real problem if there is a conflict.

I will have to go through those logs line-by-line and write some script for you to run, but I will try to reply within 24-48 hours.
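
Going through a ComboFix log line by line is mostly pattern spotting, and the "Files Created" section of the log posted next in this thread carries one pattern worth automating: dozens of 3.1 to 3.3 KB DLLs with random lowercase names dropped into c:\windows itself (not system32), each with creation time equal to modification time, at intervals of almost exactly two hours and six minutes. That cadence is consistent with a component that periodically writes a fresh copy of itself under a new name, which is why the four files MBAM removed were never going to be the whole story. The Python below is an added example, not ComboFix's own code and not from this thread; it parses lines in that section's layout, groups freshly written files by directory and extension, and reports groups of near-identical size whose creation times recur on a steady beat. The sample entries are constructed from an abbreviated run of the log's lines so the script runs offline.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of ComboFix's "Files Created" section:
# created . modified size attributes path. Abbreviated from the log in this
# thread; the nine c:\windows\*.dll lines are the pattern of interest.
SAMPLE = r"""
2009-08-05 04:12 . 2009-06-29 16:12 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-05 03:50 . 2009-08-05 03:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-04 05:57 . 2009-08-04 05:57 3213 ----a-w- c:\windows\elovugiyarikom.dll
2009-08-04 05:57 . 2009-08-04 05:57 -------- d-----w- c:\documents and settings\Cool\Application Data\Malwarebytes
2009-08-04 05:15 . 2009-08-04 05:15 3229 ----a-w- c:\windows\itaqopacaju.dll
2009-08-04 03:09 . 2009-08-04 03:09 3221 ----a-w- c:\windows\ubimocin.dll
2009-08-03 16:39 . 2009-08-03 16:39 3245 ----a-w- c:\windows\imufecujof.dll
2009-08-03 12:27 . 2009-08-03 12:27 3221 ----a-w- c:\windows\ameyipoxazigu.dll
2009-08-03 10:21 . 2009-08-03 10:21 3229 ----a-w- c:\windows\ihajanilerihehaf.dll
2009-08-03 08:15 . 2009-08-03 08:15 3261 ----a-w- c:\windows\umazuhovehulato.dll
2009-08-03 06:09 . 2009-08-03 06:09 3253 ----a-w- c:\windows\enayejamiyumih.dll
2009-08-03 04:03 . 2009-08-03 04:03 3229 ----a-w- c:\windows\olitejigucinep.dll
2009-07-28 16:04 . 2009-04-03 16:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
"""

ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$")
TS = "%Y-%m-%d %H:%M"


def parse_files_created(text):
    """One dict per entry; size is None for directories ("--------")."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "created": datetime.strptime(m.group("created"), TS),
            "modified": datetime.strptime(m.group("modified"), TS),
            "size": int(m.group("size")) if m.group("size").isdigit() else None,
            "is_dir": m.group("attrs").startswith("d"),
            "path": m.group("path").lower(),
        })
    return entries


def find_dropper_clusters(entries, min_count=3, size_tolerance=0.10, beat_slop=5):
    """Group freshly written files (created == modified, so not copied out of
    an update package carrying an older timestamp) by directory and extension,
    and report groups of near-identical size whose creation times recur on a
    steady interval (the "beat": the median gap in minutes)."""
    groups = defaultdict(list)
    for e in entries:
        if e["is_dir"] or e["size"] is None or e["created"] != e["modified"]:
            continue
        directory, _, name = e["path"].rpartition("\\")
        groups[(directory, name.rpartition(".")[2])].append(e)

    clusters = []
    for (directory, ext), items in groups.items():
        sizes = [i["size"] for i in items]
        if len(items) < min_count or max(sizes) - min(sizes) > size_tolerance * min(sizes):
            continue
        times = sorted(i["created"] for i in items)
        gaps = [int((b - a).total_seconds() // 60) for a, b in zip(times, times[1:])]
        beat = sorted(gaps)[len(gaps) // 2]
        clusters.append({
            "directory": directory, "ext": ext, "count": len(items),
            "size_range": (min(sizes), max(sizes)),
            "beat_minutes": beat,
            "on_beat_gaps": sum(1 for g in gaps if abs(g - beat) <= beat_slop),
            "total_gaps": len(gaps),
            "files": sorted(i["path"].rpartition("\\")[2] for i in items),
        })
    return clusters


if __name__ == "__main__":
    for c in find_dropper_clusters(parse_files_created(SAMPLE)):
        print(f"{c['count']} x .{c['ext']} in {c['directory']}: "
              f"{c['size_range'][0]}-{c['size_range'][1]} bytes, "
              f"{c['on_beat_gaps']}/{c['total_gaps']} gaps at ~{c['beat_minutes']} min")
```

On the embedded sample the only cluster is nine .dll files in c:\windows, 3213 to 3261 bytes, with five of the eight gaps at 126 minutes; the off-beat gaps are the hours the machine was presumably off. The created-equals-modified filter is what keeps legitimately patched system files such as ieencode.dll (created 2009-08-05, modified 2009-06-29) out of the grouping.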

13 Posts

August 5th, 2009 12:00

Here is the Combofix log:

ComboFix 09-08-04.03 - Cool 08/05/2009 12:24.1.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.543 [GMT -5:00]
Running from: c:\documents and settings\Cool\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Cool\Local Settings\Application Data\{152D93B1-9C3D-413E-981F-4EAB9B17A091}
c:\documents and settings\Cool\Local Settings\Application Data\{152D93B1-9C3D-413E-981F-4EAB9B17A091}\chrome.manifest
c:\documents and settings\Cool\Local Settings\Application Data\{152D93B1-9C3D-413E-981F-4EAB9B17A091}\chrome\content\_cfg.js
c:\documents and settings\Cool\Local Settings\Application Data\{152D93B1-9C3D-413E-981F-4EAB9B17A091}\chrome\content\overlay.xul
c:\documents and settings\Cool\Local Settings\Application Data\{152D93B1-9C3D-413E-981F-4EAB9B17A091}\install.rdf
c:\windows\kb913800.exe
c:\windows\system32\bszip.dll
c:\windows\system32\Data

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\system volume information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP853\A0090453.dll

.
(((((((((((((((((((((((((   Files Created from 2009-07-05 to 2009-08-05  )))))))))))))))))))))))))))))))
.

2009-08-05 04:12 . 2009-06-29 16:12 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-05 04:12 . 2009-06-29 16:12 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2009-08-05 03:50 . 2009-08-05 03:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-04 05:57 . 2009-08-04 05:57 3213 ----a-w- c:\windows\elovugiyarikom.dll
2009-08-04 05:57 . 2009-08-04 05:57 -------- d-----w- c:\documents and settings\Cool\Application Data\Malwarebytes
2009-08-04 05:57 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-04 05:57 . 2009-08-04 05:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-04 05:57 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-04 05:57 . 2009-08-04 05:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-04 05:15 . 2009-08-04 05:15 3229 ----a-w- c:\windows\itaqopacaju.dll
2009-08-04 03:09 . 2009-08-04 03:09 3221 ----a-w- c:\windows\ubimocin.dll
2009-08-03 16:39 . 2009-08-03 16:39 3245 ----a-w- c:\windows\imufecujof.dll
2009-08-03 12:27 . 2009-08-03 12:27 3221 ----a-w- c:\windows\ameyipoxazigu.dll
2009-08-03 10:21 . 2009-08-03 10:21 3229 ----a-w- c:\windows\ihajanilerihehaf.dll
2009-08-03 08:15 . 2009-08-03 08:15 3261 ----a-w- c:\windows\umazuhovehulato.dll
2009-08-03 06:09 . 2009-08-03 06:09 3253 ----a-w- c:\windows\enayejamiyumih.dll
2009-08-03 04:03 . 2009-08-03 04:03 3229 ----a-w- c:\windows\olitejigucinep.dll
2009-08-02 08:54 . 2009-08-02 08:54 3237 ----a-w- c:\windows\upukukaseg.dll
2009-08-02 07:16 . 2009-08-02 07:16 3229 ----a-w- c:\windows\erigimogoyineba.dll
2009-08-02 05:10 . 2009-08-02 05:10 3117 ----a-w- c:\windows\asepiguy.dll
2009-08-01 11:47 . 2009-08-01 11:47 3221 ----a-w- c:\windows\abuxejiv.dll
2009-08-01 09:41 . 2009-08-01 09:41 3253 ----a-w- c:\windows\ivenafaz.dll
2009-08-01 07:35 . 2009-08-01 07:35 3213 ----a-w- c:\windows\olazuzesesuzu.dll
2009-08-01 05:29 . 2009-08-01 05:29 3213 ----a-w- c:\windows\obumijigoki.dll
2009-08-01 03:23 . 2009-08-01 03:23 3245 ----a-w- c:\windows\ocitefesufiyasom.dll
2009-08-01 00:45 . 2009-08-01 00:45 3221 ----a-w- c:\windows\ubohevurij.dll
2009-07-31 22:39 . 2009-07-31 22:39 3245 ----a-w- c:\windows\eyudimeni.dll
2009-07-31 20:33 . 2009-07-31 20:33 3229 ----a-w- c:\windows\ozaximiba.dll
2009-07-31 20:14 . 2009-07-31 20:14 3213 ----a-w- c:\windows\abebevami.dll
2009-07-31 19:02 . 2009-07-31 19:02 3213 ----a-w- c:\windows\iruculenela.dll
2009-07-31 04:12 . 2009-07-31 04:12 3237 ----a-w- c:\windows\osufiwuz.dll
2009-07-31 03:37 . 2009-07-31 03:37 3229 ----a-w- c:\windows\exapetoz.dll
2009-07-31 02:44 . 2009-07-31 02:44 -------- d-----w- c:\program files\Trend Micro
2009-07-30 23:25 . 2009-07-30 23:25 3213 ----a-w- c:\windows\imixoyenevud.dll
2009-07-30 22:58 . 2009-07-30 22:58 3205 ----a-w- c:\windows\ojamewobeyi.dll
2009-07-30 08:32 . 2009-07-30 08:32 3221 ----a-w- c:\windows\umorebanu.dll
2009-07-30 06:26 . 2009-07-30 06:26 3213 ----a-w- c:\windows\axamogud.dll
2009-07-30 04:20 . 2009-07-30 04:20 3221 ----a-w- c:\windows\iwuhamirolu.dll
2009-07-29 22:02 . 2009-07-29 22:02 3213 ----a-w- c:\windows\oqezimimi.dll
2009-07-29 21:45 . 2009-07-29 21:45 3237 ----a-w- c:\windows\amixoyenevud.dll
2009-07-29 09:07 . 2009-07-29 09:07 3221 ----a-w- c:\windows\aqubokogikewejo.dll
2009-07-29 08:18 . 2009-07-29 08:18 3101 ----a-w- c:\windows\ikuconisixe.dll
2009-07-29 06:12 . 2009-07-29 06:12 3245 ----a-w- c:\windows\ewagutagesa.dll
2009-07-29 04:06 . 2009-07-29 04:06 3213 ----a-w- c:\windows\isovugiyar.dll
2009-07-28 17:47 . 2009-07-28 17:47 3229 ----a-w- c:\windows\upituyihitamaga.dll
2009-07-28 16:32 . 2009-07-28 16:32 3237 ----a-w- c:\windows\isofaxacumiruxe.dll
2009-07-28 16:04 . 2008-12-11 13:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-07-28 16:04 . 2009-04-03 16:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-07-28 16:04 . 2008-12-18 17:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-28 16:04 . 2009-07-28 16:08 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-28 16:04 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-07-28 16:04 . 2009-07-28 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-07-28 15:59 . 2008-06-11 02:22 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-07-28 15:59 . 2008-06-02 20:19 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-07-28 15:59 . 2008-06-02 20:19 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-07-28 15:59 . 2008-06-02 20:19 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-07-28 15:59 . 2009-08-05 04:08 -------- d-----w- c:\program files\Spyware Doctor
2009-07-28 15:59 . 2009-07-28 15:59 -------- d-----w- c:\documents and settings\Cool\Application Data\PC Tools
2009-07-27 23:59 . 2009-07-27 23:59 3213 ----a-w- c:\windows\uqovapuzegix.dll
2009-07-27 10:10 . 2009-07-27 10:10 3229 ----a-w- c:\windows\uxuxaxet.dll
2009-07-27 08:04 . 2009-07-27 08:04 3221 ----a-w- c:\windows\ogogepuwido.dll
2009-07-27 06:13 . 2009-08-04 05:39 120 ----a-w- c:\windows\Cruxafisequp.dat
2009-07-13 03:35 . 2009-07-30 23:12 -------- dc----w- c:\windows\system32\DRVSTORE
2009-07-13 03:34 . 2009-07-30 23:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-12 04:35 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-07-12 04:28 . 2009-07-12 04:28 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-12 04:26 . 2009-07-12 04:27 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-07-12 04:26 . 2009-07-12 04:26 -------- d-----w- c:\windows\system32\LogFiles
2009-07-11 21:59 . 2009-07-11 21:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-11 21:23 . 2009-07-11 21:24 -------- d-----w- C:\Registry changes Ccleaner
2009-07-11 05:55 . 2008-04-14 00:12 82432 ----a-w- c:\windows\system32\dllcache\ws2_32.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-05 17:33 . 2008-06-16 15:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-05 17:32 . 2009-03-12 22:21 -------- d-----w- c:\program files\Plaxo
2009-08-05 03:49 . 2005-11-29 14:59 -------- d-----w- c:\program files\Java
2009-07-28 15:56 . 2005-11-29 15:06 -------- d-----w- c:\program files\Common Files\AOL
2009-07-28 15:56 . 2005-11-29 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-07-15 04:34 . 2009-07-15 04:34 0 ----a-w- c:\windows\system32\93.tmp
2009-07-11 05:12 . 2008-01-26 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-10 20:27 . 2008-01-26 05:06 -------- d-----w- c:\program files\McAfee
2009-07-05 17:07 . 2009-07-05 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-07-05 17:06 . 2005-11-29 15:12 -------- d-----w- c:\program files\WildTangent
2009-06-29 16:12 . 2005-08-16 10:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2005-08-16 10:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-02-25 00:45 . 2006-07-31 02:51 56 --sh--r- c:\windows\system32\FB0A15A9AE.sys
2008-02-25 00:45 . 2006-07-31 02:51 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PlaxoUpdate"="c:\program files\Plaxo\3.17.0.16\PlaxoHelper_en.exe" [2008-11-19 369223]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [2004-06-19 913408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Ink Monitor"="c:\program files\EPSON\Ink Monitor\InkMonitor.exe" [2001-10-16 258118]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"Dell AIO Printer A960"="c:\program files\Dell AIO Printer A960\dlbfbmgr.exe" [2003-09-21 270336]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-11-29 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-11-29 98304]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-09 110592]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-05 149280]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2004-06-10 60928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-11-29 156784]
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2006-1-3 127488]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/28/2009 11:04 AM 130936]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/28/2009 10:59 AM 348752]
S3 lac97inf;lac97inf;\??\c:\docume~1\Cool\LOCALS~1\Temp\lac97inf.sys --> c:\docume~1\Cool\LOCALS~1\Temp\lac97inf.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-26 15:53]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-26 15:53]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
HKCU-Run-PlaxoSysTray - c:\program files\Plaxo\3.17.0.16\PlaxoSysTray.exe
HKCU-Run-SpySweeper - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: thestreet.com\www
Trusted Zone: musicmatch.com\online
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-05 12:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4924)
c:\windows\system32\WININET.dll
c:\program files\Iomega\DriveIcons\IMGHOOK.DLL
c:\program files\Plaxo\3.17.0.16\plx_hook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\program files\Dell AIO Printer A960\dlbfbmon.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Iomega\AutoDisk\ADService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\McAfee\VIRUSS~1\mcvsshld.exe
c:\progra~1\McAfee\VIRUSS~1\mcvsmap.exe
.
**************************************************************************
.
Completion time: 2009-08-05 12:44 - machine was rebooted
ComboFix-quarantined-files.txt  2009-08-05 17:44

Pre-Run: 64,119,164,928 bytes free
Post-Run: 64,176,222,208 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptOut

271 --- E O F --- 2009-08-05 04:14

****Something to note: the simple way to turn off McAfee in your linked instructions seems not to apply to this computer. Right-clicking the McAfee icon in the system tray produces several options, but there is no "Exit" option.
To achieve the same effect, I have been using the Windows Task Manager to end processes run by the program. The scan appears to have been successful. If this is a problem please advise.

 

Here is the HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:36 PM, on 8/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Plaxo\3.17.0.16\PlaxoHelper_en.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.17.0.16\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/mygarmin/m/GarminAxControl.CAB
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 11038 bytes

Thanks.

3 Apprentice • 20.5K Posts • August 5th, 2009 19:00

I see that you have made some registry changes with CCleaner. I have no way of knowing what all those changes were, but I'll do my best to get things cleaned up - as far as I can see.

Disconnect from the internet... pull the plug!

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray.

Otherwise, they may interfere with running ComboFix.

Open Notepad and copy/paste the following text between the lines below.

Do not copy the dotted lines.

** Make sure you copy/paste ALL the text at once. Do not try to edit extra spaces.

It will copy correctly to Notepad if you highlight and copy as is.

-----------------------------------------------------------------------------------

File::
c:\windows\elovugiyarikom.dll
c:\windows\itaqopacaju.dll
c:\windows\ubimocin.dll
c:\windows\imufecujof.dll
c:\windows\ameyipoxazigu.dll
c:\windows\ihajanilerihehaf.dll
c:\windows\umazuhovehulato.dll
c:\windows\enayejamiyumih.dll
c:\windows\olitejigucinep.dll
c:\windows\upukukaseg.dll
c:\windows\erigimogoyineba.dll
c:\windows\asepiguy.dll
c:\windows\abuxejiv.dll
c:\windows\ivenafaz.dll
c:\windows\olazuzesesuzu.dll
c:\windows\obumijigoki.dll
c:\windows\ocitefesufiyasom.dll
c:\windows\ubohevurij.dll
c:\windows\eyudimeni.dll
c:\windows\ozaximiba.dll
c:\windows\abebevami.dll
c:\windows\iruculenela.dll
c:\windows\osufiwuz.dll
c:\windows\exapetoz.dll
c:\windows\imixoyenevud.dll
c:\windows\ojamewobeyi.dll
c:\windows\umorebanu.dll
c:\windows\axamogud.dll
c:\windows\iwuhamirolu.dll
c:\windows\oqezimimi.dll
c:\windows\amixoyenevud.dll
c:\windows\aqubokogikewejo.dll
c:\windows\ikuconisixe.dll
c:\windows\ewagutagesa.dll
c:\windows\isovugiyar.dll
c:\windows\upituyihitamaga.dll
c:\windows\isofaxacumiruxe.dll
c:\windows\uqovapuzegix.dll
c:\windows\uxuxaxet.dll
c:\windows\ogogepuwido.dll
c:\windows\Cruxafisequp.dat
c:\windows\system32\93.tmp

----------------------------------------------------------------------------

Save this as CFScript.txt

[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

You will be prompted to run Combofix again.

Follow the same instructions you did before for running ComboFix.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced here: C:\ComboFix.txt

In your next reply, please post that log along with a new HijackThis log.

13 Posts • August 6th, 2009 20:00

Followed the directions above. McAfee kept trying to resume after turning off in the program itself and closing processes in Windows Task Manager after they reappeared. The scan appears to be successful - to my novice eyes.

Here is the new ComboFix log:

ComboFix 09-08-06.01 - Cool 08/06/2009 20:57.2.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.588 [GMT -5:00]
Running from: c:\documents and settings\Cool\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cool\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\abebevami.dll"
"c:\windows\abuxejiv.dll"
"c:\windows\ameyipoxazigu.dll"
"c:\windows\amixoyenevud.dll"
"c:\windows\aqubokogikewejo.dll"
"c:\windows\asepiguy.dll"
"c:\windows\axamogud.dll"
"c:\windows\Cruxafisequp.dat"
"c:\windows\elovugiyarikom.dll"
"c:\windows\enayejamiyumih.dll"
"c:\windows\erigimogoyineba.dll"
"c:\windows\ewagutagesa.dll"
"c:\windows\exapetoz.dll"
"c:\windows\eyudimeni.dll"
"c:\windows\ihajanilerihehaf.dll"
"c:\windows\ikuconisixe.dll"
"c:\windows\imixoyenevud.dll"
"c:\windows\imufecujof.dll"
"c:\windows\iruculenela.dll"
"c:\windows\isofaxacumiruxe.dll"
"c:\windows\isovugiyar.dll"
"c:\windows\itaqopacaju.dll"
"c:\windows\ivenafaz.dll"
"c:\windows\iwuhamirolu.dll"
"c:\windows\obumijigoki.dll"
"c:\windows\ocitefesufiyasom.dll"
"c:\windows\ogogepuwido.dll"
"c:\windows\ojamewobeyi.dll"
"c:\windows\olazuzesesuzu.dll"
"c:\windows\olitejigucinep.dll"
"c:\windows\oqezimimi.dll"
"c:\windows\osufiwuz.dll"
"c:\windows\ozaximiba.dll"
"c:\windows\system32\93.tmp"
"c:\windows\ubimocin.dll"
"c:\windows\ubohevurij.dll"
"c:\windows\umazuhovehulato.dll"
"c:\windows\umorebanu.dll"
"c:\windows\upituyihitamaga.dll"
"c:\windows\upukukaseg.dll"
"c:\windows\uqovapuzegix.dll"
"c:\windows\uxuxaxet.dll"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\abebevami.dll
c:\windows\abuxejiv.dll
c:\windows\ameyipoxazigu.dll
c:\windows\amixoyenevud.dll
c:\windows\aqubokogikewejo.dll
c:\windows\asepiguy.dll
c:\windows\axamogud.dll
c:\windows\Cruxafisequp.dat
c:\windows\elovugiyarikom.dll
c:\windows\enayejamiyumih.dll
c:\windows\erigimogoyineba.dll
c:\windows\ewagutagesa.dll
c:\windows\exapetoz.dll
c:\windows\eyudimeni.dll
c:\windows\ihajanilerihehaf.dll
c:\windows\ikuconisixe.dll
c:\windows\imixoyenevud.dll
c:\windows\imufecujof.dll
c:\windows\iruculenela.dll
c:\windows\isofaxacumiruxe.dll
c:\windows\isovugiyar.dll
c:\windows\itaqopacaju.dll
c:\windows\ivenafaz.dll
c:\windows\iwuhamirolu.dll
c:\windows\obumijigoki.dll
c:\windows\ocitefesufiyasom.dll
c:\windows\ogogepuwido.dll
c:\windows\ojamewobeyi.dll
c:\windows\olazuzesesuzu.dll
c:\windows\olitejigucinep.dll
c:\windows\oqezimimi.dll
c:\windows\osufiwuz.dll
c:\windows\ozaximiba.dll
c:\windows\system32\93.tmp
c:\windows\ubimocin.dll
c:\windows\ubohevurij.dll
c:\windows\umazuhovehulato.dll
c:\windows\umorebanu.dll
c:\windows\upituyihitamaga.dll
c:\windows\upukukaseg.dll
c:\windows\uqovapuzegix.dll
c:\windows\uxuxaxet.dll

.
(((((((((((((((((((((((((   Files Created from 2009-07-07 to 2009-08-07  )))))))))))))))))))))))))))))))
.

2009-08-05 04:12 . 2009-06-29 16:12 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-05 04:12 . 2009-06-29 16:12 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2009-08-05 03:50 . 2009-08-05 03:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-04 05:57 . 2009-08-04 05:57 -------- d-----w- c:\documents and settings\Cool\Application Data\Malwarebytes
2009-08-04 05:57 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-04 05:57 . 2009-08-04 05:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-04 05:57 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-04 05:57 . 2009-08-04 05:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-31 02:44 . 2009-07-31 02:44 -------- d-----w- c:\program files\Trend Micro
2009-07-28 16:04 . 2008-12-11 13:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-07-28 16:04 . 2009-04-03 16:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-07-28 16:04 . 2008-12-18 17:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-28 16:04 . 2009-07-28 16:08 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-28 16:04 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-07-28 16:04 . 2009-07-28 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-07-28 15:59 . 2008-06-11 02:22 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-07-28 15:59 . 2008-06-02 20:19 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-07-28 15:59 . 2008-06-02 20:19 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-07-28 15:59 . 2008-06-02 20:19 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-07-28 15:59 . 2009-08-06 23:11 -------- d-----w- c:\program files\Spyware Doctor
2009-07-28 15:59 . 2009-07-28 15:59 -------- d-----w- c:\documents and settings\Cool\Application Data\PC Tools
2009-07-13 03:35 . 2009-07-30 23:12 -------- dc----w- c:\windows\system32\DRVSTORE
2009-07-13 03:34 . 2009-07-30 23:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-12 04:35 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-07-12 04:28 . 2009-07-12 04:28 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-12 04:26 . 2009-07-12 04:27 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-07-12 04:26 . 2009-07-12 04:26 -------- d-----w- c:\windows\system32\LogFiles
2009-07-11 21:59 . 2009-07-11 21:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-11 21:23 . 2009-07-11 21:24 -------- d-----w- C:\Registry changes Ccleaner
2009-07-11 05:55 . 2008-04-14 00:12 82432 ----a-w- c:\windows\system32\dllcache\ws2_32.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-06 23:11 . 2008-06-16 15:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-06 22:40 . 2009-03-12 22:21 -------- d-----w- c:\program files\Plaxo
2009-08-05 03:49 . 2005-11-29 14:59 -------- d-----w- c:\program files\Java
2009-07-28 15:56 . 2005-11-29 15:06 -------- d-----w- c:\program files\Common Files\AOL
2009-07-28 15:56 . 2005-11-29 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-07-11 05:12 . 2008-01-26 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-10 20:27 . 2008-01-26 05:06 -------- d-----w- c:\program files\McAfee
2009-07-05 17:07 . 2009-07-05 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-07-05 17:06 . 2005-11-29 15:12 -------- d-----w- c:\program files\WildTangent
2009-06-29 16:12 . 2005-08-16 10:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2005-08-16 10:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-02-25 00:45 . 2006-07-31 02:51 56 --sh--r- c:\windows\system32\FB0A15A9AE.sys
2008-02-25 00:45 . 2006-07-31 02:51 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((   SnapShot@2009-08-05_17.35.30   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-06 22:40 . 2009-08-06 22:40 16384              c:\windows\Temp\Perflib_Perfdata_a70.dat
+ 2009-08-05 17:52 . 2009-08-06 22:47 32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-12-04 23:02 . 2009-08-06 22:47 32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-12-04 23:02 . 2009-08-05 17:10 32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-12-04 23:02 . 2009-08-06 22:47 32768              c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-12-04 23:02 . 2009-08-05 17:10 32768              c:\windows\system32\config\systemprofile\Cookies\index.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PlaxoUpdate"="c:\program files\Plaxo\3.17.0.16\PlaxoHelper_en.exe" [2008-11-19 369223]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [2004-06-19 913408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Ink Monitor"="c:\program files\EPSON\Ink Monitor\InkMonitor.exe" [2001-10-16 258118]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"Dell AIO Printer A960"="c:\program files\Dell AIO Printer A960\dlbfbmgr.exe" [2003-09-21 270336]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-11-29 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-11-29 98304]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-09 110592]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-05 149280]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2004-06-10 60928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-11-29 156784]
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2006-1-3 127488]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/28/2009 11:04 AM 130936]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/28/2009 10:59 AM 348752]
S3 lac97inf;lac97inf;\??\c:\docume~1\Cool\LOCALS~1\Temp\lac97inf.sys --> c:\docume~1\Cool\LOCALS~1\Temp\lac97inf.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-26 15:53]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-26 15:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: thestreet.com\www
Trusted Zone: musicmatch.com\online
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-06 21:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
Completion time: 2009-08-07 21:07
ComboFix-quarantined-files.txt  2009-08-07 02:07
ComboFix2.txt  2009-08-05 17:44

Pre-Run: 64,199,151,616 bytes free
Post-Run: 64,163,930,112 bytes free

259 --- E O F --- 2009-08-05 04:14

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:58 PM, on 8/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Plaxo\3.17.0.16\PlaxoHelper_en.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\eHome\ehRec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.17.0.16\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/mygarmin/m/GarminAxControl.CAB
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 11559 bytes

Thanks.
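As an added example (not from the thread or any of its posters), here is a small Python parser for the O4 and O23 lines of a HijackThis log like the one above; it picks out the entries a helper would review first, namely services whose image file is missing or whose publisher is "Unknown owner". The sample lines are copied from the posted log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a handful of O4/O23 lines taken from the HijackThis log posted above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ISTray] "C:\\Program Files\\Spyware Doctor\\pctsTray.exe"
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: DSBrokerService - Unknown owner - C:\\Program Files\\DellSupport\\brkrsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\\PROGRA~1\\McAfee\\VIRUSS~1\\mcshield.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\\Program Files\\SiteAdvisor\\6253\\SAService.exe (file missing)
"""

# O4: registry Run entries, "[value name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O23: "display name (service name) - company - image path"; the short service name is optional
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?)(?: \((?P<svc>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")

@dataclass
class Entry:
    kind: str                       # "O4" or "O23"
    name: str                       # Run value name or service display name
    path: str                       # command line or service image path
    owner: Optional[str] = None     # company string for O23, None for O4
    service: Optional[str] = None   # short service name for O23
    file_missing: bool = False      # HijackThis appended "(file missing)"
    reasons: List[str] = field(default_factory=list)

def parse_hjt(text: str) -> List[Entry]:
    """Parse the O4 and O23 lines of a HijackThis log into Entry records."""
    entries = []
    for line in text.splitlines():
        if m := O4_RE.match(line):
            entries.append(Entry("O4", m["name"], m["cmd"]))
        elif m := O23_RE.match(line):
            path, missing = m["path"], False
            if path.endswith(" (file missing)"):
                path, missing = path[: -len(" (file missing)")], True
            entries.append(Entry("O23", m["name"], path, m["owner"], m["svc"], missing))
    return entries

def review_candidates(entries: List[Entry]) -> List[Entry]:
    """Return the entries a helper would look at first, with the reason attached."""
    flagged = []
    for e in entries:
        if e.file_missing:
            e.reasons.append("image path no longer exists (stale or removed component)")
        if e.owner == "Unknown owner":
            e.reasons.append("no publisher string; verify the binary manually")
        if e.reasons:
            flagged.append(e)
    return flagged
```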

13 Posts

August 6th, 2009 20:00

Also, after the Combofix scan was completed, a message box popped up indicating that "Combofix needs to submit files for further analysis - please ensure you are connected to the internet." I connected so it could be sent. I don't remember if that was the case after the first scan so I thought I should mention it if it was out of the ordinary.
