Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Need help,please. Here is my HJT log

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Need help,please. Here is my HJT log

Unread postby pogo » September 3rd, 2007, 3:49 pm

Hi,
Hoping you can help me. The pop-ups are so bad I kept getting WinAntiVirus pro everytime I tried to get your site! I ran Spybot S&D and AdAware before doing Hijackthis as suggested in the sticky. Here is my log. Thank you in advance! Pogo



Logfile of HijackThis v1.99.1
Scan saved at 12:05:17 PM, on 9/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\bp_bg.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\PeoplePC\ISP6230\Browser\Bartshel.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\PROGRA~1\PeoplePC\ISP6230\Browser\PPShared.exe
C:\Program Files\McAfee\McAfee QuickClean\PlgUni.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\?icrosoft\r?gedit.exe
C:\Documents and Settings\Marc\Desktop\hijackthis_sfx.exe
C:\Documents and Settings\Marc\Desktop\Word Docs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\bp_bg.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6230\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA4548] command /c del "C:\WINDOWS\SYSTEM32\ddcya.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1099] cmd /c del "C:\WINDOWS\SYSTEM32\ddcya.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7982] command /c del "C:\WINDOWS\SYSTEM32\ddcya.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5776] cmd /c del "C:\WINDOWS\SYSTEM32\ddcya.dll_tobedeleted"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Marc\MYDOCU~1\ICROSO~1.NET\chkdsk.exe" -vt yazb
O4 - HKCU\..\Run: [Qwzwd] C:\WINDOWS\?icrosoft\r?gedit.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Marc\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] "C:\Program Files\McAfee\McAfee QuickClean\PlgUni.exe" /START
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\MalwareSweeper\MalSwep.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/s ... cGDMgr.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E98371A0-EC05-4E47-933B-FB7775E6D099}: NameServer = 66.209.10.202 66.102.163.232
O20 - AppInit_DLLs: secuload.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
pogo
Active Member
 
Posts: 10
Joined: September 2nd, 2007, 11:50 pm
Location: Texas
Advertisement
Register to Remove

Unread postby IndiGenus » September 3rd, 2007, 4:34 pm

Hi pogo and welcome to the forums.

My name is Dave. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can sometimes take a while to research so please be patient and I'd be grateful if you would note the following:
  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • NOTE:Before we start: Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

    In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start.


I need to check any posts to you with a teacher/expert first so please be patient as we go through this.

In the meantime, please do the following:

We are going to use HJT to create a list of your currently installed programs.
    1. Open HijackThis and click on the Config... button in the "Other stuff" section (lower right hand corner).
    2. Click on the Misc Tools button.
    3. Click on the Open Uninstall Manager... button.
    4. Click on the Save list... button.
    5. Save the file uninstall_list.txt to a convinient location. This should open Notepad with the list.
    6. Please Copy and Paste the list into your next reply.
User avatar
IndiGenus
Regular Member
 
Posts: 657
Joined: February 2nd, 2005, 1:49 pm
Location: New England, USA

Unread postby pogo » September 3rd, 2007, 7:38 pm

Dave,
I tried to get the uninstall_list.txt, but everytime I follow your instructions Hijackthis shuts down and doesn't save anything to text document. I uninstalled Hijackthis and re-installed, but same thing.
Anything else I can try?
Thanks,
Pogo
pogo
Active Member
 
Posts: 10
Joined: September 2nd, 2007, 11:50 pm
Location: Texas

Unread postby IndiGenus » September 6th, 2007, 9:31 am

Hi pogo,

I apologize for the delay here. I'm waiting for an expert to peek in on this with some advice. You have not been forgotten.

Thanks,
Dave
User avatar
IndiGenus
Regular Member
 
Posts: 657
Joined: February 2nd, 2005, 1:49 pm
Location: New England, USA

Unread postby IndiGenus » September 7th, 2007, 7:01 am

Hi pogo,

STEP 1:

I need you to rename Hijackthis because I suspect that you may have the Vundo infection that can hide some entries in your log.
  • Please go to the folder where you saved Hijackthis.exe:
  • Right-click on it, then select Rename.
  • Name it something like: FindVundo.exe (or whatever you want)
STEP 2:

Please download
VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click Yes
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from Click the Scan for Vundo button when VundoFix appears at reboot.

STEP 3:

Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINDOWS\system32\??chost.exe /a h > files.txt
notepad files.txt


Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here along with a new HiJackThis log.
User avatar
IndiGenus
Regular Member
 
Posts: 657
Joined: February 2nd, 2005, 1:49 pm
Location: New England, USA

Unread postby pogo » September 8th, 2007, 2:10 pm

Thank you for getting back to me. Here are the files you requested.

VundoFix V6.5.8

Checking Java version...

Scan started at 12:32:01 PM 9/8/2007

Listing files found while scanning....

C:\windows\system32\afmcteut.ini
C:\windows\system32\ahvwufmw.dll
C:\WINDOWS\system32\aycdd.bak1
C:\WINDOWS\system32\aycdd.bak2
C:\WINDOWS\system32\aycdd.ini
C:\WINDOWS\system32\aycdd.ini2
C:\WINDOWS\system32\aycdd.tmp
C:\windows\system32\beobbfyf.ini
C:\windows\system32\cfgyncje.ini
C:\windows\system32\cmbislrg.ini
C:\windows\system32\ctqljdnl.dll
C:\WINDOWS\system32\ddcya.dll
C:\windows\system32\duoaotum.dll
C:\windows\system32\ejcnygfc.dll
C:\windows\system32\emgtaidq.ini
C:\windows\system32\fmhjibft.ini
C:\windows\system32\fyfbboeb.dll
C:\windows\system32\grlsibmc.dll
C:\windows\system32\habrflvn.ini
C:\windows\system32\icedhpao.dll
C:\windows\system32\ihmllkpi.ini
C:\windows\system32\ipkllmhi.dll
C:\windows\system32\jjoxdcyl.ini
C:\windows\system32\jkqtmbqn.dll
C:\windows\system32\lndjlqtc.ini
C:\windows\system32\ltrxgbon.ini
C:\windows\system32\lycdxojj.dll
C:\windows\system32\mdcbwmyn.ini
C:\windows\system32\mtnppvgv.ini
C:\windows\system32\mutoaoud.ini
C:\windows\system32\nobgxrtl.dll
C:\windows\system32\nqbmtqkj.ini
C:\windows\system32\nvlfrbah.dll
C:\windows\system32\nymwbcdm.dll
C:\windows\system32\oaphdeci.ini
C:\windows\system32\piykjkmx.dll
C:\windows\system32\qdiatgme.dll
C:\windows\system32\tfbijhmf.dll
C:\windows\system32\tuetcmfa.dll
C:\windows\system32\utrngvlw.dll
C:\windows\system32\vgvppntm.dll
C:\windows\system32\wlvgnrtu.ini
C:\windows\system32\wmfuwvha.ini
C:\windows\system32\xmkjkyip.ini
C:\WINDOWS\system32\yxvhtojn.dll

Beginning removal...

Attempting to delete C:\windows\system32\afmcteut.ini
C:\windows\system32\afmcteut.ini Has been deleted!

Attempting to delete C:\windows\system32\ahvwufmw.dll
C:\windows\system32\ahvwufmw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\aycdd.bak1
C:\WINDOWS\system32\aycdd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\aycdd.bak2
C:\WINDOWS\system32\aycdd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\aycdd.ini
C:\WINDOWS\system32\aycdd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\aycdd.ini2
C:\WINDOWS\system32\aycdd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\aycdd.tmp
C:\WINDOWS\system32\aycdd.tmp Has been deleted!

Attempting to delete C:\windows\system32\beobbfyf.ini
C:\windows\system32\beobbfyf.ini Has been deleted!

Attempting to delete C:\windows\system32\cfgyncje.ini
C:\windows\system32\cfgyncje.ini Has been deleted!

Attempting to delete C:\windows\system32\cmbislrg.ini
C:\windows\system32\cmbislrg.ini Has been deleted!

Attempting to delete C:\windows\system32\ctqljdnl.dll
C:\windows\system32\ctqljdnl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcya.dll
C:\WINDOWS\system32\ddcya.dll Has been deleted!

Attempting to delete C:\windows\system32\duoaotum.dll
C:\windows\system32\duoaotum.dll Has been deleted!

Attempting to delete C:\windows\system32\ejcnygfc.dll
C:\windows\system32\ejcnygfc.dll Has been deleted!

Attempting to delete C:\windows\system32\emgtaidq.ini
C:\windows\system32\emgtaidq.ini Has been deleted!

Attempting to delete C:\windows\system32\fmhjibft.ini
C:\windows\system32\fmhjibft.ini Has been deleted!

Attempting to delete C:\windows\system32\fyfbboeb.dll
C:\windows\system32\fyfbboeb.dll Has been deleted!

Attempting to delete C:\windows\system32\grlsibmc.dll
C:\windows\system32\grlsibmc.dll Has been deleted!

Attempting to delete C:\windows\system32\habrflvn.ini
C:\windows\system32\habrflvn.ini Has been deleted!

Attempting to delete C:\windows\system32\icedhpao.dll
C:\windows\system32\icedhpao.dll Has been deleted!

Attempting to delete C:\windows\system32\ihmllkpi.ini
C:\windows\system32\ihmllkpi.ini Has been deleted!

Attempting to delete C:\windows\system32\ipkllmhi.dll
C:\windows\system32\ipkllmhi.dll Has been deleted!

Attempting to delete C:\windows\system32\jjoxdcyl.ini
C:\windows\system32\jjoxdcyl.ini Has been deleted!

Attempting to delete C:\windows\system32\jkqtmbqn.dll
C:\windows\system32\jkqtmbqn.dll Has been deleted!

Attempting to delete C:\windows\system32\lndjlqtc.ini
C:\windows\system32\lndjlqtc.ini Has been deleted!

Attempting to delete C:\windows\system32\ltrxgbon.ini
C:\windows\system32\ltrxgbon.ini Has been deleted!

Attempting to delete C:\windows\system32\lycdxojj.dll
C:\windows\system32\lycdxojj.dll Has been deleted!

Attempting to delete C:\windows\system32\mdcbwmyn.ini
C:\windows\system32\mdcbwmyn.ini Has been deleted!

Attempting to delete C:\windows\system32\mtnppvgv.ini
C:\windows\system32\mtnppvgv.ini Has been deleted!

Attempting to delete C:\windows\system32\mutoaoud.ini
C:\windows\system32\mutoaoud.ini Has been deleted!

Attempting to delete C:\windows\system32\nobgxrtl.dll
C:\windows\system32\nobgxrtl.dll Has been deleted!

Attempting to delete C:\windows\system32\nqbmtqkj.ini
C:\windows\system32\nqbmtqkj.ini Has been deleted!

Attempting to delete C:\windows\system32\nvlfrbah.dll
C:\windows\system32\nvlfrbah.dll Has been deleted!

Attempting to delete C:\windows\system32\nymwbcdm.dll
C:\windows\system32\nymwbcdm.dll Has been deleted!

Attempting to delete C:\windows\system32\oaphdeci.ini
C:\windows\system32\oaphdeci.ini Has been deleted!

Attempting to delete C:\windows\system32\piykjkmx.dll
C:\windows\system32\piykjkmx.dll Has been deleted!

Attempting to delete C:\windows\system32\qdiatgme.dll
C:\windows\system32\qdiatgme.dll Has been deleted!

Attempting to delete C:\windows\system32\tfbijhmf.dll
C:\windows\system32\tfbijhmf.dll Has been deleted!

Attempting to delete C:\windows\system32\tuetcmfa.dll
C:\windows\system32\tuetcmfa.dll Has been deleted!

Attempting to delete C:\windows\system32\utrngvlw.dll
C:\windows\system32\utrngvlw.dll Has been deleted!

Attempting to delete C:\windows\system32\vgvppntm.dll
C:\windows\system32\vgvppntm.dll Has been deleted!

Attempting to delete C:\windows\system32\wlvgnrtu.ini
C:\windows\system32\wlvgnrtu.ini Has been deleted!

Attempting to delete C:\windows\system32\wmfuwvha.ini
C:\windows\system32\wmfuwvha.ini Has been deleted!

Attempting to delete C:\windows\system32\xmkjkyip.ini
C:\windows\system32\xmkjkyip.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\yxvhtojn.dll
C:\WINDOWS\system32\yxvhtojn.dll Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of HijackThis v1.99.1
Scan saved at 1:05:36 PM, on 9/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\bp_bg.exe
C:\Program Files\PeoplePC\ISP6230\Browser\Bartshel.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\?icrosoft\r?gedit.exe
C:\Program Files\McAfee\McAfee QuickClean\PlgUni.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\PeoplePC\ISP6230\Browser\PPShared.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\findvundo.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: (no name) - {C6489FD1-3EA5-4EEB-8BA0-051E171E0815} - C:\WINDOWS\system32\ddcya.dll (file missing)
O2 - BHO: (no name) - {E3C5DF22-6FCA-4649-BD59-3D761F6F02C7} - C:\WINDOWS\system32\zwmqwqrf.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\bp_bg.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6230\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Marc\MYDOCU~1\ICROSO~1.NET\chkdsk.exe" -vt yazb
O4 - HKCU\..\Run: [Qwzwd] C:\WINDOWS\?icrosoft\r?gedit.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Marc\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] "C:\Program Files\McAfee\McAfee QuickClean\PlgUni.exe" /START
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\MalwareSweeper\MalSwep.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\HijackThis\HijackThis.exe /startupscan
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/s ... cGDMgr.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E98371A0-EC05-4E47-933B-FB7775E6D099}: NameServer = 66.209.10.202 66.102.163.232
O20 - AppInit_DLLs: secuload.dll
O20 - Winlogon Notify: SOFTWARE - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.

Here is the findfile.bat text...

Volume in drive C has no label.
Volume Serial Number is DC28-48CB

Directory of C:\WINDOWS\system32

08/04/2004 02:56 AM 14,336 svchost.exe
1 File(s) 14,336 bytes

Directory of C:\Documents and Settings\Marc\Desktop

Thank you so much!
Johna
pogo
Active Member
 
Posts: 10
Joined: September 2nd, 2007, 11:50 pm
Location: Texas

Unread postby IndiGenus » September 9th, 2007, 5:38 pm

Hi Johna,

Please go to http://virusscan.jotti.org, click on Browse, and upload the following file for analysis:

C:\WINDOWS\bp_bg.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If Jotti is too busy you can try these.

http://www.kaspersky.com/scanforvirus.html
http://www.virustotal.com/en/indexf.html

------------------------------------------------------------

Download and Run ComboFix
  • Download this file from below:
    Here
  • Disconnect from the Internet, than disable your Anti-virus and any real-time Anti-spyware monitors that are running.
  • Then double click Combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
Note 2:Remember to re-enable your Anti-virus and Anti-spyware before reconnecting to the Internet.
User avatar
IndiGenus
Regular Member
 
Posts: 657
Joined: February 2nd, 2005, 1:49 pm
Location: New England, USA

Unread postby pogo » September 9th, 2007, 7:26 pm

Virus scan results
Known viruses: 410643 Updated: 10-09-2007
File size (Kb): 116 Virus bodies: 0
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0

Combo fix
ComboFix 07-09-10.2 - "Marc" 2007-09-09 17:56:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.56 [GMT -5:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\Marc\APPLIC~1\WinTouch
C:\DOCUME~1\Marc\APPLIC~1\WinTouch\wintouch.cfg
C:\DOCUME~1\Marc\APPLIC~1\WinTouch\WinTouch.exe
C:\DOCUME~1\Marc\APPLIC~1\WinTouch\WTUninstaller.exe
C:\DOCUME~1\Marc\err.log
C:\DOCUME~1\Marc\MYDOCU~1\ICROSO~1.NET
C:\DOCUME~1\Marc\MYDOCU~1\ICROSO~1.NET\?icrosoft.NET\
C:\DOCUME~1\Marc\STARTM~1\Programs\Outerinfo
C:\DOCUME~1\Marc\STARTM~1\Programs\Outerinfo\Terms.lnk
C:\DOCUME~1\Marc\STARTM~1\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\winpop
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bass.exe
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\b138.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\icroso~1
C:\WINDOWS\icroso~1\r?gedit.exe
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\ffpcvdfh.exe
C:\WINDOWS\system32\gtcwcomy.dll
C:\WINDOWS\system32\gtgyhksb.exe
C:\WINDOWS\system32\hoptvosk.exe
C:\WINDOWS\system32\jcybokgj.exe
C:\WINDOWS\system32\kyaigbju.exe
C:\WINDOWS\system32\lilyvbbj.exe
C:\WINDOWS\system32\mkireoos.exe
C:\WINDOWS\system32\njnicykg.exe
C:\WINDOWS\system32\oeponlhu.exe
C:\WINDOWS\system32\omssyvqo.exe
C:\WINDOWS\system32\ptqokbho.exe
C:\WINDOWS\system32\wtscc.exe
C:\WINDOWS\system32\xufofcwu.exe
C:\WINDOWS\system32\ymfottwa.exe
C:\WINDOWS\SYSTEM32\ymocwctg.ini
C:\WINDOWS\system32\zwmqwqrf.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_SFSYNC02
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-08-10 to 2007-09-10 )))))))))))))))))))))))))))))))
.

2007-09-09 17:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-08 12:32 <DIR> d-------- C:\VundoFix Backups
2007-09-03 08:32 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-03 08:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-03 08:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-03 00:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-02 19:22 <DIR> d-------- C:\Program Files\absolutist.com
2007-09-02 10:47 <DIR> d-------- C:\DOCUME~1\Marc\APPLIC~1\Tenebril
2007-09-01 15:41 512,688 --a------ C:\WINDOWS\SYSTEM32\XceedCry.dll
2007-09-01 15:41 423,784 --a------ C:\WINDOWS\SYSTEM32\XceedBkp.dll
2007-09-01 15:40 10,752 --a------ C:\WINDOWS\SYSTEM32\md5.dll
2007-09-01 15:40 <DIR> d-------- C:\Program Files\MalwareSweeper.com
2007-08-30 16:51 <DIR> d-------- C:\Program Files\LEGO Media
2007-08-29 06:05 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\SiteAdvisor
2007-08-29 06:03 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-08-29 06:03 <DIR> d-------- C:\DOCUME~1\Marc\APPLIC~1\SiteAdvisor
2007-08-29 06:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2007-08-29 05:57 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2007-08-29 05:57 37,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2007-08-29 05:57 34,184 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2007-08-29 05:57 32,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2007-08-29 05:57 170,408 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2007-08-29 05:56 109,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2007-08-29 05:45 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-08-26 17:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tenebril
2007-08-26 16:56 <DIR> d-------- C:\DOCUME~1\ADMINI~1.D9N\APPLIC~1\Sonic
2007-08-26 16:56 <DIR> d-------- C:\DOCUME~1\ADMINI~1.D9N\APPLIC~1\Real
2007-08-26 16:47 40,960 --a-s---- C:\WINDOWS\SYSTEM32\ProcessKiller.dll
2007-08-26 16:47 180,224 --a-s---- C:\WINDOWS\SYSTEM32\archlib.dll
2007-08-26 16:47 169,544 --a-s---- C:\WINDOWS\SYSTEM32\SecuLoad.dll
2007-08-26 16:47 1,103,944 --a-s---- C:\WINDOWS\SYSTEM32\Protector.dll
2007-08-26 16:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\tenarchlib
2007-08-26 16:47 <DIR> d-------- C:\Program Files\SpyCatcher
2007-08-26 16:35 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-23 21:02 <DIR> d-------- C:\DOCUME~1\Marc\APPLIC~1\NCH Swift Sound
2007-08-23 20:59 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-08-22 20:27 <DIR> d-------- C:\Program Files\TheRingtoneMaker
2007-08-21 19:50 <DIR> d-------- C:\WINDOWS\SYSTEM32\EXP
2007-08-21 19:50 <DIR> d-------- C:\Program Files\Expstudio
2007-08-21 19:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\IBC22
2007-08-21 19:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\cofig3
2007-08-17 17:52 374 --a------ C:\WINDOWS\EReg072.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-07 18:04 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-03 11:50 --------- d-------- C:\DOCUME~1\Marc\APPLIC~1\U3
2007-09-01 12:28 --------- d-------- C:\DOCUME~1\Marc\APPLIC~1\AdobeUM
2007-08-29 17:52 --------- d-------- C:\Program Files\McAfee
2007-08-29 06:37 --------- d-------- C:\Program Files\McAfee.com
2007-08-29 06:37 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-08-29 06:32 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-08-26 18:17 --------- d-------- C:\Program Files\PeoplePC
2007-08-23 16:14 --------- d-------- C:\Program Files\GameSpy Arcade
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2007-07-19 01:59 3583488 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-07-12 18:31 765952 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\vgx.dll
2007-07-12 10:18 278528 --a------ C:\WINDOWS\SYSTEM32\livesnth.dll
2007-07-11 16:34 --------- d-------- C:\Program Files\PokerStars.NET
2007-07-11 14:37 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-27 09:34 823808 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-06-27 09:34 671232 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-06-27 09:34 6058496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-06-27 09:34 52224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-06-27 09:34 477696 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-06-27 09:34 459264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-06-27 09:34 44544 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-06-27 09:34 384512 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-06-27 09:34 383488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-06-27 09:34 27648 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-06-27 09:34 267776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-06-27 09:34 232960 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-06-27 09:34 230400 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-06-27 09:34 193024 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-06-27 09:34 153088 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-06-27 09:34 132608 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-06-27 09:34 124928 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-06-27 09:34 1152000 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-06-27 09:34 105984 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-06-27 09:34 102400 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-06-27 03:27 63488 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-06-27 03:27 625152 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-06-27 03:27 13824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-06-27 02:00 161792 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-06-26 22:10 317440 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\unregmp2.exe
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-26 01:08 1104896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml3.dll
2007-06-25 11:16 325632 --a------ C:\WINDOWS\SYSTEM32\EAREMOVE.EXE
2007-06-25 11:16 132608 --a------ C:\WINDOWS\SYSTEM32\EAEXEC.EXE
2007-06-19 08:31 282112 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-06-19 08:31 282112 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 05:23 1033216 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\explorer.exe
2004-10-03 13:29 3495391 --a--c--- C:\Program Files\Narcadlines_install.exe
2004-09-29 21:39 24265736 --a--c--- C:\Program Files\dotnetfx.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6489FD1-3EA5-4EEB-8BA0-051E171E0815}]
C:\WINDOWS\system32\ddcya.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 01:04]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 01:01]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2003-11-12 07:45]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 12:40]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 03:08]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 21:56]
"CY_BG"="C:\WINDOWS\bp_bg.exe" [2003-04-18 11:30]
"Bart Station"="C:\Program Files\PeoplePC\ISP6230\BIN\PPCOLink.exe" [2005-07-14 12:01]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 04:40]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-25 22:35]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 04:40]
"SpyCatcher Reminder"="C:\Program Files\SpyCatcher\SpyCatcher.exe" [2007-07-09 10:56]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6028\SiteAdv.exe" [2007-02-08 21:39]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 22:36]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40]
"Qwzwd"="C:\WINDOWS\?icrosoft\r?gedit.exe" []
"McAfee QuickClean Imonitor"="C:\Program Files\McAfee\McAfee QuickClean\PlgUni.exe" [2005-07-20 07:00]
"Malware Sweeper"="C:\Program Files\MalwareSweeper.com\MalwareSweeper\MalSwep.exe" [2006-06-12 17:53]
"HijackThis startup scan"="C:\Program Files\HijackThis\HijackThis.exe" []

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
DESKTOP.INI [2002-09-03 09:00:00]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]
SpyCatcher Protector.lnk - C:\Program Files\SpyCatcher\Protector.exe [2007-08-26 16:47:30]

C:\DOCUME~1\ADMINI~1.D9N\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

C:\DOCUME~1\Johna\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

C:\DOCUME~1\Marc\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]
PowerReg Scheduler V3.exe [2007-08-06 11:20:08]
PowerReg Scheduler.exe [2007-03-02 16:32:02]

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SOFTWARE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=secuload.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

R1 BpCdrVsd;BpCdrVsd;C:\WINDOWS\system32\drivers\BpCdrVsd.sys
R1 bpfinder;BACKPACK Finder;C:\WINDOWS\system32\DRIVERS\bpfinder.sys
R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\system32\DRIVERS\DcCam.sys
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\system32\drivers\dcfs2k.sys
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
R3 bpflt;BACKPACK Filter;C:\WINDOWS\system32\DRIVERS\bpflt.sys
S1 Exportit;Exportit;C:\WINDOWS\system32\DRIVERS\exportit.sys
S3 BP_FX_AT;BACKPACK USB;C:\WINDOWS\system32\DRIVERS\bp_fx_at.sys
S3 bppccard;BACKPACK PC Card;C:\WINDOWS\system32\DRIVERS\bppccard.sys
S3 bppnpdrv;BACKPACK Driver;C:\WINDOWS\system32\DRIVERS\bppnpdrv.sys
S3 bpusbdrv;BACKPACK USB 1 Cable;C:\WINDOWS\system32\DRIVERS\bpusbdrv.sys
S3 bpusbflt;BACKPACK USB Filter;C:\WINDOWS\system32\DRIVERS\bpusbflt.sys
S3 DcFpoint;DcFpoint;C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINDOWS\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINDOWS\system32\DRIVERS\DcPTP.sys
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG Mobile Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG Mobile Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
S3 sscdserd;SAMSUNG Mobile Modem Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\sscdserd.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c30780ff-c97f-11d9-b1c0-00038a000011}]

.
Contents of the 'Scheduled Tasks' folder
"2007-09-08 08:30:03 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\SYSTEM32\cleanmgr.exe
"2007-09-01 01:00:07 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D9NX6N31-Marc).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-08-29 10:53:29 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-09-01 06:10:15 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-10 18:09:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-10 18:17:36 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-10 18:17
.
--- E O F ---

hijack this log
Logfile of HijackThis v1.99.1
Scan saved at 6:25:33 PM, on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\bp_bg.exe
C:\Program Files\PeoplePC\ISP6230\Browser\Bartshel.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\PeoplePC\ISP6230\Browser\PPShared.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\McAfee\McAfee QuickClean\PlgUni.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\findvundo.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: (no name) - {C6489FD1-3EA5-4EEB-8BA0-051E171E0815} - C:\WINDOWS\system32\ddcya.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\bp_bg.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6230\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Qwzwd] C:\WINDOWS\?icrosoft\r?gedit.exe
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] "C:\Program Files\McAfee\McAfee QuickClean\PlgUni.exe" /START
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\MalwareSweeper\MalSwep.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\HijackThis\HijackThis.exe /startupscan
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/s ... cGDMgr.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E98371A0-EC05-4E47-933B-FB7775E6D099}: NameServer = 66.209.10.202 66.102.163.232
O20 - AppInit_DLLs: secuload.dll
O20 - Winlogon Notify: SOFTWARE - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks IndiGenus!!!
Johna
pogo
Active Member
 
Posts: 10
Joined: September 2nd, 2007, 11:50 pm
Location: Texas

Unread postby IndiGenus » September 10th, 2007, 1:23 pm

Hi Johna,

I noticed you are running the program Malware Sweeper. Until Malware Sweeper develops a track record of reliable behavior, I wouldn't use it. We will remove it here. Too many of these new undocumented programs are ineffective, or actually contain spyware. I will give you some recommendations for more proven, free Anti-Malware solutions after you are all clean.

Go to Add or Remove Programs and uninstall the following if present.
Click Start > Control Panel > Double Click Add or Remove Programs:

Malware Sweeper

Let's do some cleanup with HJT.

Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: (no name) - {C6489FD1-3EA5-4EEB-8BA0-051E171E0815} - C:\WINDOWS\system32\ddcya.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKCU\..\Run: [Qwzwd] C:\WINDOWS\?icrosoft\r?gedit.exe
O20 - Winlogon Notify: SOFTWARE - C:\WINDOWS\

Then close all windows except this one and press Fix checked.

Let's run an online virus scan also.

Using Internet Explorer, click on Kaspersky Online Scanner
    * Click 'Accept' in the window that pops up.
    * You will be prompted to install an ActiveX component from Kaspersky, Click on the information bar and select Install ActiveX Control if so. This may happen more than once. That is OK. You also may get a warning from your Windows Firewall. You can tell it to unblock.
    * The program will launch and then start to download the latest definition files.
    * Once the scanner is installed and the definitions downloaded, click 'Next'.
    * Now click on 'Scan Settings'
    * In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
    o Scan Options: 'Scan Archives' and 'Scan Mail Bases'
    * Click 'OK'
    * Now under 'Select a target to scan' select 'My Computer'
    * The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
    * Now click on the 'Save Report As...' button:
    * Make sure it says Save as a text file - change it if not
    * Save the file to your desktop.
Please post the Kaspersky report and a new HijackThis log.

NOTE: If you have problems running this please try the following:

I need you to temporarily change your IE settings.

In IE:
    Go to Tools > Internet Options > Click on the Security tab
    Click on the Custom Level... button
    Scroll down a little and under Download unsigned ActiveX controls select Prompt
    OK your way out
User avatar
IndiGenus
Regular Member
 
Posts: 657
Joined: February 2nd, 2005, 1:49 pm
Location: New England, USA

Unread postby pogo » September 10th, 2007, 10:17 pm

Thanks IndiGenus, I feel like we're finally getting somewhere in this process.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, September 11, 2007 9:09:28 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 11/09/2007
Kaspersky Anti-Virus database records: 412946
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 94665
Number of viruses found: 13
Number of infected objects: 63
Number of suspicious objects: 0
Duration of the scan process: 01:45:05

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c27fa2e656a822753de586fadc8c4b9f_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\Johna\My Documents\elfbowling3.exe/ic1DD.cab/cccc20030730.exe/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\Documents and Settings\Johna\My Documents\elfbowling3.exe/ic1DD.cab/cccc20030730.exe/v2.0.4.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Documents and Settings\Johna\My Documents\elfbowling3.exe/ic1DD.cab/cccc20030730.exe/v2.0.4.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Documents and Settings\Johna\My Documents\elfbowling3.exe/ic1DD.cab/cccc20030730.exe/v2.0.4.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Documents and Settings\Johna\My Documents\elfbowling3.exe/ic1DD.cab/cccc20030730.exe/v2.0.4.cab Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Documents and Settings\Johna\My Documents\elfbowling3.exe/ic1DD.cab/cccc20030730.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Documents and Settings\Johna\My Documents\elfbowling3.exe/ic1DD.cab Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Documents and Settings\Johna\My Documents\elfbowling3.exe ZIP: infected - 7 skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Marc\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\Marc\Application Data\SiteAdvisor\SiteAdv.csh Object is locked skipped
C:\Documents and Settings\Marc\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Marc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Marc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Marc\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Marc\Local Settings\History\History.IE5\MSHist012007091020070911\index.dat Object is locked skipped
C:\Documents and Settings\Marc\Local Settings\History\History.IE5\MSHist012007091120070912\index.dat Object is locked skipped
C:\Documents and Settings\Marc\Local Settings\Temp\hpotdd017.log Object is locked skipped
C:\Documents and Settings\Marc\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\Marc\Local Settings\Temp\~DF1D87.tmp Object is locked skipped
C:\Documents and Settings\Marc\Local Settings\Temp\~DF1DA8.tmp Object is locked skipped
C:\Documents and Settings\Marc\Local Settings\Temp\~DF9ECF.tmp Object is locked skipped
C:\Documents and Settings\Marc\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Marc\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Marc\ntuser.dat Object is locked skipped
C:\Documents and Settings\Marc\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\qoobox\Quarantine\C\DOCUME~1\Marc\APPLIC~1\WinTouch\WTUninstaller.exe.vir Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\qoobox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\qoobox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\qoobox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir NSIS: infected - 2 skipped
C:\qoobox\Quarantine\C\Temp\bass.exe.vir/data0002/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\qoobox\Quarantine\C\Temp\bass.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\qoobox\Quarantine\C\Temp\bass.exe.vir/data0003 Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\qoobox\Quarantine\C\Temp\bass.exe.vir NSIS: infected - 3 skipped
C:\qoobox\Quarantine\C\WINDOWS\b138.exe.vir Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\ffpcvdfh.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\gtgyhksb.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\hoptvosk.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\jcybokgj.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\kyaigbju.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\lilyvbbj.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\mkireoos.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\njnicykg.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\oeponlhu.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\omssyvqo.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\ptqokbho.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\xufofcwu.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\ymfottwa.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\zwmqwqrf.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.fs skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0007532.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0007533.exe Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0007534.exe Infected: Trojan.Win32.Small.oa skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP13\A0007650.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0010696.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0010710.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0010730.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lq skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP15\A0010743.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0010783.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0010784.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0010785.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0010786.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0010787.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0010788.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0010789.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0010790.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0010791.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0010792.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0010793.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0010794.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0010795.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0010796.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0010797.dll Infected: not-a-virus:AdWare.Win32.PurityScan.fs skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0010800.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0010800.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0010800.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP17\A0010805.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP18\change.log Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP9\A0005182.exe Infected: Trojan.Win32.Agent.bck skipped
C:\VundoFix Backups\ejcnygfc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\nymwbcdm.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.lq skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_SAMSUNG Mobile Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\ACEEvent.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\IBC22\nnx22011.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\WINDOWS\SYSTEM32\IBC22\nnx22011.exe NSIS: infected - 1 skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_BOeb7NZAHtaXgK2 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_2RmBn81RBTwQgoG Object is locked skipped
C:\WINDOWS\Temp\mcmsc_4Hu5xFhn7bxGf2Z Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 9:16:43 PM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\bp_bg.exe
C:\Program Files\PeoplePC\ISP6230\Browser\Bartshel.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\PeoplePC\ISP6230\Browser\PPShared.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\McAfee\McAfee QuickClean\PlgUni.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\findvundo.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\bp_bg.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6230\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] "C:\Program Files\McAfee\McAfee QuickClean\PlgUni.exe" /START
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\HijackThis\HijackThis.exe /startupscan
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/s ... cGDMgr.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E98371A0-EC05-4E47-933B-FB7775E6D099}: NameServer = 66.209.10.202 66.102.163.232
O20 - AppInit_DLLs: secuload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks again,
Johna
pogo
Active Member
 
Posts: 10
Joined: September 2nd, 2007, 11:50 pm
Location: Texas

Unread postby IndiGenus » September 11th, 2007, 2:27 pm

Hi Johna,

Using Windows Explorer please delete the following file and folder.

C:\WINDOWS\SYSTEM32\IBC22\nnx22011.exe

C:\qoobox

Let's try getting a list of installed programs again, this time we'll try CCleaner.

Download and Install CCleaner
  • Download CCleaner from here
  • Double click on ccsetupXXX_slim.exe to start the installation of CCleaner. (XXX is the version number)
  • Click OK
  • Click Next
  • Click I agree
  • Click Next
  • Click Install
  • Once the installation has finished, click Finish
-----------------------------------------------------------
Retrieve the Installed Programs List from CCleaner
Open CCleaner if it's not already running.
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.

Please post that text, also post a fresh HJT log and let me know how it's running.
User avatar
IndiGenus
Regular Member
 
Posts: 657
Joined: February 2nd, 2005, 1:49 pm
Location: New England, USA

Unread postby pogo » September 11th, 2007, 8:08 pm

IndiGenus,

I haven't had any pop-ups lately an my computer seems to be reacting normally again. You're a genius! When we get finished I would like to know what the problems were so I can file complaints in the other forum,too. Maybe someday this type of invasive adware will be illegal.
Here are the logs you requested...

Logfile of HijackThis v1.99.1
Scan saved at 7:01:16 PM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\bp_bg.exe
C:\Program Files\PeoplePC\ISP6230\Browser\Bartshel.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\PeoplePC\ISP6230\Browser\PPShared.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\McAfee\McAfee QuickClean\PlgUni.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\findvundo.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\bp_bg.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6230\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] "C:\Program Files\McAfee\McAfee QuickClean\PlgUni.exe" /START
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\HijackThis\HijackThis.exe /startupscan
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/s ... cGDMgr.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E98371A0-EC05-4E47-933B-FB7775E6D099}: NameServer = 66.209.10.201 66.102.163.231
O20 - AppInit_DLLs: secuload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Ad-Aware 2007
Adobe Reader 7.0
Age of Empires III
aspi
AT&T Connection Services Manager
ATI - Software Uninstall Utility
ATI Display Driver
Backpack Driver
Backpack SpeedyCD
Banctec Service Agreement
Banctec Service Agreement
BCM V.92 56K Modem
Blue's Treasure Hunt
Business Complete Care Services Agreement
CCleaner (remove only)
CCScore
CR2
DAO
Dell Networking Guide
Dell Picture Studio - Dell Image Expert
Dell Solution Center
DellSupport
Disney's Mickey Mouse Kindergarten
DS21Patch
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSTUTOR
ESSvpaht
ESSvpot
Full Tilt Poker.Net
GameSpy Arcade
Help and Support Customization
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
hp deskjet 3500 series
hp deskjet 3500
HP Photo and Imaging 2.0 - Deskjet Series
hp print screen utility
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
Java 2 Runtime Environment, SE v1.4.2
Kaspersky Online Scanner
Kodak EasyShare software
KSU
Learn2 Player (Uninstall Only)
LEGO Creator Harry Potter
Macromedia Flash Player 8
McAfee QuickClean 6.0
McAfee SecurityCenter
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework (English)
Microsoft .NET Framework 1.1
Microsoft ActiveSync 4.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Professional
Microsoft Office Basic Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Helper
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MUSICMATCH Jukebox
MyDVD
Notifier
OTtBP
Paint Shop Pro 7
PCDLNCH
PeoplePC Online
PokerStars.net
PowerDVD
QuickTime
RealPlayer
Registry Mechanic 6.0
SafeGuard
SAMSUNG Mobile Modem Driver Set
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
SFR2
Shockwave
Sonic DLA
Sonic RecordNow!
Sound Blaster Live!
Spybot - Search & Destroy 1.4
SpyCatcher Express 2007
Switch
The Ringtone Maker 3.4.0
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Viewpoint Media Player
Wal-Mart Music Downloads Store
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
WinTouch
Wise Disk Cleaner 2.6
Wise Registry Cleaner 2.8.4
World Series Of Poker

Thanks for all your time and help!
Johna
pogo
Active Member
 
Posts: 10
Joined: September 2nd, 2007, 11:50 pm
Location: Texas

Unread postby IndiGenus » September 11th, 2007, 11:16 pm

Hi Johna,

Glad to hear things are running better.

Your Java Runtime Environment is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u2.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u2, The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save it to your desktop.
  • Close any programs you may have running - especially any web browsers.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windowsi586.exe to install the newest version.

----------------------

Go to Add or Remove Programs and uninstall the following if present.
Click Start > Control Panel > Double Click Add or Remove Programs:

WinTouch


----------------------

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
  4. Do the same for each Viewpoint component.
User avatar
IndiGenus
Regular Member
 
Posts: 657
Joined: February 2nd, 2005, 1:49 pm
Location: New England, USA

Unread postby pogo » September 13th, 2007, 8:21 pm

IndiGenus,
Did what you asked and here is a new HiJackThis log.



Logfile of HijackThis v1.99.1
Scan saved at 7:19:40 PM, on 9/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\bp_bg.exe
C:\Program Files\PeoplePC\ISP6230\Browser\Bartshel.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\McAfee\McAfee QuickClean\PlgUni.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\PeoplePC\ISP6230\Browser\PPShared.exe
C:\WINDOWS\system32\DllHost.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\findvundo.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\bp_bg.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6230\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] "C:\Program Files\McAfee\McAfee QuickClean\PlgUni.exe" /START
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\HijackThis\HijackThis.exe /startupscan
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/s ... cGDMgr.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E98371A0-EC05-4E47-933B-FB7775E6D099}: NameServer = 66.209.10.202 66.102.163.232
O20 - AppInit_DLLs: secuload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Let me know what else we need to do.
Thanks,
Johna
pogo
Active Member
 
Posts: 10
Joined: September 2nd, 2007, 11:50 pm
Location: Texas

Unread postby IndiGenus » September 13th, 2007, 10:09 pm

Hi Johna,

You apppear to be all clean. Let's run some cleanup and a spyware scan to make sure.

Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).
Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now
    change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports.
    • Under What to scan? - Select Scan every file.
Close all open windows.



Please download ATF Cleaner here by Atribune. This program is for XP and Windows 2000 only.
It does not require any installation and uses minimal system resources. It is set up to clean IE, FireFox and Opera, and detects the browsers you have and grays out the other(s).

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Recommend UNCHECKING COOKIES if you rely on system remembered passwords.
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All EXCEPT FIREFOX SAVED PASSWORDS
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
  • Click Opera at the top and choose: Select All EXCEPT COOKIES AND SAVED PASSWORDS
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your cookies and saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


We Now Need To Boot Into Safemode Now

Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine,
amount of memory, hard drives installed etc (BOOT SCREEEN).
At this point you should gently tap the F8 key repeatedly until you are presented with a Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Run AVG

  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button This must done before saving the report
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
      Image
  • Right-click the AVG Tray Icon and select Exit.
  • Now copy the report back to this topic.


Restart into normal mode and post the AVG Log and a new HJT Log. Also how are things now
User avatar
IndiGenus
Regular Member
 
Posts: 657
Joined: February 2nd, 2005, 1:49 pm
Location: New England, USA
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 303 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware