I removed the
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
but that was the only one I could find; the others were not there (I did look hard).
I did not have Explorer in my Start menu and could not find it. I went to My Computer > C: > WINDOWS and looked for it, could not find it; I did a search for it as well, nothing.
Here's the log for ComboFix:
Nick Larcombe - Thu 11/23/2006 10:59:06.15 Service Pack 2
ComboFix 06.11.22 - Running from: "C:\Documents and Settings\Nick Larcombe\Desktop\Web"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (NICK-Nick Larcombe).job
Completion time: Thu 11/23/2006 10:59:43.03
C:\ComboFix.txt ... 11/23/2006 10:59 AM
Windows XP Home Edition Service Pack 2 (Build 2600)
- Administrative User - Completed Functions Allowed
Following item(s) have been chosen:
All Boot Items (Including Registry, Startup Folders, Services and so on)
Browser Add-ons
Running Processes (Including process model information)
File Associations
Winsock Provider
Autorun.Inf
HOSTS File
==================================
File Associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
First go here and download AVG Anti-Spyware (30 day free trial version). Save it to your Desktop.
Double click AVG Anti-Spyware-setup (it will create its own folder).
Once the program starts you will be at the Status menu.
Under "Your computer's Security", click Change status on Resident shield to Inactive.
Click Update now (next to Last update). After the update loads, under Automatic updates uncheck "Download and install updates automatically (recommended)" (you can always select manual updates the next day).
At the top toolbar click Scanner, then the Settings tab.
Under How to act?, set Default action for detected malware to Quarantine.
Under How to scan, all boxes should be checked.
Under Possibly unwanted software, all boxes should be checked.
Under Reports, select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan, Scan every file should be highlighted.
Exit AVG (but do not run it yet).
Reboot into Safe Mode. This can be done by restarting your PC, and after it starts, but before you see the Windows splash screen, begin tapping the F8 key twice a second until you reach another menu screen (black background with white menu choices). Use your arrow keys to select Safe Mode and then press Enter.
Run AVG Anti-Spyware. Click Scanner and select Complete system scan.
Once the scan finishes, select Apply all actions (the items found will be quarantined). Click Save report as (another window will open) and save it to your desktop (by default it will be saved in the AVG folder as C:\Program Files\Grisoft\AVG anti-spyware 7.5\Reports).
Exit AVG.
Reboot your PC in Normal Mode ->> rerun HijackThis and post a fresh HijackThis log.
Double click the report-scan .txt you saved to your desktop. It will open in Notepad. Copy and paste that report as a reply to this thread.
Your reply should include:
a fresh HijackThis log
your report_scan.txt log from AVG
Logfile of HijackThis v1.99.1
Scan saved at 9:31:38 AM, on 11/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
bamajim
November 22nd, 2006 18:00
Welcome to DCF :)
First, copy and paste the following into Notepad (not WordPad):

sc stop MsaSvc
sc delete MsaSvc

Click File ->> Save as ->> type in cmd.bat
Under "Save as type" select "All files" ->> save it to your Desktop
Close Notepad
The cmd.bat file should now appear on your Desktop
Double click that file (it will appear that nothing has happened, but that's o.k.)
Next, rerun HijackThis (scan only) and place checks beside the following entries (if found):
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
Close all other open windows except HijackThis and select "Fix checked"
Next, using Windows Explorer
(Right click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
Locate and delete the following file: C:\WINDOWS\9129837.exe
Close Windows Explorer ->> Reboot your PC
Next:
1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
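The cleanup bamajim walks through above (stop and delete the orphaned service, remove the Run value, delete the launched file, then verify) as an added example; this is not code from the post or from HijackThis. The script parses the two HijackThis lines quoted in the post and emits the cmd.exe batch file with the sc, reg and del commands plus the queries that confirm removal. The sample input is constructed from the post; expanding HijackThis's "HKxx\..\Run" abbreviation to the full CurrentVersion\Run key is an assumption, as is treating "(file missing)" as "registry entry only, nothing on disk to delete".

```python
"""Parse HijackThis O4/O23 lines and build the cmd.exe cleanup batch file.

Added example for this thread; not code from the post or from HijackThis.
SAMPLE_HJT is constructed from the two entries quoted in the post above.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the two entries bamajim asks the user to fix.
SAMPLE_HJT = r"""
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
"""

# HijackThis abbreviates the autorun key as HKxx\..\Run; reg.exe needs the full
# path (assumption: the standard CurrentVersion keys HijackThis reports as O4).
RUN_KEYS = {
    "Run": r"Software\Microsoft\Windows\CurrentVersion\Run",
    "RunOnce": r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "RunServices": r"Software\Microsoft\Windows\CurrentVersion\RunServices",
}
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<svc>[^()]+)\) - (?P<owner>.+?) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")


@dataclass
class Finding:
    kind: str                   # "run_value" or "service"
    name: str                   # registry value name or service short name
    path: str                   # executable the entry launches
    key: str = ""               # full registry key (run values only)
    file_missing: bool = False  # HijackThis saw the entry but not the binary


def _exe_from_command(cmd: str) -> str:
    """Strip arguments from a Run command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def parse_hjt(text: str) -> List[Finding]:
    """One Finding per O4 Run value or O23 service; other lines are ignored."""
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m and m["key"] in RUN_KEYS:
            findings.append(Finding("run_value", m["name"], _exe_from_command(m["cmd"]),
                                    key=m["hive"] + "\\" + RUN_KEYS[m["key"]]))
            continue
        m = O23_RE.match(line)
        if m:
            findings.append(Finding("service", m["svc"], m["path"].strip('"'),
                                    file_missing=m["missing"] is not None))
    return findings


def cleanup_script(findings: List[Finding]) -> str:
    """Emit a batch file: services first (sc.exe), then Run values (reg.exe),
    then the launched file, followed by queries that should all fail once the
    cleanup has taken effect."""
    lines = ["@echo off"]
    verify = []
    for f in findings:
        if f.kind == "service":
            note = " (file missing, registry entry only)" if f.file_missing else ""
            lines += [f"rem service {f.name}: {f.path}{note}",
                      f"sc stop {f.name}",      # error 1062 here just means it was not running
                      f"sc delete {f.name}"]    # stays "marked for deletion" until reboot if handles are open
            verify.append(f"sc query {f.name}")
            if not f.file_missing:
                lines.append(f'del /f /q "{f.path}"')
                verify.append(f'if exist "{f.path}" echo STILL PRESENT: {f.path}')
        else:
            lines += [f"rem autorun value {f.name} -> {f.path}",
                      f'reg delete "{f.key}" /v "{f.name}" /f',
                      f'del /f /q "{f.path}"']  # fails while the process runs: reboot or Safe Mode first
            verify += [f'reg query "{f.key}" /v "{f.name}"',
                       f'if exist "{f.path}" echo STILL PRESENT: {f.path}']
    lines.append("rem --- verification: every query below should now report not found ---")
    return "\n".join(lines + verify) + "\n"


if __name__ == "__main__":
    print(cleanup_script(parse_hjt(SAMPLE_HJT)), end="")
```

When saving the output as cmd.bat for an XP machine, write it with CRLF line endings (Notepad on XP shows an LF-only file as one line). For MsaSvc the "(file missing)" flag means only the service registration is left, so sc delete is the whole job; for the ttool entry the del can fail while 9129837.exe is still running, and since XP Home does not ship taskkill, the reboot at the end of the post (or Safe Mode) is what releases the file.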
NickL210
November 23rd, 2006 01:00
11/23/06 11:49:14 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/23/06 11:49:14 [Note]: 7019 4
11/23/06 11:49:14 [Note]: 7005 0
11/23/06 11:49:16 [Note]: 7006 0
11/23/06 11:49:16 [Note]: 7011 1872
11/23/06 11:49:17 [Note]: 7026 0
11/23/06 11:49:17 [Note]: 7026 0
11/23/06 11:49:22 [Note]: FSRAW library version 1.7.1020
11/23/06 11:53:12 [Note]: 7007 0
bamajim
November 23rd, 2006 01:00
The batch file you ran should have removed the O23 line, but I had to include it to make sure. The file went with it. But thanks for keeping me up to date.
The last scan indicated a rootkit infection, which I suspected; it may take a couple of tools to expose it all, so let's do this first.
Please download F-Secure Blacklight (blbeta.exe) and save it to your Desktop.
Double click the file to run it
It will create the "fsbl-xxxxxxx.log" on your desktop.
The log will have a list of all items found. Do not choose to rename any yet! I want to see the log first because legitimate items can also be present...like "wbemtest.exe".
Exit Blacklight and post the contents of the log in your next reply.
NickL210
November 23rd, 2006 01:00
ComboFix 06.11.22 - Running from: "C:\Documents and Settings\Nick Larcombe\Desktop\Web"
((((((((((((((((((((((((((((((( Files Created from 2011-22-06 to 2011/23/2006 ))))))))))))))))))))))))))))))))))
No new files created in this timespan
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"Installed"="1"
"Installed"="1"
"NoChange"="1"
"Installed"="1"
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"NoDriveTypeAutoRun"=dword:00000091
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091
"NoDriveTypeAutoRun"=dword:00000091
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (NICK-Nick Larcombe).job
C:\ComboFix.txt ... 11/23/2006 10:59 AM
bamajim
November 24th, 2006 13:00
It's there, we just have to find it, let's do this
Download Dr.Web CureIt to the desktop.
Double click the drweb-cureit.exe file and allow it to run the express scan. This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, click Options > Change settings.
Choose the "Scan" tab, remove the mark at "Heuristic analysis".
Back at the main window, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click the next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.
NickL210
November 24th, 2006 23:00
Cannot open C:\Documents and Settings\Nick Larcombe\Desktop\drweb-cureit.exe
bamajim
November 25th, 2006 00:00
Hm, being difficult
Please RIGHT-CLICK HERE (http://www.silentrunners.org/) and Save As (in IE it's "Save Target As") to download Silent Runners.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
NickL210
November 25th, 2006 06:00
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
"DellSupport" = ""C:\Program Files\Dell Support\DSAgnt.exe" /startup" ["Gteko Ltd."]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"igfxtray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"igfxhkcmd" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"igfxpers" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"MSPY2002" = "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"VSOCheckTask" = ""C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask" ["McAfee, Inc."]
"OASClnt" = "C:\Program Files\McAfee.com\VSO\oasclnt.exe" ["McAfee, Inc."]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "c:\PROGRA~1\mcafee.com\agent\McUpdate.exe" ["McAfee, Inc"]
"MSKDetectorExe" = "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup" ["McAfee, Inc."]
"DLA" = "C:\WINDOWS\System32\DLA\DLACTRLW.EXE" ["Sonic Solutions"]
"ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" ["InstallShield Software Corporation"]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"MSKAGENTEXE" = "C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" ["McAfee Inc."]
"VirusScan Online" = "C:\Program Files\McAfee.com\VSO\mcvsshld.exe" ["McAfee, Inc."]
"MPFExe" = "C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" ["McAfee Security"]
"Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{41D68ED8-4CFF-4115-88A6-6EBB8AF19000}\(Default) = (no title provided)
-> {HKLM...CLSID} = "McAfee AntiPhishing Filter"
\InProcServer32\(Default) = "c:\program files\mcafee\spamkiller\mcapfbho.dll" ["McAfee, Inc."]
{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll" ["MyWay.com"]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\System32\DLA\DLASHX_W.DLL" ["Sonic Solutions"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\System32\DLA\DLASHX_W.DLL" ["Sonic Solutions"]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 Context Menu Shell Extension"
-> {HKLM...CLSID} = "WinAceContext Menu Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 DragDrop Shell Extension"
-> {HKLM...CLSID} = "WinAceDrag-Drop Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 Context Menu Shell Extension"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 Property Sheet Shell Extension"
-> {HKLM...CLSID} = "WinAceProperty Sheet Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{64BC5640-700F-4E7E-8462-D3092DD74B0F}" = "VDMSound LaunchPad"
-> {HKLM...CLSID} = "LaunchPadShellEx Class"
\InProcServer32\(Default) = "C:\Program Files\VDMSound\LaunchPad.dll" [empty string]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
< > igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
Group Policies {policy setting}:
--------------------------------
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Nick Larcombe\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]
Startup items in "Nick Larcombe" & "All Users" startup folders:
---------------------------------------------------------------
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Dell Network Assistant" -> shortcut to: "C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe -systray" [null data]
"Digital Line Detect" -> shortcut to: "C:\Program Files\Digital Line Detect\DLG.exe" ["BVRP Software"]
Enabled Scheduled Tasks:
------------------------
"McAfee.com Scan for Viruses - My Computer (NICK-Nick Larcombe)" -> launches: "c:\program files\mcafee.com\vso\mcmnhdlr.exe /runtask:0" ["McAfee, Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
-> {HKLM...CLSID} = "McAfee VirusScan"
\InProcServer32\(Default) = "c:\progra~1\mcafee.com\vso\mcvsshl.dll" ["McAfee, Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]
"MenuText" = "McAfee AntiPhishing Filter"
"CLSIDExtension" = "{7DD73374-7187-4103-8F29-622AA25E7C40}"
-> {HKLM...CLSID} = "MyCfgDlgCmdTarget Class"
\InProcServer32\(Default) = "c:\program files\mcafee\spamkiller\mcapfbho.dll" ["McAfee, Inc."]
"ButtonText" = "Real.com"
"ButtonText" = "Run IMVU"
"Exec" = "C:\Documents and Settings\Nick Larcombe\Start Menu\Programs\IMVU\Run IMVU.lnk" [null data]
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
< > "{4D25F926-B9FE-4682-BF72-8AB8210D6D75}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll" ["MyWay.com"]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
McAfee Personal Firewall Service, MpfService, "C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe" ["McAfee Corporation"]
McAfee SpamKiller Server, MskService, "C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe" ["McAfee Inc."]
McAfee.com McShield, McShield, "c:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["McAfee Inc."]
Print Monitors:
---------------
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
----------
< >: Suspicious data at a malware launch point.
< >: Suspicious data at a browser hijack point.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 47 seconds, including 18 seconds for message boxes)
bamajim
November 25th, 2006 23:00
Nope not there either.
Go HERE and Download System Repair Engine by smallfrogs
Right-click sreng2.zip ->> Extract all ->> extract it to your desktop
Open the sreng folder
Double click SREng ->> click Run
At the main window, in the left pane, select Smart Scan
At the next window make sure all of the boxes are checked and select Scan
When the scan is complete select Save reports
Save it to your desktop and close the tool
Double click SREngLog.txt, copy and paste that log as a reply to this thread
Do not run any other options with this tool unless instructed to do so.
NickL210
November 26th, 2006 11:00
Smallfrogs ( http://www.KZTechs.com)
- Administrative User - Completed Functions Allowed
All Boot Items (Including Registry, Startup Folders, Services and so on)
Browser Add-ons
Running Processes (Including process model information)
File Associations
Winsock Provider
Autorun.Inf
HOSTS File
Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<"C:\Program Files\Dell Support\DSAgnt.exe" /startup> [Gteko Ltd.]
<"C:\Program Files\Messenger\msmsgs.exe" /background> [(Verified)Microsoft Corporation]
<"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background> [(Verified)Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[(Verified)Intel Corporation]
[(Verified)Intel Corporation]
[(Verified)Intel Corporation]
<"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Corporation]
[(Verified)N/A]
[(Verified)Microsoft Corporation]
[(Verified)Microsoft Corporation]
[Sun Microsystems, Inc.]
[N/A]
<"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask> [McAfee, Inc.]
[McAfee, Inc.]
[McAfee, Inc]
[McAfee, Inc]
[McAfee, Inc.]
[Sonic Solutions]
[InstallShield Software Corporation]
<"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start> [InstallShield Software Corporation]
[McAfee Inc.]
[McAfee, Inc.]
[(Verified)McAfee Security]
<"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"> [Adobe Systems Incorporated]
<%systemroot%\system32\dumprep 0 -k> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
[(Verified)Microsoft Corporation]
[(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
[(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
[(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
[(Verified)Intel Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
[(Verified)Microsoft Corporation]
Startup Folders
[Adobe Reader Speed Launch]
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [Adobe Systems Incorporated]
[Dell Network Assistant]
C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [N/A]
[Digital Line Detect]
C:\PROGRA~1\DIGITA~1\DLG.exe [BVRP Software]
[Adobe Gamma]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [Adobe Systems, Inc.]
Services
[Adobe LM Service / Adobe LM Service]
<"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe">
[Application Management / AppMgmt]
<%SystemRoot%\System32\appmgmts.dll>
[ASP.NET State Service / aspnet_state]
[Belkin Wireless USB Network Adapter / Belkin Wireless USB Network Adapter Service]
[Human Interface Device Access / HidServ]
<%SystemRoot%\System32\hidserv.dll>
[LexBce Server / LexBceS]
[McAfee.com McShield / McShield]
[McAfee SecurityCenter Update Manager / mcupdmgr.exe]
[McAfee Personal Firewall Service / MpfService]
[McAfee SpamKiller Server / MskService]
[Intel NCS NetService / NetSvc]
Drivers
[abp480n5 / abp480n5]
<\SystemRoot\system32\DRIVERS\ABP480N5.SYS>
[adpu160m / adpu160m]
<\SystemRoot\system32\DRIVERS\adpu160m.sys>
[AEGIS Protocol (IEEE 802.1x) v3.4.3.0 / AegisP]
[Aha154x / Aha154x]
<\SystemRoot\system32\DRIVERS\aha154x.sys>
[aic78u2 / aic78u2]
<\SystemRoot\system32\DRIVERS\aic78u2.sys>
[aic78xx / aic78xx]
<\SystemRoot\system32\DRIVERS\aic78xx.sys>
[AliIde / AliIde]
<\SystemRoot\system32\DRIVERS\aliide.sys>
[AMD AGP Bus Filter Driver / amdagp]
<\SystemRoot\system32\DRIVERS\amdagp.sys>
[asc / asc]
<\SystemRoot\system32\DRIVERS\asc.sys>
[asc3350p / asc3350p]
<\SystemRoot\system32\DRIVERS\asc3350p.sys>
[asc3550 / asc3550]
<\SystemRoot\system32\DRIVERS\asc3550.sys>
[ASCTRM / ASCTRM]
[cd20xrnt / cd20xrnt]
<\SystemRoot\system32\DRIVERS\cd20xrnt.sys>
[CmdIde / CmdIde]
<\SystemRoot\system32\DRIVERS\cmdide.sys>
[dac2w2k / dac2w2k]
<\SystemRoot\system32\DRIVERS\dac2w2k.sys>
[DLABOIOM / DLABOIOM]
[DLACDBHM / DLACDBHM]
[DLADResN / DLADResN]
[DLAIFS_M / DLAIFS_M]
[DLAOPIOM / DLAOPIOM]
[DLAPoolM / DLAPoolM]
[DLARTL_N / DLARTL_N]
[DLAUDFAM / DLAUDFAM]
[DLAUDF_M / DLAUDF_M]
[dpti2o / dpti2o]
<\SystemRoot\system32\DRIVERS\dpti2o.sys>
[DRVMCDB / DRVMCDB]
<\SystemRoot\System32\Drivers\DRVMCDB.SYS>
[DRVNDDM / DRVNDDM]
[Intel(R) PRO Network Connection Driver / E100B]
[Microsoft UAA Bus Driver for High Definition Audio / HDAudBus]
[HomeNet Manager Wireless Protocol / hnmwrlspkt]
[HSFHWBS2 / HSFHWBS2]
[HSF_DP / HSF_DP]
[ialm / ialm]
[ini910u / ini910u]
<\SystemRoot\system32\DRIVERS\ini910u.sys>
[mdmxsdk / mdmxsdk]
[MPFIREWL / MPFIREWL]
[mraid35x / mraid35x]
<\SystemRoot\system32\DRIVERS\mraid35x.sys>
[NaiAvFilter1 / NaiAvFilter1]
[nv / nv]
[Auto Internet Protocol / Packet]
[Direct Parallel Link Driver / Ptilink]
[PxHelp20 / PxHelp20]
<\SystemRoot\System32\Drivers\PxHelp20.sys>
[ql1080 / ql1080]
<\SystemRoot\system32\DRIVERS\ql1080.sys>
[Ql10wnt / Ql10wnt]
<\SystemRoot\system32\DRIVERS\ql10wnt.sys>
[ql12160 / ql12160]
<\SystemRoot\system32\DRIVERS\ql12160.sys>
[ql1280 / ql1280]
<\SystemRoot\system32\DRIVERS\ql1280.sys>
[Belkin USB Network Adapter / RT73]
[Secdrv / Secdrv]
[SIS AGP Bus Filter / sisagp]
<\SystemRoot\system32\DRIVERS\sisagp.sys>
[Sparrow / Sparrow]
<\SystemRoot\system32\DRIVERS\sparrow.sys>
[SigmaTel High Definition Audio CODEC / STHDA]
[symc810 / symc810]
<\SystemRoot\system32\DRIVERS\symc810.sys>
[symc8xx / symc8xx]
<\SystemRoot\system32\DRIVERS\symc8xx.sys>
[sym_hi / sym_hi]
<\SystemRoot\system32\DRIVERS\sym_hi.sys>
[sym_u3 / sym_u3]
<\SystemRoot\system32\DRIVERS\sym_u3.sys>
[TosIde / TosIde]
<\SystemRoot\system32\DRIVERS\toside.sys>
[ultra / ultra]
<\SystemRoot\system32\DRIVERS\ultra.sys>
NickL210
13 Posts
0
November 26th, 2006 11:00
Browser Add-ons
[Adobe PDF Reader Link Helper]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
[McAfee AntiPhishing Filter]
{41D68ED8-4CFF-4115-88A6-6EBB8AF19000}
[]
{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
[DriveLetterAccess]
{5CA3D70E-1895-11CF-8E15-001234567890}
[SSVHelper Class]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
[Windows Live Sign-in Helper]
{9030D464-4C02-4ABF-8ECC-5164760863C6}
[Windows Live Toolbar Helper]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
[Java Plug-in]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
[MyCfgDlgCmdTarget Class]
{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}
[Real.com]
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
[Run IMVU]
{d9288080-1baa-4bc4-9cf8-a92d743db949}
[Messenger]
{FB5F1910-F110-11d2-BB9E-00C04F795683}
[McAfee VirusScan]
{BA52B914-B692-46c4-B683-905236F6F655}
[Windows Live Toolbar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
[Checkers Class]
{00B71CFB-6864-4346-A978-C0A14556272C}
[Shockwave ActiveX Control]
{166B1BCA-3F9C-11CF-8075-444553540000}
[Minesweeper Flags Class]
{2917297F-F02B-4B9D-81DF-494B6333150B}
[McAfee.com Operating System Class]
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
[WUWebControl Class]
{6414512B-B978-451D-A0D8-FCFDF33E833C}
[Java Plug-in]
{8AD9C840-044E-11D1-B3E9-00805F499D93}
[MessengerStatsClient Class]
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D}
[Java Plug-in]
{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
[Java Plug-in]
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
[Java Plug-in 1.5.0_06]
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000}
[Solitaire Showdown Class]
{F6BF0D00-0B2A-4A75-BF7B-F385591623AF}
[Yahoo! Toolbar Helper]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} <, N/A>
[Adobe PDF Reader Link Helper]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
[Shockwave ActiveX Control]
{166B1BCA-3F9C-11CF-8075-444553540000}
[Windows Genuine Advantage Validation Tool]
{17492023-C23A-453E-A040-C7C580BBF700}
[Windows Media Player]
{22D6F312-B0F6-11D0-94AB-0080C74C7E95}
[Shockwave ActiveX Control]
{233C1507-6A77-46A4-9443-F871F945D258}
[HTML Document]
{25336920-03F9-11CF-8FD0-00AA00686F13} <%SystemRoot%\system32\mshtml.dll, N/A>
[DHTML Edit Control Safe for Scripting for IE5]
{2D360201-FFF5-11D1-8D03-00A0C959BC0A}
[Tabular Data Control]
{333C7BC4-460F-11D0-BC04-0080C7055A83}
[McAfee.com Download+Installer Class]
{36C417C6-13C6-448B-9784-DD73A93B0582}
[McAfee AntiPhishing Filter]
{41D68ED8-4CFF-4115-88A6-6EBB8AF19000}
[XML Document]
{48123BC4-99D9-11D1-A6B3-00C04FD91555} <%SystemRoot%\system32\msxml3.dll, N/A>
[McAfee.com Registry Class]
{4C29D864-C55A-46DD-865C-17A1B7CC1A1A}
[]
{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
[McAfee.com Operating System Class]
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
[Microsoft Licensed Class Manager 1.0]
{5220CB21-C88D-11CF-B347-00AA00A28331}
[Shell Name Space]
{55136805-B2DE-11D1-B9F2-00A0C98BC547} <%SystemRoot%\system32\shdocvw.dll, N/A>
[McAfee.com File System Class]
{5940894F-4BA9-4FAC-ACFD-2F56F7CE0E3B}
[DriveLetterAccess]
{5CA3D70E-1895-11CF-8E15-001234567890}
[WUWebControl Class]
{6414512B-B978-451D-A0D8-FCFDF33E833C}
[DivXBrowserPlugin Object]
{67DABFBF-D0AB-41FA-9C46-CC0F21721616}
[Windows Media Player]
{6BF52A52-394A-11D3-B153-00C04F79FAA6}
[SSVHelper Class]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
[Microsoft Web Browser]
{8856F961-340A-11D0-A96B-00C04FD705A2}
[Windows Live Sign-in Helper]
{9030D464-4C02-4ABF-8ECC-5164760863C6}
[SearchAssistantOC]
{B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, N/A>
[McAfee VirusScan]
{BA52B914-B692-46C4-B683-905236F6F655}
[DwnldGroupMgr Class]
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
[Windows Live Toolbar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
[Windows Live Toolbar Helper]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
[McAfee.com Shell Helper Class]
{CA145D71-4BCB-461D-BCBE-C01C42867380}
[AUDIO__WAV Moniker Class]
{CD3AFA7B-B84F-48F0-9393-7EDC34128127}
[Windows Live Sign-in Control]
{D2517915-48CE-4286-970F-921E881B8C5C}
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000}
[McAfee.com Application Helper Class]
{D2D8D3C0-C750-4703-A6AD-75D6B578FFE6}
[Yahoo! Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} <, N/A>
[]
{F06608C7-1874-4EEA-B3B2-DF99EBB144B8}
[&Windows Live Search]
[Open in new background tab]
[Open in new foreground tab]
Running Processes
[PID: 704][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 760][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 788][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 840][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 852][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1052][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1140][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1284][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1376][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1584][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1884][C:\WINDOWS\system32\LEXBCES.EXE] [Lexmark International, Inc., 8.16]
[C:\WINDOWS\system32\lexp2p32.dll] [Lexmark International, Inc., 8.16]
[C:\WINDOWS\system32\lex2kusb.dll] [Lexmark International, Inc., 8.16]
[PID: 1932][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
[C:\WINDOWS\system32\LEXLMPM.DLL] [Lexmark International, Inc., 8.16]
[C:\WINDOWS\system32\LexBce.dll] [Lexmark International, Inc., 8.16]
[C:\WINDOWS\System32\spool\PRTPROCS\W32X86\LXBKPP5C.dll] [, 1.0.0.0]
[PID: 1940][C:\WINDOWS\system32\LEXPPS.EXE] [Lexmark International, Inc., 8.16]
[C:\WINDOWS\system32\LEXBCE.DLL] [Lexmark International, Inc., 8.16]
[PID: 156][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll] [Adobe Systems Incorporated, 7.0.7.2006011200]
[C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll] [MyWay.com, 1, 0, 1, 16]
[C:\WINDOWS\System32\DLA\DLASHX_W.DLL] [Sonic Solutions, 5.20.08a]
[C:\WINDOWS\system32\DLAAPI_W.DLL] [Sonic Solutions, 5.20.08a]
[C:\WINDOWS\System32\DLA\DLACResW.dll] [Sonic Solutions, 5.20.08a]
[C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll] [Sun Microsystems, Inc., 5.0.60.5]
[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll] [Adobe Systems, Inc., 7.0.0.0]
[c:\progra~1\mcafee.com\vso\mcvsshl.dll] [McAfee, Inc., 10, 0, 0, 19]
[c:\progra~1\mcafee.com\vso\ShlRes.dll] [McAfee, Inc., 10, 0, 0, 19]
[C:\Program Files\WinAce\arcext.dll] [e-merge GmbH, 2.5.1.0]
[C:\Program Files\WinAce\acev2.dll] [ACE Compression Software, 2.6.0.0]
[C:\Program Files\VDMSound\LaunchPad.dll] [, 1, 0, 1, 3]
[C:\WINDOWS\system32\CmdLineExt03.dll] [N/A, N/A]
[PID: 224][C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe] [N/A, N/A]
[PID: 232][C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe] [, 1, 0, 7, 4]
[C:\Program Files\Belkin\Belkin Wireless Network Utility\PINGDLL.dll] [N/A, N/A]
[C:\Program Files\Belkin\Belkin Wireless Network Utility\ProcNICs.dll] [, 1, 0, 0, 7]
[C:\Program Files\Belkin\Belkin Wireless Network Utility\Ralinktek.dll] [GemTK, 1, 0, 1, 5]
[C:\Program Files\Belkin\Belkin Wireless Network Utility\GEMWEP.DLL] [, 1, 0, 0, 1]
[C:\Program Files\Belkin\Belkin Wireless Network Utility\Security.dll] [, 1, 0, 2, 8]
[C:\Program Files\Belkin\Belkin Wireless Network Utility\RM_DEV_CODE.dll] [, 1, 0, 1, 2]
[C:\Program Files\Belkin\Belkin Wireless Network Utility\0004\AegisE5.dll] [Meetinghouse Data Communications, 3, 3, 3, 0]
[PID: 236][C:\WINDOWS\system32\cisvc.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 288][c:\PROGRA~1\mcafee.com\vso\mcshield.exe] [McAfee Inc., 11.0.0.151]
[c:\PROGRA~1\mcafee.com\vso\RES00\McShield.DLL] [McAfee Inc., 11.0.0.141]
[c:\PROGRA~1\mcafee.com\vso\FTL.Dll] [McAfee Inc., 11.0.0.151]
[c:\PROGRA~1\mcafee.com\vso\naiann.dll] [McAfee, Inc., 10, 0, 0, 21]
[c:\PROGRA~1\mcafee.com\vso\mytilus.dll] [McAfee Inc., 11.0.0.151]
[C:\Program Files\McAfee.com\VSO\MCSCAN32.DLL] [McAfee, Inc., 5.1.00]
[c:\program files\mcafee.com\agent\mcagntps.dll] [McAfee, Inc, 5, 0, 0, 0]
[c:\progra~1\mcafee.com\vso\naiannps.dll] [McAfee, Inc, 10, 0, 0, 0]
[PID: 356][C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe] [McAfee Corporation, 7.1.0.113]
[C:\WINDOWS\system32\MPFAPI.dll] [McAfee, 7.1.0.113]
[PID: 392][c:\PROGRA~1\mcafee.com\vso\OasClnt.exe] [McAfee, Inc., 10, 0, 0, 24]
[c:\program files\mcafee.com\agent\mcagntps.dll] [McAfee, Inc, 5, 0, 0, 0]
[c:\progra~1\mcafee.com\vso\naiannps.dll] [McAfee, Inc, 10, 0, 0, 0]
[c:\progra~1\mcafee.com\vso\mcvsps.dll] [McAfee, Inc, 10, 0, 0, 17]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 396][C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe] [McAfee Inc., 7.0.1.3]
[C:\PROGRA~1\McAfee\SPAMKI~1\borlndmm.dll] [Borland Software Corporation, 6.0.6.163]
[C:\PROGRA~1\McAfee\SPAMKI~1\MskRescs.dll] [McAfee, Inc., 7.0.1.6]
[C:\PROGRA~1\McAfee\SPAMKI~1\McAbImp.dll] [McAfee, Inc., 7.0.1.9]
[c:\program files\mcafee.com\agent\submgr\6,0,0,15\mcsubmgr.dll] [McAfee, Inc, 6, 0, 0, 15]
[PID: 672][c:\program files\mcafee.com\vso\mcvsshld.exe] [McAfee, Inc., 10, 0, 0, 22]
[C:\Program Files\McAfee.com\VSO\VsCfgW32.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\program files\mcafee.com\vso\ashldres.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\program files\mcafee.com\agent\submgr\6,0,0,15\mcsubmgr.dll] [McAfee, Inc, 6, 0, 0, 15]
[c:\program files\mcafee.com\agent\mcagntps.dll] [McAfee, Inc, 5, 0, 0, 0]
[c:\progra~1\mcafee.com\vso\mcvsps.dll] [McAfee, Inc, 10, 0, 0, 17]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 768][c:\program files\mcafee.com\agent\mcagent.exe] [McAfee, Inc, 6, 0, 0, 16]
[c:\program files\mcafee.com\agent\SCRes.dll] [McAfee, Inc, 6, 0, 0, 7]
[c:\program files\mcafee.com\agent\mcagntps.dll] [McAfee, Inc, 5, 0, 0, 0]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 808][c:\progra~1\mcafee.com\vso\mcvsescn.exe] [McAfee, Inc., 10, 0, 0, 20]
[c:\progra~1\mcafee.com\vso\ashldres.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\progra~1\mcafee.com\vso\EmScnRes.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\PROGRA~1\mcafee.com\vso\vsoupd.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\progra~1\mcafee.com\vso\McVsWorm.dll] [McAfee, Inc., 10, 0, 0, 19]
[C:\Program Files\McAfee.com\VSO\VsCfgW32.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\progra~1\mcafee.com\vso\WormRes.dll] [McAfee, Inc., 10, 0, 0, 19]
[c:\program files\mcafee.com\agent\mcagntps.dll] [McAfee, Inc, 5, 0, 0, 0]
[PID: 3748][C:\WINDOWS\system32\wuauclt.exe] [Microsoft Corporation, 5.8.0.2469 built by: lab01_n(wmbla)]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 3148][C:\WINDOWS\system32\cidaemon.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1548][C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll] [Adobe Systems Incorporated, 7.0.7.2006011200]
[c:\program files\mcafee\spamkiller\mcapfbho.dll] [McAfee, Inc., 7.0.2.3]
[C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll] [MyWay.com, 1, 0, 1, 16]
[C:\WINDOWS\System32\DLA\DLASHX_W.DLL] [Sonic Solutions, 5.20.08a]
[C:\WINDOWS\system32\DLAAPI_W.DLL] [Sonic Solutions, 5.20.08a]
[C:\WINDOWS\System32\DLA\DLACResW.dll] [Sonic Solutions, 5.20.08a]
[C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll] [Sun Microsystems, Inc., 5.0.60.5]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx] [Adobe Systems, Inc., 9,0,16,0]
[PID: 404][C:\Program Files\WinAce\WinAce.exe] [e-merge GmbH, 2.6.5.0]
[C:\Program Files\WinAce\acev2.dll] [ACE Compression Software, 2.6.0.0]
[C:\Program Files\WinAce\unrar3.dll] [N/A, N/A]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 988][C:\Documents and Settings\Nick Larcombe\Desktop\sreng2\SREng\SREng.exe] [Smallfrogs Studio, 2.2.6.605]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
File Associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
Winsock Provider
N/A
Autorun.Inf
N/A
HOSTS File
127.0.0.1 localhost
bamajim
10.4K Posts
0
November 28th, 2006 13:00
Sorry for the delay in replying
First Go here and Download AVG Anti-Spyware
(30 day free trial version) Save it to Your Desktop
Double Click AVG Anti-Spyware-setup
(It will create its own folder)
Once the program starts You will be at the Status menu
- Under "Your computer's Security"
Click change status on Resident shield to inactive
Click Update now (next to last update)
After the update loads
Under Automatic updates Uncheck download and install updates automatically (recommended)
(you can always select manual updates the next day)
At the top toolbar Click Scanner, Then the Settings tab
- Under How to act? Set default action for detected malware To Quarantine
- Under How to scan All boxes should be checked
- Under Possibly unwanted software All boxes should be checked
- Under Reports Select Automatically generate report after every scan
Uncheck Only if threats were found
- Under What to scan Scan every file should be highlighted
Exit AVG (But do not run it yet)
Reboot into Safe Mode
This can be done by
- Restart your PC, and after it starts, but before you see the Windows Splash screen
Begin tapping the F8 key twice a second until you reach another menu screen (black background with white menu choices)
Use your arrow keys and select Safe Mode and then Enter
Run AVG Anti-Spyware
- Click Scanner
Select Complete system scan
Once the scan finishes
- Select Apply all actions (The items found will be quarantined)
Click save report as (Another window will open)
Save it to your desktop
(By default It will be saved in the AVG folder as)
C:\Program Files\Grisoft\AVG anti-spyware 7.5\Reports
Exit AVG
Reboot your PC in Normal Mode->>Re run Hijackthis and post a fresh Hijackthis log.
- Double click the report-scan txt. you saved to your desktop
It will open in Notepad
Copy and paste that report as a reply to this thread
Your reply should include
your report_scan.txt log from AVG
bamajim
10.4K Posts
0
November 28th, 2006 23:00
Looking good
A couple to clean up:
Rerun Hijackthis (scan only) and place a check beside the following entries
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
Close Hijackthis->>Reboot your PC->>Rerun Hijackthis and post one more log.
Also, give me an update on how your PC is running.
NickL210
13 Posts
0
November 28th, 2006 23:00
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP123\A0015016.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP123\A0015017.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP123\A0015050.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP123\A0015051.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP135\A0020943.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP135\A0020944.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP155\A0042079.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP155\A0042080.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP123\A0015041.exe -> Backdoor.Agent.aim : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0015134.rbf -> Backdoor.Agent.aim : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP123\A0015049.exe -> Downloader.Harnig.dk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP123\A0015022.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP123\A0015054.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP130\A0016261.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP135\A0020945.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP123\A0015029.exe -> Downloader.VB.apw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP127\A0016191.exe -> Downloader.VB.apw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP127\A0016195.exe -> Downloader.VB.apw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP135\A0020948.exe -> Downloader.VB.apw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP138\A0024994.sys -> Hijacker.Costrat.q : Cleaned with backup (quarantined).
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@meetupcom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned.
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@ehg-gamespot.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@counter.hitslink[1].txt -> TrackingCookie.Hitslink : Cleaned.
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@www.smartadserver[2].txt -> TrackingCookie.Smartadserver : Cleaned.
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Nick Larcombe\Cookies\nick larcombe@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP123\A0015026.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP127\A0015158.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP127\A0015159.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP127\A0015160.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP127\A0015161.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP131\A0017423.dll -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP131\A0017424.exe -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP131\A0017422.dll -> Trojan.Sinowal.bl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP123\A0015042.sys -> Trojan.Small. : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0015146.sys -> Trojan.Small. : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP127\A0015157.exe -> Trojan.Small. : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP127\A0015172.sys -> Trojan.Small. : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP127\A0015184.sys -> Trojan.Small. : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP127\A0016186.sys -> Trojan.Small. : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP127\A0016208.sys -> Trojan.Small. : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP130\A0016279.sys -> Trojan.Small. : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP131\A0016393.exe -> Trojan.Small. : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP131\A0016408.sys -> Trojan.Small. : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP123\A0015027.exe -> Worm.VB.ar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP127\A0016190.exe -> Worm.VB.ar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP127\A0016194.exe -> Worm.VB.ar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP135\A0020949.exe -> Worm.VB.ar : Cleaned with backup (quarantined).
::Report end
NickL210
13 Posts
0
November 28th, 2006 23:00
Scan saved at 9:31:38 AM, on 11/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/default.aspx?c=au&l=en&s=gen
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.ap.dell.com/content/default.aspx?c=au&l=en&s=gen
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?88ac059969704a75bc11fe6644ad340a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?88ac059969704a75bc11fe6644ad340a
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Nick Larcombe\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152335492250
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe