
Trojan Detected Generic.f McAfee detected infected file

Post by aphdes » September 11th, 2007, 12:16 pm

This window keeps running and disabling my computer. Please tell me how to remove this. I disabled System Restore, but my computer will not start in Safe Mode.

Here is the hijack file:
Logfile of HijackThis v1.99.1
Scan saved at 12:03:18 PM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\nefpbowo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\cjxtpoxv.dll",forkonce
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... 0.0.15.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/i ... 36ade56825
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: GPBvNXbNVTAOVtD - {140105DC-BEAB-AF76-95CA-8678539685C0} - C:\WINDOWS\system32\yymgp.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmFvbWk\command.exe (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\nefpbowo.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
aphdes
Active Member
 
Posts: 10
Joined: September 11th, 2007, 9:29 am
Location: massachusetts

Post by km2357 » September 11th, 2007, 4:16 pm

Hello aphdes and welcome to The Malware Removal Forum.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

Since I am still in training, I have to let experts check the content of my fixes before I post them so please be patient.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


I will be back as soon as possible with your first instructions!
km2357
MRU Master
 
Posts: 3003
Joined: January 30th, 2007, 2:48 pm
Location: California

update on Generic.F trojan and new Hijack file

Post by aphdes » September 11th, 2007, 8:52 pm

I hope I am replying properly to the same thread.
I used the McAfee removal tool and got rid of the Trojan warning, then installed SUPERAntiSpyware, but I still have Trojans. Here is the new hijack file:

Logfile of HijackThis v1.99.1
Scan saved at 8:24:50 PM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\wgcwltrg.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\mcokepkv.dll",forkonce
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... 0.0.15.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/i ... 36ade56825
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: GPBvNXbNVTAOVtD - {140105DC-BEAB-AF76-95CA-8678539685C0} - C:\WINDOWS\system32\yymgp.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\wgcwltrg.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
aphdes
Active Member
 
Posts: 10
Joined: September 11th, 2007, 9:29 am
Location: massachusetts

McAfee Trojan Generic.f is back, how long for help?

Post by aphdes » September 13th, 2007, 6:17 pm

I have been trying to fix this myself, which was a very bad idea.
So I am posting this again.
Here is my new hijack file after I reloaded McAfee, and the Trojan warning window came back.
Also, I get a message that I have low disk space.
Also, when I try to reboot in Safe Mode I lose my Start menu, so I can't do anything.
Am I saving this hijack file correctly?
Can you let me know how long I should wait for help? Is this fixable?
Should I pay for help from McAfee?


Logfile of HijackThis v1.99.1
Scan saved at 5:59:14 PM, on 9/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\clnyueoi.dll",forkonce
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... 0.0.15.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/i ... 36ade56825
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: GPBvNXbNVTAOVtD - {140105DC-BEAB-AF76-95CA-8678539685C0} - C:\WINDOWS\system32\yymgp.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
aphdes
Active Member
 
Posts: 10
Joined: September 11th, 2007, 9:29 am
Location: massachusetts

Post by km2357 » September 13th, 2007, 8:20 pm

Hi Aphdes.

I will be helping you in this topic. Please do not start any more new topics. When you want to reply, use the post reply button and not the new topic one.

I'm currently working on a fix for you and will get to you as soon as possible.

Thanks.
km2357
MRU Master
 
Posts: 3003
Joined: January 30th, 2007, 2:48 pm
Location: California

Post by km2357 » September 13th, 2007, 11:30 pm

Print out these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.


You need to re-enable System Restore. It is better to have an infected restore point than none at all.

Please right-click on My Computer, go to Properties and then the System Restore tab.
Remove the tick from Turn off System Restore, then click Apply and OK.


Step # 1: Download and Run ComboFix

Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step # 2: Download and Run LSPFix

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.

  • Please download LSPFix from here.
  • Disconnect from the internet and run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of xfnbxjqyajdoc.dll.
  • Select every instance of xfnbxjqyajdoc.dll and move each one to the Remove box by clicking the >> button.
  • When you are done, click Finish>>.

Step # 3: Boot into Safe Mode

You can get into Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.


Step # 4: ADS Spy

  • Start HijackThis.
  • Click "open misc tools section".
  • Click "open ADSSpy".
  • Uncheck "quick scan".
  • Click "scan".
  • Wait till the scan is done.

Once done, if there are any results, click "save log".
Save the log someplace. By default it should save to your HijackThis folder.

Boot back to normal mode and post the results here.


Step # 5: Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.


Step # 6: Post Logs

In your next post/reply, I'd like to see the following:

    1. ComboFix Log
    2. Uninstall List
    3. ADSSpy Log
    4. A fresh Hijackthis Log


If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.
km2357
MRU Master
 
Posts: 3003
Joined: January 30th, 2007, 2:48 pm
Location: California
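A log triage script, added here as an example and not code from the forum thread, HijackThis or ComboFix: it parses HijackThis O4/O10/O21/O23 lines (a constructed sample copied from the logs posted above) and flags the patterns km2357's fix targets, including the unknown LSP DLL from Step 2 and the svchost.exe:exe.exe service path, which is an NTFS alternate data stream of the kind ADS Spy in Step 4 looks for. The 8-letter-name rule is a heuristic that also flags Intel's legitimate igfxtray.exe, so every hit is a review prompt, not a verdict.

```python
"""Triage a HijackThis v1.99 log for the entry types that mattered in this thread.

Added example; not code from the forum, HijackThis or ComboFix. It flags unknown
Winsock LSP DLLs (O10), autorun targets and services with the 8-letter random
names seen in the posted logs, a service binary hidden in an NTFS alternate data
stream (O23 ICF), executables launched straight from C:\\WINDOWS, bare file names
resolved through the search order, and shell service objects whose DLL is gone.
"""
import re
from collections import Counter

# Constructed sample: a subset of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\cjxtpoxv.dll",forkonce
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\xfnbxjqyajdoc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: GPBvNXbNVTAOVtD - {140105DC-BEAB-AF76-95CA-8678539685C0} - C:\WINDOWS\system32\yymgp.dll (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\nefpbowo.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY = re.compile(r"^(O\d+|R\d) - (.*)$")
RANDOM8 = re.compile(r"^[a-z]{8}$")            # every Vundo-style name in this log is 8 letters
IN_WINDIR = re.compile(r"^c:\\windows\\", re.I)
WINDIR_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I)
ADS_PATH = re.compile(r"^[a-z]:\\(?:[^\\]*\\)*[^\\:]+:[^\\]+$", re.I)   # ...\file.exe:stream
SERVICE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.*?) ?- (?P<path>[a-z]:\\.*)$", re.I)
LSP_PREFIX = "Unknown file in Winsock LSP: "


def stem(path):
    """Lowercase file name without extension: 'cjxtpoxv' for '...\\cjxtpoxv.dll'."""
    name = path.strip('"').rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def autorun_target(body):
    """The file an O4 entry launches: the DLL for rundll32 lines, otherwise the .exe."""
    rest = body.split("] ", 1)[1] if "] " in body else body
    if rest.lower().startswith("rundll32"):
        m = re.search(r'([a-z]:\\[^",]+?\.dll)', rest, re.I)
    else:
        m = re.search(r'([a-z]:\\[^"]+?\.exe)', rest, re.I) or re.match(r"([\w.-]+\.exe)", rest, re.I)
    return m.group(1) if m else rest


def triage_line(section, body):
    """Return (section, reason, detail) for a line worth a second look, else None."""
    if section == "O4":
        target = autorun_target(body)
        if WINDIR_ROOT_EXE.match(target):
            return section, "executable launched straight from the Windows folder", target
        if IN_WINDIR.match(target) and RANDOM8.match(stem(target)):
            # Heuristic: also trips on Intel's legitimate igfxtray.exe; check the vendor before acting.
            return section, "8-letter name under the Windows folder (heuristic)", target
        if re.fullmatch(r"[\w.-]+\.exe", target, re.I):
            return section, "no full path; resolved through the search order", target
    elif section == "O21" and body.endswith("(file missing)"):
        path = body.rsplit(" - ", 1)[-1][: -len(" (file missing)")]
        return section, "shell service object whose DLL is missing", path
    elif section == "O23":
        m = SERVICE.match(body)
        if m:
            owner, path = m["owner"].strip(), m["path"].strip()
            if ADS_PATH.match(path):
                return section, "service binary is an NTFS alternate data stream", path
            if owner in ("", "Unknown owner") and IN_WINDIR.match(path) and RANDOM8.match(stem(path)):
                return section, "unowned service with an 8-letter binary under the Windows folder", path
    return None


def triage(text):
    """Return (findings, lsp_counts). Findings keep log order; the O10 entries are
    collapsed into one finding per DLL (HijackThis prints one line per LSP chain slot)."""
    findings, lsp = [], Counter()
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O10":
            if body.startswith(LSP_PREFIX):
                lsp[body[len(LSP_PREFIX):].strip()] += 1
            continue
        hit = triage_line(section, body)
        if hit:
            findings.append(hit)
    for dll, n in lsp.items():
        findings.append(("O10", f"unknown DLL in the Winsock LSP chain ({n} chain entries)", dll))
    return findings, lsp


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG)[0]:
        print(f"{section:<4} {reason}: {detail}")
```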

THANK YOU, here are the results

Post by aphdes » September 14th, 2007, 5:52 pm

I have 2 files: the first is the ComboFix text file and then the log file.

ComboFix 07-09-14.2 - "Amy" 2007-09-14 16:44:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.319 [GMT -4:00]
.
ADS - svchost.exe: deleted 51200 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\6.tmp
C:\DOCUME~1\Cam\APPLIC~1\Starware
C:\DOCUME~1\Cam\APPLIC~1\Starware\MasterOptions.xml
C:\DOCUME~1\Cam\APPLIC~1\Starware\ToolbarOptions.xml
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\MasterOptions.xml
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\ProductOptions.xml
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\ToolbarOptions.xml
C:\DOCUME~1\Naomi\APPLIC~1\DOBE~1
C:\DOCUME~1\Naomi\APPLIC~1\Starware
C:\DOCUME~1\Naomi\APPLIC~1\Starware\MasterOptions.xml
C:\DOCUME~1\Naomi\APPLIC~1\Starware\ProductOptions.xml
C:\DOCUME~1\Naomi\APPLIC~1\Starware\ToolbarOptions.xml
C:\DOCUME~1\Naomi\MYDOCU~1\CROSOF~1
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\PopSwatr\History\allowed
C:\Program Files\FunWebProducts\PopSwatr\History\notallow
C:\Program Files\FunWebProducts\ScreenSaver\Images\006CDCC6.urr
C:\Program Files\inetget2
C:\Program Files\ISM
C:\Program Files\ISM\BndDrive2.dll
C:\Program Files\ISM\BndDrive3.dll
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\ISMModule4.exe
C:\Program Files\ISM\syncupd.exe
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_bfeats.dat
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\ystem3~1
C:\WINDOWS\Casino.ico
C:\WINDOWS\cookies.ini
C:\WINDOWS\deskcfg.tmp
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\clnyueoi.dll
C:\WINDOWS\system32\cvjjupxt.exe
C:\WINDOWS\SYSTEM32\elbehvto.ini
C:\WINDOWS\system32\fojtttpt.dll
C:\WINDOWS\SYSTEM32\ggxvwvbp.ini
C:\WINDOWS\SYSTEM32\ioeuynlc.ini
C:\WINDOWS\system32\jpnnhxhe.dll
C:\WINDOWS\system32\kkactdkg.exe
C:\WINDOWS\system32\nlxgolev.dll
C:\WINDOWS\system32\otvheble.dll
C:\WINDOWS\system32\pbvwvxgg.dll
C:\WINDOWS\system32\pftfdjlf.dll
C:\WINDOWS\system32\prrdynpv.dll
C:\WINDOWS\system32\qfoprudu.exe
C:\WINDOWS\system32\simp_dll.dll
C:\WINDOWS\system32\supsyqiv.dll
C:\WINDOWS\system32\tmossqba.exe
C:\WINDOWS\SYSTEM32\tptttjof.ini
C:\WINDOWS\SYSTEM32\ttstv.bak1
C:\WINDOWS\SYSTEM32\ttstv.bak2
C:\WINDOWS\SYSTEM32\ttstv.ini
C:\WINDOWS\SYSTEM32\ttstv.ini2
C:\WINDOWS\SYSTEM32\ttstv.tmp
C:\WINDOWS\system32\unnxvtbb.exe
C:\WINDOWS\system32\uoldbqaw.dll
C:\WINDOWS\SYSTEM32\viqyspus.ini
C:\WINDOWS\system32\vojppjow.exe
C:\WINDOWS\SYSTEM32\vpnydrrp.ini
C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\SYSTEM32\waqbdlou.ini
C:\WINDOWS\wr.txt
C:\WINDOWS\ymbols~1

Infected copy of C:\WINDOWS\system32\ntoskrnl.exe was found & disinfected
Restored copy from - C:\WINDOWS\system32\dllcache\ntoskrnl.exe


Infected copy of C:\WINDOWS\system32\ntkrnlpa.exe was found & disinfected
Restored copy from - C:\WINDOWS\system32\dllcache\ntkrnlpa.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ASC355
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_ICF
-------\asc355
-------\DomainService
-------\ICF


((((((((((((((((((((((((( Files Created from 2007-08-14 to 2007-09-14 )))))))))))))))))))))))))))))))
.

2007-09-14 16:39 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-13 18:47 1,330 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-09-13 18:46 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-09-13 18:46 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-09-13 18:46 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-09-12 21:21 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-09-12 21:16 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2007-09-12 21:16 37,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2007-09-12 21:16 34,184 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2007-09-12 21:16 32,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2007-09-12 21:16 170,408 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2007-09-12 21:15 109,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2007-09-12 21:12 <DIR> d-------- C:\Program Files\McAfee.com
2007-09-12 21:12 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-09-12 21:11 <DIR> d-------- C:\Program Files\McAfee
2007-09-12 21:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-09-12 20:10 <DIR> d-------- C:\DOCUME~1\Naomi\APPLIC~1\Aim
2007-09-12 20:08 <DIR> d-------- C:\Program Files\Viewpoint
2007-09-12 15:40 <DIR> d-------- C:\WINDOWS\Profiles
2007-09-12 15:11 <DIR> d-------- C:\DOCUME~1\Naomi\APPLIC~1\SUPERAntiSpyware.com
2007-09-11 16:05 76,285 --a------ C:\Program Files\setup.exe
2007-09-11 16:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-11 16:00 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-11 16:00 <DIR> d-------- C:\DOCUME~1\Amy\APPLIC~1\SUPERAntiSpyware.com
2007-09-11 15:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-04 20:45 24,064 --------- C:\WINDOWS\SYSTEM32\xfnbxjqyajdoc.dll
2007-09-03 16:21 <DIR> d-------- C:\Program Files\Words
2007-08-30 10:34 <DIR> d---s---- C:\DOCUME~1\LOCALS~1\UserData
2007-08-19 09:58 <DIR> d-------- C:\WINDOWS\wokk
2007-08-19 09:58 <DIR> d-------- C:\Program Files\Common Files\wokk
2007-08-19 09:45 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-18 18:20 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-08-18 18:19 <DIR> d--hs---- C:\WINDOWS\TmFvbWk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-13 20:21 --------- d-------- C:\Program Files\AIM
2007-09-12 20:21 --------- d-------- C:\DOCUME~1\Naomi\APPLIC~1\Viewpoint
2007-09-12 20:08 --------- d-------- C:\Program Files\Common Files\AOL
2007-09-12 20:08 --------- d-------- C:\Program Files\AOD
2007-09-12 20:08 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-09-11 19:08 --------- d--h----- C:\DOCUME~1\Amy\APPLIC~1\Gtek
2007-09-11 11:29 --------- d-------- C:\Program Files\NetWaiting
2007-09-07 17:48 --------- d-------- C:\Program Files\LimeWire
2007-08-31 18:46 --------- d-------- C:\Program Files\Common Files\Real
2007-07-29 19:58 --------- d-------- C:\Program Files\Dell
2007-07-29 19:57 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-29 19:57 --------- d-------- C:\Program Files\Canon
2007-07-29 18:28 --------- d-------- C:\Program Files\EarthLink Setup
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 17:42]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 22:15]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 05:50 C:\WINDOWS\LOGI_MWX.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2006-05-14 19:58:25]
DESKTOP.INI [2004-08-10 15:04:12]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-04-02 15:15:24]
NETGEAR WPN111 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN111\wpn111.exe [2006-10-30 20:01:07]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 13:59:36]
Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe [2005-04-02 15:14:43]

C:\DOCUME~1\Amy\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 15:04:12]

C:\DOCUME~1\Cam\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 15:04:12]

C:\DOCUME~1\Naomi\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 15:04:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"GPBvNXbNVTAOVtD"= {140105DC-BEAB-AF76-95CA-8678539685C0} - C:\WINDOWS\system32\yymgp.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IPNEPT]
IPNEPT.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\vtstt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\DNINDIS5.SYS
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\WINDOWS\system32\DRIVERS\WPN111.sys
S3 DELL_A02;Dell TrueMobile 1300 USB2.0 WLAN Card Driver;C:\WINDOWS\system32\DRIVERS\PRISMA02.sys
S4 PRISMSVC;PRISMSVC;C:\WINDOWS\system32\PRISMSVC.EXE

.
Contents of the 'Scheduled Tasks' folder
"2007-09-13 01:14:18 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-09-13 01:14:16 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-14 17:11:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-14 17:13:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-14 17:13
.
--- E O F ---


LOG FILE:

ComboFix 07-09-14.2 - "Amy" 2007-09-14 16:44:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.319 [GMT -4:00]
.
ADS - svchost.exe: deleted 51200 bytes in 1 streams.


There were no results to ADSPY log
Here is Uninstall list:

AOL Instant Messenger
AOL Toolbar 2.0
APC PowerChute Personal Edition
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Conexant D850 56K V.9x DFVc Modem
Dell Media Experience
DellSupport
Digital Line Detect
EarthLink setup files
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
Internet Speed Monitor
iTunes
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Logitech MouseWare 9.79.1
Macromedia Flash Player
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Helper
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
NETGEAR RangeMax(TM) Wireless USB 2.0 Adapter WPN111
QuickBooks Simple Start Special Edition
QuickTime
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
SUPERAntiSpyware Free Edition
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
USB 2.0 Wireless LAN Card Utility
Viewpoint Media Player
WildTangent Web Driver
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WordPerfect Office 12

And here is new Hijackthis file:

Logfile of HijackThis v1.99.1
Scan saved at 5:38:12 PM, on 9/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: (no name) - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... 0.0.15.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/i ... 36ade56825
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IPNEPT - IPNEPT.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: GPBvNXbNVTAOVtD - {140105DC-BEAB-AF76-95CA-8678539685C0} - C:\WINDOWS\system32\yymgp.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
aphdes
Active Member
 
Posts: 10
Joined: September 11th, 2007, 9:29 am
Location: massachusetts

Unread postby km2357 » September 15th, 2007, 4:28 pm

Step # 1 Upload Files


Please visit Jotti or Virustotal

To upload files at Jotti:

Click on Browse... and navigate to the following file:
C:\Program Files\setup.exe
Click Open




To upload files at Virustotal:


  • Click the Browse... button
  • Navigate to the file C:\Program Files\setup.exe
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here please.



Please let me know the results.


Step # 2 Remove WildTangent

I see you are using Wild Tangent. It is not malware, but is sometimes thought to bring malware along. Wild Tangent is a video game software company specializing in online games. It has even made a partnership with AOL to include itself as part of the AOL Instant Messenger for their AIM games section. The WildTangent Web Driver is their technology that allows you to play 3D games over the Internet. Although it’s not technically considered spyware, it does have built in components to update itself and gather information about the computer system including:
  1. Operating System Version
  2. CPU Type and Speed
  3. Memory Amount
  4. Video Card type and Driver Version
  5. Sound Card type and Driver Version
  6. DirectX Version
  7. Location that the Web Driver was installed from
It is also a MAJOR resource hog.
For more information, see WildTangent Removal Instructions and Help and Inside Wild Tangent-Delivering High-End 3-D Content To A Web Site Near You.
Unless you are an extremely avid games player, I recommend you uninstall Wild Tangent. To uninstall Wild Tangent:
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight WildTangent Web Driver, click Remove.
  4. Close the Add or Remove Programs and the Control Panel windows.


Step # 3 Remove Viewpoint

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight Viewpoint Media Player, click Remove.
  4. Do the same for each Viewpoint component.

Step # 4: Add/Remove Programs

Go to Start-Settings-Control Panel, click on Add Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.

    Internet Explorer Default Page

    Internet Speed Monitor

Reboot your computer.


Step # 5: Run CFScript



  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    
    C:\WINDOWS\SYSTEM32\xfnbxjqyajdoc.dll
    C:\\WINDOWS\\system32\\vtstt
    C:\WINDOWS\system32\yymgp.dll
    
    Folder::
    
    C:\WINDOWS\wokk 
    C:\Program Files\Common Files\wokk 
    C:\WINDOWS\TmFvbWk
    
    Registry::
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] 
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] 
    "GPBvNXbNVTAOVtD"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IPNEPT]


  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    [screenshot: dragging CFScript.txt onto ComboFix.exe]


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step # 6: Remove Hijackthis Entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O3 - Toolbar: (no name) - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - (no file)

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... 0.0.15.cab

    O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/i ... 36ade56825

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.


Step # 7 Post Logs

In your next post/reply, I'd like to see the following:

    1. Jotti/Virustotal Results
    2. ComboFix Log
    3. Fresh HijackThis Log


If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.
km2357
MRU Master
 
Posts: 3003
Joined: January 30th, 2007, 2:48 pm
Location: California
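A triage helper for the HijackThis workflow in Steps 6 and 7 (an added example, not a MalwareRemoval.com or HijackThis tool): it parses the entry lines of a v1.99.1 log, flags the two patterns km2357 ticks above (orphaned "(no file)" CLSIDs and O16 DPF downloads from the hosts named in the thread), and diffs a before/after log so the "fresh HijackThis log" can be checked for what actually disappeared. The sample log lines, the .cab paths and the function names are constructed for this example.

```python
"""Triage helper for HijackThis v1.99.1 logs: parse entries, flag the patterns
Step 6 targets, and diff a before/after log. Added example; sample data constructed."""
import re
from urllib.parse import urlparse

# DPF (ActiveX download) hosts km2357 singled out in Step 6 of this thread.
FLAGGED_DPF_HOSTS = {"ak.imgfarm.com", "static.zangocash.com"}

# Every HijackThis finding is "<letter><number> - <body>"; header lines and the
# process list (bare paths) never match this.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Constructed sample log: header, one process path, the four entries flagged in
# Step 6, and three entries a helper would leave alone. The .cab paths are
# placeholders, not the truncated URLs quoted in the thread.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\hkcmd.exe

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: (no name) - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/CONSTRUCTED-PATH/sample.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/CONSTRUCTED-PATH/sample.cab
"""

# Constructed "fresh" log as it should look after Fix checked: the four flagged
# entries are gone, everything else is unchanged.
AFTER_LOG = "\n".join(
    line for line in BEFORE_LOG.splitlines()
    if "(no file)" not in line and "CONSTRUCTED-PATH" not in line
) + "\n"


def parse_hjt(text):
    """Return [(kind, body)] for every finding line, e.g. ('O16', 'DPF: {...} - http://...')."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def dpf_host(body):
    """Lower-cased host of the download URL in an entry body, or None if it has none."""
    m = re.search(r"https?://\S+", body)
    if not m:
        return None
    host = urlparse(m.group(0)).hostname
    return host.lower() if host else None


def triage(text):
    """Return [(reason, line)] for entries matching the two Step 6 patterns.

    '(file missing)' entries (a path is recorded but absent) are deliberately not
    flagged here; the thread leaves them to the helper's judgement.
    """
    hits = []
    for kind, body in parse_hjt(text):
        line = f"{kind} - {body}"
        if kind in ("O2", "O3", "O9") and "(no file)" in body:
            hits.append(("orphaned CLSID, backing file gone", line))
        elif kind == "O16" and dpf_host(body) in FLAGGED_DPF_HOSTS:
            hits.append(("ActiveX download from adware host", line))
    return hits


def diff_logs(before, after):
    """(removed, added): finding lines that disappeared / appeared between two logs."""
    old = {f"{k} - {v}" for k, v in parse_hjt(before)}
    new = {f"{k} - {v}" for k, v in parse_hjt(after)}
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for reason, line in triage(BEFORE_LOG):
        print(f"[{reason}] {line}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"{len(removed)} entries gone in the fresh log, {len(added)} new")
```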

Thanks, here are my files

Unread postby aphdes » September 15th, 2007, 7:41 pm

FROM VIRUSTOTAL:

File setup.exe received on 09.16.2007 00:42:57 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.9.14.0 2007.09.14 -
AntiVir 7.6.0.10 2007.09.14 DR/Zlob.Gen
Authentium 4.93.8 2007.09.15 -
Avast 4.7.1043.0 2007.09.15 Win32:Zlob-ZZ
AVG 7.5.0.485 2007.09.15 -
BitDefender 7.2 2007.09.16 Trojan.Downloader.Zlob.AAOA
CAT-QuickHeal 9.00 2007.09.15 -
ClamAV 0.91.2 2007.09.15 Trojan.Dropper-2529
DrWeb 4.33 2007.09.15 -
eSafe 7.0.15.0 2007.09.13 Win32.Zlob.cgm
eTrust-Vet 31.1.5136 2007.09.14 -
Ewido 4.0 2007.09.15 -
FileAdvisor 1 2007.09.16 -
Fortinet 3.11.0.0 2007.09.15 W32/Zlob.CME!tr.dldr
F-Prot 4.3.2.48 2007.09.15 -
F-Secure 6.70.13030.0 2007.09.15 Trojan-Downloader.Win32.Zlob.cme
Ikarus T3.1.1.12 2007.09.15 -
Kaspersky 4.0.2.24 2007.09.16 Trojan-Downloader.Win32.Zlob.cme
McAfee 5120 2007.09.14 -
Microsoft 1.2803 2007.09.15 TrojanDownloader:Win32/Zlob!28C2
NOD32v2 2531 2007.09.15 Win32/TrojanDownloader.Zlob.BDU
Norman 5.80.02 2007.09.14 -
Panda 9.0.0.4 2007.09.15 -
Prevx1 V2 2007.09.16 -
Rising 19.40.52.00 2007.09.15 -
Sophos 4.21.0 2007.09.15 Mal/Generic-A
Sunbelt 2.2.907.0 2007.09.15 -
Symantec 10 2007.09.15 -
TheHacker 6.2.5.060 2007.09.14 -
VBA32 3.12.2.4 2007.09.15 Trojan-Downloader.Win32.Zlob.cme
VirusBuster 4.3.26:9 2007.09.15 Trojan.DR.Zlob.CKW!Pac
Webwasher-Gateway 6.0.1 2007.09.14 Trojan.Zlob.Gen
Additional information
File size: 76285 bytes
MD5: 15bce5cc843c83bda0ff1643a1f8569c
SHA1: fdc6d47f31bb29a694244d87df11ce8f1c26266d
packers: BINARYRES

COMBOFIX LOG:

ComboFix 07-09-14.2 - "Amy" 2007-09-15 19:12:12.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.465 [GMT -4:00]
* Created a new restore point

FILE::
C:\WINDOWS\SYSTEM32\xfnbxjqyajdoc.dll
C:\\WINDOWS\\system32\\vtstt
C:\WINDOWS\system32\yymgp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\wokk
C:\Program Files\Common Files\wokk\wokka.lck
C:\Program Files\Common Files\wokk\wokkd\class-barrel
C:\Program Files\Common Files\wokk\wokkd\vocabulary
C:\Program Files\Common Files\wokk\wokkh
C:\Program Files\Common Files\wokk\wokkl.lck
C:\Program Files\Common Files\wokk\wokkm.lck
C:\WINDOWS\TmFvbWk
C:\WINDOWS\wokk
C:\WINDOWS\wokk\wokk.dat
C:\WINDOWS\wokk\wu

.
((((((((((((((((((((((((( Files Created from 2007-08-15 to 2007-09-15 )))))))))))))))))))))))))))))))
.

2007-09-15 12:20 1,165 --a------ C:\WINDOWS\mozver.dat
2007-09-14 16:39 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-13 18:47 1,330 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-09-13 18:46 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-09-13 18:46 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-09-13 18:46 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-09-12 21:21 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-09-12 21:16 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2007-09-12 21:16 37,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2007-09-12 21:16 34,184 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2007-09-12 21:16 32,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2007-09-12 21:16 170,408 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2007-09-12 21:15 109,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2007-09-12 21:12 <DIR> d-------- C:\Program Files\McAfee.com
2007-09-12 21:12 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-09-12 21:11 <DIR> d-------- C:\Program Files\McAfee
2007-09-12 21:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-09-12 20:10 <DIR> d-------- C:\DOCUME~1\Naomi\APPLIC~1\Aim
2007-09-12 20:08 <DIR> d-------- C:\Program Files\Viewpoint
2007-09-12 15:40 <DIR> d-------- C:\WINDOWS\Profiles
2007-09-12 15:11 <DIR> d-------- C:\DOCUME~1\Naomi\APPLIC~1\SUPERAntiSpyware.com
2007-09-11 16:05 76,285 --a------ C:\Program Files\setup.exe
2007-09-11 16:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-11 16:00 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-11 16:00 <DIR> d-------- C:\DOCUME~1\Amy\APPLIC~1\SUPERAntiSpyware.com
2007-09-11 15:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-03 16:21 <DIR> d-------- C:\Program Files\Words
2007-08-30 10:34 <DIR> d---s---- C:\DOCUME~1\LOCALS~1\UserData
2007-08-19 09:45 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-18 18:20 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-15 18:58 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-09-15 18:54 --------- d-------- C:\Program Files\WildTangent
2007-09-13 20:21 --------- d-------- C:\Program Files\AIM
2007-09-12 20:21 --------- d-------- C:\DOCUME~1\Naomi\APPLIC~1\Viewpoint
2007-09-12 20:08 --------- d-------- C:\Program Files\Common Files\AOL
2007-09-12 20:08 --------- d-------- C:\Program Files\AOD
2007-09-11 19:08 --------- d--h----- C:\DOCUME~1\Amy\APPLIC~1\Gtek
2007-09-11 11:29 --------- d-------- C:\Program Files\NetWaiting
2007-09-07 17:48 --------- d-------- C:\Program Files\LimeWire
2007-09-04 20:44 14336 --a------ C:\WINDOWS\SYSTEM32\SVCHOST.EXE
2007-08-31 18:46 --------- d-------- C:\Program Files\Common Files\Real
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2007-07-29 19:58 --------- d-------- C:\Program Files\Dell
2007-07-29 19:57 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-29 19:57 --------- d-------- C:\Program Files\Canon
2007-06-26 22:10 317440 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\unregmp2.exe
2007-06-26 11:13 851968 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\vgx.dll
2007-06-26 10:09 658944 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2005-02-16 11:06 218112 --a------ C:\Program Files\HijackThis.exe
.

((((((((((((((((((((((((((((( snapshot_2007-09-14_171238.96 )))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 16,384 2007-09-15 00:32:24 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
-c--a-w 32,768 2007-09-15 00:32:24 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
-c--a-w 32,768 2007-09-15 00:32:24 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 2,115,816 2007-06-11 17:34:00 C:\WINDOWS\SYSTEM32\Macromed\Flash\NPSWF32.dll
----a-w 190,696 2007-06-11 17:34:00 C:\WINDOWS\SYSTEM32\Macromed\Flash\NPSWF32_FlashUtil.exe
.
-c--a-w 16,384 2007-09-13 01:04:35 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
-c--a-w 32,768 2007-09-13 01:04:35 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
-c--a-w 32,768 2007-09-13 01:04:35 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 17:42]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 22:15]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 05:50 C:\WINDOWS\LOGI_MWX.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2006-05-14 19:58:25]
DESKTOP.INI [2004-08-10 15:04:12]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-04-02 15:15:24]
NETGEAR WPN111 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN111\wpn111.exe [2006-10-30 20:01:07]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 13:59:36]
Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe [2005-04-02 15:14:43]

C:\DOCUME~1\Amy\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 15:04:12]

C:\DOCUME~1\Cam\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 15:04:12]

C:\DOCUME~1\Naomi\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-10 15:04:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\DNINDIS5.SYS
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\WINDOWS\system32\DRIVERS\WPN111.sys
S3 DELL_A02;Dell TrueMobile 1300 USB2.0 WLAN Card Driver;C:\WINDOWS\system32\DRIVERS\PRISMA02.sys
S4 PRISMSVC;PRISMSVC;C:\WINDOWS\system32\PRISMSVC.EXE


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f81bc97c-5df7-11db-abee-00904bd5079b}]
AutoRun\command- E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-13 01:14:18 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-09-13 01:14:16 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-15 19:15:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-15 19:16:29
C:\ComboFix-quarantined-files.txt ... 2007-09-15 19:16
C:\ComboFix2.txt ... 2007-09-14 17:13
.
--- E O F ---


NEW HIJACKTHIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 7:27:31 PM, on 9/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
aphdes
Active Member
 
Posts: 10
Joined: September 11th, 2007, 9:29 am
Location: massachusetts

Unread postby km2357 » September 16th, 2007, 9:25 pm

If you already have SmitFraudFix on your computer, please delete it, before following Step 1.


Step #1 Download and run SmitFraudFix

Please download SmitfraudFix (by S!Ri)

Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Step # 3: Run SuperAntiSpyware


  • Double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
      • Close browsers before scanning
      • Scan for tracking cookies
      • Terminate memory threats before quarantining.
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
      • After reboot, double-click the SUPERAntispyware icon on your desktop
      • Click Preferences. Click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • It will open in your default text editor (such as Notepad/Wordpad).
      • Please highlight everything in the notepad, then right-click and choose copy.
      • Click close and close again to exit the program.
      • Please paste that information here for me with a new HijackThis log.



Step # 4 Post Logs

In your next post/reply, I'd like to see the following:

    1. SmitFraudFix Log
    2. SuperAntiSpyware Log
    3. A fresh HijackThis Log


If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.
km2357
MRU Master
 
Posts: 3003
Joined: January 30th, 2007, 2:48 pm
Location: California

new log files

Unread postby aphdes » September 18th, 2007, 12:08 pm

Here are my new log files. I was not able to download ATF Cleaner.

SMIT FRAUD

SmitFraudFix v2.225

Scan done at 9:29:40.01, Tue 09/18/2007
Run from C:\Documents and Settings\Amy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\CSCRIPT.EXE

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Amy


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Amy\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Amy\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NETGEAR RangeMax(TM) Wireless USB 2.0 Adapter WPN111 - Packet Scheduler Miniport
DNS Server Search Order: 68.87.71.226
DNS Server Search Order: 68.87.73.242

HKLM\SYSTEM\CCS\Services\Tcpip\..\{979783A4-5B53-45CF-9A4D-7B91B281A594}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS1\Services\Tcpip\..\{979783A4-5B53-45CF-9A4D-7B91B281A594}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS3\Services\Tcpip\..\{979783A4-5B53-45CF-9A4D-7B91B281A594}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

SUPERANTISPYWARE

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/18/2007 at 10:59 AM

Application Version : 3.9.1008

Core Rules Database Version : 3308
Trace Rules Database Version: 1314

Scan type : Complete Scan
Total Scan Time : 01:18:48

Memory items scanned : 462
Memory threats detected : 0
Registry items scanned : 4788
Registry threats detected : 1
File items scanned : 46796
File threats detected : 61

Adware.Tracking Cookie
C:\Documents and Settings\Amy\Cookies\amy@atdmt[2].txt
C:\Documents and Settings\Amy\Cookies\amy@adrevolver[2].txt
C:\Documents and Settings\Amy\Cookies\amy@bluestreak[1].txt
C:\Documents and Settings\Amy\Cookies\amy@www.winantispyware[1].txt
C:\Documents and Settings\Amy\Cookies\amy@trafficmp[1].txt
C:\Documents and Settings\Amy\Cookies\amy@adrevolver[3].txt
C:\Documents and Settings\Amy\Cookies\amy@winantispyware[2].txt
C:\Documents and Settings\Amy\Cookies\amy@drivecleaner[2].txt
C:\Documents and Settings\Amy\Cookies\amy@linksynergy[1].txt
C:\Documents and Settings\Amy\Cookies\amy@media.adrevolver[1].txt
C:\Documents and Settings\Amy\Cookies\amy@doubleclick[1].txt
C:\Documents and Settings\Amy\Cookies\amy@stats1.reliablestats[2].txt
C:\Documents and Settings\Amy\Cookies\amy@sexbuddies[2].txt
C:\Documents and Settings\Amy\Cookies\amy@tacoda[1].txt
C:\Documents and Settings\Amy\Cookies\amy@anad.tacoda[1].txt
C:\Documents and Settings\Amy\Cookies\amy@fastclick[1].txt
C:\Documents and Settings\Amy\Cookies\amy@winantivirus[2].txt
C:\Documents and Settings\Amy\Cookies\amy@tribalfusion[2].txt
C:\Documents and Settings\Naomi\Cookies\naomi@2o7[1].txt
C:\Documents and Settings\Naomi\Cookies\naomi@ad.yieldmanager[2].txt
C:\Documents and Settings\Naomi\Cookies\naomi@adbrite[2].txt
C:\Documents and Settings\Naomi\Cookies\naomi@adopt.specificclick[1].txt
C:\Documents and Settings\Naomi\Cookies\naomi@adrevolver[1].txt
C:\Documents and Settings\Naomi\Cookies\naomi@adrevolver[2].txt
C:\Documents and Settings\Naomi\Cookies\naomi@ads.adbrite[1].txt
C:\Documents and Settings\Naomi\Cookies\naomi@ads.pointroll[2].txt
C:\Documents and Settings\Naomi\Cookies\naomi@adserver[1].txt
C:\Documents and Settings\Naomi\Cookies\naomi@advertising[2].txt
C:\Documents and Settings\Naomi\Cookies\naomi@atdmt[2].txt
C:\Documents and Settings\Naomi\Cookies\naomi@atwola[1].txt
C:\Documents and Settings\Naomi\Cookies\naomi@casalemedia[2].txt
C:\Documents and Settings\Naomi\Cookies\naomi@cpvfeed[2].txt
C:\Documents and Settings\Naomi\Cookies\naomi@doubleclick[1].txt
C:\Documents and Settings\Naomi\Cookies\naomi@ehg-maniatv.hitbox[1].txt
C:\Documents and Settings\Naomi\Cookies\naomi@exitexchange[2].txt
C:\Documents and Settings\Naomi\Cookies\naomi@fastclick[2].txt
C:\Documents and Settings\Naomi\Cookies\naomi@media.adrevolver[1].txt
C:\Documents and Settings\Naomi\Cookies\naomi@mediaplex[1].txt
C:\Documents and Settings\Naomi\Cookies\naomi@overture[1].txt
C:\Documents and Settings\Naomi\Cookies\naomi@perf.overture[1].txt
C:\Documents and Settings\Naomi\Cookies\naomi@questionmarket[2].txt
C:\Documents and Settings\Naomi\Cookies\naomi@realmedia[1].txt
C:\Documents and Settings\Naomi\Cookies\naomi@revsci[2].txt
C:\Documents and Settings\Naomi\Cookies\naomi@specificclick[2].txt
C:\Documents and Settings\Naomi\Cookies\naomi@tacoda[2].txt
C:\Documents and Settings\Naomi\Cookies\naomi@theused0.tripod[1].txt
C:\Documents and Settings\Naomi\Cookies\naomi@trafficmp[2].txt
C:\Documents and Settings\Naomi\Cookies\naomi@tribalfusion[2].txt
C:\Documents and Settings\Naomi\Cookies\naomi@tripod[1].txt
C:\Documents and Settings\Naomi\Cookies\naomi@www.xctrk[2].txt
C:\Documents and Settings\Naomi\Cookies\naomi@zedo[1].txt

Adware.AdSponsor/ISM
HKU\S-1-5-21-4176856247-3032328838-2985300085-1007\Software\BndDrive

Adware.Unknown Origin
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\WOKK\WOKKD\CLASS-BARREL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\WOKK\WOKKD\VOCABULARY.VIR

Adware.ISM/BndDrive
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ISM\BNDDRIVE2.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ISM\BNDDRIVE3.DLL.VIR

Adware.eZula
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\CVJJUPXT.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\KKACTDKG.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QFOPRUDU.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\TMOSSQBA.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\UNNXVTBB.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VOJPPJOW.EXE.VIR

HIJACK THIS

Logfile of HijackThis v1.99.1
Scan saved at 12:01:29 PM, on 9/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
aphdes
Active Member
Posts: 10
Joined: September 11th, 2007, 9:29 am
Location: Massachusetts
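As an added example (not part of this thread, and not code from HijackThis or MalwareRemoval.com), a small Python triage helper that parses entries in the log format posted above and flags the lines a helper typically checks first: references to missing files, services with no publisher string, Run values with no full path, and random-looking executable names under system32. The sample log lines are constructed from entries in this thread, and the "8 letters, at most one vowel" name check is an assumed heuristic for illustration, not an authoritative rule.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample, abridged from the HijackThis 1.99.1 log format used in this thread.
# The CVJJUPXT.EXE Run entry is built from the quarantine listing above, not a real log line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [cvjjupxt] C:\WINDOWS\SYSTEM32\CVJJUPXT.EXE
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFOL]\d+) - (?P<body>.*)$")
# Drive-letter path up to the first .exe/.dll, with or without a leading quote
PATH_RE = re.compile(r'"?([A-Za-z]:\\.+?\.(?:exe|dll))', re.IGNORECASE)

def parse_entries(text):
    """Split a HijackThis log into (section, body) pairs, skipping header lines."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group("section"), m.group("body")) for m in matches if m]

def run_target(body):
    """Executable an O4 Run value points at: text after '[name] ', minus quotes and arguments."""
    rest = body.split("] ", 1)[-1].strip()
    m = PATH_RE.match(rest)
    return m.group(1) if m else rest.split(" ")[0].strip('"')

def looks_random(stem):
    """Assumed weak heuristic for generated file names: exactly 8 letters with at most one vowel."""
    return len(stem) == 8 and stem.isalpha() and sum(c in "aeiou" for c in stem.lower()) <= 1

def triage(entries):
    """Return (section, reason, body) for entries an analyst should verify by hand."""
    flags = []
    for section, body in entries:
        if "(file missing)" in body:
            flags.append((section, "points at a file that no longer exists", body))
        if section == "O23" and "Unknown owner" in body:
            flags.append((section, "service has no publisher string", body))
        if section == "O4" and "] " in body:
            path = PureWindowsPath(run_target(body))
            if not path.drive:
                flags.append((section, "Run value has no full path (resolved via PATH)", body))
            elif "system32" in [p.lower() for p in path.parts] and looks_random(path.stem):
                flags.append((section, "random-looking executable name in system32", body))
    return flags
```

Every flag is a prompt to verify the file (publisher, signature, hash) by hand, not a verdict; legitimate entries such as the DellSupport service above also trip the "Unknown owner" check.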

Unread postby km2357 » September 18th, 2007, 10:32 pm

Step # 1: Deleting Files/Folders

I need you to use Windows Explorer to delete the files/folders I have marked in Red (if found):

C:\Program Files\setup.exe

Step # 2: Run Kaspersky Online Scan
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky.
Click Yes.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under select a target to scan: select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.

Step # 3: Post Logs

In your next post/reply, I'd like to see the following:

    1. Kaspersky Log
    2. How is your computer running?/Any problems?


If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.
km2357
MRU Master
Posts: 3003
Joined: January 30th, 2007, 2:48 pm
Location: California

Unread postby km2357 » September 24th, 2007, 3:38 pm

Aphdes?

Do you still need help? If any of my instructions are unclear, please let me know.
km2357
MRU Master
Posts: 3003
Joined: January 30th, 2007, 2:48 pm
Location: California

still here

Unread postby aphdes » September 24th, 2007, 5:26 pm

Hi, I still need to do the last instructions. Everything has been very clear; the computer is working much better.
I will be sending you a new log soon!

-- Amy

Is there some way I can pay or donate for this service? I don't know what I would have done without it!
aphdes
Active Member
Posts: 10
Joined: September 11th, 2007, 9:29 am
Location: Massachusetts

Unread postby km2357 » September 26th, 2007, 8:00 pm

Hi Amy.

Thanks for the update. That's great to hear that your computer is working much better. I'll be waiting to see the Kaspersky log. :)

If you wish to make a donation, you can go to the following link for more information:

http://www.malwareremoval.com/donations.html
km2357
MRU Master
Posts: 3003
Joined: January 30th, 2007, 2:48 pm
Location: California