Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Major infection

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Major infection

Unread postby submar1ney » April 3rd, 2008, 3:05 am

Hope this helps...

ComboFix 08-03-30.1 - Ian 2008-04-02 14:03:13.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.456 [GMT 1:00]
Running from: C:\Documents and Settings\Ian.MAINPC\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ian.MAINPC\Desktop\CFscript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\eqmycdql.exe
C:\WINDOWS\system32\enhtvkvw.ini
C:\WINDOWS\system32\pstwa.bak2
C:\WINDOWS\system32\uvvwa.bak2
C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job
.
TimedOut: progfile.dat

((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.

2008-04-01 21:02 . 2008-04-01 21:02 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-31 17:00 . 2008-03-31 21:02 <DIR> d-------- C:\Program Files\Panda Security
2008-03-31 16:36 . 2008-03-31 16:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-31 16:36 . 2008-03-31 16:36 <DIR> d-------- C:\Documents and Settings\Ian.MAINPC\Application Data\Malwarebytes
2008-03-31 16:36 . 2008-03-31 16:36 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-03-29 15:31 . 2008-03-29 15:31 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg7
2008-03-29 14:32 . 2008-03-29 14:33 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-28 20:40 . 2008-03-28 20:43 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-03-28 12:06 . 1998-11-13 13:07 307,712 --a------ C:\WINDOWS\IsUn0410.exe
2008-03-22 09:43 . 2008-03-22 09:43 76 --a------ C:\WINDOWS\system32\Sun Clock 6.ini
2008-03-22 09:42 . 2008-03-22 09:42 <DIR> d-------- C:\Program Files\Map Maker
2008-03-21 18:55 . 2008-03-21 18:55 <DIR> d-------- C:\Program Files\PawPrint.net
2008-03-21 18:30 . 2008-03-22 09:43 <DIR> d-------- C:\Documents and Settings\Ian.MAINPC\Application Data\Map Maker
2008-03-21 18:29 . 2008-03-21 18:45 <DIR> d-------- C:\Map Maker
2008-03-21 11:49 . 2008-03-21 11:49 <DIR> d-------- C:\Program Files\Kontiki
2008-03-21 11:49 . 2008-03-21 11:49 <DIR> d-------- C:\logs3
2008-03-21 11:49 . 2008-03-29 11:54 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kontiki
2008-03-16 18:32 . 2008-03-16 18:32 131,584 --------- C:\WINDOWS\combatfs.exe
2008-03-16 15:46 . 2008-03-16 15:46 <DIR> d-------- C:\Casper
2008-03-16 15:46 . 1996-02-14 15:01 92,208 --a------ C:\WINDOWS\system\Wing.dll
2008-03-16 15:46 . 1998-09-02 13:43 81,920 --a------ C:\WINDOWS\system32\LZSCMPRS.DLL
2008-03-16 15:46 . 1998-03-26 16:25 12,800 --a------ C:\WINDOWS\system32\Wing32.dll
2008-03-16 15:46 . 2008-03-16 15:46 183 --a------ C:\WINDOWS\compedia.ini
2008-03-16 15:43 . 2008-03-16 15:43 <DIR> d-------- C:\Documents and Settings\Ian.MAINPC\WINDOWS
2008-03-16 15:42 . 2008-03-16 15:48 <DIR> d-------- C:\Program Files\The Learning Company
2008-03-16 15:42 . 2002-09-26 13:19 274,432 --a------ C:\WINDOWS\TLCUninstall.exe
2008-03-16 15:40 . 1998-10-29 17:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-03-16 15:40 . 2008-03-16 15:40 0 --a------ C:\WINDOWS\SETUP32.INI
2008-03-16 15:36 . 2008-03-16 15:40 <DIR> d-------- C:\Documents and Settings\Cian\Application Data\Teleca
2008-03-16 15:36 . 2008-03-16 15:36 <DIR> d-------- C:\Documents and Settings\Cian\Application Data\Roxio
2008-03-16 00:16 . 2008-04-01 16:45 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-16 00:16 . 2008-03-16 00:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-15 21:22 . 2006-03-03 12:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-03-15 19:58 . 2008-03-15 20:33 <DIR> d-------- C:\Program Files\SiteAdvisor(2)
2008-03-15 19:58 . 2008-03-15 20:17 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\SiteAdvisor(2)
2008-03-15 19:58 . 2008-03-15 20:16 <DIR> d-------- C:\Documents and Settings\Ian.MAINPC\Application Data\SiteAdvisor(2)
2008-03-15 19:42 . 2008-03-16 00:15 <DIR> d-------- C:\Program Files\QuickTime
2008-03-15 19:42 . 2008-03-29 15:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-15 19:41 . 2008-03-15 19:41 <DIR> d-------- C:\Program Files\Smart Projects
2008-03-15 19:41 . 2008-03-15 19:41 <DIR> d-------- C:\Program Files\Free iPod Video Converter
2008-03-15 10:17 . 2008-04-01 18:55 15,010 --a------ C:\WINDOWS\system32\Config.MPF
2008-03-09 20:19 . 2007-07-21 10:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-09 20:19 . 2007-07-24 08:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-09 20:19 . 2007-07-21 10:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-03-09 20:19 . 2007-07-21 10:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-03-09 20:19 . 2007-07-24 13:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-03-09 16:33 . 2008-03-09 16:33 254 --a------ C:\WINDOWS\system32\USER.SCP
2008-03-09 16:33 . 2008-03-09 16:33 254 --a------ C:\WINDOWS\system32\TEMPSCP.SCP
2008-03-09 16:21 . 2008-03-09 16:21 <DIR> d-------- C:\Program Files\DVDFab Platinum 4

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.


Malwarebytes' Anti-Malware 1.09
Database version: 573

Scan type: Full Scan (C:\|)
Objects scanned: 237894
Time elapsed: 1 hour(s), 47 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{50ccd00a-66b6-4d95-aaef-8ee959498f92} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stfngdvw.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



KASPERSKY ONLINE SCANNER REPORTKASPERSKY ONLINE SCANNER REPORT
Thursday, April 03, 2008 7:57:17 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build
2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/04/2008
Kaspersky Anti-Virus database records: 678667


Scan Settings
Scan using the following antivirus databaseextended
Scan Archivestrue
Scan Mail Basestrue

Scan TargetMy Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects202464
Number of viruses found4
Number of infected objects18
Number of suspicious objects0
Duration of the scan process04:54:42

Infected Object NameVirus NameLast Action
C:\8f2a8a4bfd6ccecad52e7de6142b3ef9\update\update.exe Object is locked
skipped

C:\8f2a8a4bfd6ccecad52e7de6142b3ef9\update\updspapi.dll Object is locked
skipped

C:\Documents and Settings\All Users\Application
Data\Microsoft\Crypto\RSA\MachineKeys\394a590e71de25264ebbffa0e2708613_24adf822-76f7-4481-b30b-ff1b40f8687f
Object is locked skipped

C:\Documents and Settings\All Users\Application
Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f
Object is locked skipped

C:\Documents and Settings\All Users\Application
Data\Microsoft\Crypto\RSA\MachineKeys\fda7bb067263b2e40fdae38773d593f8_24adf822-76f7-4481-b30b-ff1b40f8687f
Object is locked skipped

C:\Documents and Settings\All Users\Application
Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application
Data\McAfee\EasyNet\MHNData Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application
Data\McAfee\MNA\NAData Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application
Data\McAfee\MPF\data\log.edb Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application
Data\McAfee\MSC\Logs\Events.dat Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application
Data\McAfee\MSC\Logs\{92369E2F-5B8F-4FB6-A66E-E03DCD07EB3F}.log Object is
locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application
Data\McAfee\MSC\Logs\{A8F978A2-4999-4F05-A1FC-094A789CADA3}.log Object is
locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application
Data\McAfee\MSC\Logs\{F7A3699C-C69E-4DC9-A51E-ECD024F690B4}.log Object is
locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application
Data\McAfee\MSC\McUsers.dat Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application
Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application
Data\McAfee\MSK\SettingsDB.dat Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application
Data\McAfee\VirusScan\Data\TFR18.tmp Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application
Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Dr
Watson\drwtsn32.log Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application
Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application
Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\Ian.MAINPC\Cookies\index.dat Object is locked
skipped

C:\Documents and Settings\Ian.MAINPC\Desktop\Flight Simulator Deluxe
X\Flight Simulator Deluxe X DVD1.daa Object is locked skipped

C:\Documents and Settings\Ian.MAINPC\Desktop\Flight Simulator Deluxe
X\Flight Simulator Deluxe X DVD2.daa Object is locked skipped

C:\Documents and Settings\Ian.MAINPC\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Ian.MAINPC\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Ian.MAINPC\Local
Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Ian.MAINPC\Local
Settings\History\History.IE5\MSHist012008040220080403\index.dat Object is
locked skipped

C:\Documents and Settings\Ian.MAINPC\Local
Settings\Temp\hsperfdata_Ian\2400 Object is locked skipped

C:\Documents and Settings\Ian.MAINPC\Local Settings\Temp\~DF7997.tmp
Object is locked skipped

C:\Documents and Settings\Ian.MAINPC\Local Settings\Temp\~DF79C5.tmp
Object is locked skipped

C:\Documents and Settings\Ian.MAINPC\Local Settings\Temporary Internet
Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Ian.MAINPC\My
Documents\Audible\Logs\Explorer_AudibleShellExt.log Object is locked
skipped

C:\Documents and Settings\Ian.MAINPC\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Ian.MAINPC\ntuser.dat.LOG Object is locked
skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat
Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked
skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is
locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local
Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local
Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked
skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is
locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object
is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked
skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\Local
Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is
locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is
locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG
Object is locked skipped

C:\Program Files\Microsoft Games\Combat Flight Simulator\modules\FE.DLL
Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\SDFix\backups\catchme.zip.vir/jwlbqzpi.dll
Infected: Trojan-Clicker.Win32.Costrat.fb skipped

C:\QooBox\Quarantine\C\SDFix\backups\catchme.zip.vir ZIP: infected - 1
skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\pourmpuv.dll.vir Infected:
not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is
locked skipped

C:\System Volume
Information\_restore{8204CC8A-BECA-4DE3-A03D-1361CAFCC815}\RP437\A0112029.exe/xpkey.exe
Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\System Volume
Information\_restore{8204CC8A-BECA-4DE3-A03D-1361CAFCC815}\RP437\A0112029.exe/RAS.exe
Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\System Volume
Information\_restore{8204CC8A-BECA-4DE3-A03D-1361CAFCC815}\RP437\A0112029.exe
RAR: infected - 2 skipped

C:\System Volume
Information\_restore{8204CC8A-BECA-4DE3-A03D-1361CAFCC815}\RP437\A0112054.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume
Information\_restore{8204CC8A-BECA-4DE3-A03D-1361CAFCC815}\RP439\A0112116.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume
Information\_restore{8204CC8A-BECA-4DE3-A03D-1361CAFCC815}\RP441\A0113262.exe/xpkey.exe
Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\System Volume
Information\_restore{8204CC8A-BECA-4DE3-A03D-1361CAFCC815}\RP441\A0113262.exe/RAS.exe
Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\System Volume
Information\_restore{8204CC8A-BECA-4DE3-A03D-1361CAFCC815}\RP441\A0113262.exe
RAR: infected - 2 skipped

C:\System Volume
Information\_restore{8204CC8A-BECA-4DE3-A03D-1361CAFCC815}\RP443\A0114482.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume
Information\_restore{8204CC8A-BECA-4DE3-A03D-1361CAFCC815}\RP443\A0114483.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume
Information\_restore{8204CC8A-BECA-4DE3-A03D-1361CAFCC815}\RP456\A0122216.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume
Information\_restore{8204CC8A-BECA-4DE3-A03D-1361CAFCC815}\RP456\A0122395.exe
Infected: Trojan.Win32.Dialer.qn skipped

C:\System Volume
Information\_restore{8204CC8A-BECA-4DE3-A03D-1361CAFCC815}\RP460\change.log
Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt Object is locked
skipped

C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F45D5803-FD12-40D8-8F83-3CC16A1D5AC7}.crmlog
Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked
skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked
skipped

C:\WINDOWS\Temp\mcafee_js4g58RtNtJSYyV Object is locked skipped

C:\WINDOWS\Temp\mcmsc_Dv0mLSsmVUbeCmp Object is locked skipped

C:\WINDOWS\Temp\mcmsc_HJNTd6AbRCKq1A1 Object is locked skipped

C:\WINDOWS\Temp\mcmsc_OHPFExnOG47z0K0 Object is locked skipped

C:\WINDOWS\Temp\mcmsc_Ok6GJb0n14dXOfN Object is locked skipped

C:\WINDOWS\Temp\mcmsc_prQUdAeVHvubs0f Object is locked skipped

C:\WINDOWS\Temp\sqlite_gzJv7hgrqtfxgOe Object is locked skipped

C:\WINDOWS\Temp\sqlite_zMrHELz5f7WzTFb Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\Music & Downloads\POWERDVD\New Folder (2)\crack.exe Infected:
Trojan.Win32.Dialer.qn skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is
locked skipped

D:\System Volume
Information\_restore{8204CC8A-BECA-4DE3-A03D-1361CAFCC815}\RP409\A0096198.exe
Infected: Trojan.Win32.Dialer.qn skipped

D:\System Volume
Information\_restore{8204CC8A-BECA-4DE3-A03D-1361CAFCC815}\RP460\change.log
Object is locked skipped

Scan process completed.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:58:39, on 03/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJE.EXE
C:\PROGRA~1\McAfee\MHN\McENUI.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.6.0_03\bin\javaw.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJE.EXE /P30 "EPSON Stylus Photo R340 Series" /O6 "USB001" /M "Stylus Photo R340"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - WWW Prefix:
O16 - DPF: McAfee Wi-FiScan - http://download.mcafee.com/molbin/iss-l ... erCtrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan ... stubie.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 2778162375
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O23 - Service: McAfee Application Installer Cleanup (0222031207080180) (0222031207080180mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\022203~1.EXE (file missing)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - Unknown owner - C:\Program Files\Mcafee\MWL\MwlSvc.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 9020 bytes
submar1ney
Regular Member
 
Posts: 28
Joined: March 28th, 2008, 3:47 pm
Advertisement
Register to Remove

Re: Major infection

Unread postby dan12 » April 3rd, 2008, 4:58 am

Ok, thanks for the logs, going to be a pain here but your a\v is active whilst your doing your scan I need it disabled whilst scanning

ComboFix 08-03-30.1 - Ian 2008-04-02 14:03:13.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.456 [GMT 1:00]
Running from: C:\Documents and Settings\Ian.MAINPC\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ian.MAINPC\Desktop\CFscript.txt
* Created a new restore point
* Resident AV is active


Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: ... e-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.
* Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.


Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


So, could you run it again for me once you have disabled your a\v.
Thanks
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Major infection

Unread postby submar1ney » April 3rd, 2008, 5:46 am

As requested :-)

ComboFix 08-04-02.1 - Ian 2008-04-03 10:33:55.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.512 [GMT 1:00]
Running from: C:\Documents and Settings\Ian.MAINPC\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ian.MAINPC\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\eqmycdql.exe
C:\WINDOWS\system32\enhtvkvw.ini
C:\WINDOWS\system32\pstwa.bak2
C:\WINDOWS\system32\uvvwa.bak2
C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job
.
TimedOut: progfile.dat

((((((((((((((((((((((((( Files Created from 2008-03-03 to 2008-04-03 )))))))))))))))))))))))))))))))
.

2008-04-02 22:36 . 2008-04-02 22:36 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-02 22:36 . 2008-04-02 22:36 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-04-01 21:02 . 2008-04-01 21:02 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-31 17:00 . 2008-03-31 21:02 <DIR> d-------- C:\Program Files\Panda Security
2008-03-31 16:36 . 2008-03-31 16:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-31 16:36 . 2008-03-31 16:36 <DIR> d-------- C:\Documents and Settings\Ian.MAINPC\Application Data\Malwarebytes
2008-03-31 16:36 . 2008-03-31 16:36 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-03-29 15:31 . 2008-03-29 15:31 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg7
2008-03-29 14:32 . 2008-03-29 14:33 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-28 20:40 . 2008-03-28 20:43 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-03-28 12:06 . 1998-11-13 13:07 307,712 --a------ C:\WINDOWS\IsUn0410.exe
2008-03-22 09:43 . 2008-03-22 09:43 76 --a------ C:\WINDOWS\system32\Sun Clock 6.ini
2008-03-22 09:42 . 2008-03-22 09:42 <DIR> d-------- C:\Program Files\Map Maker
2008-03-21 18:55 . 2008-03-21 18:55 <DIR> d-------- C:\Program Files\PawPrint.net
2008-03-21 18:30 . 2008-03-22 09:43 <DIR> d-------- C:\Documents and Settings\Ian.MAINPC\Application Data\Map Maker
2008-03-21 18:29 . 2008-03-21 18:45 <DIR> d-------- C:\Map Maker
2008-03-21 11:49 . 2008-03-21 11:49 <DIR> d-------- C:\Program Files\Kontiki
2008-03-21 11:49 . 2008-03-21 11:49 <DIR> d-------- C:\logs3
2008-03-21 11:49 . 2008-03-29 11:54 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kontiki
2008-03-16 18:32 . 2008-03-16 18:32 131,584 --------- C:\WINDOWS\combatfs.exe
2008-03-16 15:46 . 2008-03-16 15:46 <DIR> d-------- C:\Casper
2008-03-16 15:46 . 1996-02-14 15:01 92,208 --a------ C:\WINDOWS\system\Wing.dll
2008-03-16 15:46 . 1998-09-02 13:43 81,920 --a------ C:\WINDOWS\system32\LZSCMPRS.DLL
2008-03-16 15:46 . 1998-03-26 16:25 12,800 --a------ C:\WINDOWS\system32\Wing32.dll
2008-03-16 15:46 . 2008-03-16 15:46 183 --a------ C:\WINDOWS\compedia.ini
2008-03-16 15:43 . 2008-03-16 15:43 <DIR> d-------- C:\Documents and Settings\Ian.MAINPC\WINDOWS
2008-03-16 15:42 . 2008-03-16 15:48 <DIR> d-------- C:\Program Files\The Learning Company
2008-03-16 15:42 . 2002-09-26 13:19 274,432 --a------ C:\WINDOWS\TLCUninstall.exe
2008-03-16 15:40 . 1998-10-29 17:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-03-16 15:40 . 2008-03-16 15:40 0 --a------ C:\WINDOWS\SETUP32.INI
2008-03-16 15:36 . 2008-03-16 15:40 <DIR> d-------- C:\Documents and Settings\Cian\Application Data\Teleca
2008-03-16 15:36 . 2008-03-16 15:36 <DIR> d-------- C:\Documents and Settings\Cian\Application Data\Roxio
2008-03-16 00:16 . 2008-04-01 16:45 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-16 00:16 . 2008-03-16 00:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-15 21:22 . 2006-03-03 12:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-03-15 19:58 . 2008-03-15 20:33 <DIR> d-------- C:\Program Files\SiteAdvisor(2)
2008-03-15 19:58 . 2008-03-15 20:17 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\SiteAdvisor(2)
2008-03-15 19:58 . 2008-03-15 20:16 <DIR> d-------- C:\Documents and Settings\Ian.MAINPC\Application Data\SiteAdvisor(2)
2008-03-15 19:42 . 2008-03-16 00:15 <DIR> d-------- C:\Program Files\QuickTime
2008-03-15 19:42 . 2008-03-29 15:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-15 19:41 . 2008-03-15 19:41 <DIR> d-------- C:\Program Files\Smart Projects
2008-03-15 19:41 . 2008-03-15 19:41 <DIR> d-------- C:\Program Files\Free iPod Video Converter
2008-03-15 10:17 . 2008-04-03 07:56 15,010 --a------ C:\WINDOWS\system32\Config.MPF
2008-03-09 20:19 . 2007-07-21 10:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-09 20:19 . 2007-07-24 08:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-09 20:19 . 2007-07-21 10:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-03-09 20:19 . 2007-07-21 10:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-03-09 20:19 . 2007-07-24 13:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-03-09 16:33 . 2008-03-09 16:33 254 --a------ C:\WINDOWS\system32\USER.SCP
2008-03-09 16:33 . 2008-03-09 16:33 254 --a------ C:\WINDOWS\system32\TEMPSCP.SCP
2008-03-09 16:21 . 2008-03-09 16:21 <DIR> d-------- C:\Program Files\DVDFab Platinum 4

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-03 09:39 --------- d-----w C:\Documents and Settings\Ian.MAINPC\Application Data\Azureus
2008-04-01 20:02 --------- d-----w C:\Program Files\McAfee
2008-03-31 16:35 --------- d-----w C:\Program Files\Microsoft Games
2008-03-29 14:38 --------- d-----w C:\Program Files\WLViewerLite
2008-03-29 14:32 --------- d-----w C:\Program Files\Ahead
2008-03-29 14:29 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-03-29 14:27 --------- d-----w C:\Program Files\DivX
2008-03-29 14:25 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-03-29 14:18 --------- d-----w C:\Documents and Settings\Ian.MAINPC\Application Data\Vso
2008-03-29 14:17 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-03-29 14:17 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Roxio
2008-03-29 14:13 --------- d-----w C:\Program Files\GameShadow
2008-03-29 12:36 --------- d-----w C:\Program Files\PowerISO
2008-03-29 09:20 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-28 17:12 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-03-28 16:49 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-03-28 14:36 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-27 20:35 --------- d-----w C:\Program Files\S103
2008-03-26 19:54 --------- d-----w C:\Documents and Settings\Ian.MAINPC\Application Data\Apple Computer
2008-03-21 18:27 --------- d-----w C:\Documents and Settings\Ian.MAINPC\Application Data\AdobeUM
2008-03-18 18:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-18 17:58 --------- d-----w C:\Program Files\Ubisoft
2008-03-15 20:21 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee
2008-03-15 18:42 --------- d-----w C:\Documents and Settings\Ian.MAINPC\Application Data\SUPERAntiSpyware.com
2008-03-15 07:48 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\SiteAdvisor
2008-03-09 19:19 --------- d-----w C:\Program Files\Common Files\McAfee
2008-03-09 18:36 --------- d-----w C:\Program Files\DellSupport
2008-03-09 18:21 --------- d-----w C:\Program Files\Java
2008-02-26 17:59 --------- d-----w C:\Program Files\iTunes
2008-02-26 17:58 --------- d-----w C:\Program Files\iPod
2008-02-23 13:44 --------- d-----w C:\Program Files\ChemBuddy
2008-02-05 13:54 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Messenger Plus!
2008-02-05 12:40 --------- d-----w C:\Program Files\Windows Live
2008-02-05 12:40 --------- d-----w C:\Program Files\MSN Messenger
2008-02-05 12:40 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-12-10 17:52 47,360 ----a-w C:\Documents and Settings\Ian.MAINPC\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot@2008-03-29_18.04.03.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-21 13:37:26 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\ascstubie.dll
+ 2008-03-25 17:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\CONFLICT.1\as2stubie.dll
+ 2007-07-18 12:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\CONFLICT.1\libcomm.dll
+ 2007-07-18 13:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
- 2000-08-31 08:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 07:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2000-08-31 08:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 07:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
- 2008-03-29 17:39:29 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-03 06:20:01 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-29 17:39:29 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-03 06:20:01 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-29 17:39:29 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-03 06:20:01 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-05-24 11:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 14:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 14:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-03-28 16:39:09 51,608 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-30 12:12:32 51,608 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-28 16:39:09 377,584 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-30 12:12:32 377,584 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2000-08-31 08:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 07:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04 59392]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-23 15:04 1544192]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 21:05 344064]
"CTHelper"="CTHELPER.EXE" [2005-11-08 20:30 16384 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 12:00 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 17:20 339968 C:\WINDOWS\stsystra.exe]
"EPSON Stylus Photo R340 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJE.exe" [2005-05-12 05:00 98304]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-07-22 21:29 1160480]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 16:24 71216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 16:21 54832]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 12:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25025:TCP"= 25025:TCP:BitComet 25025 TCP
"25025:UDP"= 25025:UDP:BitComet 25025 UDP

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
S2 0222031207080180mcinstcleanup;McAfee Application Installer Cleanup (0222031207080180);C:\WINDOWS\TEMP\022203~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\ADOBE\command - E:\extras\ar405ita.exe
\Shell\AutoRun\command - E:\setup.EXE /autorun
\Shell\dxsetup\command - E:\directx\dxsetup.exe
\Shell\log\command - E:\machine\machine.exe -l
\Shell\machine\command - E:\machine\machine.exe
\Shell\Register\command - E:\extras\runshell.exe http://www.microsoft.com/games/product_ ... on/fs2002/
\Shell\setup\command - E:\setup.exe
\Shell\Web\command - E:\extras\runshell.exe http://www.microsoft.com/games/fs2002/default.asp
\Shell\WMP\command - E:\wmp\mp71.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{040bb98e-157f-11db-a832-00123fcb9d0e}]
\Shell\AutoRun\command - F:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72d80cf9-de07-11da-a7d1-00123fcb9d0e}]
\Shell\AutoRun\command - F:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-01 08:07:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-03 09:00:00 C:\WINDOWS\Tasks\B49FA522997C5942.job"
- c:\docume~1\ian~1.mai\applic~1\onehtm~1\spam seek each.exe
"2008-03-09 19:19:11 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-01 00:00:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 10:38:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-04-03 10:40:48
ComboFix-quarantined-files.txt 2008-04-03 09:40:45
ComboFix2.txt 2008-03-30 10:19:11
ComboFix3.txt 2008-03-29 18:04:26
Pre-Run: 22,457,958,400 bytes free
Post-Run: 22,446,047,232 bytes free
.
2008-03-21 10:46:26 --- E O F ---
submar1ney
Regular Member
 
Posts: 28
Joined: March 28th, 2008, 3:47 pm

Re: Major infection

Unread postby submar1ney » April 3rd, 2008, 5:49 am

HJT


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:31, on 03/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJE.EXE
C:\PROGRA~1\McAfee\MHN\McENUI.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.6.0_03\bin\javaw.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJE.EXE /P30 "EPSON Stylus Photo R340 Series" /O6 "USB001" /M "Stylus Photo R340"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - WWW Prefix:
O16 - DPF: McAfee Wi-FiScan - http://download.mcafee.com/molbin/iss-l ... erCtrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan ... stubie.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 2778162375
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O23 - Service: McAfee Application Installer Cleanup (0222031207080180) (0222031207080180mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\022203~1.EXE (file missing)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - Unknown owner - C:\Program Files\Mcafee\MWL\MwlSvc.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 8991 bytes
submar1ney
Regular Member
 
Posts: 28
Joined: March 28th, 2008, 3:47 pm

Re: Major infection

Unread postby dan12 » April 3rd, 2008, 6:06 am

Ok, I want to check we have deleted the following files\folders

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0222031207080180) (0222031207080180mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\022203~1.EXE (file missing)

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit



Right click start, In the drop down menu click "Explore" Then navigate to each file\ folder in the left hand pane, which will reveal its content in the right hand pane, highlight file or folder right click and Delete, if present:

These files:
C:\WINDOWS\system32\enhtvkvw.ini << This file
C:\eqmycdql.exe << This file
C:\WINDOWS\system32\pstwa.bak2 << This file
C:\WINDOWS\system32\uvvwa.bak2 << This file
C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job << This file
C:\Program Files\Microsoft Games\Combat Flight Simulator\modules\FE.DLL << This file
D:\Music & Downloads\POWERDVD\New Folder (2)\crack.exe << This file

These folders:
C:\SDFix << This folder
C:\VundoFix Backups << This folder


_________________________


Your Java is out of date Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 5.
  • Scroll down to where it says " Java Runtime Environment (JRE) 6 Update 5".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Please include in your next post:
  • New highjackthis log

Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Major infection

Unread postby submar1ney » April 3rd, 2008, 6:47 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:04, on 03/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJE.EXE
C:\PROGRA~1\McAfee\MHN\McENUI.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJE.EXE /P30 "EPSON Stylus Photo R340 Series" /O6 "USB001" /M "Stylus Photo R340"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - WWW Prefix:
O16 - DPF: McAfee Wi-FiScan - http://download.mcafee.com/molbin/iss-l ... erCtrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan ... stubie.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 2778162375
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O23 - Service: McAfee Application Installer Cleanup (0222031207080180) (0222031207080180mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\022203~1.EXE (file missing)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - Unknown owner - C:\Program Files\Mcafee\MWL\MwlSvc.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 8364 bytes
submar1ney
Regular Member
 
Posts: 28
Joined: March 28th, 2008, 3:47 pm

Re: Major infection

Unread postby dan12 » April 3rd, 2008, 7:03 am

How did you get on with those files/folders, where they there?
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Major infection

Unread postby dan12 » April 3rd, 2008, 7:12 am

I'm not seeing your new java install i your log.

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add remove programs
click on the following programs


adobe reader

and click on remove

Reboot the computer


: Update Adobe Reader
It looks like your version of Adobe Reader is out of date and you're vulnarable for infections.
Please download the newest version here:
http://www.adobe.com/uk/products/reader/
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Major infection

Unread postby submar1ney » April 3rd, 2008, 8:07 am

Ok, a few of those files were present and now deleted. Java has been updated. Adobe reader is deleted but i'm having problems re-installing the latest version. Its asking to be pointed to Acroread.msi. When i do it just says, 'no way jose' and ends.
submar1ney
Regular Member
 
Posts: 28
Joined: March 28th, 2008, 3:47 pm

Re: Major infection

Unread postby dan12 » April 3rd, 2008, 8:25 am

Just tried the adobe reader links myself and works fine here.
Could you try again for the download.
dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Major infection

Unread postby submar1ney » April 3rd, 2008, 8:31 am

I've tried about 6 times now :-)

Its asking me for Acroread.msi for ver 8.1.1 and i'm updating to 8.1.2 ???? Idea's?

Ian
submar1ney
Regular Member
 
Posts: 28
Joined: March 28th, 2008, 3:47 pm

Re: Major infection

Unread postby dan12 » April 3rd, 2008, 8:54 am

Ok, I'm assuming you have removed adobe reader via add and remove programs so no issues there?
Your issue is with the download link, will see if I can find another link.
In the mean time you want to try and re-boot the system.
dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Major infection

Unread postby submar1ney » April 3rd, 2008, 9:48 am

Hmmmmm i'm getting the same thing when i try uninstall 8.1.1 through control panel.
submar1ney
Regular Member
 
Posts: 28
Joined: March 28th, 2008, 3:47 pm

Re: Major infection

Unread postby dan12 » April 3rd, 2008, 9:56 am

Ok, you have installed java successfully yes?

Is adobe reader the free version? or the paid version if the paid leave it be.

Have you removed adobe reader from your system?

I need to know at which stage were at, to give advise :)
let me know where were at.
Thanks
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Major infection

Unread postby submar1ney » April 3rd, 2008, 10:22 am

Java is updated / re-installed.

Adobe is the free version but it shows up in add/remove programs, but it won't let me remove it. Nor does it work now! Not sure what's happened when i initially went to remove it.

Ian
submar1ney
Regular Member
 
Posts: 28
Joined: March 28th, 2008, 3:47 pm
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 51 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware