Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

nhenson's hijack this log

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

nhenson's hijack this log

Unread postby nhenson » December 20th, 2009, 11:34 pm

I posted here last month and my topic was bumped...and then I didn't have access to this (my family's) computer for almost a month due to some extenuating circumstances. Sorry for the inconvenience. Anyways, here are my lists:

Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:58 PM, on 12/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\SafetyCenter\new.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
c:\program files\real\realplayer\RealPlay.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe

O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 antiviraprof2009.com
O1 - Hosts: 91.212.127.227 www.antiviraprof2009.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: BHO - {B6D223F6-C185-49a2-BA7E-A03E84744702} - C:\WINDOWS\system32\iehelper.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [SafetyCenter] c:\SafetyCenter\start.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Protection System] "C:\Program Files\Protection System\psystem.exe" -noscan
O4 - HKCU\..\Run: [lweysfii] C:\Documents and Settings\Nikki\Local Settings\Application Data\sytejs\rjdgsysguard.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1ca329e656b8fd0) (gupdate1ca329e656b8fd0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Print Spooler Service (SpoolSvc213) - Unknown owner - C:\WINDOWS\system32\cjnr4r4dzuo.exe (file missing)
O23 - Service: Terminal Connections (terms) - Unknown owner - C:\WINDOWS\system32\terminals.exe (file missing)
O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\mlsdf8hwvqlgcxtok.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9511 bytes


Uninstall list:

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
AIM 6
AOL Instant Messenger
AOLIcon
Apple Software Update
ATI Catalyst Control Center
ATI Display Driver
Avira AntiVir Personal - Free Antivirus
Azureus Vuze
Bluetooth Stack for Windows by Toshiba
Broadcom Management Programs
Centra Client
Cisco Clean Access Agent
Conexant HDA D110 MDC V.92 Modem
Corel Photo Album 6
DellSupport
Digital Line Detect
DivX
DivX Converter
DivX Player
DivX Web Player
Documentation & Support Launcher
ELIcon
GemMaster Mystic
Google Chrome
Google Update Helper
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Intel(R) PROSet/Wireless Software
iPod for Windows 2006-06-28
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
LiveUpdate 2.6 (Symantec Corporation)
Logitech QuickCam Software
McAfee SecurityCenter
mCore
MCU
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
mIWA
mLogView
mMHouse
Modem Helper
Mozilla Firefox (3.0.15)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
mWlsSafe
mWMI
mXML
mZConfig
Nero 7 Essentials
NetWaiting
oggcodecs 0.71.0946
PowerDVD 5.7
QuickSet
QuickTime
RealPlayer
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
SEU Network Applications
Sonic Copy Module
Sonic DLA
Sonic Encoders
Sonic Express Labeler
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Data
Sonic Update Manager
Sound Blaster ADVANCED MB Drivers
Sound Blaster Audigy ADVANCED MB
Sound Blaster Audigy ADVANCED MB Product Registration
Synaptics Pointing Device Driver
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update Rollup 2 for Windows XP Media Center Edition 2005
Windows Defender
Windows Defender Signatures
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890927
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
WordPerfect Office 12



Once logged into the computer, the first thing that pops up, without letting Windows load, is what appears to be a fake virus protection program warning the user about something dangerous on the system. Once this window is closed, Windows loads and then above the task bar on the lower right-hand side of the screen a popup alert will show up with the title "Safety Center" and say "SafetyCenter software managed to ?????(a part of the window is just white and you can't see all of the text) and block the attack attempt! Please ??? the instructions to get full protection." It then says to "Run registry doctor" and has a button below the window to do this. I have never clicked on this nor has anyone in my family (or at least no one is admitting it). I was told sometimes the computer will just go to an entirely blue screen and say something like "Windows has detected a problem and is terminating operations to protect the computer. If this is the first time you have received this message, reboot. If not, take measures to reduce errors." I also know that the browsers, usually just Firefox although Google Chrome has done it to me, randomly close down without warning as well. Please help me if possible. Thank you,

Nhenson
nhenson
Active Member
 
Posts: 8
Joined: November 26th, 2009, 6:13 pm
Top
Advertisement
Register to Remove

Re: nhenson's hijack this log

Unread postby MWR 3 day Mod » December 24th, 2009, 12:20 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am
Top

Re: nhenson's hijack this log

Unread postby muppy03 » December 26th, 2009, 4:03 am

Hello and welcome to Malware Removal Forums

IMPORTANT

Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
To make cleaning this machine easier:-
  • Continue to respond to this thread until I give you the All Clean!
  • Please DO NOT uninstall/install any programs unless asked to. It is more difficult when files/programs appear or disappear from the logs.
  • Please do not run any scans other than those requested and do not post any logs/reports unless specifically requested to do so.
  • Please follow all instructions in the order posted.
  • If you have any questions or do not understand instructions, please ask before continuing.
  • Please reply to this thread. Do not start a new topic.

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Azureus Vuze

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red). Also take note that remnants of the above program/s and any other P2P program found will be removed when cleaning.


Multiple Anti-virus Programs
You are operating your computer with multiple Anti-virus programs running in memory at once:
Avira AntiVir Personal
McAfee SecurityCenter

Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash. Please remove one of them NOW.

While in add/removeprograms I would like you to uninstall the following:-
    LiveUpdate 2.6 (Symantec Corporation)

Once the above is done please post back a NEW HJT log
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia
Top

Re: nhenson's hijack this log

Unread postby nhenson » December 26th, 2009, 11:32 am

New log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:29 AM, on 12/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
c:\SafetyCenter\new.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 antiviraprof2009.com
O1 - Hosts: 91.212.127.227 www.antiviraprof2009.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: BHO - {B6D223F6-C185-49a2-BA7E-A03E84744702} - C:\WINDOWS\system32\iehelper.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\RunOnce: [SafetyCenter] c:\SafetyCenter\start.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Protection System] "C:\Program Files\Protection System\psystem.exe" -noscan
O4 - HKCU\..\Run: [lweysfii] C:\Documents and Settings\Nikki\Local Settings\Application Data\sytejs\rjdgsysguard.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1ca329e656b8fd0) (gupdate1ca329e656b8fd0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Print Spooler Service (SpoolSvc213) - Unknown owner - C:\WINDOWS\system32\cjnr4r4dzuo.exe (file missing)
O23 - Service: Terminal Connections (terms) - Unknown owner - C:\WINDOWS\system32\terminals.exe (file missing)
O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\mlsdf8hwvqlgcxtok.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
nhenson
Active Member
 
Posts: 8
Joined: November 26th, 2009, 6:13 pm
Top

Re: nhenson's hijack this log

Unread postby muppy03 » December 26th, 2009, 8:49 pm

Please download Malwarebytes' Anti-Malware and save to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:

    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply

    Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.

NEXT Download and Run: RSIT

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Please reply with:-

  • MBAM log
  • RSIT logs ( info.txt and log.txt)
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia
Top

Re: nhenson's hijack this log

Unread postby nhenson » December 27th, 2009, 9:28 pm

After attempting to run the anti-malware program on the computer three times. On the third time a blue screen came up with the message that ends "beginning dump of physical memory
Physical memory dump complete.
Contact your system administrator or technical support group for further assistance."
nhenson
Active Member
 
Posts: 8
Joined: November 26th, 2009, 6:13 pm
Top

Re: nhenson's hijack this log

Unread postby muppy03 » December 27th, 2009, 10:09 pm

Lets try a different approach!

Disable Windows Defender until the computer is clean

Windows Defender normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.
  • Open Windows Defender
  • Select Tools and then General Settings
  • Under Real Time Protection Options uncheck Turn on real-time protection
  • Select Save
Don't forget to re-enable it, after i tell you that your computer is clean.

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
Make sure that all browser windows are closed.

    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
    (If you use FireFox or the Opera browser,To keep saved passwords, click No at the prompt.)
    Click Exit on the Main menu to close the program.


Open Hijack This and select Do a System Scan Only place a check next to the below lines if still present

    O1 - Hosts: ::1 localhost
    O1 - Hosts: 91.212.127.227 antiviraprof2009.com
    O1 - Hosts: 91.212.127.227 http://www.antiviraprof2009.com <http://www.antiviraprof2009.com>
    O2 - BHO: BHO - {B6D223F6-C185-49a2-BA7E-A03E84744702} - C:\WINDOWS\system32\iehelper.dll (file missing)
    O4 - HKLM\..\RunOnce: [SafetyCenter] c:\SafetyCenter\start.exe
    O4 - HKCU\..\Run: [Protection System] "C:\Program Files\Protection System\psystem.exe" -noscan
    O4 - HKCU\..\Run: [lweysfii] C:\Documents and Settings\Nikki\Local Settings\Application Data\sytejs\rjdgsysguard.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O23 - Service: Print Spooler Service (SpoolSvc213) - Unknown owner - C:\WINDOWS\system32\cjnr4r4dzuo.exe (file missing)
    O23 - Service: Terminal Connections (terms) - Unknown owner - C:\WINDOWS\system32\terminals.exe (file missing)
    O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\mlsdf8hwvqlgcxtok.exe (file missing)


Once selected close all windows except HJT an click on Fix Checked

Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • If you need help to disable your protection programs see here.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image
Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please reply with:-
  • Combofix log
  • New HJT log
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia
Top

Re: nhenson's hijack this log

Unread postby nhenson » December 28th, 2009, 3:31 am

ComboFix 09-12-27.02 - Nikki 12/28/2009 0:59.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1647 [GMT -6:00]
Running from: c:\documents and settings\Nikki\Desktop\cf.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\asikuxu.reg
c:\documents and settings\All Users\Documents\qyga.reg
c:\documents and settings\All Users\Documents\zujocuqy.inf
c:\documents and settings\Nikki\Local Settings\Application Data\ibesupy.bat
c:\documents and settings\Nikki\Local Settings\Application Data\zowururywy.bat
c:\documents and settings\Nikki\Local Settings\Temporary Internet Files\imybekoh._sy
c:\documents and settings\Nikki\Local Settings\Temporary Internet Files\toky.lib
c:\documents and settings\Nikki\Local Settings\Temporary Internet Files\vehobe._sy
c:\documents and settings\Nikki\Local Settings\Temporary Internet Files\xapidogiku.lib
c:\program files\Active Security
c:\program files\Common Files\uhubyrij.reg
c:\program files\Protection System
c:\windows\afyricymyg.vbs
c:\windows\esiqi.scr
c:\windows\EventSystem.log
c:\windows\fadiceli.scr
c:\windows\kb913800.exe
c:\windows\quxad.vbs
c:\windows\system32\Data
c:\windows\system32\drivers\UAClftoqbavym.sys
c:\windows\system32\rohudiquha.vbs
c:\windows\system32\UACbrsnkvtblu.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UAComywlrfpfu.dll
c:\windows\system32\UACpmykrwbwwq.dll
c:\windows\system32\UACpxjovddsrd.dat
c:\windows\system32\UACqcgqtjyohh.dll
c:\windows\system32\wscsvc32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_TERMS
-------\Service_terms


((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-28 )))))))))))))))))))))))))))))))
.

2009-12-28 06:58 . 2009-12-28 06:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2009-12-27 23:45 . 2009-12-27 23:45 -------- d-----w- c:\documents and settings\Nikki\Application Data\Malwarebytes
2009-12-27 23:44 . 2009-12-27 23:45 -------- d-----w- c:\program files\mapp
2009-12-27 23:40 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-27 23:40 . 2009-12-27 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-27 23:40 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-27 17:59 . 2009-12-27 23:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-27 21:16 . 2009-11-15 05:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-12-26 15:21 . 2006-06-22 13:41 -------- d-----w- c:\program files\Symantec
2009-12-26 15:21 . 2006-06-22 13:41 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-19 01:33 . 2006-06-22 13:48 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-09 00:12 . 2009-11-26 21:43 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-28 02:16 . 2009-11-28 02:16 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-11-27 01:18 . 2009-11-27 01:18 -------- d-----w- c:\program files\Trend Micro
2009-11-27 01:09 . 2007-09-10 01:13 -------- d-----w- c:\program files\My Sam's Club Digital Photo Center
2009-11-26 21:29 . 2006-06-29 06:32 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-15 15:15 . 2006-09-20 01:03 -------- d-----w- c:\documents and settings\Nikki\Application Data\Lavasoft
2009-11-15 05:39 . 2007-06-14 07:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-15 05:31 . 2009-11-15 05:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-11-15 05:31 . 2009-09-07 03:28 -------- d-----w- c:\program files\McAfee
2009-11-15 05:30 . 2009-11-15 05:29 -------- d-----w- c:\program files\Common Files\McAfee
2009-11-15 05:30 . 2009-11-15 05:29 -------- d-----w- c:\program files\McAfee.com
2009-11-11 03:59 . 2009-11-11 03:58 1961720 ----a-w- c:\documents and settings\Nikki\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-10-29 05:04 . 2005-08-16 09:18 668672 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 06:00 . 2005-08-16 09:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2005-08-16 09:18 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 04:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2005-08-16 09:18 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2005-08-16 09:18 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:54 . 2005-08-16 09:18 69632 ----a-w- c:\windows\system32\raschap.dll
2009-08-28 15:27 . 2009-08-28 15:27 14359 ----a-w- c:\program files\Common Files\huzafytir.bin
2009-08-26 17:45 . 2009-08-26 17:45 19443 ----a-w- c:\program files\Common Files\ykeby.sys
2009-08-26 17:45 . 2009-08-26 17:45 16129 ----a-w- c:\program files\Common Files\jaxyvav.bin
2009-08-26 17:45 . 2009-08-26 17:45 14724 ----a-w- c:\program files\Common Files\suxatot.dll
2009-04-20 03:02 . 2006-08-03 05:15 88 --sh--r- c:\windows\system32\DBF1E843E4.sys
2009-04-20 03:02 . 2006-08-03 05:15 4182 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 397312]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-04-03 777424]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-06-01 257088]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-11 198160]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-4-26 2048074]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-22 24576]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Time]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2005-10-31 15:51 57344 ------w- c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 15:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
2006-03-03 08:18 1355938 ----a-w- c:\windows\system32\CTMBHA.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20120:TCP"= 20120:TCP:BitComet 20120 TCP
"20120:UDP"= 20120:UDP:BitComet 20120 UDP

