Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


rundll error


rundll error

Post by scholesboy » August 6th, 2007, 11:42 am

Hi all :(
When I start my machine I keep getting a rundll error. It looks like this: RUNDLL, Error loading c:\windows\system32\j6281932.dll, the specified module could not be found. Here is my HijackThis log,
thanks all ;)


Logfile of HijackThis v1.99.1
Scan saved at 16:40:01, on 06/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BitComet\BitComet.exe
C:\DOCUME~1\PAULSC~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis1991.zip\HijackThis.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: (no name) - {3B19371D-FF9A-4A7A-AEC8-9ECAF70FDDFC} - (no file)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\ywydpotg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {9F7EA270-A605-4A93-8AC6-657864C250E3} - (no file)
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O2 - BHO: (no name) - {DC83196A-091B-4032-A6AC-BC5FE6362184} - (no file)
O2 - BHO: (no name) - {EE98A2F7-E5B1-4B55-A670-CDA441CA5874} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [j6281932] rundll32 C:\WINDOWS\system32\j6281932.dll sook
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMP Plugin] C:\Program Files\Windows Media Player Plugin\wmplugin.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: byxyyvu - byxyyvu.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\vjyqmwmu.exe (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
scholesboy
Regular Member
 
Posts: 20
Joined: June 10th, 2007, 12:12 pm
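To pin down which autostart entry is behind the RUNDLL dialog described in the post above, here is an added example (not part of the original thread, and not HijackThis or ComboFix code): a Python script that parses the O2/O4/O20/O23 lines of a HijackThis log, extracts the file each entry points at, and reports entries whose target no longer exists, singling out the rundll32 Run value that raises the "specified module could not be found" dialog. The sample lines are copied from the log above; the set of files treated as present, the injectable `file_exists` lookup and all function names are assumptions made for the demo.

```python
"""Find orphaned autostart entries in a HijackThis log (added example).

A RUNDLL "Error loading <dll>: The specified module could not be found" dialog at logon
means a Run value still calls rundll32 on a DLL that is no longer on disk; the registry
value is the leftover to remove.  This parses O2/O4/O20/O23 lines and reports entries
whose target is missing.  `file_exists` is injectable: os.path.exists on the affected
machine, or a lookup over a constructed file set (as the demo does) to run offline.
"""
import ntpath
import os
import re
from typing import Callable, Iterable, List, NamedTuple, Optional, Tuple

class Finding(NamedTuple):
    kind: str           # HijackThis section: O2 BHO, O4 Run value, O20 Winlogon Notify, O23 service
    name: str           # entry name as HijackThis prints it
    path: str           # referenced file ("" when the log already says "(no file)")
    via_rundll32: bool  # True when a rundll32 host is what loads the missing DLL
    reason: str

# Line shapes as HijackThis 1.99.1 prints them (see the log in this thread).
O4_RE = re.compile(r"^O4 - (?P<hive>[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$")
MISSING_MARKERS = ("(no file)", "(file missing)")

def split_cmd(cmd: str) -> List[str]:
    """Tokenise a Run-key command line: whitespace separates arguments, double
    quotes group one argument and are dropped, backslashes stay literal."""
    toks, cur, in_quotes = [], "", False
    for ch in cmd.strip():
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                toks.append(cur)
                cur = ""
        else:
            cur += ch
    return toks + [cur] if cur else toks

def rundll32_target(cmd: str) -> Optional[Tuple[str, str]]:
    """(dll_path, entry_point) when `cmd` runs rundll32, else None.  rundll32 accepts
    both "dll,Entry" and "dll Entry"; like rundll32 itself this splits at the first
    comma, so a comma inside the DLL path is not handled."""
    toks = split_cmd(cmd)
    if len(toks) < 2 or ntpath.basename(toks[0]).lower() not in ("rundll32", "rundll32.exe"):
        return None
    dll, sep, entry = toks[1].partition(",")
    if not sep:
        entry = toks[2] if len(toks) > 2 else ""
    return dll, entry

def strip_marker(path: str) -> Tuple[str, bool]:
    """Remove HijackThis's own "(no file)" / "(file missing)" annotation."""
    for marker in MISSING_MARKERS:
        if path.endswith(marker):
            return path[: -len(marker)].strip(), True
    return path, False

def orphaned_autostarts(lines: Iterable[str],
                        file_exists: Callable[[str], bool] = os.path.exists) -> List[Finding]:
    """Report every autostart entry whose target file is gone."""
    out: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            target = rundll32_target(m["cmd"])
            if target is not None:
                dll, entry = target
                if not file_exists(dll):
                    out.append(Finding("O4", m["name"], dll, True,
                                       "rundll32 loads a DLL that is gone (entry point %r): this value raises "
                                       "the RUNDLL 'specified module could not be found' dialog" % entry))
            else:
                toks = split_cmd(m["cmd"])
                # %systemroot%-style variables only expand on Windows, where this runs for real
                if toks and not file_exists(os.path.expandvars(toks[0])):
                    out.append(Finding("O4", m["name"], toks[0], False, "Run value points at a missing executable"))
            continue
        for kind, rx in (("O2", O2_RE), ("O20", O20_RE), ("O23", O23_RE)):
            m = rx.match(line)
            if m:
                path, marked = strip_marker(m["path"])
                if marked:
                    out.append(Finding(kind, m["name"], path, False, "HijackThis reports the file missing; the registration is orphaned"))
                elif not file_exists(path):
                    out.append(Finding(kind, m["name"], path, False, "referenced file is not on disk"))
                break
    return out

# Sample input: lines copied from the HijackThis log in this thread.  PRESENT_FILES is a
# constructed stand-in for the infected machine's disk so the demo runs offline.
SAMPLE_LOG = r"""
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\ywydpotg.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [j6281932] rundll32 C:\WINDOWS\system32\j6281932.dll sook
O20 - Winlogon Notify: byxyyvu - byxyyvu.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\vjyqmwmu.exe (file missing)
"""
PRESENT_FILES = {p.lower() for p in (r"C:\WINDOWS\system32\ywydpotg.dll", r"C:\Program Files\QuickTime\qttask.exe")}

def demo_findings() -> List[Finding]:
    """Run the detector over the sample log against the constructed disk view."""
    return orphaned_autostarts(SAMPLE_LOG.strip().splitlines(), lambda p: p.lower() in PRESENT_FILES)
```

On the affected machine you would feed it the saved HijackThis log with the default `os.path.exists`. Two caveats: Winlogon Notify DLLs are listed without a directory and are resolved from system32, so a bare name only counts as missing here when HijackThis has already marked it "(file missing)"; and a registered BHO or service whose file is still present (like the ywydpotg.dll entry above) is deliberately not reported, since this script only finds orphans, not live malware.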

Post by Blade81 » August 6th, 2007, 3:16 pm

Hi

1. Download this file -
combofix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply with a fresh HJT log.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

combofix.exe log

Post by scholesboy » August 7th, 2007, 8:07 am

ComboFix 07-08-04.3 - "paul scholes" 2007-08-07 12:54:47.1 [GMT 1:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\PAULSC~1\Desktop\internet.lnk
C:\WINDOWS\system32\ywydpotg.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-07 13:04 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-07 12:52 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-05 18:10 <DIR> d-------- C:\Program Files\I386
2007-08-03 20:26 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-08-03 20:25 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2007-08-03 20:25 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-08-03 20:25 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2007-08-03 20:25 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-08-03 20:25 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-08-03 20:25 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-08-03 20:24 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-08-03 20:24 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2007-08-03 20:24 701,386 --a--c--- C:\WINDOWS\system32\dllcache\wdhaalba.sys
2007-08-03 20:24 64,605 --a--c--- C:\WINDOWS\system32\dllcache\vvoice.sys
2007-08-03 20:24 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
2007-08-03 20:24 397,502 --a--c--- C:\WINDOWS\system32\dllcache\vpctcom.sys
2007-08-03 20:24 35,871 --a--c--- C:\WINDOWS\system32\dllcache\wbfirdma.sys
2007-08-03 20:24 19,528 --a--c--- C:\WINDOWS\system32\dllcache\w840nd.sys
2007-08-03 20:24 19,016 --a--c--- C:\WINDOWS\system32\dllcache\w926nd.sys
2007-08-03 20:24 16,925 --a--c--- C:\WINDOWS\system32\dllcache\w940nd.sys
2007-08-03 20:23 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2007-08-03 20:23 794,399 --a--c--- C:\WINDOWS\system32\dllcache\usr1806v.sys
2007-08-03 20:23 793,598 --a--c--- C:\WINDOWS\system32\dllcache\usr1806.sys
2007-08-03 20:23 765,884 --a--c--- C:\WINDOWS\system32\dllcache\usrti.sys
2007-08-03 20:23 7,556 --a--c--- C:\WINDOWS\system32\dllcache\usroslba.sys
2007-08-03 20:23 687,999 --a--c--- C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2007-08-03 20:23 604,253 --a--c--- C:\WINDOWS\system32\dllcache\vmodem.sys
2007-08-03 20:23 249,402 --a--c--- C:\WINDOWS\system32\dllcache\vinwm.sys
2007-08-03 20:23 24,576 --a--c--- C:\WINDOWS\system32\dllcache\viairda.sys
2007-08-03 20:23 224,802 --a--c--- C:\WINDOWS\system32\dllcache\usr1807a.sys
2007-08-03 20:23 113,762 --a--c--- C:\WINDOWS\system32\dllcache\usrpda.sys
2007-08-03 20:22 94,720 --a--c--- C:\WINDOWS\system32\dllcache\umaxud32.dll
2007-08-03 20:22 69,632 --a--c--- C:\WINDOWS\system32\dllcache\umaxu12.dll
2007-08-03 20:22 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2007-08-03 20:22 50,688 --a--c--- C:\WINDOWS\system32\dllcache\umaxscan.dll
2007-08-03 20:22 50,176 --a--c--- C:\WINDOWS\system32\dllcache\umaxp60.dll
2007-08-03 20:22 47,616 --a--c--- C:\WINDOWS\system32\dllcache\umaxcam.dll
2007-08-03 20:22 36,736 --a--c--- C:\WINDOWS\system32\dllcache\ultra.sys
2007-08-03 20:22 28,160 --a--c--- C:\WINDOWS\system32\dllcache\umaxu40.dll
2007-08-03 20:22 26,624 --a--c--- C:\WINDOWS\system32\dllcache\umaxu22.dll
2007-08-03 20:22 22,912 --a--c--- C:\WINDOWS\system32\dllcache\umaxpcls.sys
2007-08-03 20:22 216,064 --a--c--- C:\WINDOWS\system32\dllcache\um34scan.dll
2007-08-03 20:22 211,968 --a--c--- C:\WINDOWS\system32\dllcache\um54scan.dll
2007-08-03 20:22 166,784 --a--c--- C:\WINDOWS\system32\dllcache\tridxpm.sys
2007-08-03 20:22 11,520 --a--c--- C:\WINDOWS\system32\dllcache\twotrack.sys
2007-08-03 20:21 81,408 --a--c--- C:\WINDOWS\system32\dllcache\tgiul50.dll
2007-08-03 20:21 440,576 --a--c--- C:\WINDOWS\system32\dllcache\tridkb.dll
2007-08-03 20:21 42,496 --a--c--- C:\WINDOWS\system32\dllcache\tp4res.dll
2007-08-03 20:21 4,992 --a--c--- C:\WINDOWS\system32\dllcache\toside.sys
2007-08-03 20:21 34,375 --a--c--- C:\WINDOWS\system32\dllcache\tpro4.sys
2007-08-03 20:21 315,520 --a--c--- C:\WINDOWS\system32\dllcache\trid3d.dll
2007-08-03 20:21 31,744 --a--c--- C:\WINDOWS\system32\dllcache\tp4.dll
2007-08-03 20:21 28,232 --a--c--- C:\WINDOWS\system32\dllcache\tos4mo.sys
2007-08-03 20:21 241,664 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd02.sys
2007-08-03 20:21 230,912 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd03.sys
2007-08-03 20:21 222,336 --a--c--- C:\WINDOWS\system32\dllcache\trid3dm.sys
2007-08-03 20:21 17,129 --a--c--- C:\WINDOWS\system32\dllcache\tdkcd31.sys
2007-08-03 20:21 159,232 --a--c--- C:\WINDOWS\system32\dllcache\tridkbm.sys
2007-08-03 20:21 138,528 --a--c--- C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2007-08-03 20:21 123,995 --a--c--- C:\WINDOWS\system32\dllcache\tjisdn.sys
2007-08-03 20:20 94,293 --a--c--- C:\WINDOWS\system32\dllcache\sxports.dll
2007-08-03 20:20 7,040 --a--c--- C:\WINDOWS\system32\dllcache\tandqic.sys
2007-08-03 20:20 53,760 --a--c--- C:\WINDOWS\system32\dllcache\sw_wheel.dll
2007-08-03 20:20 37,961 --a--c--- C:\WINDOWS\system32\dllcache\tdk100b.sys
2007-08-03 20:20 36,640 --a--c--- C:\WINDOWS\system32\dllcache\t2r4mini.sys
2007-08-03 20:20 32,640 --a--c--- C:\WINDOWS\system32\dllcache\symc8xx.sys
2007-08-03 20:20 30,688 --a--c--- C:\WINDOWS\system32\dllcache\sym_u3.sys
2007-08-03 20:20 30,464 --a--c--- C:\WINDOWS\system32\dllcache\tbatm155.sys
2007-08-03 20:20 3,968 --a--c--- C:\WINDOWS\system32\dllcache\swusbflt.sys
2007-08-03 20:20 28,384 --a--c--- C:\WINDOWS\system32\dllcache\sym_hi.sys
2007-08-03 20:20 172,768 --a--c--- C:\WINDOWS\system32\dllcache\t2r4disp.dll
2007-08-03 20:20 16,256 --a--c--- C:\WINDOWS\system32\dllcache\symc810.sys
2007-08-03 20:20 103,936 --a--c--- C:\WINDOWS\system32\dllcache\sx.sys
2007-08-03 20:20 10,240 --a--c--- C:\WINDOWS\system32\dllcache\swpidflt.dll
2007-08-03 20:20 10,240 --a--c--- C:\WINDOWS\system32\dllcache\swpdflt2.dll
2007-08-03 20:19 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2007-08-03 20:19 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2007-08-03 20:19 61,824 --a--c--- C:\WINDOWS\system32\dllcache\speed.sys
2007-08-03 20:19 53,248 --a--c--- C:\WINDOWS\system32\dllcache\stlncoin.dll
2007-08-03 20:19 48,736 --a--c--- C:\WINDOWS\system32\dllcache\srwlnd5.sys
2007-08-03 20:19 41,472 --a--c--- C:\WINDOWS\system32\dllcache\sw_effct.dll
2007-08-03 20:19 37,040 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.sys
2007-08-03 20:19 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2007-08-03 20:19 24,660 --a--c--- C:\WINDOWS\system32\dllcache\spxupchk.dll
2007-08-03 20:19 19,072 --a--c--- C:\WINDOWS\system32\dllcache\sparrow.sys
2007-08-03 20:19 16,896 --a--c--- C:\WINDOWS\system32\dllcache\stcusb.sys
2007-08-03 20:19 155,648 --a--c--- C:\WINDOWS\system32\dllcache\stlnprop.dll
2007-08-03 20:19 114,688 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.dll
2007-08-03 20:19 106,584 --a--c--- C:\WINDOWS\system32\dllcache\spdports.dll
2007-08-03 20:18 9,600 --a--c--- C:\WINDOWS\system32\dllcache\sonymc.sys
2007-08-03 20:18 7,040 --a--c--- C:\WINDOWS\system32\dllcache\snyaitmc.sys
2007-08-03 20:18 6,784 --a--c--- C:\WINDOWS\system32\dllcache\smbhc.sys
2007-08-03 20:18 58,368 --a--c--- C:\WINDOWS\system32\dllcache\smiminib.sys
2007-08-03 20:18 45,568 --a--c--- C:\WINDOWS\system32\dllcache\smb3w.dll
2007-08-03 20:18 35,913 --a--c--- C:\WINDOWS\system32\dllcache\smcirda.sys
2007-08-03 20:18 33,792 --a--c--- C:\WINDOWS\system32\dllcache\smb0w.dll
2007-08-03 20:18 28,672 --a--c--- C:\WINDOWS\system32\dllcache\sma0w.dll
2007-08-03 20:18 28,160 --a--c--- C:\WINDOWS\system32\dllcache\sm91w.dll
2007-08-03 20:18 25,034 --a--c--- C:\WINDOWS\system32\dllcache\smcpwr2n.sys
2007-08-03 20:18 24,576 --a--c--- C:\WINDOWS\system32\dllcache\smc8000n.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 13:02 --------- d-------- C:\Program Files\McAfee
2007-08-03 16:31 22720 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-08-03 14:34 --------- d-------- C:\DOCUME~1\PAULSC~1\APPLIC~1\SopCast
2007-08-03 08:49 --------- d-------- C:\DOCUME~1\PAULSC~1\APPLIC~1\uTorrent
2007-08-03 08:42 --------- d-------- C:\Program Files\BitComet
2007-08-02 15:00 --------- d-------- C:\Program Files\LimeWire
2007-07-30 18:36 --------- d-------- C:\Program Files\Nokia
2007-07-07 23:13 --------- d-------- C:\DOCUME~1\PAULSC~1\APPLIC~1\SiteAdvisor
2007-07-05 16:44 2560 --a------ C:\WINDOWS\system32\BitCometRes.dll
2007-07-05 15:48 --------- d-------- C:\Program Files\SiteAdvisor
2007-07-03 16:47 4304 --ahs---- C:\WINDOWS\system32\lhtiifub.ini2
2007-07-03 13:28 --------- d-------- C:\Program Files\Virgin Broadband
2007-07-03 13:17 --------- d-------- C:\Program Files\Common Files\McAfee
2007-07-03 13:15 --------- d-------- C:\Program Files\McAfee.com
2007-06-21 16:29 --------- d-------- C:\DOCUME~1\PAULSC~1\APPLIC~1\Virgin Broadband
2007-06-13 14:21 --------- d-------- C:\Program Files\MediaCodec
2007-06-12 12:10 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-11 14:49 --------- d-------- C:\DOCUME~1\PAULSC~1\APPLIC~1\PC Tools
2007-06-08 08:11 831048 --a------ C:\WINDOWS\system32\WudfUpdate_01005.dll
2007-06-07 16:03 --------- d-------- C:\Program Files\Common Files\Ahead
2007-06-07 15:53 --------- d-------- C:\Program Files\Ahead


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3B19371D-FF9A-4A7A-AEC8-9ECAF70FDDFC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F7EA270-A605-4A93-8AC6-657864C250E3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC83196A-091B-4032-A6AC-BC5FE6362184}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE98A2F7-E5B1-4B55-A670-CDA441CA5874}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-06 13:49]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-06 17:50]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2002-10-08 11:03]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 14:12]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 16:30]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2006-07-24 21:28]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"WMP Plugin"="C:\Program Files\Windows Media Player Plugin\wmplugin.exe" [2006-08-16 11:40]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyyvu]
byxyyvu.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R1 MPFP;MPFP;C:\WINDOWS\system32\Drivers\Mpfp.sys
R3 nvax;Service for NVIDIA(R) nForce(TM) Audio Enumerator;C:\WINDOWS\system32\drivers\nvax.sys
R3 NVENET;NVIDIA nForce MCP Networking Controller Driver;C:\WINDOWS\system32\DRIVERS\NVENET.sys
R3 nvnforce;Service for NVIDIA(R) nForce(TM) Audio;C:\WINDOWS\system32\drivers\nvapu.sys
S0 HWFProt;Hywave File Protector HWFProt;C:\WINDOWS\system32\Drivers\HWFProt.sys
S3 GMSIPCI;GMSIPCI;\??\D:\INSTALL\GMSIPCI.SYS
S3 nmwcd;Nokia USB Phone Parent;C:\WINDOWS\system32\drivers\nmwcd.sys
S3 nmwcdc;Nokia USB Generic;C:\WINDOWS\system32\drivers\nmwcdc.sys
S3 nmwcdcm;Nokia USB Modem;C:\WINDOWS\system32\drivers\nmwcdcm.sys


Contents of the 'Scheduled Tasks' folder
2007-08-02 15:44:58 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-07-03 12:15:55 C:\WINDOWS\Tasks\McDefragTask.job - C:\WINDOWS\system32\defrag.exe
2007-07-03 12:15:53 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 13:03:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-07 13:06:48 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-07 13:06

--- E O F ---
scholesboy
Regular Member
 
Posts: 20
Joined: June 10th, 2007, 12:12 pm

HijackThis log

Post by scholesboy » August 7th, 2007, 8:08 am

ComboFix 07-08-04.3 - "paul scholes" 2007-08-07 12:54:47.1 [GMT 1:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\PAULSC~1\Desktop\internet.lnk
C:\WINDOWS\system32\ywydpotg.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-07 13:04 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-07 12:52 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-05 18:10 <DIR> d-------- C:\Program Files\I386
2007-08-03 20:26 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-08-03 20:25 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2007-08-03 20:25 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-08-03 20:25 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2007-08-03 20:25 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-08-03 20:25 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-08-03 20:25 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-08-03 20:24 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-08-03 20:24 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2007-08-03 20:24 701,386 --a--c--- C:\WINDOWS\system32\dllcache\wdhaalba.sys
2007-08-03 20:24 64,605 --a--c--- C:\WINDOWS\system32\dllcache\vvoice.sys
2007-08-03 20:24 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
2007-08-03 20:24 397,502 --a--c--- C:\WINDOWS\system32\dllcache\vpctcom.sys
2007-08-03 20:24 35,871 --a--c--- C:\WINDOWS\system32\dllcache\wbfirdma.sys
2007-08-03 20:24 19,528 --a--c--- C:\WINDOWS\system32\dllcache\w840nd.sys
2007-08-03 20:24 19,016 --a--c--- C:\WINDOWS\system32\dllcache\w926nd.sys
2007-08-03 20:24 16,925 --a--c--- C:\WINDOWS\system32\dllcache\w940nd.sys
2007-08-03 20:23 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2007-08-03 20:23 794,399 --a--c--- C:\WINDOWS\system32\dllcache\usr1806v.sys
2007-08-03 20:23 793,598 --a--c--- C:\WINDOWS\system32\dllcache\usr1806.sys
2007-08-03 20:23 765,884 --a--c--- C:\WINDOWS\system32\dllcache\usrti.sys
2007-08-03 20:23 7,556 --a--c--- C:\WINDOWS\system32\dllcache\usroslba.sys
2007-08-03 20:23 687,999 --a--c--- C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2007-08-03 20:23 604,253 --a--c--- C:\WINDOWS\system32\dllcache\vmodem.sys
2007-08-03 20:23 249,402 --a--c--- C:\WINDOWS\system32\dllcache\vinwm.sys
2007-08-03 20:23 24,576 --a--c--- C:\WINDOWS\system32\dllcache\viairda.sys
2007-08-03 20:23 224,802 --a--c--- C:\WINDOWS\system32\dllcache\usr1807a.sys
2007-08-03 20:23 113,762 --a--c--- C:\WINDOWS\system32\dllcache\usrpda.sys
2007-08-03 20:22 94,720 --a--c--- C:\WINDOWS\system32\dllcache\umaxud32.dll
2007-08-03 20:22 69,632 --a--c--- C:\WINDOWS\system32\dllcache\umaxu12.dll
2007-08-03 20:22 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2007-08-03 20:22 50,688 --a--c--- C:\WINDOWS\system32\dllcache\umaxscan.dll
2007-08-03 20:22 50,176 --a--c--- C:\WINDOWS\system32\dllcache\umaxp60.dll
2007-08-03 20:22 47,616 --a--c--- C:\WINDOWS\system32\dllcache\umaxcam.dll
2007-08-03 20:22 36,736 --a--c--- C:\WINDOWS\system32\dllcache\ultra.sys
2007-08-03 20:22 28,160 --a--c--- C:\WINDOWS\system32\dllcache\umaxu40.dll
2007-08-03 20:22 26,624 --a--c--- C:\WINDOWS\system32\dllcache\umaxu22.dll
2007-08-03 20:22 22,912 --a--c--- C:\WINDOWS\system32\dllcache\umaxpcls.sys
2007-08-03 20:22 216,064 --a--c--- C:\WINDOWS\system32\dllcache\um34scan.dll
2007-08-03 20:22 211,968 --a--c--- C:\WINDOWS\system32\dllcache\um54scan.dll
2007-08-03 20:22 166,784 --a--c--- C:\WINDOWS\system32\dllcache\tridxpm.sys
2007-08-03 20:22 11,520 --a--c--- C:\WINDOWS\system32\dllcache\twotrack.sys
2007-08-03 20:21 81,408 --a--c--- C:\WINDOWS\system32\dllcache\tgiul50.dll
2007-08-03 20:21 440,576 --a--c--- C:\WINDOWS\system32\dllcache\tridkb.dll
2007-08-03 20:21 42,496 --a--c--- C:\WINDOWS\system32\dllcache\tp4res.dll
2007-08-03 20:21 4,992 --a--c--- C:\WINDOWS\system32\dllcache\toside.sys
2007-08-03 20:21 34,375 --a--c--- C:\WINDOWS\system32\dllcache\tpro4.sys
2007-08-03 20:21 315,520 --a--c--- C:\WINDOWS\system32\dllcache\trid3d.dll
2007-08-03 20:21 31,744 --a--c--- C:\WINDOWS\system32\dllcache\tp4.dll
2007-08-03 20:21 28,232 --a--c--- C:\WINDOWS\system32\dllcache\tos4mo.sys
2007-08-03 20:21 241,664 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd02.sys
2007-08-03 20:21 230,912 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd03.sys
2007-08-03 20:21 222,336 --a--c--- C:\WINDOWS\system32\dllcache\trid3dm.sys
2007-08-03 20:21 17,129 --a--c--- C:\WINDOWS\system32\dllcache\tdkcd31.sys
2007-08-03 20:21 159,232 --a--c--- C:\WINDOWS\system32\dllcache\tridkbm.sys
2007-08-03 20:21 138,528 --a--c--- C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2007-08-03 20:21 123,995 --a--c--- C:\WINDOWS\system32\dllcache\tjisdn.sys
2007-08-03 20:20 94,293 --a--c--- C:\WINDOWS\system32\dllcache\sxports.dll
2007-08-03 20:20 7,040 --a--c--- C:\WINDOWS\system32\dllcache\tandqic.sys
2007-08-03 20:20 53,760 --a--c--- C:\WINDOWS\system32\dllcache\sw_wheel.dll
2007-08-03 20:20 37,961 --a--c--- C:\WINDOWS\system32\dllcache\tdk100b.sys
2007-08-03 20:20 36,640 --a--c--- C:\WINDOWS\system32\dllcache\t2r4mini.sys
2007-08-03 20:20 32,640 --a--c--- C:\WINDOWS\system32\dllcache\symc8xx.sys
2007-08-03 20:20 30,688 --a--c--- C:\WINDOWS\system32\dllcache\sym_u3.sys
2007-08-03 20:20 30,464 --a--c--- C:\WINDOWS\system32\dllcache\tbatm155.sys
2007-08-03 20:20 3,968 --a--c--- C:\WINDOWS\system32\dllcache\swusbflt.sys
2007-08-03 20:20 28,384 --a--c--- C:\WINDOWS\system32\dllcache\sym_hi.sys
2007-08-03 20:20 172,768 --a--c--- C:\WINDOWS\system32\dllcache\t2r4disp.dll
2007-08-03 20:20 16,256 --a--c--- C:\WINDOWS\system32\dllcache\symc810.sys
2007-08-03 20:20 103,936 --a--c--- C:\WINDOWS\system32\dllcache\sx.sys
2007-08-03 20:20 10,240 --a--c--- C:\WINDOWS\system32\dllcache\swpidflt.dll
2007-08-03 20:20 10,240 --a--c--- C:\WINDOWS\system32\dllcache\swpdflt2.dll
2007-08-03 20:19 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2007-08-03 20:19 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2007-08-03 20:19 61,824 --a--c--- C:\WINDOWS\system32\dllcache\speed.sys
2007-08-03 20:19 53,248 --a--c--- C:\WINDOWS\system32\dllcache\stlncoin.dll
2007-08-03 20:19 48,736 --a--c--- C:\WINDOWS\system32\dllcache\srwlnd5.sys
2007-08-03 20:19 41,472 --a--c--- C:\WINDOWS\system32\dllcache\sw_effct.dll
2007-08-03 20:19 37,040 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.sys
2007-08-03 20:19 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2007-08-03 20:19 24,660 --a--c--- C:\WINDOWS\system32\dllcache\spxupchk.dll
2007-08-03 20:19 19,072 --a--c--- C:\WINDOWS\system32\dllcache\sparrow.sys
2007-08-03 20:19 16,896 --a--c--- C:\WINDOWS\system32\dllcache\stcusb.sys
2007-08-03 20:19 155,648 --a--c--- C:\WINDOWS\system32\dllcache\stlnprop.dll
2007-08-03 20:19 114,688 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.dll
2007-08-03 20:19 106,584 --a--c--- C:\WINDOWS\system32\dllcache\spdports.dll
2007-08-03 20:18 9,600 --a--c--- C:\WINDOWS\system32\dllcache\sonymc.sys
2007-08-03 20:18 7,040 --a--c--- C:\WINDOWS\system32\dllcache\snyaitmc.sys
2007-08-03 20:18 6,784 --a--c--- C:\WINDOWS\system32\dllcache\smbhc.sys
2007-08-03 20:18 58,368 --a--c--- C:\WINDOWS\system32\dllcache\smiminib.sys
2007-08-03 20:18 45,568 --a--c--- C:\WINDOWS\system32\dllcache\smb3w.dll
2007-08-03 20:18 35,913 --a--c--- C:\WINDOWS\system32\dllcache\smcirda.sys
2007-08-03 20:18 33,792 --a--c--- C:\WINDOWS\system32\dllcache\smb0w.dll
2007-08-03 20:18 28,672 --a--c--- C:\WINDOWS\system32\dllcache\sma0w.dll
2007-08-03 20:18 28,160 --a--c--- C:\WINDOWS\system32\dllcache\sm91w.dll
2007-08-03 20:18 25,034 --a--c--- C:\WINDOWS\system32\dllcache\smcpwr2n.sys
2007-08-03 20:18 24,576 --a--c--- C:\WINDOWS\system32\dllcache\smc8000n.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 13:02 --------- d-------- C:\Program Files\McAfee
2007-08-03 16:31 22720 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-08-03 14:34 --------- d-------- C:\DOCUME~1\PAULSC~1\APPLIC~1\SopCast
2007-08-03 08:49 --------- d-------- C:\DOCUME~1\PAULSC~1\APPLIC~1\uTorrent
2007-08-03 08:42 --------- d-------- C:\Program Files\BitComet
2007-08-02 15:00 --------- d-------- C:\Program Files\LimeWire
2007-07-30 18:36 --------- d-------- C:\Program Files\Nokia
2007-07-07 23:13 --------- d-------- C:\DOCUME~1\PAULSC~1\APPLIC~1\SiteAdvisor
2007-07-05 16:44 2560 --a------ C:\WINDOWS\system32\BitCometRes.dll
2007-07-05 15:48 --------- d-------- C:\Program Files\SiteAdvisor
2007-07-03 16:47 4304 --ahs---- C:\WINDOWS\system32\lhtiifub.ini2
2007-07-03 13:28 --------- d-------- C:\Program Files\Virgin Broadband
2007-07-03 13:17 --------- d-------- C:\Program Files\Common Files\McAfee
2007-07-03 13:15 --------- d-------- C:\Program Files\McAfee.com
2007-06-21 16:29 --------- d-------- C:\DOCUME~1\PAULSC~1\APPLIC~1\Virgin Broadband
2007-06-13 14:21 --------- d-------- C:\Program Files\MediaCodec
2007-06-12 12:10 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-11 14:49 --------- d-------- C:\DOCUME~1\PAULSC~1\APPLIC~1\PC Tools
2007-06-08 08:11 831048 --a------ C:\WINDOWS\system32\WudfUpdate_01005.dll
2007-06-07 16:03 --------- d-------- C:\Program Files\Common Files\Ahead
2007-06-07 15:53 --------- d-------- C:\Program Files\Ahead


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3B19371D-FF9A-4A7A-AEC8-9ECAF70FDDFC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F7EA270-A605-4A93-8AC6-657864C250E3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC83196A-091B-4032-A6AC-BC5FE6362184}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE98A2F7-E5B1-4B55-A670-CDA441CA5874}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-06 13:49]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-06 17:50]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2002-10-08 11:03]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 14:12]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 16:30]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2006-07-24 21:28]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"WMP Plugin"="C:\Program Files\Windows Media Player Plugin\wmplugin.exe" [2006-08-16 11:40]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyyvu]
byxyyvu.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R1 MPFP;MPFP;C:\WINDOWS\system32\Drivers\Mpfp.sys
R3 nvax;Service for NVIDIA(R) nForce(TM) Audio Enumerator;C:\WINDOWS\system32\drivers\nvax.sys
R3 NVENET;NVIDIA nForce MCP Networking Controller Driver;C:\WINDOWS\system32\DRIVERS\NVENET.sys
R3 nvnforce;Service for NVIDIA(R) nForce(TM) Audio;C:\WINDOWS\system32\drivers\nvapu.sys
S0 HWFProt;Hywave File Protector HWFProt;C:\WINDOWS\system32\Drivers\HWFProt.sys
S3 GMSIPCI;GMSIPCI;\??\D:\INSTALL\GMSIPCI.SYS
S3 nmwcd;Nokia USB Phone Parent;C:\WINDOWS\system32\drivers\nmwcd.sys
S3 nmwcdc;Nokia USB Generic;C:\WINDOWS\system32\drivers\nmwcdc.sys
S3 nmwcdcm;Nokia USB Modem;C:\WINDOWS\system32\drivers\nmwcdcm.sys


Contents of the 'Scheduled Tasks' folder
2007-08-02 15:44:58 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-07-03 12:15:55 C:\WINDOWS\Tasks\McDefragTask.job - C:\WINDOWS\system32\defrag.exe
2007-07-03 12:15:53 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 13:03:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-07 13:06:48 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-07 13:06

--- E O F ---
scholesboy
Regular Member
 
Posts: 20
Joined: June 10th, 2007, 12:12 pm

Unread postby Blade81 » August 7th, 2007, 1:18 pm

Hi

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Image

______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter


This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


IMPORTANT: Do NOT run any other options until you are asked to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a RiskTool; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between good and malicious use of such programs, therefore they may alert the user.



Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\lhtiifub.ini2 

Folder::
C:\WINDOWS\SYSTEM32\G7
C:\WINDOWS\SYSTEM32\G5
C:\WINDOWS\SYSTEM32\G3
C:\WINDOWS\SYSTEM32\G11
C:\WINDOWS\SYSTEM32\G1
C:\WINDOWS\SYSTEM32\b02FdUe
C:\Temp
C:\Tempc2

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3B19371D-FF9A-4A7A-AEC8-9ECAF70FDDFC}] 

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F7EA270-A605-4A93-8AC6-657864C250E3}] 

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC83196A-091B-4032-A6AC-BC5FE6362184}] 

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE98A2F7-E5B1-4B55-A670-CDA441CA5874}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyyvu]



Save this as CFScript


Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log with a fresh hjt log and contents of C:\rapport.txt.
Blade81
Admin/Teacher
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

smitfraud fix log

Unread postby scholesboy » August 7th, 2007, 1:52 pm

SmitFraudFix v2.209

Scan done at 18:48:59.73, 07/08/2007
Run from C:\Documents and Settings\paul scholes\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\paul scholes


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\paul scholes\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PAULSC~1\FAVORI~1

C:\DOCUME~1\PAULSC~1\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\MediaCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce MCP Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 194.168.4.100
DNS Server Search Order: 194.168.8.100

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4D3AD549-09BE-4073-9D82-57C4BFEA25BF}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4D3AD549-09BE-4073-9D82-57C4BFEA25BF}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4D3AD549-09BE-4073-9D82-57C4BFEA25BF}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End :shock:
scholesboy
Regular Member
 
Posts: 20
Joined: June 10th, 2007, 12:12 pm

Unread postby Blade81 » August 7th, 2007, 1:57 pm

Hi

Before further instructions I'd like to see those other logs too :)
Blade81
Admin/Teacher
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

sorry, which other logs?

Unread postby scholesboy » August 7th, 2007, 2:13 pm

Which other logs do I need? :oops:
scholesboy
Regular Member
 
Posts: 20
Joined: June 10th, 2007, 12:12 pm

Unread postby Blade81 » August 7th, 2007, 2:17 pm

Then post the resultant log with a fresh hjt log and contents of C:\rapport.txt.


So, two other logs:
-resultant log after that operation with ComboFix
-a fresh hjt log
Blade81
Admin/Teacher
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

rapport

Unread postby scholesboy » August 7th, 2007, 3:36 pm

SmitFraudFix v2.209

Scan done at 20:29:40.51, 07/08/2007
Run from C:\Documents and Settings\paul scholes\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\paul scholes


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\paul scholes\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PAULSC~1\FAVORI~1

C:\DOCUME~1\PAULSC~1\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\MediaCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce MCP Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 194.168.4.100
DNS Server Search Order: 194.168.8.100

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4D3AD549-09BE-4073-9D82-57C4BFEA25BF}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4D3AD549-09BE-4073-9D82-57C4BFEA25BF}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4D3AD549-09BE-4073-9D82-57C4BFEA25BF}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
scholesboy
Regular Member
 
Posts: 20
Joined: June 10th, 2007, 12:12 pm

hjt

Unread postby scholesboy » August 7th, 2007, 3:37 pm

Logfile of HijackThis v1.99.1
Scan saved at 20:14:13, on 07/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\PAULSC~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis1991.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: (no name) - {3B19371D-FF9A-4A7A-AEC8-9ECAF70FDDFC} - (no file)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {9F7EA270-A605-4A93-8AC6-657864C250E3} - (no file)
O2 - BHO: (no name) - {DC83196A-091B-4032-A6AC-BC5FE6362184} - (no file)
O2 - BHO: (no name) - {EE98A2F7-E5B1-4B55-A670-CDA441CA5874} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMP Plugin] C:\Program Files\Windows Media Player Plugin\wmplugin.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: byxyyvu - byxyyvu.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
scholesboy
Regular Member
 
Posts: 20
Joined: June 10th, 2007, 12:12 pm
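As an added example (not part of this thread, and not HijackThis code), here is a small Python triage script for HijackThis v1.99.1 lines like the ones in the log above. It parses the R0, O2 and O20 sections and flags the same entries the helper singles out: an empty Local Page value, BHO CLSIDs registered with "(no file)", and a Winlogon Notify package whose DLL is missing. The rule set and the reason strings are my own reading of why those lines matter; the sample log is a constructed subset of the lines posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the HijackThis v1.99.1 lines from the log in
# this thread, plus benign lines (Adobe BHO, SiteAdvisor Run entry, WgaLogon,
# xpnetdiag) so the rules have something to leave alone.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3B19371D-FF9A-4A7A-AEC8-9ECAF70FDDFC} - (no file)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {9F7EA270-A605-4A93-8AC6-657864C250E3} - (no file)
O2 - BHO: (no name) - {DC83196A-091B-4032-A6AC-BC5FE6362184} - (no file)
O2 - BHO: (no name) - {EE98A2F7-E5B1-4B55-A670-CDA441CA5874} - (no file)
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: byxyyvu - byxyyvu.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<target>.*)$")


@dataclass
class HjtEntry:
    section: str            # HijackThis section code, e.g. "R0", "O2", "O20"
    raw: str                # the original log line
    name: Optional[str]     # display name (BHO name, notify package name)
    clsid: Optional[str]    # COM CLSID when the section carries one
    target: str             # file path, URL or value; "" when the value is empty


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis line; returns None for headers and blank lines."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section.startswith("R"):
        # "R0 - <key>,<value name> = <value>"; the value may be empty
        _, _, value = body.partition(" =")
        return HjtEntry(section, line, None, None, value.strip())
    if section == "O2":
        b = BHO_RE.match(body)
        if b:
            return HjtEntry(section, line, b["name"], b["clsid"], b["target"].strip())
    if section == "O20":
        n = NOTIFY_RE.match(body)
        if n:
            return HjtEntry(section, line, n["name"], None, n["target"].strip())
    # Sections without a dedicated parser keep the whole body as the target
    return HjtEntry(section, line, None, None, body.strip())


def parse_hjt_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage_entry(e: HjtEntry) -> Optional[str]:
    """Return a reason string if the entry matches one of the fix criteria
    used in this thread, else None. These rules are an assumption about why
    the helper picked those lines, not logic built into HijackThis."""
    if e.section == "R0" and e.target == "":
        return "IE page value is empty; nothing legitimate is being loaded from it"
    if e.section == "O2" and e.target == "(no file)":
        return "BHO CLSID still registered but its DLL is gone (orphaned hook)"
    if e.section == "O20" and e.target.endswith("(file missing)"):
        # Winlogon Notify DLLs are loaded by winlogon.exe at logon; here the
        # entry is a bare, random-looking DLL name with no path and no file
        return "Winlogon Notify package whose DLL is missing"
    # O9 "(file missing)" entries are deliberately not flagged: the helper in
    # this thread left the xpnetdiag ones alone.
    return None


def flag_entries(text: str) -> List[Tuple[str, str]]:
    """Return (raw line, reason) for every entry the rules select."""
    out = []
    for e in parse_hjt_log(text):
        reason = triage_entry(e)
        if reason:
            out.append((e.raw, reason))
    return out


if __name__ == "__main__":
    for raw, reason in flag_entries(SAMPLE_HJT_LOG):
        print(f"{raw}\n    -> {reason}")
```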

hi

Unread postby scholesboy » August 7th, 2007, 3:39 pm

could not find ComboFix file to drag CFScript into, was not on C: drive
scholesboy
Regular Member
 
Posts: 20
Joined: June 10th, 2007, 12:12 pm

Unread postby Blade81 » August 7th, 2007, 4:17 pm

Hi

Surely Combofix.exe should be somewhere there if you downloaded it :o

Well, we can do this another way without ComboFix too.


Before doing anything we need to move hjt to permanent place.

HJT in its own folder
------------------------

Please put your HijackThis in its own folder (I create a new folder in C:\ named HJT).
You can do a Right Click on any open area on the desktop, New> Folder, then rename the folder HJT.

Go to where your HijackThis is and right-click on HijackThis.exe, select Cut, then open the new folder you just created (HJT), right-click in the folder and select Paste.

The reason we do this is that HijackThis creates backup files just in case you'd need to restore one, and we'll be cleaning out the temp files.


Downloading needed applications
-------------------------------


Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
  • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Don't run AVG yet. Will do it a bit later.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Don't run ATF yet. Will do it a bit later.


Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a keyboard error message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: Registry cleaning - Do you want to clean the registry ? Answer Yes by typing Y and hit Enter.


The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question Replace infected file ? by typing Y and hit Enter. Reboot into normal mode.


Running HijackThis
-------------------

Start HijackThis, click do a system scan only, check:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {3B19371D-FF9A-4A7A-AEC8-9ECAF70FDDFC} - (no file)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {9F7EA270-A605-4A93-8AC6-657864C250E3} - (no file)
O2 - BHO: (no name) - {DC83196A-091B-4032-A6AC-BC5FE6362184} - (no file)
O2 - BHO: (no name) - {EE98A2F7-E5B1-4B55-A670-CDA441CA5874} - (no file)
O20 - Winlogon Notify: byxyyvu - byxyyvu.dll (file missing)

Close all browsers & other windows and click fix checked.



Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Deleting files & folders
------------------------

Delete following files if found:
C:\WINDOWS\system32\lhtiifub.ini2

and following folders if found:
C:\WINDOWS\SYSTEM32\G7
C:\WINDOWS\SYSTEM32\G5
C:\WINDOWS\SYSTEM32\G3
C:\WINDOWS\SYSTEM32\G11
C:\WINDOWS\SYSTEM32\G1
C:\WINDOWS\SYSTEM32\b02FdUe
C:\Temp
C:\Tempc2




Running temp cleaner & AVG Anti-Spyware
---------------------------------------



Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Unselect Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the Save Scan Report button before you have clicked the Apply all Actions button.

    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot.


Post:
- contents of c:\rapport.txt
- AVG Anti-Spyware log
- a fresh HJT log.
Blade81
Admin/Teacher
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland
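As an added example (not code from this thread, from MalwareRemoval.com or from HijackThis itself), here is a small Python parser for the HijackThis line shapes quoted above. It flags entries whose target is reported as "(no file)" or "(file missing)", the orphaned pointers that produce a "RUNDLL ... module could not be found" message at logon once the file they point to is gone, and can look up which entry references a module named in such an error. The sample log is constructed from lines that appear in this thread.

```python
"""Triage HijackThis log lines for orphaned autostart entries.

Added example for this thread; not code from MalwareRemoval.com or HijackThis.
Parses the O2/O4/O9/O20/O23 line shapes quoted above. Python 3 stdlib only.
"""
import re

# Constructed sample, assembled from line shapes that appear in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3B19371D-FF9A-4A7A-AEC8-9ECAF70FDDFC} - (no file)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMP Plugin] C:\Program Files\Windows Media Player Plugin\wmplugin.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: byxyyvu - byxyyvu.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
MISSING_RE = re.compile(r"\((?:no file|file missing)\)\s*$", re.IGNORECASE)
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")          # O4: [Name] command
PROGRAM_RE = re.compile(r"(.+?\.(?:exe|dll|cpl|scr|bat|cmd))(?:\s|$)", re.IGNORECASE)


def _command_target(cmd):
    """Return the program path of a Run value, whether quoted or not."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = PROGRAM_RE.match(cmd)
    return m.group(1) if m else cmd


def parse_entry(line):
    """Parse one HijackThis line into section, display name, target path and missing flag."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    missing = bool(MISSING_RE.search(body))
    body = MISSING_RE.sub("", body).rstrip(" -")        # drop the marker and its separator
    if section == "O4":
        run = RUN_RE.search(body)
        name = run.group("name") if run else body
        target = _command_target(run.group("cmd").strip()) if run else ""
    else:
        parts = [p.strip() for p in body.split(" - ")]
        name = parts[0].split(": ", 1)[-1]
        target = parts[-1] if len(parts) > 1 else ""
        if target.startswith("{"):                      # only a CLSID is left, no file path
            target = ""
    return {"section": section, "name": name, "target": target, "missing": missing}


def find_orphans(log_text):
    """Entries whose file is gone: candidates to review and 'fix checked', not proof of
    infection (the xpnetdiag entry in the sample is a harmless Windows XP leftover)."""
    return [e for e in map(parse_entry, log_text.splitlines()) if e and e["missing"]]


def entries_referencing(log_text, module):
    """Entries whose target basename matches a module named in a RUNDLL error message."""
    wanted = module.lower()
    hits = []
    for e in map(parse_entry, log_text.splitlines()):
        if e and e["target"].replace("/", "\\").rsplit("\\", 1)[-1].lower() == wanted:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for e in find_orphans(SAMPLE_LOG):
        print(f"{e['section']:<4} {e['name']:<20} -> {e['target'] or '(no path)'}")
    # The dll from the RUNDLL error at the top of the thread, looked up in the sample log
    print("entries referencing j6281932.dll:", entries_referencing(SAMPLE_LOG, "j6281932.dll"))
```

An empty result from entries_referencing means the loader for that module is not among the sections HijackThis shows, which is why the helper moved on to SmitfraudFix rather than to another HJT fix.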

sorry about the delay

Unread postby scholesboy » August 12th, 2007, 4:16 pm

rapport.txt

SmitFraudFix v2.209

Scan done at 19:34:06.31, 12/08/2007
Run from C:\Documents and Settings\paul scholes\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\PAULSC~1\FAVORI~1\Online Security Test.url Deleted
C:\Program Files\MediaCodec\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4D3AD549-09BE-4073-9D82-57C4BFEA25BF}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4D3AD549-09BE-4073-9D82-57C4BFEA25BF}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4D3AD549-09BE-4073-9D82-57C4BFEA25BF}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 21:05:35 12/08/2007

+ Scan result:



HKU\S-1-5-21-606747145-839522115-1660549827-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{202A961F-23AE-42B1-9505-FFE3C818D717} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Documents and Settings\paul scholes\Cookies\paul scholes@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia harvey@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia harvey@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia_harvey@7search[2].txt -> TrackingCookie.7search : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia_harvey@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia_harvey@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\paul scholes\Cookies\paul scholes@adengage[1].txt -> TrackingCookie.Adengage : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia harvey@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia harvey@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia harvey@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\paul scholes\Cookies\paul scholes@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia harvey@adviva[1].txt -> TrackingCookie.Adviva : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia harvey@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\paul scholes\Cookies\paul scholes@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia_harvey@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\paul scholes\Cookies\paul scholes@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia_harvey@connextra[3].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia_harvey@connextra[5].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\paul scholes\Cookies\paul scholes@connextra[1].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia_harvey@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia_harvey@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia_harvey@cpvfeed[3].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia_harvey@dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia_harvey@stat.dealtime[2].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia harvey@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\paul scholes\Cookies\paul scholes@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia harvey@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia harvey@ehg-fastweb.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia harvey@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\paul scholes\Cookies\paul scholes@ehg-capitalgroup.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\paul scholes\Cookies\paul scholes@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia_harvey@counter.hitslink[1].txt -> TrackingCookie.Hitslink : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia_harvey@intelli-direct[1].txt -> TrackingCookie.Intelli-direct : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia harvey@search.live[2].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\paul scholes\Cookies\paul scholes@search.live[1].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\paul scholes\Cookies\paul scholes@server.lon.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia harvey@auto.search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia harvey@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia_harvey@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\paul scholes\Cookies\paul scholes@auto.search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\paul scholes\Cookies\paul scholes@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia_harvey@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia_harvey@www.paypal[2].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\paul scholes\Cookies\paul scholes@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia harvey@real[2].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia_harvey@web4.realtracker[1].txt -> TrackingCookie.Realtracker : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia_harvey@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia harvey@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\paul scholes\Cookies\paul scholes@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\paul scholes\Cookies\paul scholes@statistik-gallup[1].txt -> TrackingCookie.Statistik-gallup : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia_harvey@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia harvey@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\paul scholes\Cookies\paul scholes@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia_harvey@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\paul scholes\Cookies\paul scholes@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia harvey@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\paul scholes\Cookies\paul scholes@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\patricia harvey\Cookies\patricia harvey@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\paul scholes\Cookies\paul scholes@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end




Logfile of HijackThis v1.99.1
Scan saved at 21:15:23, on 12/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\PAULSC~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis1991.zip\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMP Plugin] C:\Program Files\Windows Media Player Plugin\wmplugin.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
scholesboy
Regular Member
 
Posts: 20
Joined: June 10th, 2007, 12:12 pm

Unread postby Blade81 » August 13th, 2007, 12:39 am

Hi

Fix this one too with hjt:
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please do an online scan with Kaspersky WebScanner: http://www.kaspersky.com/virusscanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest
    definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise
      Standard)

    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post with a fresh hjt log (if Kaspersky report is very long then you can upload it to http://rapidshare.com).




Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If you have a problem doing the above:

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
Blade81
Admin/Teacher
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland