Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

HELP- I think something has taken over my computer!

Re: HELP- I think something has taken over my computer!

Post by MAPepin » February 7th, 2008, 2:24 pm

I cannot delete the folder C:\ComboFix

I keep getting the warning:

Error Deleting File or folder
cannot delete test: The directory is not empty.

I get the same warning if I try to delete the \test folder under C:\ComboFix
I checked and the folder is empty.

Mike
MAPepin
Regular Member
 
Posts: 23
Joined: January 28th, 2008, 11:37 am

Re: HELP- I think something has taken over my computer!

Post by Simon V. » February 7th, 2008, 2:41 pm

MAPepin wrote:I cannot delete the folder C:\ComboFix

I keep getting the warning:

Error Deleting File or folder
cannot delete test: The directory is not empty.

I get the same warning if I try to delete the \test folder under C:\ComboFix
I checked and the folder is empty.

Mike

Let's see whether any file becomes visible after doing the following.

Be sure that you are set to see hidden files and folders:

  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.

    • Put a checkmark in the checkbox labeled Display the contents of system folders.
    • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
    • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
    • Remove the checkmark from the checkbox labeled Hide protected operating system files. Answer Yes to the prompt.

  • Press the Apply button and then the OK button and close My Computer.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: HELP- I think something has taken over my computer!

Post by MAPepin » February 7th, 2008, 2:44 pm

:P OK, it worked!

Here are the following logs:

1 - ComboFix_log.txt
2 - mbam-log-2-7-2008 (13-35-58).txt (Malwarebytes log)
3 - hijackthis_20080207.log

I'm also attaching the files.
============================================================
1 - ComboFix_log.txt

ComboFix 08-02.05.3 - MAPepin 2008-02-07 13:27:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1589 [GMT -5:00]
Running from: C:\Documents and Settings\MAPepin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\MAPepin\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\LocalService\Application Data\1001789598.exe
C:\Documents and Settings\LocalService\Application Data\1035870398.exe
C:\lo-1538082432.exe
C:\lo-1679164330.exe
C:\lo-22980135.exe
C:\lo-513865536.exe
C:\lo1289083134.exe
C:\lo482396030.exe
C:\lo636569781.exe
C:\WINDOWS\atty.ico
C:\WINDOWS\browser.exe
C:\WINDOWS\SBCDSL.exe
C:\WINDOWS\system32\6to4svcq.exe
C:\WINDOWS\system32\accessw.dll
C:\WINDOWS\system32\accesswr.exe
C:\WINDOWS\system32\apiuser32.dll
C:\WINDOWS\system32\CbEvtSvc.exe
C:\WINDOWS\system32\CcEvtSvc.exe
C:\WINDOWS\system32\d3d9caps.dat
C:\WINDOWS\system32\DevMngr.vxd
C:\WINDOWS\system32\drivers\Hyw71.sys
C:\WINDOWS\system32\drivers\Ytt77.sys
C:\WINDOWS\system32\iepdforu.tmp
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\userini.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\accesswr.exe
C:\Documents and Settings\LocalService\Application Data\1001789598.exe
C:\Documents and Settings\LocalService\Application Data\1035870398.exe
C:\lo-1538082432.exe
C:\lo-1679164330.exe
C:\lo-22980135.exe
C:\lo-513865536.exe
C:\lo1289083134.exe
C:\lo482396030.exe
C:\lo636569781.exe
C:\WINDOWS\atty.ico
C:\WINDOWS\browser.exe
C:\WINDOWS\SBCDSL.exe
C:\WINDOWS\system32\6to4svcq.exe
C:\WINDOWS\system32\accessw.dll
C:\WINDOWS\system32\accesswr.exe
C:\WINDOWS\system32\apiuser32.dll
C:\WINDOWS\system32\CbEvtSvc.exe
C:\WINDOWS\system32\CcEvtSvc.exe
C:\WINDOWS\system32\d3d9caps.dat
C:\WINDOWS\system32\DevMngr.vxd
C:\WINDOWS\system32\drivers\Qxt58.sys
C:\WINDOWS\system32\drivers\symavc32.sys . . . . failed to delete
C:\WINDOWS\system32\drivers\Ytt77.sys
C:\WINDOWS\system32\drivers\YVT48.sys
C:\WINDOWS\system32\iepdforu.tmp
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\userini.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CBEVTSVC
-------\LEGACY_CCEVTSVC
-------\LEGACY_HYW71
-------\LEGACY_MCMSCSVCWEBCLIENT
-------\LEGACY_MSSQL$MSSMLBIZMESSENGER
-------\LEGACY_NLAMSSQL$MSSMLBIZ
-------\LEGACY_RDSESSMGRWSCSVC
-------\LEGACY_SAMSSDMSERVER
-------\LEGACY_SQLBROWSERIMAPISERVICE
-------\LEGACY_YTT77
-------\LEGACY_YVT48
-------\CbEvtSvc
-------\CcEvtSvc
-------\mcmscsvcWebClient
-------\MSSQL$MSSMLBIZMessenger
-------\NlaMSSQL$MSSMLBIZ
-------\RDSessMgrwscsvc
-------\SamSsdmserver
-------\SQLBrowserImapiService
-------\Ytt77


((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.

2008-02-07 10:16 . 2008-02-07 10:16 38,400 -r-hs---- C:\WINDOWS\system32\adsldpv.exe
2008-02-07 07:47 . 2008-02-07 07:50 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-02-07 07:29 . 2008-02-07 12:38 167,936 --a------ C:\WINDOWS\system32\drivers\symavc32.sys
2008-02-06 17:24 . 2008-02-06 17:24 <DIR> d-------- C:\Program Files\Java
2008-02-06 17:24 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-06 17:22 . 2008-02-06 17:22 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-06 14:30 . 2008-02-06 17:54 <DIR> d-------- C:\ComboFix_a
2008-02-06 14:21 . 2004-08-04 05:00 260,272 -r-hs---- C:\cmldr
2008-02-06 14:03 . 2008-02-07 10:16 32 --a-s---- C:\WINDOWS\system32\2316743137.dat
2008-02-06 14:00 . 2008-02-06 14:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-06 13:57 . 2008-02-06 14:06 <DIR> d-------- C:\SDFix
2008-02-05 14:21 . 2008-02-07 13:27 0 --a------ C:\reg.reg
2008-02-04 09:38 . 2008-02-06 08:50 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-02-04 09:18 . 2008-02-06 08:50 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-04 08:45 . 2008-02-04 08:45 376 --a------ C:\WINDOWS\ODBC.INI
2008-02-04 07:38 . 2008-02-06 08:53 <DIR> d-------- C:\Program Files\Opera
2008-02-01 12:02 . 2006-10-26 19:58 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2008-02-01 11:58 . 2008-02-01 11:58 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2008-02-01 11:58 . 2008-02-01 11:58 0 --a------ C:\WINDOWS\frontpg.ini
2008-02-01 10:56 . 2008-02-01 10:56 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-01 10:56 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-02-01 10:56 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-01-29 11:29 . 2008-02-06 13:03 <DIR> d-------- C:\Program Files\CCleaner
2008-01-29 10:57 . 2008-02-05 10:26 8,388,671 --a------ C:\WINDOWS\pfirewall.log.old
2008-01-29 08:15 . 2008-01-29 08:15 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\DivX
2008-01-29 08:01 . 2008-01-04 16:58 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-01-29 08:01 . 2008-01-04 16:58 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-01-29 08:00 . 2008-01-29 08:01 <DIR> d-------- C:\Program Files\DivX
2008-01-28 15:06 . 2008-01-28 15:06 <DIR> d-------- C:\Program Files\SIW
2008-01-28 13:20 . 2008-02-05 14:29 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\OpenOffice.org2
2008-01-28 12:27 . 2008-01-28 12:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-26 15:08 . 2008-01-26 15:08 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-01-26 14:20 . 2008-01-26 14:20 206 --a------ C:\WINDOWS\system32\MRT.INI
2008-01-26 13:11 . 2008-01-26 13:12 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-26 12:41 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-26 11:52 . 2008-01-26 12:44 <DIR> d-------- C:\Documents and Settings\MAPepin\.housecall6.6
2008-01-26 11:51 . 2008-01-26 11:51 <DIR> d-------- C:\WINDOWS\Sun
2008-01-26 11:36 . 2008-01-29 08:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-24 16:40 . 2008-01-29 07:52 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\XnView
2008-01-22 15:28 . 2008-02-06 08:52 <DIR> d-------- C:\Program Files\OpenOffice.org 2.3
2008-01-19 03:02 . 2006-08-21 04:14 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-19 03:02 . 2006-08-21 04:14 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-19 03:02 . 2006-08-21 07:21 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-19 03:01 . 2008-01-19 03:01 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-18 17:13 . 2008-01-18 17:13 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Monotype Imaging
2008-01-18 17:13 . 2008-01-18 17:13 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Dell
2008-01-18 16:43 . 2008-01-18 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-18 13:43 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-18 09:56 . 2008-01-18 09:56 <DIR> d---s---- C:\Documents and Settings\MAPepin\UserData
2008-01-18 08:51 . 2008-01-18 08:51 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\Monotype Imaging
2008-01-18 08:42 . 2008-01-18 08:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-18 08:33 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-18 08:33 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-18 08:33 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-18 07:39 . 2007-07-09 08:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-17 17:46 . 2008-01-18 09:05 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\Yahoo!
2008-01-17 17:44 . 2008-01-17 17:44 <DIR> d-------- C:\WINDOWS\Motive
2008-01-17 17:44 . 2008-01-17 17:45 <DIR> d-------- C:\Program Files\SBC Self Support Tool
2008-01-17 17:44 . 2008-01-17 17:44 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-01-17 17:44 . 2008-01-17 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-01-17 17:44 . 2005-05-10 01:36 81,920 --------- C:\WINDOWS\system32\W32n50.dll
2008-01-17 17:44 . 2005-05-10 01:36 17,162 --------- C:\WINDOWS\system32\Pcandis5.sys
2008-01-17 17:44 . 2005-05-10 01:36 16,848 --------- C:\WINDOWS\system32\Pcandis4.sys
2008-01-17 17:44 . 2005-05-10 01:36 16,073 --------- C:\WINDOWS\system32\Pcandis3.vxd
2008-01-17 17:42 . 2008-01-17 17:42 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\ScanSoft
2008-01-17 17:33 . 2008-01-18 14:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yahoo!
2008-01-17 17:33 . 2002-01-05 07:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-01-17 17:33 . 2002-01-05 06:18 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2008-01-17 17:33 . 2001-10-11 11:26 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
2008-01-17 17:11 . 2008-01-17 17:46 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-17 17:07 . 2008-01-17 17:07 <DIR> d-------- C:\Program Files\BroadJump
2008-01-17 16:41 . 2008-01-17 16:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Monotype Imaging
2008-01-17 16:41 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-17 16:41 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2008-01-17 16:41 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-17 16:41 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-17 16:21 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-01-17 16:21 . 2008-01-17 16:21 4,128 --a------ C:\INFCACHE.1
2008-01-17 15:55 . 2001-08-17 13:58 19,200 --a------ C:\WINDOWS\system32\drivers\hidbatt.sys
2008-01-17 15:55 . 2001-08-17 13:58 19,200 --a------ C:\WINDOWS\system32\dllcache\hidbatt.sys
2008-01-17 15:55 . 2001-08-17 13:57 14,080 --a------ C:\WINDOWS\system32\drivers\battc.sys
2008-01-17 15:55 . 2001-08-17 13:57 14,080 --a------ C:\WINDOWS\system32\dllcache\battc.sys
2008-01-17 15:55 . 2001-08-17 13:58 9,344 --a------ C:\WINDOWS\system32\drivers\compbatt.sys
2008-01-17 15:55 . 2001-08-17 13:58 9,344 --a------ C:\WINDOWS\system32\dllcache\compbatt.sys
2008-01-17 14:42 . 2008-01-15 22:27 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\InstallShield
2008-01-17 14:41 . 2008-01-15 22:27 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\InstallShield
2008-01-17 14:34 . 2004-08-03 23:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-17 14:34 . 2001-08-17 14:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-17 14:34 . 2001-08-17 15:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-17 14:34 . 2008-01-17 14:34 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-01-15 22:45 . 2008-01-15 22:45 61 --a------ C:\WINDOWS\smscfg.ini
2008-01-15 22:42 . 2008-02-01 15:00 <DIR> d-------- C:\Program Files\Microsoft Small Business
2008-01-15 22:40 . 2008-01-19 03:06 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-01-15 22:36 . 2008-01-30 08:35 <DIR> d-------- C:\Program Files\Google
2008-01-15 22:36 . 2008-01-15 22:36 <DIR> d-------- C:\Program Files\BAE
2008-01-15 22:36 . 2008-02-07 12:30 17,611 --a------ C:\WINDOWS\system32\Config.MPF
2008-01-15 22:35 . 2008-01-15 22:35 <DIR> d-------- C:\Program Files\McAfee.com
2008-01-15 22:35 . 2008-01-15 22:35 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-15 22:35 . 2007-07-21 10:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-15 22:35 . 2006-03-03 12:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 03:08 6,903 ----a-w C:\WINDOWS\system32\drivers\1028_Dell_OPT_755.mrk
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-06-28 16:21 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-06-28 16:21 162328]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-06-28 16:21 137752]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 10:03 210472]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-03-14 12:31 30248]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-03-14 12:29 46632]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-26 20:03 178712]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 17:15 81920]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 10:00 1116920]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 18:23 118784]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 23:46 624248]
"Acrobat Speed Launch"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 02:40 46200]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"MFPMonitor"="C:\WINDOWS\twain_32\DELL\MFP1125\Monitor\Stsmon.exe" [2007-07-22 16:10 2002944]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 07:51 442455]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 20:12 1036288]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2008-01-17 17:44:25 217088]

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 11:35]
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2007-01-23 04:58]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" [2007-02-10 05:29]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 06:00]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
S2 SSDPSRVBITS;SSDP Discovery Service SSDPSRVBITS;C:\WINDOWS\system32\1041a.exe srv []
S2 upnphostPolicyAgent;Universal Plug and Play Device Host upnphostPolicyAgent;C:\WINDOWS\system32\adsldpv.exe srv []
S2 WmiApSrvaspnet_state;WMI Performance Adapter WmiApSrvaspnet_state;C:\WINDOWS\system32\AlertAppg.exe srv []
S3 AsfAlrt;AsfAlrt Service;C:\WINDOWS\system32\Drivers\AsfAlrt.sys [2007-01-23 04:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{814033b0-c88b-11dc-b481-001aa0ea5509}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9168a98-d3f9-11dc-b497-001aa0ea5509}]
\Shell\AutoRun\command - E:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-16 03:35:09 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-16 03:35:08 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 13:29:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-07 13:31:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-07 18:31:03
ComboFix2.txt 2008-02-06 19:35:39
.
2008-02-05 22:14:06 --- E O F ---

============================================================
2 - mbam-log-2-7-2008 (13-35-58).txt

Malwarebytes' Anti-Malware 1.02
Database version: 325

Scan type: Quick Scan
Objects scanned: 21849
Time elapsed: 1 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c145cf11-124f-3562-44ac-e685d962c63c} (Trojan.Alphabet) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\symavc32.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

============================================================
3 - hijackthis_20080207.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:37 PM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\twain_32\DELL\MFP1125\Monitor\Stsmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=0080115
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Acrobat Speed Launch] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [MFPMonitor] C:\WINDOWS\twain_32\DELL\MFP1125\Monitor\Stsmon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.delex.com
O15 - Trusted Zone: *.longwaveinc.com
O15 - Trusted Zone: *.navy.mil
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... ase370.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SSDP Discovery Service SSDPSRVBITS (SSDPSRVBITS) - Unknown owner - C:\WINDOWS\system32\1041a.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Universal Plug and Play Device Host upnphostPolicyAgent (upnphostPolicyAgent) - Unknown owner - C:\WINDOWS\system32\adsldpv.exe
O23 - Service: WMI Performance Adapter WmiApSrvaspnet_state (WmiApSrvaspnet_state) - Unknown owner - C:\WINDOWS\system32\AlertAppg.exe (file missing)

--
End of file - 10958 bytes

============================================================



Thank you

Mike
MAPepin
Regular Member
 
Posts: 23
Joined: January 28th, 2008, 11:37 am
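
The three O23 entries at the end of the log above share the same red flags: an owner of "Unknown owner", a binary under system32 with a throwaway name (two of them already "(file missing)"), and a display name that is a real Windows service name with the rogue short name pasted onto the end. A small triage script, added here as an example and not part of HijackThis or of the helper's instructions, that parses O23 lines and reports exactly those flags (the sample lines are copied from the log above; the list of imitated Windows service names is taken from the same lines):

```python
import re

# Display names of the legitimate Windows XP services that the three rogue
# entries in the log above imitate (taken from the log itself).
KNOWN_DISPLAY_NAMES = (
    "SSDP Discovery Service",
    "Universal Plug and Play Device Host",
    "WMI Performance Adapter",
)

# O23 layout: "O23 - Service: <display> (<short>) - <owner> - <path> [(file missing)]"
# The "(<short>)" part is absent for some services, so it is optional.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Constructed sample: five O23 lines copied from the HijackThis log above,
# two legitimate vendor services kept for contrast.
SAMPLE_LOG = r"""
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: SSDP Discovery Service SSDPSRVBITS (SSDPSRVBITS) - Unknown owner - C:\WINDOWS\system32\1041a.exe (file missing)
O23 - Service: Universal Plug and Play Device Host upnphostPolicyAgent (upnphostPolicyAgent) - Unknown owner - C:\WINDOWS\system32\adsldpv.exe
O23 - Service: WMI Performance Adapter WmiApSrvaspnet_state (WmiApSrvaspnet_state) - Unknown owner - C:\WINDOWS\system32\AlertAppg.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
"""


def parse_o23(line):
    """Split one O23 line into its fields; return None for any other line type."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {
        "display": m["display"],
        "short": m["short"] or m["display"],
        "owner": m["owner"],
        "path": m["path"],
        "missing": m["missing"] is not None,
    }


def flags_for(svc):
    """The red flags a helper looks for when reading an O23 entry."""
    flags = []
    if svc["owner"] == "Unknown owner":
        flags.append("unknown-owner")
    if svc["missing"]:
        flags.append("file-missing")
    for name in KNOWN_DISPLAY_NAMES:
        # A real service name with extra text appended is the imitation pattern.
        if svc["display"] != name and svc["display"].startswith(name):
            flags.append("padded-name:" + name)
    return flags


def triage_o23(log_text):
    """Parse every O23 line in a HijackThis log and attach its flags."""
    results = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is not None:
            svc["flags"] = flags_for(svc)
            results.append(svc)
    return results


def suspicious_services(log_text):
    """Only the O23 entries that carry at least one flag."""
    return [svc for svc in triage_o23(log_text) if svc["flags"]]


if __name__ == "__main__":
    for svc in suspicious_services(SAMPLE_LOG):
        print(svc["short"], svc["path"], ", ".join(svc["flags"]))
```

The "padded name" check is the one worth keeping: "Unknown owner" alone also matches plenty of harmless unsigned third-party services, but a display name that begins with a genuine Windows service name and then carries on is not how Windows names anything.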

Re: HELP- I think something has taken over my computer!

Unread postby Simon V. » February 7th, 2008, 3:31 pm

Hi :)

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

KillAll::

File::

C:\WINDOWS\system32\adsldpv.exe
C:\WINDOWS\system32\drivers\symavc32.sys

Driver::

SSDPSRVBITS
upnphostPolicyAgent
WmiApSrvaspnet_state

FileLook::

C:\WINDOWS\twain_32\DELL\MFP1125\Monitor\Stsmon.exe


Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Close any open windows.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

[Image: screenshot showing CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Post it in your next reply.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: HELP- I think something has taken over my computer!

Unread postby MAPepin » February 7th, 2008, 4:09 pm

It worked fine.

Here's the ComboFix log and I ran HJT so here's that log, too.

=============================================
ComboFix_log(2).txt

ComboFix 08-02.05.3 - MAPepin 2008-02-07 15:00:31.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1568 [GMT -5:00]
Running from: C:\Documents and Settings\MAPepin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\MAPepin\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\adsldpv.exe
C:\WINDOWS\system32\drivers\symavc32.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\adsldpv.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SSDPSRVBITS
-------\LEGACY_UPNPHOSTPOLICYAGENT
-------\LEGACY_WMIAPSRVASPNET_STATE
-------\SSDPSRVBITS
-------\upnphostPolicyAgent
-------\WmiApSrvaspnet_state


((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.

2008-02-07 14:17 . 2008-02-07 14:17 <DIR> d-------- C:\Program Files\Common Files\NSV
2008-02-07 14:16 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-02-07 14:16 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-02-07 14:16 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-02-07 14:16 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2008-02-07 14:12 . 2008-02-07 14:13 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-02-07 14:12 . 2008-02-07 14:13 <DIR> d-------- C:\Program Files\Winamp
2008-02-07 14:12 . 2008-02-07 14:53 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\Winamp
2008-02-07 13:33 . 2008-02-07 13:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-07 13:33 . 2008-02-07 13:33 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\Malwarebytes
2008-02-07 13:33 . 2008-02-07 13:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-07 07:47 . 2008-02-07 07:50 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-02-06 17:52 . 2004-08-04 06:00 388,608 --a------ C:\kmd.exe
2008-02-06 17:24 . 2008-02-06 17:24 <DIR> d-------- C:\Program Files\Java
2008-02-06 17:24 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-06 17:22 . 2008-02-06 17:22 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-06 14:30 . 2008-02-06 17:54 <DIR> d-------- C:\ComboFix_a
2008-02-06 14:21 . 2004-08-04 05:00 260,272 -r-hs---- C:\cmldr
2008-02-06 14:03 . 2008-02-07 10:16 32 --a-s---- C:\WINDOWS\system32\2316743137.dat
2008-02-06 14:00 . 2008-02-06 14:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-06 13:57 . 2008-02-06 14:06 <DIR> d-------- C:\SDFix
2008-02-05 14:21 . 2008-02-07 13:27 0 --a------ C:\reg.reg
2008-02-04 09:38 . 2008-02-06 08:50 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-02-04 09:18 . 2008-02-06 08:50 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-04 08:45 . 2008-02-04 08:45 376 --a------ C:\WINDOWS\ODBC.INI
2008-02-04 07:38 . 2008-02-06 08:53 <DIR> d-------- C:\Program Files\Opera
2008-02-01 12:02 . 2006-10-26 19:58 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2008-02-01 11:58 . 2008-02-01 11:58 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2008-02-01 11:58 . 2008-02-01 11:58 0 --a------ C:\WINDOWS\frontpg.ini
2008-02-01 10:56 . 2008-02-01 10:56 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-01 10:56 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-02-01 10:56 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-01-29 11:29 . 2008-02-06 13:03 <DIR> d-------- C:\Program Files\CCleaner
2008-01-29 10:57 . 2008-02-05 10:26 8,388,671 --a------ C:\WINDOWS\pfirewall.log.old
2008-01-29 08:15 . 2008-01-29 08:15 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\DivX
2008-01-29 08:01 . 2008-01-04 16:58 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-01-29 08:01 . 2008-01-04 16:58 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-01-29 08:00 . 2008-01-29 08:01 <DIR> d-------- C:\Program Files\DivX
2008-01-28 15:06 . 2008-01-28 15:06 <DIR> d-------- C:\Program Files\SIW
2008-01-28 13:20 . 2008-02-05 14:29 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\OpenOffice.org2
2008-01-28 12:27 . 2008-01-28 12:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-26 15:08 . 2008-01-26 15:08 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-01-26 14:20 . 2008-01-26 14:20 206 --a------ C:\WINDOWS\system32\MRT.INI
2008-01-26 13:11 . 2008-01-26 13:12 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-26 12:41 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-26 11:52 . 2008-01-26 12:44 <DIR> d-------- C:\Documents and Settings\MAPepin\.housecall6.6
2008-01-26 11:51 . 2008-01-26 11:51 <DIR> d-------- C:\WINDOWS\Sun
2008-01-26 11:36 . 2008-01-29 08:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-24 16:40 . 2008-01-29 07:52 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\XnView
2008-01-22 15:28 . 2008-02-06 08:52 <DIR> d-------- C:\Program Files\OpenOffice.org 2.3
2008-01-19 03:02 . 2006-08-21 04:14 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-19 03:02 . 2006-08-21 04:14 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-19 03:02 . 2006-08-21 07:21 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-19 03:01 . 2008-01-19 03:01 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-18 17:13 . 2008-01-18 17:13 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Monotype Imaging
2008-01-18 17:13 . 2008-01-18 17:13 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Dell
2008-01-18 16:43 . 2008-01-18 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-18 13:43 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-18 09:56 . 2008-01-18 09:56 <DIR> d---s---- C:\Documents and Settings\MAPepin\UserData
2008-01-18 08:51 . 2008-01-18 08:51 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\Monotype Imaging
2008-01-18 08:42 . 2008-01-18 08:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-18 08:33 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-18 08:33 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-18 08:33 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-18 07:39 . 2007-07-09 08:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-17 17:46 . 2008-01-18 09:05 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\Yahoo!
2008-01-17 17:44 . 2008-01-17 17:44 <DIR> d-------- C:\WINDOWS\Motive
2008-01-17 17:44 . 2008-01-17 17:45 <DIR> d-------- C:\Program Files\SBC Self Support Tool
2008-01-17 17:44 . 2008-01-17 17:44 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-01-17 17:44 . 2008-01-17 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-01-17 17:44 . 2005-05-10 01:36 81,920 --------- C:\WINDOWS\system32\W32n50.dll
2008-01-17 17:44 . 2005-05-10 01:36 17,162 --------- C:\WINDOWS\system32\Pcandis5.sys
2008-01-17 17:44 . 2005-05-10 01:36 16,848 --------- C:\WINDOWS\system32\Pcandis4.sys
2008-01-17 17:44 . 2005-05-10 01:36 16,073 --------- C:\WINDOWS\system32\Pcandis3.vxd
2008-01-17 17:42 . 2008-01-17 17:42 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\ScanSoft
2008-01-17 17:33 . 2008-01-18 14:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yahoo!
2008-01-17 17:33 . 2002-01-05 07:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-01-17 17:33 . 2002-01-05 06:18 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2008-01-17 17:33 . 2001-10-11 11:26 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
2008-01-17 17:11 . 2008-01-17 17:46 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-17 17:07 . 2008-01-17 17:07 <DIR> d-------- C:\Program Files\BroadJump
2008-01-17 16:41 . 2008-01-17 16:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Monotype Imaging
2008-01-17 16:41 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-17 16:41 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2008-01-17 16:41 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-17 16:41 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-17 16:21 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-01-17 16:21 . 2008-01-17 16:21 4,128 --a------ C:\INFCACHE.1
2008-01-17 15:55 . 2001-08-17 13:58 19,200 --a------ C:\WINDOWS\system32\drivers\hidbatt.sys
2008-01-17 15:55 . 2001-08-17 13:58 19,200 --a------ C:\WINDOWS\system32\dllcache\hidbatt.sys
2008-01-17 15:55 . 2001-08-17 13:57 14,080 --a------ C:\WINDOWS\system32\drivers\battc.sys
2008-01-17 15:55 . 2001-08-17 13:57 14,080 --a------ C:\WINDOWS\system32\dllcache\battc.sys
2008-01-17 15:55 . 2001-08-17 13:58 9,344 --a------ C:\WINDOWS\system32\drivers\compbatt.sys
2008-01-17 15:55 . 2001-08-17 13:58 9,344 --a------ C:\WINDOWS\system32\dllcache\compbatt.sys
2008-01-17 14:42 . 2008-01-15 22:27 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\InstallShield
2008-01-17 14:41 . 2008-01-15 22:27 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\InstallShield
2008-01-17 14:34 . 2004-08-03 23:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-17 14:34 . 2001-08-17 14:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-17 14:34 . 2001-08-17 15:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-17 14:34 . 2008-01-17 14:34 8,192 --a------ C:\WINDOWS\REGLOCS.OLD

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 03:08 6,903 ----a-w C:\WINDOWS\system32\drivers\1028_Dell_OPT_755.mrk
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- C:\WINDOWS\twain_32\DELL\MFP1125\Monitor\Stsmon.exe ----

Company: Dell Corporation.
File Description: Dell MFP 1125 Stsmon.exe(English)
File Version: 1, 1, 0, 0
Product Name: Dell MFP 1125
Copyright: Copyright (C) 2007 Dell Corporation. All Rights Reserved.
Original file name: Stsmon.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-06-28 16:21 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-06-28 16:21 162328]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-06-28 16:21 137752]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 10:03 210472]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-03-14 12:31 30248]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-03-14 12:29 46632]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-26 20:03 178712]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 17:15 81920]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 10:00 1116920]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 18:23 118784]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 23:46 624248]
"Acrobat Speed Launch"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 02:40 46200]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"MFPMonitor"="C:\WINDOWS\twain_32\DELL\MFP1125\Monitor\Stsmon.exe" [2007-07-22 16:10 2002944]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 07:51 442455]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 20:12 1036288]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 17:54 37376]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2008-01-17 17:44:25 217088]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 11:35]
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2007-01-23 04:58]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" [2007-02-10 05:29]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 06:00]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
S3 AsfAlrt;AsfAlrt Service;C:\WINDOWS\system32\Drivers\AsfAlrt.sys [2007-01-23 04:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{814033b0-c88b-11dc-b481-001aa0ea5509}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9168a98-d3f9-11dc-b497-001aa0ea5509}]
\Shell\AutoRun\command - E:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

*Newly Created Service* - UMWDF
.
Contents of the 'Scheduled Tasks' folder
"2008-01-16 03:35:09 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-16 03:35:08 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 15:02:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe
.
**************************************************************************
.
Completion time: 2008-02-07 15:03:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-07 20:03:48
ComboFix2.txt 2008-02-07 18:31:07
ComboFix3.txt 2008-02-06 19:35:39
.
2008-02-05 22:14:06 --- E O F ---




=============================================
hijackthis-20080207(2).log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:04 PM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\twain_32\DELL\MFP1125\Monitor\Stsmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=0080115
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Acrobat Speed Launch] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [MFPMonitor] C:\WINDOWS\twain_32\DELL\MFP1125\Monitor\Stsmon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.delex.com
O15 - Trusted Zone: *.longwaveinc.com
O15 - Trusted Zone: *.navy.mil
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... ase370.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10602 bytes



=============================================
MAPepin
Regular Member
 
Posts: 23
Joined: January 28th, 2008, 11:37 am

Re: HELP- I think something has taken over my computer!

Unread postby Simon V. » February 7th, 2008, 4:30 pm

Hi :)

One last thing:

Copy the text below into a Notepad (Go to Start > Run, type Notepad and hit Enter) document:

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



Note: Make sure there is no blank line before REGEDIT4 and one blank line at the end.

Go to File > Save As.... Save the file as "Fix.reg" (including the quotes).

Double-click on Fix.reg. When asked if you want to merge the file with the registry, click Yes.

Delete Fix.reg and restart your computer.

In your next reply, please let me know how your computer is currently running.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
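
The reason this value was listed in the ComboFix log above is visible in that line: it ends in a comma, so the list of security-provider DLLs contains an empty entry, and Fix.reg writes the plain four-DLL value back. Because this key is also a classic place to append a malicious DLL that every process doing authentication then loads, it is worth checking against an allowlist rather than just re-writing. The following check is an added example, not part of the helper's instructions; the expected DLL list is the one in Fix.reg above (a Windows XP SP2 default), and reading the live value only works on Windows:

```python
import sys

# The four providers Fix.reg above writes back (Windows XP SP2 default).
# Other Windows versions ship a different default list; adjust before reuse.
EXPECTED_PROVIDERS = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")

# Registry location from the ComboFix log and from Fix.reg above.
PROVIDERS_KEY = r"SYSTEM\CurrentControlSet\Control\SecurityProviders"

# Constructed sample values: the first is the one ComboFix logged (note the
# trailing comma), the second is what Fix.reg writes.
LOGGED_VALUE = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"
FIXED_VALUE = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


def parse_providers(value):
    """Split the comma-separated REG_SZ into normalised DLL names (empties kept)."""
    return [entry.strip().lower() for entry in value.split(",")]


def check_security_providers(value):
    """Compare a SecurityProviders value against the expected list."""
    entries = parse_providers(value)
    return {
        "empty_entries": entries.count(""),
        "unexpected": [e for e in entries if e and e not in EXPECTED_PROVIDERS],
        "missing": [e for e in EXPECTED_PROVIDERS if e not in entries],
    }


def is_clean(value):
    report = check_security_providers(value)
    return not (report["empty_entries"] or report["unexpected"] or report["missing"])


def read_live_value():
    """Read the live value from HKLM; returns None when not running on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PROVIDERS_KEY) as key:
        value, _kind = winreg.QueryValueEx(key, "SecurityProviders")
    return value


if __name__ == "__main__":
    live = read_live_value()
    for label, value in (("logged", LOGGED_VALUE), ("fixed", FIXED_VALUE), ("live", live)):
        if value is not None:
            print(label, "clean" if is_clean(value) else check_security_providers(value))
```

An "unexpected" entry is the finding to act on; an empty entry, as in the logged value, is the lesser problem and is what the Fix.reg above repairs.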

Re: HELP- I think something has taken over my computer!

Unread postby MAPepin » February 7th, 2008, 4:46 pm

Everything seems to be running fine, now.

Thank you very much

Mike
MAPepin
Regular Member
 
Posts: 23
Joined: January 28th, 2008, 11:37 am

Re: HELP- I think something has taken over my computer!

Unread postby Simon V. » February 7th, 2008, 5:12 pm

MAPepin wrote:Everything seems to be running fine, now.

That's good to hear :) Here are some tips to keep your computer clean in the future:

Click Start then Run....

  • Type Combofix /u in the runbox and click OK. (Note: The space between the x and the /u needs to be there)

    [Image: the Run box with "Combofix /u" typed in]

  • This will uninstall Combofix.

Make your Internet Explorer More Secure

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.

    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.

  • Next press the Apply button and then the OK to exit the Internet Properties page.

Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install WinPatrol - An excellent startup manager, notifies you if programs are added to startup, allows delayed startup, ... A must have! An installation guide can be found here: http://www.winpatrol.com/download.html

Install Spybot - Search and Destroy - You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here (do not install TeaTimer): http://www.bleepingcomputer.com/tutoria ... ial43.html

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial can be found here: http://www.bleepingcomputer.com/tutoria ... ial49.html

Install IE-Spyad - IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here: http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD

Update All Your Security Programs Regularly - Make sure you update all your security programs (Anti-Virus, Firewall, Anti-Spyware) regularly (once a week, at least). Without regular updates you WILL NOT be protected when new malicious programs are released.

You can also read this excellent article by TonyKlein: So how did I get infected in the first place?

Follow this list and your potential for being infected again will reduce dramatically.

Stand Up and Be Counted! - Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. You have to be registered to post. After registering just find your country room and register your complaint. The infections you had were several backdoor trojans.
Simon V.
MRU Emeritus
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
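The Custom Level steps and the IE-Spyad recommendation in Simon V.'s post above both come down to registry values under the current user's Internet Settings key. The PowerShell script below is an added example and is not code from the original thread or from any of the tools it names. It audits and then applies the six recommended Internet-zone settings, places a placeholder domain (bad.example, an assumption, not a site from any real block list) in the Restricted sites zone the way IE-Spyad does for its list, and verifies the result. The value names (1001, 1004, 1201, 1607, 1800, 1804) and the meanings 0 = Enable, 1 = Prompt, 3 = Disable are Microsoft's documented zone-setting entries. One caveat: if Internet Explorer security zones are managed by Group Policy, the policy keys take precedence and these per-user values are ignored or overwritten, which is also why the Custom Level dialog is greyed out on such machines.

```powershell
# Added example (not from the original thread): apply the Internet-zone
# Custom Level settings recommended above through the registry, add a
# domain to the Restricted sites zone the way IE-Spyad does, and verify.
# Paths and value names are the documented Internet Explorer zone entries
# (Zones\3 is the Internet zone; ZoneMap\Domains holds per-site assignments).
# Settings: 0 = Enable, 1 = Prompt, 3 = Disable. Runs unelevated: everything
# here lives under HKCU and affects only the current user.

$InternetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$DomainMap    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Dialog label -> registry value name (Reg) and the setting the post asks for (Want).
$Desired = @{
    'Download signed ActiveX controls'                          = @{ Reg = '1001'; Want = 1 }  # Prompt
    'Download unsigned ActiveX controls'                        = @{ Reg = '1004'; Want = 3 }  # Disable
    'Initialise and script ActiveX controls not marked as safe' = @{ Reg = '1201'; Want = 3 }  # Disable
    'Installation of desktop items'                             = @{ Reg = '1800'; Want = 1 }  # Prompt
    'Launching programs and files in an IFRAME'                 = @{ Reg = '1804'; Want = 1 }  # Prompt
    'Navigate sub-frames across different domains'              = @{ Reg = '1607'; Want = 1 }  # Prompt
}

$SettingName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting {
    param([string]$ValueName)
    # A missing value means the zone's template default applies; report that as $null.
    $item = Get-ItemProperty -Path $InternetZone -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-ZoneSetting {
    param([string]$ValueName, [int]$Setting)
    Set-ItemProperty -Path $InternetZone -Name $ValueName -Value $Setting -Type DWord
}

# Pass 1: audit. Show what is there before touching anything.
foreach ($entry in $Desired.GetEnumerator()) {
    $current = Get-ZoneSetting -ValueName $entry.Value.Reg
    $label = if ($null -eq $current) { 'not set (template default)' } else { $SettingName[$current] }
    '{0,-58} current: {1}' -f $entry.Key, $label
}

# Pass 2: apply, changing only the values that differ from the recommendation.
foreach ($entry in $Desired.GetEnumerator()) {
    $want = $entry.Value.Want
    if ((Get-ZoneSetting -ValueName $entry.Value.Reg) -ne $want) {
        Set-ZoneSetting -ValueName $entry.Value.Reg -Setting $want
        '{0,-58} set to {1}' -f $entry.Key, $SettingName[$want]
    }
}

# Restricted-sites assignment, the mechanism IE-Spyad relies on: a DWORD named
# '*' (all URL schemes) with value 4 under ZoneMap\Domains\<domain> places the
# domain in the Restricted sites zone. 'bad.example' is a placeholder.
function Add-RestrictedDomain {
    param([string]$Domain)
    $key = Join-Path $DomainMap $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '*' -Value 4 -Type DWord
}

Add-RestrictedDomain -Domain 'bad.example'

# Pass 3: verify. Anything still wrong is reported; a clean run prints no warnings.
foreach ($entry in $Desired.GetEnumerator()) {
    if ((Get-ZoneSetting -ValueName $entry.Value.Reg) -ne $entry.Value.Want) {
        Write-Warning ("{0} is not at the recommended setting" -f $entry.Key)
    }
}
if ((Get-ItemProperty -Path (Join-Path $DomainMap 'bad.example') -Name '*').'*' -ne 4) {
    Write-Warning 'bad.example was not placed in the Restricted sites zone'
}
```

Running the audit pass alone (comment out passes 2 and 3) is a quick way to check a machine you are cleaning: a value of 0 on 1004 or 1201 in the Internet zone is exactly the condition that lets a drive-by page install and script an ActiveX control without asking, and it is a setting some infections lower on purpose.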

Re: HELP- I think something has taken over my computer!

Unread postby Gary R » February 12th, 2008, 3:45 pm

This topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Gary R
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire