
HELP- I think something has taken over my computer!

Post by MAPepin » February 4th, 2008, 1:41 pm

The other day, I started experiencing some curious behavior. :? Command (DOS-like) windows kept popping up and disappearing. There would be probably about a dozen windows tiled, and this happened so quickly that I couldn't read the file name on the top of the window bar.

I also keep getting warnings from McAfee about the following files:
20391529641.dll
dllgh8jkd1q8.exe
kernelwind64.exe
m1ax1d12132116143v.exe
n2ewma1xxsv234.exe
newmaxxsv234.exe
vedxg4am1et2.exe
vedxg6ame4.exe
vedxga1me4t1.exe
vedxga3me2.exe
vedxga4m1et4.exe
qt-dx331.dll
gdnOT2904[1].exe
ma11x1dd121111v.game
WADA.EXE

Most of these have been associated with something called Dialer-257. Others have been associated with Generic.dx (Trojan), Generic BackDoor (Trojan), or New Malware.j (Trojan). :evil:

I also keep hearing a regular -blip- sound. This is the default sound associated with 'System Notification'. This keeps sounding at regular 50 second intervals. :|

This morning, I received a flash of the Command windows with the following notification:
------------------------------------------------------------------------------------------------
16 bit MS-DOS Subsystem

C:\WINDOWS\system32\M1AXD~2.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0548 IP:0254 OP:63 68 61 72 73 Choose 'Close' to terminate the application.
------------------------------------------------------------------------------------------------
This keeps happening regardless of how many scans I do.
I've done AdAware, Spybot-S&D, Symantec Online, etc.

Please Help
I think something has taken over the system! :evil:
Mike

Following is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\twain_32\DELL\MFP1125\Monitor\Stsmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\n2ewma1xxsv234.exe
C:\WINDOWS\system32\newmaxxsv234.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\mmdssvc.exe
C:\Windows\xpupdate.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\CbEvtSvc.exe
C:\WINDOWS\System32\CcEvtSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
C:\Documents and Settings\MAPepin\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=0080115
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=0080115
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 124.217.252.77 http://www.bravesentry.com
O1 - Hosts: 124.217.252.77 bravesentry.com
O1 - Hosts: 124.217.252.78 secure.isoftpay.com
O1 - Hosts: 124.217.252.77 http://www.bravesentry.com
O1 - Hosts: 124.217.252.77 bravesentry.com
O1 - Hosts: 124.217.252.78 secure.isoftpay.com
O1 - Hosts: 124.217.252.77 http://www.bravesentry.com
O1 - Hosts: 124.217.252.77 bravesentry.com
O1 - Hosts: 124.217.252.78 secure.isoftpay.com
O1 - Hosts: 124.217.252.77 http://www.bravesentry.com
O1 - Hosts: 124.217.252.77 bravesentry.com
O1 - Hosts: 124.217.252.78 secure.isoftpay.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - c:\windows\system32\expand.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Acrobat Speed Launch] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [MFPMonitor] C:\WINDOWS\twain_32\DELL\MFP1125\Monitor\Stsmon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SystemSv121] C:\WINDOWS\system32\n2ewma1xxsv234.exe
O4 - HKLM\..\Run: [SystemSv12] C:\WINDOWS\system32\newmaxxsv234.exe
O4 - HKLM\..\Run: [runtime.exe] C:\WINDOWS\system32\runtime.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu27.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ubasss] mmdssvc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\system32\Isass.exe
O4 - HKLM\..\RunServices: [ubasss] mmdssvc.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.delex.com
O15 - Trusted Zone: *.longwaveinc.com
O15 - Trusted Zone: *.navy.mil
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: CbEvtSvc - Unknown owner - C:\WINDOWS\System32\CbEvtSvc.exe
O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\System32\CcEvtSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SQL Server (MSSMLBIZ) MSSQL$MSSMLBIZMessenger (MSSQL$MSSMLBIZMessenger) - Unknown owner - C:\WINDOWS\system32\6to4svcq.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe
O23 - Service: Network Location Awareness (NLA) NlaMSSQL$MSSMLBIZ (NlaMSSQL$MSSMLBIZ) - Unknown owner - C:\WINDOWS\system32\accessw.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager RDSessMgrwscsvc (RDSessMgrwscsvc) - Unknown owner - C:\WINDOWS\system32\activedsc.exe (file missing)
O23 - Service: Security Accounts Manager SamSsdmserver (SamSsdmserver) - Unknown owner - C:\WINDOWS\system32\amstreami.exe (file missing)
O23 - Service: SQL Server Browser SQLBrowserImapiService (SQLBrowserImapiService) - Unknown owner - C:\WINDOWS\system32\12520437r.exe (file missing)
O23 - Service: SSDP Discovery Service SSDPSRVBITS (SSDPSRVBITS) - Unknown owner - C:\WINDOWS\system32\1041a.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: WMI Performance Adapter WmiApSrvaspnet_state (WmiApSrvaspnet_state) - Unknown owner - C:\WINDOWS\system32\AlertAppg.exe (file missing)

--
End of file - 14376 bytes
MAPepin
Regular Member
 
Posts: 23
Joined: January 28th, 2008, 11:37 am

Re: HELP- I think something has taken over my computer!

Post by Simon V. » February 6th, 2008, 7:15 am

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Please post in your topic at Castle Cops (http://www.castlecops.com/t214858-HELP_ ... puter.html), and in any other topics you have created, that you are being helped here.

That's not looking good. There is evidence of several backdoor trojans present on your system. This infection allows outsiders complete access to every keystroke, account, and password you use while on this machine.

IF this computer has been used for any kind of important data, my best recommendation is to disconnect from the internet, reformat the entire drive and reinstall your operating system and applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. If that's the case, you could be subject to another attack or takeover as soon as you reconnect to the internet, even after removal of the infection.

The decision whether to reformat or not should be based on what you use the computer for. If the computer has been used for any important data, you are strongly advised to do the following, immediately:

  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any applications (programs) or executable files (.dll, .exe, .scr, .bat, .cmd, .vbs, .sys). Those should be reinstalled from the original CDs or websites.
  • If you have used this computer for shopping, banking, or any transactions relating to your financial well being, call all of your banks, credit card companies and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords - for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

In your next reply, let me know how you want to proceed.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
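
As an added example (not part of this thread, and not code from HijackThis or from MalwareRemoval.com), the following Python script applies the kind of reading Simon V. is doing to the HijackThis log posted above: hosts-file redirects (O1), a nameless BHO in system32 (O2), Run entries whose file name mimics a system binary, has no path, or sits in the Windows root (O4), and services with an unknown owner or a missing file (O23). The heuristics, the confusable-character map and the list of impersonated system binaries are the example's own assumptions; the sample lines are copied from the log above.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code).

Heuristics, the confusable-character map and the impersonated-binary list are
this example's own assumptions; the sample lines are taken from the log above.
"""
import re
from typing import List, Optional, Tuple

# Windows binaries that malware commonly impersonates (assumed short list).
KNOWN_SYSTEM_BINARIES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
                         "services.exe", "smss.exe", "explorer.exe", "ctfmon.exe"}
# Characters that look alike in a forum post or in Explorer (assumed map).
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o", "5": "s", "|": "l"})

def normalize(name: str) -> str:
    """Lower-case a file name and fold visually confusable characters."""
    return name.lower().translate(CONFUSABLES)

KNOWN_NORMALIZED = {normalize(k) for k in KNOWN_SYSTEM_BINARIES}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"')

def check_o1(body: str) -> Optional[str]:
    # O1 - Hosts: <ip> <hostname>; a mapping that is not the local host
    # silently redirects that site (here the rogue "BraveSentry" domains).
    ip, _, host = body.partition(" ")
    if not ip.startswith("127.") and ip != "::1":
        return f"hosts file redirects {host} to {ip}"

def check_o2(body: str) -> Optional[str]:
    # O2 - BHO: <name> - {CLSID} - <dll>; a nameless BHO in system32 is a
    # classic hiding place for a browser-hooking trojan.
    name, _, rest = body.partition(" - ")
    dll = rest.rsplit(" - ", 1)[-1]
    if name.strip() == "(no name)" and "system32" in dll.lower():
        return f"unnamed BHO loaded from system32: {basename(dll)}"

def check_o4(body: str) -> Optional[str]:
    # O4 - HKLM\..\Run: [value name] <command line>
    m = re.match(r"(HK\w+\\\.\.\\Run\w*): \[(.*?)\] (.*)", body)
    exe = re.match(r'"?([^"]+?\.exe)', m.group(3), re.I) if m else None
    if not exe:
        return None
    value_name, path = m.group(2), exe.group(1)
    name = basename(path)
    # "Isass.exe" (capital I) impersonating lsass.exe: compare after folding.
    if name.lower() not in KNOWN_SYSTEM_BINARIES and normalize(name) in KNOWN_NORMALIZED:
        return f"[{value_name}] runs look-alike of a system binary: {name}"
    if "\\" not in path:
        return f"[{value_name}] runs {name} without a path (resolved via search order)"
    if re.fullmatch(r"[a-z]:\\windows\\[^\\]+", path, re.I):
        return f"[{value_name}] runs {name} directly from the Windows directory"

def check_o23(body: str) -> Optional[str]:
    # O23 - Service: <display name> (<short name>) - <owner> - <path>
    parts = body.split(" - ")
    if len(parts) < 3:
        return None
    owner, path = parts[-2].strip(), parts[-1]
    if "(file missing)" in path:
        return f"service points at a missing file: {basename(path.replace(' (file missing)', ''))}"
    if owner == "Unknown owner" and "system32" in path.lower():
        return f"service with unknown owner in system32: {basename(path)}"

CHECKS = {"O1": check_o1, "O2": check_o2, "O4": check_o4, "O23": check_o23}

def triage(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (section, reason) for every log line a heuristic objects to."""
    findings = []
    for line in log_lines:
        m = re.match(r"(O\d+|R\d) - (.*)", line.strip())
        if not m or m.group(1) not in CHECKS:
            continue
        section, body = m.groups()
        if section != "O4":  # drop the "Hosts: " / "BHO: " / "Service: " label
            body = body.split(": ", 1)[-1]
        reason = CHECKS[section](body)
        if reason:
            findings.append((section, reason))
    return findings

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O1 - Hosts: 124.217.252.77 bravesentry.com
O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - c:\windows\system32\expand.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ubasss] mmdssvc.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\system32\Isass.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\System32\CcEvtSvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: SSDP Discovery Service SSDPSRVBITS (SSDPSRVBITS) - Unknown owner - C:\WINDOWS\system32\1041a.exe (file missing)
""".strip().splitlines()

if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(f"{section:>4}  {reason}")
```

Every hit is a candidate for review, not a verdict: the igfxtray and McAfee lines pass, while the seven entries the helper singles out by eye are the ones the script returns.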

Re: HELP- I think something has taken over my computer!

Post by MAPepin » February 6th, 2008, 12:23 pm

I have disconnected from the internet and have backed up all important files.
I'd like to try to clean this first and then check it before having to wipe the drive.
I've got another computer set up nearby so that I can communicate with you while servicing the infected computer.

BTW - I've already posted this at CastleCops and am now in a [READY] status over there.

Awaiting further instructions

Mike
MAPepin
Regular Member
 
Posts: 23
Joined: January 28th, 2008, 11:37 am

Re: HELP- I think something has taken over my computer!

Post by Simon V. » February 6th, 2008, 12:30 pm

MAPepin wrote: I have disconnected from the internet and have backed up all important files.
I'd like to try to clean this first and then check it before having to wipe the drive.
I've got another computer set up nearby so that I can communicate with you while servicing the infected computer.

BTW - I've already posted this at CastleCops and am now in a [READY] status over there.

Awaiting further instructions

Mike

Please post in that topic that you are being helped here, because it will only become confusing when two helpers are helping you.

If you've done that we can proceed.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: HELP- I think something has taken over my computer!

Post by MAPepin » February 6th, 2008, 12:42 pm

Thank you;

CC has been informed.
MAPepin
Regular Member
 
Posts: 23
Joined: January 28th, 2008, 11:37 am

Re: HELP- I think something has taken over my computer!

Post by Ried » February 6th, 2008, 12:55 pm

Thread at TSF has been closed, and MAPepin has informed CC. Please proceed Simon V. :)
Ried
Visiting Staff
 
Posts: 423
Joined: November 6th, 2007, 12:06 pm

Re: HELP- I think something has taken over my computer!

Post by Simon V. » February 6th, 2008, 1:39 pm

Ried wrote: Thread at TSF has been closed, and MAPepin has informed CC. Please proceed Simon V. :)

Thank you, Ried :)

Let's get started then...

Step 1

Please download and install CCleaner.

Open CCleaner. On the Windows tab, leave the default options alone.

  • On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
  • Click on the Run Cleaner button at the bottom right hand corner.
  • When the cleaner has completed, click Tools in the Left Pane.
  • Verify that Uninstall is highlighted in color, or click on it.
  • In the lower right, click Save to Text File.
  • Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
  • You can leave the filename as install.txt.
  • Click Save, then exit CCleaner.

Step 2

Print these instructions or copy them to Notepad and save it to your desktop, as you won't be able to access internet in Safe Mode.

Please download SDFix and save it to your desktop.

Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows directory, typically C:\SDFix)

Please reboot into Safe Mode. To do this, go to Start > Turn off Computer, and select Restart. Rapidly tap F8 just before Windows starts to load. In the menu that appears, select Safe Mode (Without Networking)

Log in to your usual account.

Once in Safe Mode, do the following:

Open the extracted SDFix folder and double-click RunThis.bat to start the script.

  • Type Y to begin the cleanup process.
  • It will remove any trojan services and registry entries that it finds, then prompt you to press any key to reboot; press any key and it will restart the PC.
  • When the PC restarts SDFix will run again and complete the removal process then display Finished. Press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to clipboard ready for posting back on the forum).

Step 3

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofi ... e-combofix

Post the log from ComboFix (C:\Combofix.txt) when you've accomplished that, along with a new HijackThis log, the CCleaner Uninstall List (install.txt) and the SDFix report (C:\SDFix\Report.txt)
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: HELP- I think something has taken over my computer!

Post by MAPepin » February 6th, 2008, 3:51 pm

OK,
I ran CCleaner, SDFix and ComboFix and took a new HJT log (logs posted below, also attached).

I thought that I had McAfee turned off, but it kept popping up a warning on the ComboFix files. I chose to have it ignore each one, but it seems to me that ComboFix ended abruptly and the computer rebooted. Maybe it was just a quick scan. Anyway, here are the logs:

===================================================
CCinstall.txt
Adobe Acrobat 8 Standard
Adobe Acrobat 8.1.0 Standard
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
AT&T Self Support Tool
AT&T Yahoo! Applications
BroadJump Client Foundation
Business Contact Manager for Outlook 2007
Calculator Powertoy for Windows XP
CCleaner (remove only)
Dell MFP 1125
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 2.0 (KB922981)
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Intel(R) PRO Alerting Agent
Intel(R) PRO Network Connections 12.1.12.4
Intel(R) PROSafe for Wired Connections
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 3
McAfee SecurityCenter
MFCLOC
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Accounting 2007
Microsoft Office Accounting ADP Payroll Addin
Microsoft Office Accounting Equifax Addin
Microsoft Office Accounting Fixed Asset Manager
Microsoft Office Accounting PayPal Addin
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Project MUI (English) 2007
Microsoft Office Project Standard 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft Outlook Web Access S/MIME
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
PaperPort Image Printer
PowerDVD
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio Update Manager
ScanSoft PaperPort 11
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB939373)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
SIW version 1.73
Sonic Activation Module
Tweak UI
Update for Outlook 2007 Junk Email Filter (kb943597)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
WebFldrs XP
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859

===================================================

SDFix_report.txt


SDFix: Version 1.137

Run by MAPepin on Wed 02/06/2008 at 02:01 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
CcEvtSvc
msupdate

Path:
%SystemRoot%\System32\CcEvtSvc.exe -k netsvcs
c:\windows\system32\mssrv32.exe

CcEvtSvc - Deleted
msupdate - Deleted



Infected ip6fw.sys Found!

ip6fw.sys File Locations:

"C:\WINDOWS\system32\dllcache\ip6fw.sys" 29056 08/04/2004 06:00 AM
"C:\WINDOWS\system32\drivers\ip6fw.sys" 29056 08/04/2004 06:00 AM

Infected File Listed Below:

C:\WINDOWS\system32\drivers\ip6fw.sys

File copied to Backups Folder
Attempting to replace ip6fw.sys with original version...

Original ip6fw.sys Restored


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting...

Service asc3550p - Deleted after Reboot
Service Ywe34 - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\expand.dll - Deleted
C:\WINDOWS\system32\drivers\Wbu31.sys - Deleted
C:\WINDOWS\system32\drivers\Xtfi41.sys - Deleted
C:\WINDOWS\system32\drivers\Ywe34.sys - Deleted
C:\WINDOWS\SYSTEM32\DLLGH8~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\203915~1.DLL - Deleted
C:\WINDOWS\system32\service\dllp.txt - Deleted
C:\WINDOWS\system32\2_exception.nls - Deleted
C:\WINDOWS\system32\dllgh8jkd1q1.exe - Deleted
C:\WINDOWS\system32\dllgh8jkd1q2.exe - Deleted
C:\WINDOWS\system32\dllgh8jkd1q5.exe - Deleted
C:\WINDOWS\system32\dllgh8jkd1q6.exe - Deleted
C:\WINDOWS\system32\dllgh8jkd1q7.exe - Deleted
C:\WINDOWS\system32\dllgh8jkd1q8.exe - Deleted
C:\WINDOWS\system32\m1ax1d12132116143v.exe - Deleted
C:\WINDOWS\system32\m1ax1d1213216143v.exe - Deleted
C:\WINDOWS\system32\n2ewma1xxsv234.exe - Deleted
C:\WINDOWS\system32\newmaxxsv234.exe - Deleted
C:\WINDOWS\system32\vedxg4am1et2.exe - Deleted
C:\WINDOWS\system32\vedxg6ame4.exe - Deleted
C:\WINDOWS\system32\vedxga1me4t1.exe - Deleted
C:\Documents and Settings\MAPepin\Application Data\Install.dat - Deleted
C:\WINDOWS\system32\CcEvtSvc.exe - Deleted
C:\WINDOWS\system32\form.txt - Deleted
C:\WINDOWS\system32\info.txt - Deleted
C:\WINDOWS\system32\kernelwind64.exe - Deleted
C:\WINDOWS\system32\kr_done1 - Deleted
C:\WINDOWS\system32\lich.dat - Deleted
C:\WINDOWS\system32\mssrv32.exe - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\vx.tll - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted
C:\WINDOWS\xpupdate.exe - Deleted
C:\WINDOWS\system32\drivers\symavc32.sys - Deleted


Could Not Remove C:\WINDOWS\SYSTEM32\231674~1.DAT

Folder C:\WINDOWS\system32\service - Removed


Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 14:04:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------

CcEvtSvc


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\WINDOWS\\system32\\mmdssvc.exe"="C:\\WINDOWS\\system32\\mmdssvc.exe:*:Enabled:mmdssvc"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\runtime.exe"="C:\\WINDOWS\\system32\\runtime.exe:*:Disabled:runtime.exe"
"C:\\Documents and Settings\\MAPepin\\tmp.exe"="C:\\Documents and Settings\\MAPepin\\tmp.exe:*:Disabled:runtime.exe"
"C:\\Documents and Settings\\MAPepin\\Desktop\\tmp.exe"="C:\\Documents and Settings\\MAPepin\\Desktop\\tmp.exe:*:Disabled:runtime.exe"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------
C:\WINDOWS\SYSTEM32\231674~1.DAT Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 1 Feb 2008 38,400 ..SHR --- "C:\WINDOWS\system32\6to4svcq.exe"
Thu 31 Jan 2008 17,920 A.SH. --- "C:\WINDOWS\system32\accessw.dll"
Wed 6 Feb 2008 38,400 ..SHR --- "C:\WINDOWS\system32\accesswr.exe"
Thu 17 Jan 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Thu 17 Jan 2008 211 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Sat 19 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT4.tmp"
Sat 19 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT2.tmp"
Sat 19 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT6.tmp"
Fri 25 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT1.tmp"
Sat 19 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6b636582f273e0b4cae6f62415c52d81\BIT8.tmp"
Wed 6 Feb 2008 8,340,783 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7a5a959f7dd6b76d854fc3c066993fad\BIT9.tmp"
Sat 19 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT5.tmp"
Sat 19 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BIT7.tmp"
Sat 19 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT3.tmp"
Mon 4 Feb 2008 36,864 ...H. --- "C:\Documents and Settings\MAPepin\Application Data\Microsoft\Templates\~WRL0002.tmp"

Finished!
===================================================

ComboFix.txt

ComboFix 08-02.05.3 - MAPepin 2008-02-06 14:31:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1482 [GMT -5:00]
Running from: C:\Documents and Settings\MAPepin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\symavc32.sys
C:\Documents and Settings\Administrator\Application Data\install.dat
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drivers\BQJ56.sys
C:\WINDOWS\system32\x64

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_BQJ56
-------\LEGACY_CCEVTSVC
-------\CcEvtSvc


((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-06 14:21 . 2004-08-04 05:00 260,272 -r-hs---- C:\cmldr
2008-02-06 14:03 . 2008-02-06 14:03 32 --a------ C:\WINDOWS\system32\2316743137.dat
2008-02-06 14:00 . 2008-02-06 14:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-06 13:57 . 2008-02-06 14:06 <DIR> d-------- C:\SDFix
2008-02-06 07:35 . 2008-02-06 07:35 38,400 -r-hs---- C:\WINDOWS\system32\accesswr.exe
2008-02-05 14:21 . 2008-02-05 14:21 256,000 --a------ C:\WINDOWS\system32\apiuser32.dll
2008-02-05 14:21 . 2008-02-06 14:34 0 --a------ C:\reg.reg
2008-02-05 08:33 . 2004-08-04 06:00 24,576 --a------ C:\WINDOWS\system32\userini.exe
2008-02-04 10:49 . 2008-02-06 14:03 93,184 --a------ C:\Documents and Settings\LocalService\Application Data\1001789598.exe
2008-02-04 09:38 . 2008-02-06 08:50 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-02-04 09:18 . 2008-02-06 08:50 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-04 08:45 . 2008-02-04 08:45 376 --a------ C:\WINDOWS\ODBC.INI
2008-02-04 07:38 . 2008-02-06 08:53 <DIR> d-------- C:\Program Files\Opera
2008-02-01 12:02 . 2006-10-26 19:58 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2008-02-01 11:58 . 2008-02-01 11:58 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2008-02-01 11:58 . 2008-02-01 11:58 0 --a------ C:\WINDOWS\frontpg.ini
2008-02-01 10:56 . 2008-02-01 10:56 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-01 10:56 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-02-01 10:56 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-02-01 07:38 . 2008-02-01 07:38 38,400 -r-hs---- C:\WINDOWS\system32\6to4svcq.exe
2008-01-31 13:32 . 2008-01-31 13:32 17,920 --ahs---- C:\WINDOWS\system32\accessw.dll
2008-01-31 07:33 . 2008-02-04 17:12 25,984 --a------ C:\WINDOWS\system32\drivers\Ytt77.sys
2008-01-30 18:00 . 2008-01-30 18:00 29 --a------ C:\WINDOWS\system32\iepdforu.tmp
2008-01-30 17:54 . 2008-02-06 14:03 163,840 --a------ C:\Documents and Settings\LocalService\Application Data\1035870398.exe
2008-01-29 11:29 . 2008-02-06 13:03 <DIR> d-------- C:\Program Files\CCleaner
2008-01-29 10:57 . 2008-02-05 10:26 8,388,671 --a------ C:\WINDOWS\pfirewall.log.old
2008-01-29 08:15 . 2008-01-29 08:15 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\DivX
2008-01-29 08:01 . 2008-01-04 16:58 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-01-29 08:01 . 2008-01-04 16:58 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-01-29 08:00 . 2008-01-29 08:01 <DIR> d-------- C:\Program Files\DivX
2008-01-29 07:32 . 2008-01-29 08:54 41,472 --a------ C:\WINDOWS\system32\CbEvtSvc.exe
2008-01-28 15:06 . 2008-01-28 15:06 <DIR> d-------- C:\Program Files\SIW
2008-01-28 13:20 . 2008-02-05 14:29 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\OpenOffice.org2
2008-01-28 12:27 . 2008-01-28 12:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-26 15:08 . 2008-01-26 15:08 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-01-26 14:20 . 2008-01-26 14:20 206 --a------ C:\WINDOWS\system32\MRT.INI
2008-01-26 13:11 . 2008-01-26 13:12 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-26 12:41 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-26 11:52 . 2008-01-26 12:44 <DIR> d-------- C:\Documents and Settings\MAPepin\.housecall6.6
2008-01-26 11:51 . 2008-01-26 11:51 <DIR> d-------- C:\WINDOWS\Sun
2008-01-26 11:36 . 2008-01-29 08:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-25 16:08 . 2008-01-29 07:32 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-24 16:40 . 2008-01-29 07:52 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\XnView
2008-01-24 15:54 . 2008-01-24 15:54 21,504 --a------ C:\lo-1679164330.exe
2008-01-24 15:52 . 2008-01-24 15:52 21,504 --a------ C:\lo1289083134.exe
2008-01-24 15:52 . 2008-01-24 15:52 21,504 --a------ C:\lo-513865536.exe
2008-01-24 15:52 . 2008-01-24 15:52 21,504 --a------ C:\lo-1538082432.exe
2008-01-24 15:41 . 2008-01-24 15:41 21,504 --a------ C:\lo636569781.exe
2008-01-24 15:40 . 2008-01-24 15:40 21,504 --a------ C:\lo482396030.exe
2008-01-24 15:38 . 2008-01-24 15:38 21,504 --a------ C:\lo-22980135.exe
2008-01-22 15:28 . 2008-02-06 08:52 <DIR> d-------- C:\Program Files\OpenOffice.org 2.3
2008-01-22 15:28 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-19 03:02 . 2006-08-21 04:14 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-19 03:02 . 2006-08-21 04:14 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-19 03:02 . 2006-08-21 07:21 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-19 03:01 . 2008-01-19 03:01 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-18 16:43 . 2008-01-18 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-18 13:43 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-18 09:56 . 2008-01-18 09:56 <DIR> d---s---- C:\Documents and Settings\MAPepin\UserData
2008-01-18 08:51 . 2008-01-18 08:51 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\Monotype Imaging
2008-01-18 08:42 . 2008-01-18 08:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-18 08:33 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-18 08:33 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-18 08:33 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-18 07:39 . 2007-07-09 08:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-17 17:46 . 2008-01-18 09:05 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\Yahoo!
2008-01-17 17:45 . 2007-01-31 10:58 43,387 --a------ C:\WINDOWS\browser.exe
2008-01-17 17:45 . 2007-01-31 10:58 6,246 --a------ C:\WINDOWS\atty.ico
2008-01-17 17:44 . 2008-01-17 17:44 <DIR> d-------- C:\WINDOWS\Motive
2008-01-17 17:44 . 2008-01-17 17:45 <DIR> d-------- C:\Program Files\SBC Self Support Tool
2008-01-17 17:44 . 2008-01-17 17:44 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-01-17 17:44 . 2008-01-17 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-01-17 17:44 . 2005-05-10 01:36 81,920 --------- C:\WINDOWS\system32\W32n50.dll
2008-01-17 17:44 . 2005-05-10 01:36 17,162 --------- C:\WINDOWS\system32\Pcandis5.sys
2008-01-17 17:44 . 2005-05-10 01:36 16,848 --------- C:\WINDOWS\system32\Pcandis4.sys
2008-01-17 17:44 . 2005-05-10 01:36 16,073 --------- C:\WINDOWS\system32\Pcandis3.vxd
2008-01-17 17:42 . 2008-01-17 17:42 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\ScanSoft
2008-01-17 17:33 . 2008-01-18 14:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yahoo!
2008-01-17 17:33 . 2002-01-05 07:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-01-17 17:33 . 2002-01-05 06:18 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2008-01-17 17:33 . 2001-10-11 11:26 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
2008-01-17 17:33 . 2002-02-21 18:56 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-01-17 17:11 . 2008-01-17 17:46 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-17 17:07 . 2008-01-17 17:07 <DIR> d-------- C:\Program Files\BroadJump
2008-01-17 16:52 . 2007-01-31 10:58 6,345 -ra------ C:\WINDOWS\system32\DevMngr.vxd
2008-01-17 16:51 . 2007-01-31 10:58 266,240 --------- C:\WINDOWS\SBCDSL.exe
2008-01-17 16:41 . 2008-01-17 16:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Monotype Imaging
2008-01-17 16:41 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-17 16:41 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2008-01-17 16:41 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-17 16:41 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-17 16:21 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-01-17 16:21 . 2008-01-17 16:21 4,128 --a------ C:\INFCACHE.1
2008-01-17 15:55 . 2001-08-17 13:58 19,200 --a------ C:\WINDOWS\system32\drivers\hidbatt.sys
2008-01-17 15:55 . 2001-08-17 13:58 19,200 --a------ C:\WINDOWS\system32\dllcache\hidbatt.sys
2008-01-17 15:55 . 2001-08-17 13:57 14,080 --a------ C:\WINDOWS\system32\drivers\battc.sys
2008-01-17 15:55 . 2001-08-17 13:57 14,080 --a------ C:\WINDOWS\system32\dllcache\battc.sys
2008-01-17 15:55 . 2001-08-17 13:58 9,344 --a------ C:\WINDOWS\system32\drivers\compbatt.sys
2008-01-17 15:55 . 2001-08-17 13:58 9,344 --a------ C:\WINDOWS\system32\dllcache\compbatt.sys
2008-01-17 14:42 . 2008-01-15 22:27 <DIR> d-------- C:\Documents and Settings\MAPepin\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 03:08 6,903 ----a-w C:\WINDOWS\system32\drivers\1028_Dell_OPT_755.mrk
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-06-28 16:21 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-06-28 16:21 162328]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-06-28 16:21 137752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 10:03 210472]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-03-14 12:31 30248]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-03-14 12:29 46632]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-26 20:03 178712]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 17:15 81920]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 10:00 1116920]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 18:23 118784]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 23:46 624248]
"Acrobat Speed Launch"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 02:40 46200]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"MFPMonitor"="C:\WINDOWS\twain_32\DELL\MFP1125\Monitor\Stsmon.exe" [2007-07-22 16:10 2002944]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 07:51 442455]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 20:12 1036288]
"ubasss"="mmdssvc.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ubasss"="mmdssvc.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2008-01-17 17:44:25 217088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"BurnWin"= {C145CF11-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\system32\apiuser32.dll [2008-02-05 14:21 256000]

R0 Ytt77;Ytt77;C:\WINDOWS\system32\Drivers\Ytt77.sys [2008-02-04 17:12]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 11:35]
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2007-01-23 04:58]
R2 CbEvtSvc;CbEvtSvc;C:\WINDOWS\System32\CbEvtSvc.exe [2008-01-29 08:54]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" [2007-02-10 05:29]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 06:00]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
S2 mcmscsvcWebClient;McAfee Services mcmscsvcWebClient;C:\WINDOWS\system32\accesswr.exe srv []
S2 MSSQL$MSSMLBIZMessenger;SQL Server (MSSMLBIZ) MSSQL$MSSMLBIZMessenger;C:\WINDOWS\system32\6to4svcq.exe srv []
S2 NlaMSSQL$MSSMLBIZ;Network Location Awareness (NLA) NlaMSSQL$MSSMLBIZ;C:\WINDOWS\system32\accessw.exe srv []
S2 RDSessMgrwscsvc;Remote Desktop Help Session Manager RDSessMgrwscsvc;C:\WINDOWS\system32\activedsc.exe srv []
S2 SamSsdmserver;Security Accounts Manager SamSsdmserver;C:\WINDOWS\system32\amstreami.exe srv []
S2 SQLBrowserImapiService;SQL Server Browser SQLBrowserImapiService;C:\WINDOWS\system32\12520437r.exe srv []
S3 AsfAlrt;AsfAlrt Service;C:\WINDOWS\system32\Drivers\AsfAlrt.sys [2007-01-23 04:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{814033b0-c88b-11dc-b481-001aa0ea5509}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9168a98-d3f9-11dc-b497-001aa0ea5509}]
\Shell\AutoRun\command - E:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

*Newly Created Service* - CCEVTSVC
*Newly Created Service* - HYW71
.
Contents of the 'Scheduled Tasks' folder
"2008-01-16 03:35:09 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-16 03:35:08 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 14:34:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\CcEvtSvc.exe 93184 bytes executable
C:\WINDOWS\system32\drivers\Hyw71.sys 167936 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\Hyw71]

.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\CcEvtSvc.exe
C:\WINDOWS\system32\cscript.exe
.
**************************************************************************
.
Completion time: 2008-02-06 14:35:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-06 19:35:35
.
2008-02-05 22:14:06 --- E O F ---
===================================================
hijackthis20080206(1).txt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:40 PM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\twain_32\DELL\MFP1125\Monitor\Stsmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\CbEvtSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\CcEvtSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=0080115
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Acrobat Speed Launch] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [MFPMonitor] C:\WINDOWS\twain_32\DELL\MFP1125\Monitor\Stsmon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ubasss] mmdssvc.exe
O4 - HKLM\..\RunServices: [ubasss] mmdssvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.delex.com
O15 - Trusted Zone: *.longwaveinc.com
O15 - Trusted Zone: *.navy.mil
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O21 - SSODL: BurnWin - {C145CF11-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\system32\apiuser32.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: CbEvtSvc - Unknown owner - C:\WINDOWS\System32\CbEvtSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Services mcmscsvcWebClient (mcmscsvcWebClient) - Unknown owner - C:\WINDOWS\system32\accesswr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Network Location Awareness (NLA) NlaMSSQL$MSSMLBIZ (NlaMSSQL$MSSMLBIZ) - Unknown owner - C:\WINDOWS\system32\accessw.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager RDSessMgrwscsvc (RDSessMgrwscsvc) - Unknown owner - C:\WINDOWS\system32\activedsc.exe (file missing)
O23 - Service: Security Accounts Manager SamSsdmserver (SamSsdmserver) - Unknown owner - C:\WINDOWS\system32\amstreami.exe (file missing)
O23 - Service: SQL Server Browser SQLBrowserImapiService (SQLBrowserImapiService) - Unknown owner - C:\WINDOWS\system32\12520437r.exe (file missing)
O23 - Service: SSDP Discovery Service SSDPSRVBITS (SSDPSRVBITS) - Unknown owner - C:\WINDOWS\system32\1041a.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: WMI Performance Adapter WmiApSrvaspnet_state (WmiApSrvaspnet_state) - Unknown owner - C:\WINDOWS\system32\AlertAppg.exe (file missing)

--
End of file - 12232 bytes

===================================================

END
MAPepin
Regular Member
 
Posts: 23
Joined: January 28th, 2008, 11:37 am

Re: HELP- I think something has taken over my computer!

Unread postby Simon V. » February 6th, 2008, 6:09 pm

Hi :)

Step 1

Click on Start, then Control Panel. Double click on Add or Remove Programs.

Please remove the following program(s):

J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 3


Then download and install Java Runtime Environment (JRE) 6 Update 4.

Step 2

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

KillAll::

File::

C:\WINDOWS\system32\6to4svcq.exe
C:\WINDOWS\system32\accessw.dll
C:\WINDOWS\system32\accesswr.exe
C:\WINDOWS\system32\apiuser32.dll
C:\WINDOWS\system32\userini.exe
C:\Documents and Settings\LocalService\Application Data\1001789598.exe
C:\WINDOWS\system32\drivers\Ytt77.sys
C:\WINDOWS\system32\iepdforu.tmp
C:\Documents and Settings\LocalService\Application Data\1035870398.exe
C:\WINDOWS\system32\CbEvtSvc.exe
C:\WINDOWS\system32\d3d9caps.dat
C:\lo-1679164330.exe
C:\lo1289083134.exe
C:\lo-513865536.exe
C:\lo-1538082432.exe
C:\lo636569781.exe
C:\lo482396030.exe
C:\lo-22980135.exe
C:\WINDOWS\browser.exe
C:\WINDOWS\atty.ico
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\DevMngr.vxd
C:\WINDOWS\SBCDSL.exe
C:\WINDOWS\system32\CcEvtSvc.exe
C:\WINDOWS\system32\drivers\Hyw71.sys

Registry::

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\mmdssvc.exe"=-
"C:\\Documents and Settings\\MAPepin\\tmp.exe"=-
"C:\\Documents and Settings\\MAPepin\\Desktop\\tmp.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ubasss"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ubasss"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"BurnWin"=-

Driver::

Ytt77
CbEvtSvc
mcmscsvcWebClient
MSSQL$MSSMLBIZMessenger
NlaMSSQL$MSSMLBIZ
RDSessMgrwscsvc
SamSsdmserver
SQLBrowserImapiService
CCEVTSVC
HYW71


Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Close any open windows.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 3

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:

    • Click on the Malwarebytes' Anti-Malware icon to launch the program.
    • Click on the Logs tab.
    • Click on the log at the bottom of those listed to highlight it.
    • Click Open.

Step 4

In your next reply, please post:

  • the Combofix log (C:\Combofix.txt)
  • the Malwarebytes' Anti-Malware report
  • a new HijackThis log
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
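The services Simon lists under Driver:: share three tells that are visible in the O23 lines of the HijackThis log above: no publisher ("Unknown owner"), a registered binary that is missing, and a short name made of two genuine service names stacked together (NLA + MSSQL$MSSMLBIZ, SSDPSRV + BITS). The Python below is an added example, not a tool from this thread: it parses O23 lines and flags those tells; the allow-list of genuine names and the sample lines are constructed from this log.

```python
import re

# Constructed sample: O23 lines in the shape of the HijackThis log in this thread.
SAMPLE_O23 = """\
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\\PROGRA~1\\McAfee\\MSC\\mcmscsvc.exe
O23 - Service: McAfee Services mcmscsvcWebClient (mcmscsvcWebClient) - Unknown owner - C:\\WINDOWS\\system32\\accesswr.exe
O23 - Service: Network Location Awareness (NLA) NlaMSSQL$MSSMLBIZ (NlaMSSQL$MSSMLBIZ) - Unknown owner - C:\\WINDOWS\\system32\\accessw.exe (file missing)
O23 - Service: SSDP Discovery Service SSDPSRVBITS (SSDPSRVBITS) - Unknown owner - C:\\WINDOWS\\system32\\1041a.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\\Program Files\\Common Files\\SureThing Shared\\stllssvr.exe
"""

# Assumed allow-list of genuine short service names taken from this log; a real baseline comes from a clean machine.
KNOWN = {"mcmscsvc", "WebClient", "NLA", "MSSQL$MSSMLBIZ", "RDSessMgr", "wscsvc",
         "SamSs", "dmserver", "SQLBrowser", "ImapiService", "SSDPSRV", "BITS",
         "WmiApSrv", "aspnet_state", "Messenger", "stllssvr"}
KNOWN_LC = {k.lower(): k for k in KNOWN}

O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SHORT_RE = re.compile(r"\((?P<short>[^()]+)\)\s*$")   # "(shortname)" at the end of the display name

def split_stacked(short):
    """(head, tail) if short is one genuine service name glued to another, else None."""
    s = short.lower()
    for head in KNOWN_LC:
        tail = s[len(head):]
        if s.startswith(head) and tail in KNOWN_LC:
            return KNOWN_LC[head], KNOWN_LC[tail]
    return None

def triage_o23(text):
    """Parse O23 lines; return [(short_name, [reasons])] for entries that look bogus."""
    findings = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        display, owner, path = m.group("display", "owner", "path")
        sm = SHORT_RE.search(display)
        short = sm.group("short") if sm else display  # no "(name)": the display is the name
        reasons = []
        if owner == "Unknown owner":
            reasons.append("binary carries no publisher")
        if path.endswith("(file missing)"):
            reasons.append("registered binary is missing")
        stacked = split_stacked(short)
        if stacked:
            reasons.append("name is %s + %s stacked together" % stacked)
        if reasons:
            findings.append((short, reasons))
    return findings
```

Genuine entries with a publisher, an existing binary and a plain short name (mcmscsvc, stllssvr) produce no finding; the three bogus ones are returned with their reasons.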

Re: HELP- I think something has taken over my computer!

Unread postby MAPepin » February 6th, 2008, 7:01 pm

Every time I try to drag the CFScript onto the ComboFix.exe, the following window pops up:

====================================
Error
You cannot rename ComboFix as ComboFix
Please use another name
====================================

When I click 'OK', it closes out. :?:

Mike
MAPepin
Regular Member
 
Posts: 23
Joined: January 28th, 2008, 11:37 am

Re: HELP- I think something has taken over my computer!

Unread postby Simon V. » February 7th, 2008, 4:23 am

You probably haven't disabled all your protection programs properly.

Information and instructions on how to do so can be found on this web page: http://www.bleepingcomputer.com/forums/topic114351.html

If the problem persists after disabling your real time protection programs, please let me know.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: HELP- I think something has taken over my computer!

Unread postby MAPepin » February 7th, 2008, 11:58 am

I have disabled all protection configuration for McAfee. I right-click on the McAfee icon in the taskbar and it does not give me the option to 'Exit' the program. I had to go into the advanced configuration and turn off each item individually.

I still get the same popup when I drag CFScript.txt onto ComboFix.exe, after which it closes out.

Mike
MAPepin
Regular Member
 
Posts: 23
Joined: January 28th, 2008, 11:37 am

Re: HELP- I think something has taken over my computer!

Unread postby Simon V. » February 7th, 2008, 12:39 pm

Hi :)

Let's try it in Safe Mode.

Print these instructions or copy them to Notepad and save it to your desktop, as you won't be able to access the internet in Safe Mode.

Please reboot into Safe Mode. To do this, go to Start > Turn off Computer, and select Restart. Rapidly tap F8 just before Windows starts to load. In the menu that appears, select Safe Mode (Without Networking).

Log in to your usual account.

Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

If Combofix hasn't done so, reboot your computer into Normal Mode and follow the rest of my last instructions (viewtopic.php?p=262934#p262934)

If Combofix still doesn't work, let me know before proceeding.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: HELP- I think something has taken over my computer!

Unread postby MAPepin » February 7th, 2008, 1:40 pm

SimonV.

ComboFix is still not accepting the CFScript.txt.

I wonder if this is the result of McAfee closing it out early when I ran it the last time?

Should I re-run ComboFix?

Mike
MAPepin
Regular Member
 
Posts: 23
Joined: January 28th, 2008, 11:37 am

Re: HELP- I think something has taken over my computer!

Unread postby Simon V. » February 7th, 2008, 2:18 pm

MAPepin wrote:
SimonV.

ComboFix is still not accepting the CFScript.txt.

I wonder if this is the result of McAfee closing it out early when I ran it the last time?

Should I re-run ComboFix?

Mike

Alright, let's try one last thing before using other tools.

Delete Combofix and this folder: C:\Combofix\.

Then download Combofix again from one of the links below:

Link 1
Link 2
Link 3

In Normal Mode, try dragging CFScript into Combofix.exe. Let me know whether it worked.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium