
Help - this is my hijackthis file -- thank you


Unread postby sooner1948 » February 21st, 2008, 9:03 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:21:46 PM, on 2/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
c:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC12.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [2857260e] rundll32.exe "C:\WINDOWS\system32\daienwbf.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} (OBXViewer Control) - http://ciserver.comfedcu.org/onbase//Ap ... Viewer.cab
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - c:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6067 bytes
sooner1948
Regular Member
 
Posts: 17
Joined: February 21st, 2008, 8:28 pm

Re: Help - this is my hijackthis file -- thank you

Unread postby dan12 » February 22nd, 2008, 12:21 pm

Hi, sooner1948, and welcome to malwareremoval forums

I'm dan12, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.
It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Help - this is my hijackthis file -- thank you

Unread postby dan12 » February 22nd, 2008, 12:29 pm

I believe we have some files hiding from us; we're going to flush them out.

Please go to the C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on the HijackThis.exe file and select "Rename". Rename it removal.exe.

Then run HijackThis again and post a new log please.

Thanks dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Help - this is my hijackthis file -- thank you

Unread postby sooner1948 » February 22nd, 2008, 1:05 pm

hello dan - here is the new log

Note that I did add the Scottie program from Nelllie's blog since the previous log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:46 AM, on 2/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
c:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Removal.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: {049fb6e3-a5f2-17bb-ada4-6d379d103b5d} - {d5b301d9-73d6-4ada-bb71-2f5a3e6bf940} - C:\WINDOWS\system32\pckogewa.dll
O2 - BHO: (no name) - {E0E964EC-A563-47DA-B37E-A2D29043BED8} - C:\WINDOWS\system32\awtsr.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [BM2b641592] Rundll32.exe "C:\WINDOWS\system32\ewoomvqh.dll",s
O4 - HKLM\..\Run: [2857260e] rundll32.exe "C:\WINDOWS\system32\hbbnrrep.dll",b
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} (OBXViewer Control) - http://ciserver.comfedcu.org/onbase//Ap ... Viewer.cab
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - c:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7221 bytes
sooner1948
Regular Member
 
Posts: 17
Joined: February 21st, 2008, 8:28 pm
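The rename step the helper asked for rests on one idea: an entry that is absent while the tool runs under its usual filename but present once it runs as removal.exe was being hidden from the tool, so the two logs above are meant to be read side by side. The script below is an added example, not code from this thread or from Trend Micro's HijackThis: it diffs two HijackThis logs, reports Run values whose target changed between them, and flags the entry shapes the helper acts on here (rundll32 starting a random-looking system32 DLL through a one-letter export, hex-looking Run value names, BHOs with no descriptive name in system32, and orphaned "(no file)" entries). The two log excerpts are constructed from the logs posted above; the heuristics and function names are this example's own assumptions.

```python
"""Diff two HijackThis logs and triage the autostart entries that appear.

Added example: not code from this thread or from Trend Micro's HijackThis.
Log excerpts are constructed from the logs posted in the thread; the
heuristics and function names are this example's own assumptions.
"""
import re

# Constructed excerpt of the first log (tool still running as HijackThis.exe).
LOG_BEFORE = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [2857260e] rundll32.exe "C:\WINDOWS\system32\daienwbf.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed excerpt of the second log (same tool renamed to removal.exe).
LOG_AFTER = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: {049fb6e3-a5f2-17bb-ada4-6d379d103b5d} - {d5b301d9-73d6-4ada-bb71-2f5a3e6bf940} - C:\WINDOWS\system32\pckogewa.dll
O2 - BHO: (no name) - {E0E964EC-A563-47DA-B37E-A2D29043BED8} - C:\WINDOWS\system32\awtsr.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [BM2b641592] Rundll32.exe "C:\WINDOWS\system32\ewoomvqh.dll",s
O4 - HKLM\..\Run: [2857260e] rundll32.exe "C:\WINDOWS\system32\hbbnrrep.dll",b
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUNDLL_RE = re.compile(r'^rundll32\.exe\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S*)$', re.I)
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\(?P<file>[^\\]+)$", re.I)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,8}$")       # 5-8 lowercase letters with no meaning
HEX_NAME_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$")  # value names such as 2857260e or BM2b641592


def parse_entries(text):
    """Return (section, body) for every HijackThis entry line in the log text."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("sec"), m.group("body")))
    return out


def assess(section, body):
    """Heuristic reasons an entry deserves a closer look; an empty list means nothing noted."""
    reasons = []
    if section == "O4":
        m = RUN_RE.match(body)
        if m:
            if HEX_NAME_RE.match(m.group("name")):
                reasons.append("Run value name looks machine-generated")
            r = RUNDLL_RE.match(m.group("cmd"))
            s = SYSTEM32_RE.match(r.group("dll")) if r else None
            if s and RANDOM_STEM_RE.match(s.group("file")[:-4]) and len(r.group("export")) == 1:
                reasons.append("rundll32 loads a random-looking system32 DLL through a one-letter export")
    elif section == "O2":
        m = BHO_RE.match(body)
        nameless = m and (m.group("name") == "(no name)" or GUID_RE.match(m.group("name")))
        if nameless and SYSTEM32_RE.match(m.group("path")):
            reasons.append("BHO with no descriptive name loading from system32")
    elif section in ("O3", "O9") and body.endswith("(no file)"):
        reasons.append("orphaned entry: registered but no file on disk")
    return reasons


def new_entries(before, after):
    """Entries present only in the second log: what the renamed tool could now see."""
    seen = {f"{s} - {b}".lower() for s, b in parse_entries(before)}
    return [(s, b) for s, b in parse_entries(after) if f"{s} - {b}".lower() not in seen]


def run_values(text):
    """Map (hive, value name) -> command for every O4 Run entry in the log."""
    vals = {}
    for sec, body in parse_entries(text):
        m = RUN_RE.match(body) if sec == "O4" else None
        if m:
            vals[(m.group("hive"), m.group("name").lower())] = m.group("cmd")
    return vals


def changed_targets(before, after):
    """Run values found in both logs whose command differs (e.g. the DLL name rotated)."""
    b, a = run_values(before), run_values(after)
    return {k: (b[k], a[k]) for k in a if k in b and a[k].lower() != b[k].lower()}


def triage(before, after):
    """Bundle the three views a helper wants: revealed entries, changed targets, flagged entries."""
    flagged = []
    for s, b in parse_entries(after):
        reasons = assess(s, b)
        if reasons:
            flagged.append((s, b, reasons))
    return {"revealed": new_entries(before, after),
            "changed": changed_targets(before, after),
            "flagged": flagged}


if __name__ == "__main__":
    result = triage(LOG_BEFORE, LOG_AFTER)
    for key in ("revealed", "changed", "flagged"):
        print(f"== {key} ==")
        items = result[key].items() if key == "changed" else result[key]
        for item in items:
            print(" ", item)
```

Two design points follow from the logs themselves. A plain line diff is not enough, because the `2857260e` value exists in both logs but points at a different DLL in each, so `changed_targets` keys Run entries by hive and value name and reports the command change separately. And a "revealed" entry is not automatically bad: WinPatrol is new in the second log only because the poster installed it between scans, which is why `assess` runs over every entry in the later log rather than only over the diff.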

Re: Help - this is my hijackthis file -- thank you

Unread postby dan12 » February 22nd, 2008, 1:34 pm

Hi, sooner1948


Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofi ... e-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouse-click combofix's window while it's running. That may cause it to stall.


dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Help - this is my hijackthis file -- thank you

Unread postby sooner1948 » February 22nd, 2008, 1:58 pm

here is my combofix file

ComboFix 08-02-22.3 - Gary Kueter 2008-02-22 11:46:14.1 - NTFSx86
Running from: C:\Documents and Settings\Gary Kueter\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Gary Kueter\Application Data\ShoppingReport
C:\Documents and Settings\Gary Kueter\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Gary Kueter\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\Gary Kueter\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\Gary Kueter\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\Gary Kueter\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\Gary Kueter\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\Gary Kueter\Application Data\ShoppingReport\cs\res2\WhiteList.dbs
C:\Temp\isgTi19
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\awtsr.dll
C:\WINDOWS\system32\daienwbf.dll
C:\WINDOWS\system32\duyifdbm.dll
C:\WINDOWS\system32\ewoomvqh.dll
C:\WINDOWS\system32\fbwneiad.ini
C:\WINDOWS\system32\hbbnrrep.dll
C:\WINDOWS\system32\jiqycdyt.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pckogewa.dll
C:\WINDOWS\system32\perrnbbh.ini
C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\rstwa.ini2

.
((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.

2008-02-22 08:44 . 2008-02-22 08:44 <DIR> d-------- C:\Program Files\BillP Studios
2008-02-22 08:44 . 2008-02-22 08:44 <DIR> d-------- C:\Documents and Settings\Gary Kueter\Application Data\WinPatrol
2008-02-21 18:29 . 2008-02-21 18:29 70,824 --a------ C:\WINDOWS\BM2b641592.xml
2008-02-21 18:29 . 2008-02-21 18:29 22 --a------ C:\WINDOWS\pskt.ini
2008-02-21 18:21 . 2008-02-21 18:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-21 12:23 . 2008-02-21 12:23 <DIR> d-------- C:\WINDOWS\wt
2008-02-21 10:52 . 2008-02-21 11:05 <DIR> d-------- C:\SDAT
2008-02-21 10:42 . 2008-02-21 10:42 37,786,820 --a------ C:\sdat5234.exe
2008-02-21 09:58 . 2008-02-21 09:58 61,480 --a------ C:\Documents and Settings\Gary Kueter\GoToAssistDownloadHelper.exe
2008-02-20 16:23 . 2008-02-20 16:23 8,266 --a------ C:\WINDOWS\extend.dat
2008-02-20 16:01 . 2008-02-21 08:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-02-20 16:01 . 2008-02-21 19:16 <DIR> d-------- C:\Documents and Settings\Gary Kueter\Application Data\SiteAdvisor
2008-02-20 14:03 . 2008-02-21 12:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-20 11:57 . 2008-02-20 11:57 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-02-20 11:57 . 2008-02-20 11:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-20 11:57 . 2008-02-22 11:51 8,105 --a------ C:\WINDOWS\system32\Config.MPF
2008-02-20 11:56 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-02-20 11:54 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-02-20 11:54 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-02-20 11:54 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-02-20 11:54 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-02-20 11:54 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-02-20 11:53 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-02-20 11:52 . 2008-02-20 16:00 <DIR> d-------- C:\Program Files\McAfee.com
2008-02-20 11:51 . 2008-02-20 16:00 <DIR> d-------- C:\Program Files\McAfee
2008-02-20 11:51 . 2008-02-20 16:00 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-02-20 11:46 . 2008-02-20 11:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-19 08:44 . 2008-02-19 08:44 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-19 08:28 . 2008-02-19 08:29 <DIR> d-------- C:\Program Files\ScottradeELITE
2008-01-30 11:50 . 2008-01-30 11:50 <DIR> d-------- C:\Temp\cXzz9
2008-01-30 11:50 . 2008-02-22 11:46 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 21:15 --------- d-----w C:\Program Files\Google
2008-02-20 22:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-20 14:04 --------- d-----w C:\Documents and Settings\Gary Kueter\Application Data\AVG7
2008-02-06 15:10 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-30 14:03 910,392 ----a-w C:\Documents and Settings\Gary Kueter\Application Data\kuetergl.zip
2007-05-28 21:34 88 --sh--r C:\WINDOWS\system32\83E6C90212.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-24 11:56 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 15:57 36640]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-26 23:38 316728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 15:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office Shortcut Bar.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office Shortcut Bar.lnk
backup=C:\WINDOWS\pss\Microsoft Office Shortcut Bar.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_Run]
C:\PROGRA~1\Grisoft\AVG7\avgw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a--c--- 2006-04-24 00:38 61440 c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cleanup]
C:\DOCUME~1\GARYKU~1\LOCALS~1\Temp\2007528121420_mcappins.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2004-08-10 04:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a--c--- 2005-12-15 09:44 839680 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-15 01:04 332800 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a--c--- 2005-09-08 04:20 122940 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a--c--- 2005-10-05 02:12 94208 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2005-09-29 13:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a--c--- 2005-10-14 19:46 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a--c--- 2005-10-14 19:50 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a--c--- 2005-10-14 19:49 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a--c--- 2004-10-30 13:59 385024 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2005-06-10 09:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2005-06-10 09:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2007-08-03 22:33 582992 c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2007-08-18 03:12 394576 C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 01:24 20480 C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-04-24 01:01 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2005-09-09 22:19 393216 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-04-24 11:56 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2005-11-29 03:56 761947 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-03-17 12:46 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\\Network Diagnostic\\xpnetdiag.exe:@xpsp3res.dll,-20000
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-20 17:52:59 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-02-20 17:52:58 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 11:52:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
c:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-02-22 11:55:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-22 17:54:53
.
2008-02-13 09:02:36 --- E O F ---




and here is my new Hijack this file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:23 AM, on 2/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
c:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\Removal.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} (OBXViewer Control) - http://ciserver.comfedcu.org/onbase//Ap ... Viewer.cab
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - c:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6908 bytes

by the way - I don't know what this last step did, but my PC runs way better now - no pop-ups
I will be away for a few hours but will be back to check for addl info
thanks
sooner1948
Regular Member
 
Posts: 17
Joined: February 21st, 2008, 8:28 pm

Re: Help - this is my hijackthis file -- thank you

Post by dan12 » February 22nd, 2008, 3:01 pm

Hi, I'll try not to keep you too long; I just have a little to do on your last returned logs :) .
Can you throw any light on this zip folder for me?

C:\Documents and Settings\Gary Kueter\Application Data\kuetergl.zip
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Help - this is my hijackthis file -- thank you

Post by sooner1948 » February 22nd, 2008, 5:58 pm

I don't know what it is - it has my name on it, but I don't recall zipping any files
could it be where outlook archives messages or something like that??
don't know much about that stuff...

PC seems to be working very well at this point

thanks
sooner1948
Regular Member
 
Posts: 17
Joined: February 21st, 2008, 8:28 pm

Re: Help - this is my hijackthis file -- thank you

Post by dan12 » February 22nd, 2008, 6:43 pm

Hi, sooner1948
PC seems to be working very well at this point
That's good to hear.
You had a Vundo infection.
We still need to do a bit of tidying up and update a couple of programs.

----------------------

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\WINDOWS\pskt.ini

Folder::
C:\WINDOWS\wt
C:\Temp\cXzz9

Registry::

Driver::

DirLook::
C:\WINDOWS\BM2b641592.xml
C:\WINDOWS\system32\83E6C90212.sys
C:\Documents and Settings\Gary Kueter\Application Data\kuetergl.zip


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



please do an online scan with Kaspersky Online Scanner


Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Please note! The HijackThis O6 section corresponds to an administrative lockdown that prevents changing the options or the homepage in Internet Explorer, set by changing certain settings in the registry.
This entry would legitimately show if an administrator set the restriction on purpose, or if the user used Spybot S&D's Home Page and Option Lock down features in the Mode -> Advanced Mode -> Tools -> IE Tweaks section (or there could be other similar tools with similar options/functions).
Are you the administrator, and did you set the restriction? If you didn't, then you can fix the above two entries.

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit



Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Extended (If available otherwise Standard)
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
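The checks dan12 applies by eye in the post above (registrations whose file is gone, the O6 policy lockdown that needs the "did an admin set this?" question, and the resulting list of lines to tick under Fix checked) can be applied mechanically to any HijackThis v2 log. The script below is an added example for this page, not code from the thread, from HijackThis or from ComboFix. Its sample log is constructed from lines posted earlier in this thread; the O16 (ActiveX download) and O23 "Unknown owner" checks are this example's own additions, and the `lines_to_fix` policy (tick orphans always, O6 only when no admin set it) is the rule dan12 states, encoded as an assumption.

```python
"""Triage a HijackThis v2 log the way a malware-removal helper reads it.

Added example for this thread, not part of HijackThis or ComboFix.
SAMPLE_LOG is constructed from lines posted in the thread above.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "kind name clsid path raw")
Finding = namedtuple("Finding", "reason entry")

# Constructed sample: a header line plus entries copied from the posted logs.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} (OBXViewer Control) - http://ciserver.comfedcu.org/onbase//Ap ... Viewer.cab
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
"""

# Every entry line starts with a section code (R0, O2, O23 ...) and " - ".
_ENTRY = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
_CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse(log_text):
    """Split a HijackThis log into Entry tuples; non-entry lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = _ENTRY.match(line)
        if not m:
            continue
        body = m.group("body")
        clsid = _CLSID.search(body)
        # HijackThis separates name / CLSID / file with " - "; the file
        # (or "(no file)", or a download URL) is the last field when present.
        fields = body.split(" - ")
        path = fields[-1] if len(fields) > 1 else ""
        entries.append(Entry(m.group("kind"), fields[0],
                             clsid.group(0) if clsid else None, path, line))
    return entries


def triage(entries):
    """The checks a helper applies while reading the log, as Finding tuples."""
    findings = []
    for e in entries:
        if e.path == "(no file)":
            findings.append(Finding(
                "orphaned registration: the DLL/EXE no longer exists, safe to fix", e))
        elif e.kind == "O6":
            findings.append(Finding(
                "IE policy lockdown: confirm an admin (or Spybot S&D IE Tweaks) set it", e))
        elif e.kind == "O16":
            findings.append(Finding(
                "ActiveX control downloaded from a URL: verify the host is trusted", e))
        elif e.kind == "O23" and "Unknown owner" in e.raw:
            findings.append(Finding(
                "service with no identified vendor: verify the binary", e))
    return findings


def lines_to_fix(entries, policy_set_by_admin=False):
    """Raw lines to tick in HijackThis 'Do a system scan only' -> Fix checked.

    Assumed rule (from the helper's post): orphans are always fixed; the O6
    policy entries only when the user says no administrator set them.
    """
    out = []
    for f in triage(entries):
        if f.entry.path == "(no file)":
            out.append(f.entry.raw)
        elif f.entry.kind == "O6" and not policy_set_by_admin:
            out.append(f.entry.raw)
    return out


if __name__ == "__main__":
    ents = parse(SAMPLE_LOG)
    for f in triage(ents):
        print(f"{f.entry.kind:4} {f.reason}\n     {f.entry.raw}")
    print("\nFix checked:")
    for line in lines_to_fix(ents):
        print("  ", line)
```

Run against the constructed sample it reproduces exactly the four lines dan12 lists for Fix checked (the two "(no file)" entries and the two O6 policy entries) and additionally flags the O16 download and the O23 service with no vendor for manual review rather than removal.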

Re: Help - this is my hijackthis file -- thank you

Post by sooner1948 » February 22nd, 2008, 7:19 pm

dan, I did the drag and drop and ran the combofix
saw where it said it created the log

I think I may have locked it up??? I minimized the notepad screen???

it is stuck on the black dell XPS screen

I am on my other PC

should I reboot it or wait more -- it has been a while
sooner1948
Regular Member
 
Posts: 17
Joined: February 21st, 2008, 8:28 pm

Re: Help - this is my hijackthis file -- thank you

Post by dan12 » February 22nd, 2008, 7:53 pm

OK, reboot, and go check to see if it saved the log file :)
You're doing OK :)
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Help - this is my hijackthis file -- thank you

Post by sooner1948 » February 22nd, 2008, 9:55 pm

Kaspersky report

Protection : running
--------------------
Total scanned: 184099
Detected: 16
Untreated: 1
Start time: 2/22/2008 5:48:19 PM
Duration: 02:57:38


Detected
--------
Status Object
------ ------
not found: virus Heur.Invader (modification) File: c:\documents and settings\gary kueter\desktop\combofix.exe//PE_Patch.UPX/327882R2FWJFW\catchme.cfexe
detected: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000021.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000022.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000023.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000024.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000025.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000026.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000031.dll
not found: virus Heur.Invader (modification) File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000088.exe//PE_Patch.UPX/327882R2FWJFW\catchme.cfexe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\QooBox\Quarantine\catchme2008-02-22_115240.65.zip/awtsr.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\QooBox\Quarantine\C\WINDOWS\system32\daienwbf.dll.vir
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\QooBox\Quarantine\C\WINDOWS\system32\duyifdbm.dll.vir
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\QooBox\Quarantine\C\WINDOWS\system32\ewoomvqh.dll.vir
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\QooBox\Quarantine\C\WINDOWS\system32\hbbnrrep.dll.vir
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\QooBox\Quarantine\C\WINDOWS\system32\jiqycdyt.dll.vir
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\QooBox\Quarantine\C\WINDOWS\system32\pckogewa.dll.vir


Events
------
Time Event
---- -----
2/22/2008 5:48:19 PM You are advised to perform a full computer scan as soon as possible.
2/22/2008 5:48:19 PM Database is out of date, leaving your computer at risk of infection. Please update your database.
2/22/2008 5:48:19 PM Protection of your computer is enabled.
2/22/2008 5:53:56 PM Update completed successfully
2/22/2008 6:08:33 PM Your evaluation period will end in 29 days. To ensure uninterrupted protection, please <a v(buy)>click here to purchase</a>.
2/22/2008 6:10:19 PM File c:\documents and settings\gary kueter\desktop\combofix.exe//PE_Patch.UPX/327882R2FWJFW\catchme.cfexe: detected modification of virus 'Heur.Invader'.
2/22/2008 6:10:19 PM Security threats have been detected. You are advised to neutralize them immediately.
2/22/2008 6:10:30 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000021.dll: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 6:10:30 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000021.dll: is still infected, postponed.
2/22/2008 6:10:31 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000022.dll: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 6:10:31 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000022.dll: is still infected, postponed.
2/22/2008 6:10:31 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000023.dll: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 6:10:31 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000023.dll: is still infected, postponed.
2/22/2008 6:10:31 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000024.dll: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 6:10:31 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000024.dll: is still infected, postponed.
2/22/2008 6:10:31 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000025.dll: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 6:10:31 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000025.dll: is still infected, postponed.
2/22/2008 6:10:32 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000026.dll: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 6:10:32 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000026.dll: is still infected, postponed.
2/22/2008 6:10:33 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000031.dll: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 6:10:33 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000031.dll: is still infected, postponed.
2/22/2008 6:10:41 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000088.exe//PE_Patch.UPX/327882R2FWJFW\catchme.cfexe: detected modification of virus 'Heur.Invader'.
2/22/2008 6:19:18 PM File C:\Documents and Settings\Gary Kueter\Desktop\ComboFix.exe//PE_Patch.UPX/327882R2FWJFW\catchme.cfexe: detected modification of virus 'Heur.Invader'.
2/22/2008 6:38:34 PM File C:\Program Files\McAfee.com\Agent\uninst\screm.ui/agntcons.vbs: is password protected.
2/22/2008 6:38:34 PM File C:\Program Files\McAfee.com\Agent\uninst\screm.ui/agntlang.vbs: is password protected.
2/22/2008 6:38:34 PM File C:\Program Files\McAfee.com\Agent\uninst\screm.ui/comctl.lpk: is password protected.
2/22/2008 6:38:34 PM File C:\Program Files\McAfee.com\Agent\uninst\screm.ui/config.ini: is password protected.
2/22/2008 6:38:34 PM File C:\Program Files\McAfee.com\Agent\uninst\screm.ui/pbar.vbs: is password protected.
2/22/2008 6:38:34 PM File C:\Program Files\McAfee.com\Agent\uninst\screm.ui/UnInsStr.vbs: is password protected.
2/22/2008 6:38:34 PM File C:\Program Files\McAfee.com\Agent\uninst\screm.ui/uninst.vbs: is password protected.
2/22/2008 6:38:34 PM File C:\Program Files\McAfee.com\Agent\uninst\screm.ui/uninstall.htm: is password protected.
2/22/2008 6:43:58 PM File C:\QooBox\Quarantine\catchme2008-02-22_115240.65.zip/awtsr.dll: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 6:43:58 PM File C:\QooBox\Quarantine\catchme2008-02-22_115240.65.zip/awtsr.dll: is still infected, postponed.
2/22/2008 6:43:59 PM File C:\QooBox\Quarantine\C\WINDOWS\system32\daienwbf.dll.vir: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 6:43:59 PM File C:\QooBox\Quarantine\C\WINDOWS\system32\daienwbf.dll.vir: is still infected, postponed.
2/22/2008 6:43:59 PM File C:\QooBox\Quarantine\C\WINDOWS\system32\duyifdbm.dll.vir: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 6:43:59 PM File C:\QooBox\Quarantine\C\WINDOWS\system32\duyifdbm.dll.vir: is still infected, postponed.
2/22/2008 6:43:59 PM File C:\QooBox\Quarantine\C\WINDOWS\system32\ewoomvqh.dll.vir: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 6:43:59 PM File C:\QooBox\Quarantine\C\WINDOWS\system32\ewoomvqh.dll.vir: is still infected, postponed.
2/22/2008 6:43:59 PM File C:\QooBox\Quarantine\C\WINDOWS\system32\hbbnrrep.dll.vir: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 6:43:59 PM File C:\QooBox\Quarantine\C\WINDOWS\system32\hbbnrrep.dll.vir: is still infected, postponed.
2/22/2008 6:43:59 PM File C:\QooBox\Quarantine\C\WINDOWS\system32\jiqycdyt.dll.vir: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 6:43:59 PM File C:\QooBox\Quarantine\C\WINDOWS\system32\jiqycdyt.dll.vir: is still infected, postponed.
2/22/2008 6:44:00 PM File C:\QooBox\Quarantine\C\WINDOWS\system32\pckogewa.dll.vir: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 6:44:00 PM File C:\QooBox\Quarantine\C\WINDOWS\system32\pckogewa.dll.vir: is still infected, postponed.
2/22/2008 6:58:20 PM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp2\a0000021.dll: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 7:13:12 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000021.dll: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'. User: KUETERSHOME\GARYKUETER$, computer: localhost.
2/22/2008 7:50:03 PM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp2\a0000021.dll: is still infected, skipped by user.
2/22/2008 7:50:03 PM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp2\a0000022.dll: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 7:50:31 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0000021.dll: is still infected, skipped by user.
2/22/2008 7:51:39 PM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp2\a0000022.dll: is still infected, cannot be disinfected.
2/22/2008 7:56:53 PM Update completed successfully
2/22/2008 8:21:49 PM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp2\a0000022.dll: deleted.
2/22/2008 8:21:49 PM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp2\a0000023.dll: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 8:22:29 PM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp2\a0000023.dll: deleted.
2/22/2008 8:22:29 PM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp2\a0000024.dll: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 8:22:53 PM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp2\a0000024.dll: deleted.
2/22/2008 8:22:53 PM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp2\a0000025.dll: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 8:23:06 PM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp2\a0000025.dll: deleted.
2/22/2008 8:23:06 PM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp2\a0000026.dll: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 8:23:20 PM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp2\a0000026.dll: deleted.
2/22/2008 8:23:20 PM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp2\a0000031.dll: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 8:23:43 PM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp2\a0000031.dll: deleted.
2/22/2008 8:23:44 PM File c:\qoobox\quarantine\catchme2008-02-22_115240.65.zip/awtsr.dll: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 8:23:55 PM File c:\qoobox\quarantine\catchme2008-02-22_115240.65.zip/awtsr.dll: is still infected, cannot be disinfected.
2/22/2008 8:24:17 PM File c:\qoobox\quarantine\catchme2008-02-22_115240.65.zip/awtsr.dll: deleted.
2/22/2008 8:24:17 PM File c:\qoobox\quarantine\c\windows\system32\daienwbf.dll.vir: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 8:25:39 PM File c:\qoobox\quarantine\c\windows\system32\daienwbf.dll.vir: deleted.
2/22/2008 8:25:39 PM File c:\qoobox\quarantine\c\windows\system32\duyifdbm.dll.vir: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 8:25:58 PM File c:\qoobox\quarantine\c\windows\system32\duyifdbm.dll.vir: deleted.
2/22/2008 8:25:58 PM File c:\qoobox\quarantine\c\windows\system32\ewoomvqh.dll.vir: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 8:26:12 PM File c:\qoobox\quarantine\c\windows\system32\ewoomvqh.dll.vir: deleted.
2/22/2008 8:26:12 PM File c:\qoobox\quarantine\c\windows\system32\hbbnrrep.dll.vir: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 8:26:35 PM File c:\qoobox\quarantine\c\windows\system32\hbbnrrep.dll.vir: deleted.
2/22/2008 8:26:35 PM File c:\qoobox\quarantine\c\windows\system32\jiqycdyt.dll.vir: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 8:26:37 PM File c:\qoobox\quarantine\c\windows\system32\jiqycdyt.dll.vir: deleted.
2/22/2008 8:26:37 PM File c:\qoobox\quarantine\c\windows\system32\pckogewa.dll.vir: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.gen'.
2/22/2008 8:26:38 PM File c:\qoobox\quarantine\c\windows\system32\pckogewa.dll.vir: deleted.


Reports
-------
Component Status Start Finish Size
--------- ------ ----- ------ ----
Proactive Defense running 2/22/2008 5:48:19 PM 0 bytes
File Anti-Virus running 2/22/2008 5:48:19 PM 886.7 KB
Mail Anti-Virus running 2/22/2008 5:48:19 PM 0 bytes
Web Anti-Virus running 2/22/2008 5:48:19 PM 101.6 KB
Update completed 2/22/2008 5:52:09 PM 2/22/2008 5:53:56 PM 0 bytes
Scan startup objects completed 2/22/2008 5:51:35 PM 2/22/2008 5:56:04 PM 467 KB
Scan My Computer completed 2/22/2008 6:09:25 PM 2/22/2008 8:26:39 PM 35.2 MB
Update completed 2/22/2008 7:56:04 PM 2/22/2008 7:56:53 PM 19.2 KB


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.gen c:\qoobox\quarantine\c\windows\system32\pckogewa.dll.vir 91.6 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.gen c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp2\a0000022.dll 92.6 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.gen c:\qoobox\quarantine\catchme2008-02-22_115240.65.zip 280.2 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.gen c:\qoobox\quarantine\c\windows\system32\hbbnrrep.dll.vir 86 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.gen c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp2\a0000024.dll 86 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.gen c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp2\a0000026.dll 91.6 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.gen c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp2\a0000023.dll 89.6 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.gen c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp2\a0000025.dll 89.6 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.gen c:\qoobox\quarantine\c\windows\system32\duyifdbm.dll.vir 92.6 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.gen c:\qoobox\quarantine\c\windows\system32\daienwbf.dll.vir 85.6 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.gen c:\qoobox\quarantine\c\windows\system32\ewoomvqh.dll.vir 89.6 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.gen c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp2\a0000031.dll 314 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.gen c:\qoobox\quarantine\c\windows\system32\jiqycdyt.dll.vir 89.6 KB
sooner1948
Regular Member
 
Posts: 17
Joined: February 21st, 2008, 8:28 pm

Re: Help - this is my hijackthis file -- thank you

Post by dan12 » February 23rd, 2008, 5:03 am

Hi, sooner1948, do you have the ComboFix.txt and a new HijackThis log, please?
dan :)
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Help - this is my hijackthis file -- thank you

Post by sooner1948 » February 23rd, 2008, 11:09 am

here is my HijackThis file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:54 AM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
c:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Trend Micro\HijackThis\Removal.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} (OBXViewer Control) - http://ciserver.comfedcu.org/onbase//Ap ... Viewer.cab
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - c:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6672 bytes



And this is my ComboFix log file:

ComboFix 08-02-22.3 - Gary Kueter 2008-02-23 8:59:24.3 - NTFSx86
Running from: C:\Documents and Settings\Gary Kueter\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-22 17:43 . 2008-02-22 17:43 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-22 17:43 . 2008-02-22 17:43 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-22 17:42 . 2008-02-22 17:42 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-22 17:42 . 2008-02-23 08:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-22 17:42 . 2008-02-23 09:02 1,709,600 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-22 17:42 . 2008-02-22 20:50 23,660 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-22 17:42 . 2008-02-23 09:02 6,688 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-22 17:42 . 2008-02-22 20:50 1,412 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-22 17:40 . 2008-02-22 17:40 <DIR> d-------- C:\kav
2008-02-22 08:44 . 2008-02-22 08:44 <DIR> d-------- C:\Program Files\BillP Studios
2008-02-22 08:44 . 2008-02-22 08:44 <DIR> d-------- C:\Documents and Settings\Gary Kueter\Application Data\WinPatrol
2008-02-21 18:29 . 2008-02-21 18:29 70,824 --a------ C:\WINDOWS\BM2b641592.xml
2008-02-21 18:21 . 2008-02-21 18:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-21 10:52 . 2008-02-21 11:05 <DIR> d-------- C:\SDAT
2008-02-21 10:42 . 2008-02-21 10:42 37,786,820 --a------ C:\sdat5234.exe
2008-02-21 09:58 . 2008-02-21 09:58 61,480 --a------ C:\Documents and Settings\Gary Kueter\GoToAssistDownloadHelper.exe
2008-02-20 16:23 . 2008-02-20 16:23 8,266 --a------ C:\WINDOWS\extend.dat
2008-02-20 16:01 . 2008-02-21 08:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-02-20 16:01 . 2008-02-21 19:16 <DIR> d-------- C:\Documents and Settings\Gary Kueter\Application Data\SiteAdvisor
2008-02-20 14:03 . 2008-02-21 12:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-20 11:57 . 2008-02-20 11:57 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-02-20 11:57 . 2008-02-20 11:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-20 11:57 . 2008-02-23 08:44 8,567 --a------ C:\WINDOWS\system32\Config.MPF
2008-02-20 11:56 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-02-20 11:54 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-02-20 11:54 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-02-20 11:54 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-02-20 11:54 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-02-20 11:54 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-02-20 11:53 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-02-20 11:52 . 2008-02-20 16:00 <DIR> d-------- C:\Program Files\McAfee.com
2008-02-20 11:51 . 2008-02-20 16:00 <DIR> d-------- C:\Program Files\McAfee
2008-02-20 11:51 . 2008-02-20 16:00 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-02-20 11:46 . 2008-02-20 11:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-19 08:44 . 2008-02-19 08:44 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-19 08:28 . 2008-02-19 08:29 <DIR> d-------- C:\Program Files\ScottradeELITE
2008-02-08 18:37 . 2008-02-08 18:37 219,664 --a------ C:\WINDOWS\system32\klogon.dll
2008-02-08 18:35 . 2008-02-08 18:35 23,604 --a------ C:\WINDOWS\system32\drivers\klopp.dat
2008-01-30 11:50 . 2008-02-22 17:02 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 21:15 --------- d-----w C:\Program Files\Google
2008-02-20 22:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-20 14:04 --------- d-----w C:\Documents and Settings\Gary Kueter\Application Data\AVG7
2008-02-17 16:36 7,518 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-06 15:10 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-30 14:03 910,392 ----a-w C:\Documents and Settings\Gary Kueter\Application Data\kuetergl.zip
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 05:21 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 11:01 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:00 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-05-28 21:34 88 --sh--r C:\WINDOWS\system32\83E6C90212.sys
.

------- Sigcheck -------

"C:\WINDOWS\system32\svchost.exe"
----a-w 14,336 2004-08-10 10:00:00 C:\WINDOWS\system32\svchost.exe

"C:\WINDOWS\system32\user32.dll"
-c--a-w 577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
----a-w 578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
-c----w 577,024 2004-08-10 10:00:00 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
-c----w 577,024 2005-03-02 18:09:30 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
----a-w 577,536 2007-03-08 15:36:28 C:\WINDOWS\system32\user32.dll
------w 577,536 2007-03-08 15:36:28 C:\WINDOWS\system32\dllcache\user32.dll

"C:\WINDOWS\system32\ws2_32.dll"
----a-w 82,944 2004-08-10 10:00:00 C:\WINDOWS\system32\ws2_32.dll

"C:\WINDOWS\system32\wininet.dll"
-c--a-w 661,504 2005-10-21 03:38:08 C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\wininet.dll
----a-w 823,296 2007-03-07 17:40:29 C:\WINDOWS\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll
----a-w 823,808 2007-04-25 09:08:34 C:\WINDOWS\$hf_mig$\KB933566-IE7\SP2QFE\wininet.dll
----a-w 824,320 2007-06-27 14:40:03 C:\WINDOWS\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
----a-w 825,344 2007-08-20 10:02:11 C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
----a-w 825,344 2007-10-10 23:47:29 C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
----a-w 825,344 2007-12-07 02:01:13 C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
-c----w 658,432 2005-10-21 03:39:30 C:\WINDOWS\$NtUninstallKB912812$\wininet.dll
-c----w 663,552 2006-03-04 03:58:52 C:\WINDOWS\$NtUninstallKB916281$\wininet.dll
-c----w 663,552 2006-05-10 05:25:22 C:\WINDOWS\$NtUninstallKB918899$\wininet.dll
-c----w 664,576 2006-06-23 11:25:31 C:\WINDOWS\$NtUninstallKB922760$\wininet.dll
-c--a-w 664,576 2006-09-14 08:31:30 C:\WINDOWS\ie7\wininet.dll
-c----w 818,688 2006-11-08 03:03:36 C:\WINDOWS\ie7updates\KB928090-IE7\wininet.dll
-c----w 822,784 2007-01-12 15:27:42 C:\WINDOWS\ie7updates\KB931768-IE7\wininet.dll
-c----w 822,784 2007-03-07 17:45:18 C:\WINDOWS\ie7updates\KB933566-IE7\wininet.dll
-c----w 822,784 2007-04-25 08:41:17 C:\WINDOWS\ie7updates\KB937143-IE7\wininet.dll
-c----w 823,808 2007-06-27 14:34:59 C:\WINDOWS\ie7updates\KB939653-IE7\wininet.dll
-c----w 824,832 2007-08-20 10:04:43 C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
-c----w 824,832 2007-10-10 23:56:00 C:\WINDOWS\ie7updates\KB944533-IE7\wininet.dll
----a-w 824,832 2007-12-07 02:21:48 C:\WINDOWS\system32\wininet.dll
----a-w 824,832 2007-12-07 02:21:48 C:\WINDOWS\system32\dllcache\wininet.dll

"C:\WINDOWS\system32\drivers\tcpip.sys"
-c--a-w 360,448 2006-01-13 17:07:08 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
-c--a-w 360,576 2006-04-20 12:18:35 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
----a-w 360,832 2007-10-30 16:53:32 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
-c----w 359,040 2004-08-10 10:00:00 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
-c----w 359,808 2006-01-13 02:28:14 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
-c----w 359,808 2006-04-20 11:51:50 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
------w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\dllcache\tcpip.sys
----a-w 360,064 2007-10-30 17:20:55 C:\WINDOWS\system32\drivers\tcpip.sys

"C:\WINDOWS\system32\winlogon.exe"
----a-w 502,272 2004-08-10 10:00:00 C:\WINDOWS\system32\winlogon.exe

"C:\WINDOWS\system32\drivers\ndis.sys"
----a-w 182,912 2004-08-10 10:00:00 C:\WINDOWS\system32\dllcache\ndis.sys
-c--a-w 182,912 2004-08-10 10:00:00 C:\WINDOWS\system32\drivers\ndis.sys

"C:\WINDOWS\system32\drivers\ip6fw.sys"
----a-w 29,056 2004-08-10 10:00:00 C:\WINDOWS\system32\drivers\ip6fw.sys

"C:\WINDOWS\system32\ntkrnlpa.exe"
-c--a-w 2,056,832 2005-03-02 00:36:40 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
-c----w 2,056,832 2004-08-10 10:00:00 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
-c----w 2,056,832 2005-03-02 00:34:40 C:\WINDOWS\$NtUninstallKB929338$\ntkrnlpa.exe
-c----w 2,059,392 2006-12-19 16:12:16 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
------w 2,059,392 2007-02-28 09:15:56 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
----a-w 2,059,392 2007-02-28 09:15:56 C:\WINDOWS\system32\ntkrnlpa.exe
------w 2,059,392 2007-02-28 09:15:56 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

"C:\WINDOWS\system32\ntoskrnl.exe"
-c--a-w 2,179,456 2005-03-02 01:04:22 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
-c----w 2,180,992 2004-08-10 10:00:00 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
-c----w 2,179,328 2005-03-02 00:59:53 C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
-c----w 2,182,016 2006-12-19 16:51:12 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
------w 2,182,144 2007-02-28 09:55:14 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
----a-w 2,182,144 2007-02-28 09:55:14 C:\WINDOWS\system32\ntoskrnl.exe
------w 2,182,144 2007-02-28 09:55:14 C:\WINDOWS\system32\dllcache\ntoskrnl.exe

"C:\WINDOWS\explorer.exe"
----a-w 1,033,216 2007-06-13 10:23:07 C:\WINDOWS\explorer.exe
----a-w 1,033,216 2007-06-13 11:26:03 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
-c----w 1,032,192 2004-08-10 10:00:00 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
------w 1,033,216 2007-06-13 10:23:07 C:\WINDOWS\system32\dllcache\explorer.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-24 11:56 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 15:57 36640]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-26 23:38 316728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 15:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office Shortcut Bar.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office Shortcut Bar.lnk
backup=C:\WINDOWS\pss\Microsoft Office Shortcut Bar.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_Run]
C:\PROGRA~1\Grisoft\AVG7\avgw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a--c--- 2006-04-24 00:38 61440 c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cleanup]
C:\DOCUME~1\GARYKU~1\LOCALS~1\Temp\2007528121420_mcappins.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2004-08-10 04:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a--c--- 2005-12-15 09:44 839680 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-15 01:04 332800 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a--c--- 2005-09-08 04:20 122940 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a--c--- 2005-10-05 02:12 94208 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2005-09-29 13:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a--c--- 2005-10-14 19:46 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a--c--- 2005-10-14 19:50 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a--c--- 2005-10-14 19:49 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a--c--- 2004-10-30 13:59 385024 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2005-06-10 09:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2005-06-10 09:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2007-08-03 22:33 582992 c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2007-08-18 03:12 394576 C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 01:24 20480 C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-04-24 01:01 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2005-09-09 22:19 393216 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-04-24 11:56 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2005-11-29 03:56 761947 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-03-17 12:46 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\\Network Diagnostic\\xpnetdiag.exe:@xpsp3res.dll,-20000
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-20 17:52:59 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-02-20 17:52:58 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 09:02:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-23 9:04:09
ComboFix-quarantined-files.txt 2008-02-23 15:04:04
ComboFix2.txt 2008-02-22 23:05:22
ComboFix3.txt 2008-02-22 17:55:01
.
2008-02-13 09:02:36 --- E O F ---


I currently have McAfee, Kaspersky and WinPatrol on my PC. I think they are conflicting with each other, although right now I think Kaspersky is disabled, McAfee is partly disabled and WinPatrol is running. Should I uninstall Kaspersky when this is all cleaned up? It is the 30-day trial.

thank you so much for your help
sooner1948
Regular Member
 
Posts: 17
Joined: February 21st, 2008, 8:28 pm

Re: Help - this is my hijackthis file -- thank you

Unread postby dan12 » February 23rd, 2008, 12:47 pm

You don't want two antivirus programs running at once; they will fight for resources and slow your system down.
From what I can see from your log, they are both active.
Please disable or delete one of them.
Whilst we're cleaning up your PC, please don't download anything while we're carrying out the fix unless it's a tool I ask for.

I won't be too long with your next step.
Thanks dan :)
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
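Added example, not code from either post and not part of HijackThis or ComboFix: a small Python triage script that applies the checks a helper applies by eye to the two logs above. It parses the "Running processes" list and the R/O entries of a HijackThis v2 log and flags the points that matter here: two real-time scanners loaded at once (dan12's point, avp.exe plus mcshield.exe), O-entries whose target is "(no file)", O23 services with "Unknown owner", and O16 ActiveX downloads from non-Microsoft hosts. A second function scans ComboFix "Reg Loading Points" text for the Windows Firewall being off and for AutoRun command handlers. The sample inputs are short excerpts copied from the logs above; the AV_ENGINES table and the rule names are my own assumptions, not anything the tools define.

```python
"""Triage helper for HijackThis v2 and ComboFix logs (added example)."""
import re

# Constructed sample: lines copied in form from the HijackThis log above.
SAMPLE_HJT = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Trend Micro\HijackThis\Removal.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net/
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} (OBXViewer Control) - http://ciserver.comfedcu.org/onbase//Ap ... Viewer.cab
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""

# Constructed sample: two ComboFix "Reg Loading Points" entries from the log above.
SAMPLE_COMBOFIX = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
"""

# Assumed lookup of real-time scanner processes (my table, not from the page).
AV_ENGINES = {
    "avp.exe": "Kaspersky Anti-Virus",
    "mcshield.exe": "McAfee VirusScan",
}

# HijackThis entry lines look like "O23 - Service: ..." or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (running processes, [(kind, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:           # blank line closes the process list
                in_procs = False
                continue
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return processes, entries


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(text):
    """Return (rule, detail) findings for a HijackThis log."""
    processes, entries = parse_hjt(text)
    findings = []
    # Rule 1: more than one real-time antivirus engine loaded at the same time.
    engines = {AV_ENGINES[basename(p)] for p in processes if basename(p) in AV_ENGINES}
    if len(engines) > 1:
        findings.append(("double-av", ", ".join(sorted(engines))))
    for kind, body in entries:
        # Rule 2: O-entries pointing at a file that no longer exists (safe to fix).
        if kind.startswith("O") and body.endswith("(no file)"):
            findings.append(("orphan", f"{kind}: {body}"))
        # Rule 3: services whose publisher HijackThis could not identify.
        elif kind == "O23" and " - Unknown owner - " in body:
            findings.append(("unknown-owner", body.split(" - ")[-1]))
        # Rule 4: ActiveX controls downloaded from hosts other than Microsoft.
        elif kind == "O16":
            url = body.rsplit(" - ", 1)[-1]
            host = re.match(r"https?://([^/]+)", url)
            if host and not host.group(1).endswith("microsoft.com"):
                findings.append(("activex-download", host.group(1)))
    return findings


def combofix_flags(text):
    """Flag a disabled Windows Firewall and AutoRun handlers in ComboFix output."""
    flags = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('"EnableFirewall"=') and line.split("=", 1)[1].strip().startswith("0"):
            flags.append(("windows-firewall-off", line))
        if "\\Shell\\AutoRun\\command - " in line:
            flags.append(("autorun-handler", line.split(" - ", 1)[1]))
    return flags


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_HJT) + combofix_flags(SAMPLE_COMBOFIX):
        print(f"[{tag}] {detail}")
```

The firewall finding is expected on this machine (McAfee Personal Firewall replaces the Windows one), so the script only reports; deciding whether a flag is benign is still the helper's job, which is why each rule names what it matched rather than proposing a fix.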