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/14/2009 11:31 PM 210216]
S2 gupdate1ca329e656b8fd0;Google Update Service (gupdate1ca329e656b8fd0);c:\program files\Google\Update\GoogleUpdate.exe [9/10/2009 11:12 PM 133104]
S2 SpoolSvc213;Print Spooler Service;c:\windows\system32\cjnr4r4dzuo.exe /service --> c:\windows\system32\cjnr4r4dzuo.exe [?]
S2 Time;Time Service;c:\windows\system32\mlsdf8hwvqlgcxtok.exe --> c:\windows\system32\mlsdf8hwvqlgcxtok.exe [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/27/2009 5:40 PM 38224]
S3 WTime;WTime;\??\c:\windows\system32\timedrv26.sys --> c:\windows\system32\timedrv26.sys [?]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [4/3/2006 5:12 PM 14032]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Nikki\Application Data\Mozilla\Firefox\Profiles\3rejp29z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCentraUpdater.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-MCODS
MSConfigStartUp-VoiceCenter - c:\program files\Creative\VoiceCenter\AndreaVC.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 01:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\À* 4*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1184)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2996)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\dllhost.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\stsystra.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2009-12-28 01:28:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-28 07:28

Pre-Run: 1,134,231,552 bytes free
Post-Run: 2,006,175,744 bytes free

- - End Of File - - 3D57EF14D23E2022DC4FD66DAEE940DB





Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:32 AM, on 12/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1ca329e656b8fd0) (gupdate1ca329e656b8fd0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Print Spooler Service (SpoolSvc213) - Unknown owner - C:\WINDOWS\system32\cjnr4r4dzuo.exe (file missing)
O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\mlsdf8hwvqlgcxtok.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8444 bytes
nhenson
Active Member
 
Posts: 8
Joined: November 26th, 2009, 6:13 pm
Top

Re: nhenson's hijack this log

Unread postby muppy03 » December 28th, 2009, 4:36 am

Please update me on computer next post!

Open Hijack This and select Do a System Scan Only place a check next to the below lines if still present

    O23 - Service: Print Spooler Service (SpoolSvc213) - Unknown owner - C:\WINDOWS\system32\cjnr4r4dzuo.exe (file missing)
    O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\mlsdf8hwvqlgcxtok.exe (file missing)


Once selected close all windows except HJT an click on Fix Checked

NOTE Make sure Mcaffe and Windows defender are disabled before running Combofix.

COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    File::
c:\program files\Common Files\huzafytir.bin
c:\program files\Common Files\ykeby.sys
c:\program files\Common Files\jaxyvav.bin
c:\program files\Common Files\suxatot.dll
 
Driver::
SpoolSvc213
Time
WTime
 
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Time]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20120:TCP"=-
"20120:UDP"=-

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please reply with:-
  • Combofix log
  • New HJT log
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia
Top

Re: nhenson's hijack this log

Unread postby Dakeyras » December 31st, 2009, 5:47 am

Due to lack of activity, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
Top
Advertisement
Register to Remove
Topic locked

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 154 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index