
windowsclick



Hi,

On Google & Yahoo searches, the links are getting redirected to windowsclick.com.

I searched through some of the forums and found that MBAM could help, so I downloaded mbam-setup.exe.

Initially I could not install through it, but after changing the name to xyz.exe at least the installation went through fine. I did not modify anything while installing MBAM. After the Finish button was clicked, it did not launch the malware automatically.

Any ideas on what could be the issue? I want to get rid of this windowsclick issue. It's just so damn painful.

Please help!!!!

Regards,

Chander


Please post the Malwarebytes log and a HijackThis log.

I was able to install Malwarebytes, but it never launched, so I'm not sure where I can find the logs for it.

Regarding HJT, I double-click the exe and nothing happens.

Any ideas on how to get these things working?


Hi,

I went through a couple of other posts in this forum and used randbam.exe. After disabling the McAfee Total Protection AV, I double-clicked this exe file. It generated a couple of shortcuts for me: one for Malwarebytes Anti-Malware (with a different name) and another one for HijackThis (with the same name).

Here are the steps that I did:

1. Double-clicked the shortcut for Malwarebytes Anti-Malware, and this time it did launch the application.

2. Ran a quick scan (it detected 33 infections). Logs are shown below. Deleted & quarantined most of them. Some of them required a restart of the PC, so I did a restart.

3. After restarting the PC, relaunched Malwarebytes Anti-Malware, went to the Update tab and updated the s/w with the latest definitions. It updated the version from 1749 to 1842.

4. Performed a full scan of all my drives (C, E, F). Logs are shown below. This time it displayed 3 infections found, which were again quarantined and deleted.

5. Double-clicked the HijackThis shortcut, which launched the application. Logs are shown below.

With all the steps done above, can you please guide me on what the next steps should be?

----------------------------------------------------------------------------------------------------------

QUICK SCAN LOGS

Malwarebytes' Anti-Malware 1.34

Database version: 1749

Windows 5.1.2600 Service Pack 3

3/12/2009 8:13:16 PM

mbam-log-2009-03-12 (20-13-16).txt

Scan type: Quick Scan

Objects scanned: 80861

Time elapsed: 15 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 2

Registry Data Items Infected: 2

Folders Infected: 11

Files Infected: 15

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\rhccuqj0evet (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhccuqj0evet (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\Owner\Application Data\rhccuqj0evet (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Application Data\rhccuqj0evet\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Application Data\rhccuqj0evet\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Application Data\rhccuqj0evet\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Application Data\rhccuqj0evet\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Application Data\rhccuqj0evet\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Application Data\rhccuqj0evet\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Application Data\rhccuqj0evet\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Application Data\rhccuqj0evet\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Application Data\rhccuqj0evet\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Application Data\rhccuqj0evet\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\UACjrutewcd.dll (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\UACqvsswulv.dll (Rootkit.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\UACrbxihxly.dll (Rootkit.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\drivers\UACbowbarmp.sys (Rootkit.TDSS) -> Delete on reboot.

C:\Documents and Settings\Owner\Local Settings\Temp\UAC9547.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\UAC1db.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\UAC4483.tmp (Rootkit.TDSS) -> Delete on reboot.

C:\WINDOWS\Temp\UAC510.tmp (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\Temp\UAC831.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\iehelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACfwaspyoy.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\UACiuruxnsd.log (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\UACpqmlxlpd.dat (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\UACqxthevcu.dll (Trojan.Agent) -> Delete on reboot.

----------------------------------------------------------------------------------------------------------

FULL SCAN LOGS AFTER PC RESTART

Malwarebytes' Anti-Malware 1.34

Database version: 1842

Windows 5.1.2600 Service Pack 3

3/12/2009 9:46:18 PM

mbam-log-2009-03-12 (21-46-18).txt

Scan type: Full Scan (C:\|E:\|F:\|)

Objects scanned: 174305

Time elapsed: 1 hour(s), 21 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Temp\UAC5814.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\UACeb3d.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.

---------------------------------------------------------------------------------------------------------------

HIJACKTHIS logs

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:50:12 PM, on 3/12/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\WINDOWS\system32\bmwebcfg.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\UTSCSI.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe

C:\WINDOWS\system32\LVComS.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://updates.installshield.com/GetUpdate...01FD9FB500FDEAC

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll

O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)

O2 - BHO: BHOManager Class - {474264BC-9571-47C1-85B9-780F756DC9CE} - C:\WINDOWS\system32\BHOManager.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [OpwareSE4] "C:\Chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exe"

O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O15 - Trusted Zone: *.credit-suisse.com

O16 - DPF: {6416C78A-E810-445C-8712-1785809FA433} (CCAOControl Object) - https://newyork.access.credit-suisse.com/Ci...t/EPAClient.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163337774790

O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://littlechander:8000/qcbin/Spider90.ocx

O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.ooxtv.com/livetv.ocx

O16 - DPF: {B1647320-9EC8-4B0F-BF53-93D4A43FA614} (TerminalSvcsTCSX Control) - https://mydesk-pi01.morganstanley.com/prx/0...inalSvcsTCS.cab

O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB

O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - (no file)

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - (no file)

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe

O23 - Service: Check TestDirector User account (CheckTestDirectorUserAccount) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\ismp001\2818885.tmp\CheckU.exe (file missing)

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SQLSERVERAGENT - Unknown owner - F:\Program Files\Mercury\Quality Center\msdeBinn\MSSQL\Binn\sqlagent.EXE (file missing)

O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

O23 - Service: WLANKEEPER - Intel

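Added here as a triage aid for the MBAM logs posted above (this is not code from the thread or from Malwarebytes): a small parser for the 1.x log format that pulls each detection out of its section, checks the listed entries against the summary counts, and lists everything left as "Delete on reboot", which in the quick scan above is exactly where the TDSS driver and DLLs sat. The SAMPLE_LOG is a constructed excerpt of the quick-scan log above, trimmed so its summary counts match the entries kept.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and triage the detections."""
import re
from collections import Counter
from dataclasses import dataclass

# Summary block lines look like "Files Infected: 15"; the per-section listing
# that follows is introduced by the same label without a count, "Files Infected:".
_SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
_HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# A detection line: "<item> (<Family.Name>) -> [Bad: (1) Good: (0) -> ]<action>."
# The family pattern requires a dot so a "(x86)" inside a path is not mistaken
# for the family name; the item match is non-greedy for the same reason.
_ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[A-Z][A-Za-z]*\.[A-Za-z0-9]+)\) -> (?P<rest>.+?)\.?$"
)


@dataclass(frozen=True)
class Detection:
    section: str   # e.g. "Files Infected"
    item: str      # registry path, folder or file
    family: str    # e.g. "Rootkit.TDSS"
    action: str    # e.g. "Delete on reboot"


def parse_mbam_log(text):
    """Return (summary counts by section, list of Detection) for one log."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = _HEADER_RE.match(line)
        if m:
            section = m["section"]
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = _ENTRY_RE.match(line)
        if m:
            # For "Registry Data Items" the Bad/Good values precede the action;
            # the real action is always the last "->" segment.
            action = m["rest"].split(" -> ")[-1]
            detections.append(Detection(section, m["item"], m["family"], action))
    return summary, detections


def count_mismatches(summary, detections):
    """Sections whose listed entries do not add up to the summary count
    (a sign the log was pasted incompletely)."""
    seen = Counter(d.section for d in detections)
    return {s: (n, seen.get(s, 0)) for s, n in summary.items() if seen.get(s, 0) != n}


def pending_reboot(detections):
    """Items MBAM could not remove while Windows was running; loaded rootkit
    drivers and DLLs land here, so a reboot and rescan are needed to confirm."""
    return [d.item for d in detections if d.action == "Delete on reboot"]


def family_counts(detections):
    return Counter(d.family for d in detections)


# Constructed excerpt of the quick-scan log posted above (counts match the subset).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Scan type: Quick Scan
Registry Keys Infected: 1
Registry Data Items Infected: 1
Files Infected: 3

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\rhccuqj0evet (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\UACjrutewcd.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\UACbowbarmp.sys (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\iehelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    summary, dets = parse_mbam_log(SAMPLE_LOG)
    print("families:", dict(family_counts(dets)))
    print("count mismatches:", count_mismatches(summary, dets))
    for item in pending_reboot(dets):
        print("pending reboot:", item)
```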

Please don't do steps from other threads. They are for that person and thread only.

Download ComboFix from one of the locations below, and save it to your Desktop.

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Attached are the logs for Combofix and HijackThis:

Combofix log

----------------

ComboFix 09-03-15.01 - Owner 2009-03-16 7:30:59.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1006.535 [GMT -4:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning enabled* (Updated)

FW: McAfee Personal Firewall *enabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\dat.txt

C:\WINDOWS\search_res.txt

C:\WINDOWS\system32\erkz6bd.dll

C:\WINDOWS\system32\mdm.exe

C:\WINDOWS\system32\prsgrc.dll

C:\WINDOWS\system32\tmp.reg

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SYSREST.SYS

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))

.

2009-03-12 21:49 . 2009-03-12 21:49 <DIR> d-------- C:\Program Files\Trend Micro

2009-03-12 19:55 . 2009-03-12 19:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes

2009-03-11 10:48 . 2009-03-12 19:54 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2009-03-11 10:48 . 2009-03-11 10:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2009-03-11 10:48 . 2009-02-11 10:19 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2009-03-11 10:48 . 2009-02-11 10:19 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2009-03-10 23:40 . 2009-03-10 23:40 0 --a------ C:\backup.reg

2009-03-06 09:33 . 2009-03-06 09:33 1,376 --a------ C:\WINDOWS\system32\Status.MPF

2009-03-06 00:59 . 2009-03-16 07:21 <DIR> d-------- C:\Program Files\Mozilla Firefox 3.1 Beta 2

2009-03-06 00:04 . 2009-03-16 07:39 8,287 --a------ C:\WINDOWS\system32\Config.MPF

2009-03-05 23:25 . 2009-01-09 13:03 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys

2009-03-05 23:25 . 2009-01-09 13:03 40,552 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys

2009-03-05 23:25 . 2009-01-09 13:03 35,272 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys

2009-03-05 23:24 . 2009-03-05 23:24 <DIR> d-------- C:\Program Files\McAfee.com

2009-03-05 23:24 . 2009-03-05 23:25 <DIR> d-------- C:\Program Files\Common Files\McAfee

2009-03-05 23:07 . 2009-01-09 13:03 34,216 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys

2009-03-01 10:30 . 2009-03-01 10:30 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore

2009-03-01 09:35 . 2009-03-01 09:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor

2009-03-01 09:30 . 2008-10-23 14:08 120,136 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys

2009-03-01 09:21 . 2006-12-05 18:17 240 --a------ C:\WINDOWS\myClean.bat

2009-02-28 09:20 . 2009-02-28 09:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FileOpen

2009-02-28 08:47 . 2009-02-28 08:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Mobipocket Reader

2009-02-27 11:16 . 2009-02-28 19:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2009-02-27 11:16 . 2009-02-27 11:16 1,409 --a------ C:\WINDOWS\QTFont.for

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-13 03:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3

2009-03-11 03:40 156 ----a-w C:\Program Files\dogq.txt

2009-03-08 02:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!

2009-03-08 02:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!

2009-03-06 13:38 --------- d-----w C:\Program Files\McAfee

2009-03-06 04:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee

2009-03-05 15:19 --------- d-----w C:\Program Files\Google

2009-03-03 05:41 --------- d-----w C:\Program Files\MUSICMATCH

2009-03-01 12:35 --------- d-----w C:\Program Files\Symantec

2009-03-01 12:35 --------- d-----w C:\Program Files\NavNT

2009-03-01 12:34 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2009-02-28 11:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip

2008-10-20 03:26 27,224 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT

2007-02-09 16:40 49,152 ----a-w C:\Documents and Settings\Owner\SRProxy.dll

2003-09-16 06:19 99,544 ----a-w C:\WINDOWS\inf\virprn.exe

2003-09-16 06:19 90,624 ----a-w C:\WINDOWS\inf\prtproc.dll

2003-09-16 06:19 18,950 ----a-w C:\WINDOWS\inf\virpntd.dll

2003-09-16 06:19 10,240 ----a-w C:\WINDOWS\inf\virport.dll

2006-01-19 13:57 56 --sh--r C:\WINDOWS\system32\A4258F1763.sys

2006-01-19 13:57 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

2008-09-06 23:52 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090620080907\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

"cdloader"="C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2008-07-22 12:45 50520]

"Google Update"="C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 06:56 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 21:36 729178]

"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 16:59 385024]

"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 18:19 53248]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-03 23:01 98304]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 03:05 127035]

"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 12:44 249856]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44 81920]

"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-02-12 17:57 188416]

"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-02-12 17:59 77824]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-03 09:08 185896]

"SmcService"="C:\PROGRA~1\Sygate\SSA\smc.exe" [2004-06-04 22:45 2376928]

"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 21:01 644696]

"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 09:03 210472]

"OpwareSE4"="C:\Chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 12:02 79400]

"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 08:35 20480]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{A5949E07-8536-4625-A3D0-2DD83F559990}"= "C:\WINDOWS\system32\ShellHook.dll" [2007-02-11 16:19 46080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 18:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.enc"= ITIG726.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cingular Communication Manager]

--a------ 2007-03-14 11:02 19968 C:\Chander\Install\Cingular\Communication Manager\CingularCCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Backup]

--a------ 2009-01-09 14:05 5134864 C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]

--a------ 2009-01-08 21:30 645328 C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]

--a------ 2009-01-09 15:41 1176808 C:\PROGRA~1\McAfee\MHN\McENUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-13 20:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipBuster]

--a------ 2008-01-24 13:20 8811824 C:\Chander\Install\VoipBuster\voipbuster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"OracleXETNSListener"=2 (0x2)

"OracleXEClrAgent"=3 (0x3)

"OracleServiceXE"=2 (0x2)

"OracleServiceORCL"=2 (0x2)

"OracleServiceMYDB"=2 (0x2)

"OracleOraHome92TNSListener"=2 (0x2)

"OracleMTSRecoveryService"=3 (0x3)

"McAfee SiteAdvisor Service"=2 (0x2)

"gusvc"=3 (0x3)

"MSSQLServerADHelper"=3 (0x3)

"MSSQLSERVER"=2 (0x2)

"Mercury Quality Center"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Chander\\Install\\VoipBuster\\VoipBuster.exe"=

"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"C:\\jdk1.5.0\\bin\\java.exe"=

"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"C:\\jdk1.5.0\\bin\\javaw.exe"=

"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"C:\\jdk1.5.0\\jre\\bin\\javaw.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Chander\\Install\\SopCast\\SopCast.exe"=

"C:\\Documents and Settings\\Owner\\Application Data\\SopCast\\adv\\SopAdver.exe"=

"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"C:\\Chander\\Install\\SopCast\\adv\\SopAdver.exe"=

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"C:\\Program Files\\MSN Messenger\\livecall.exe"=

"C:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=

"C:\\Chander\\Install\\SopCast\\sopvod.exe"=

"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 ENO;ENO;C:\WINDOWS\system32\drivers\ENO.sys [2003-10-22 12:57:16 40356]

R2 paldrv;paldrv;C:\WINDOWS\system32\pal_drv.sys [2006-05-30 20:49:53 11107]

S3 CheckTestDirectorUserAccount;Check TestDirector User account;C:\DOCUME~1\Owner\LOCALS~1\Temp\ismp001\2818885.tmp\CheckU.exe --> C:\DOCUME~1\Owner\LOCALS~1\Temp\ismp001\2818885.tmp\CheckU.exe [?]

S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);C:\WINDOWS\system32\drivers\swnc8u12.sys [2007-02-23 15:16:22 82432]

S3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);C:\WINDOWS\system32\drivers\swumx12.sys [2007-02-23 15:16:22 66304]

S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2009-03-05 23:30:29 203280]

S4 Mercury Quality Center;Mercury Quality Center;F:\PROGRA~1\Mercury\QUALIT~1\jboss\bin\QCJavaService.exe --> F:\PROGRA~1\Mercury\QUALIT~1\jboss\bin\QCJavaService.exe [?]

S4 OracleJobSchedulerXE;OracleJobSchedulerXE;f:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> f:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]

S4 OracleServiceMYDB;OracleServiceMYDB;c:\oracle\ora92\bin\ORACLE.EXE MYDB --> c:\oracle\ora92\bin\ORACLE.EXE MYDB [?]

S4 OracleServiceORCL;OracleServiceORCL;c:\oracle\ora92\bin\ORACLE.EXE ORCL --> c:\oracle\ora92\bin\ORACLE.EXE ORCL [?]

S4 OracleServiceXE;OracleServiceXE;f:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> f:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]

S4 OracleXETNSListener;OracleXETNSListener;F:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe --> F:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29d8dcf8-fb74-11dc-9689-0013cec484e3}]

\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c7b87a0-7713-11dd-971f-0013cec484e3}]

\Shell\AutoRun\command - G:\autorun.exe

\Shell\phone\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b5f9940-daa0-11dc-9639-00a0d5ffff85}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe

\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7b4d6f0-7717-11dd-9720-0013cec484e3}]

\Shell\AutoRun\command - G:\autorun.exe

\Shell\phone\command - G:\autorun.exe

.

Contents of the 'Scheduled Tasks' folder

2009-03-16 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-889904922-4045633332-109091499-1003.job

- C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 06:56]

2009-03-06 C:\WINDOWS\Tasks\McDefragTask.job

- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]

2009-03-06 C:\WINDOWS\Tasks\McQcTask.job

- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-mfehidk

SafeBoot-mferkdk

SafeBoot-mfetdik

SafeBoot-mfetdik.sys

MSConfigStartUp-googletalk - C:\Program Files\Google\Google Talk\googletalk.exe

MSConfigStartUp-lphc9uqj0evet - C:\WINDOWS\system32\lphc9uqj0evet.exe

MSConfigStartUp-MPSExe - c:\PROGRA~1\mcafee.com\mps\mscifapp.exe

MSConfigStartUp-SMrhccuqj0evet - C:\Program Files\rhccuqj0evet\rhccuqj0evet.exe

MSConfigStartUp-Virtual PDF Printer - E:\Virtual PDF Printer\VirtualPDFPrinter.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uInternet Connection Wizard,ShellNext = hxxp://updates.installshield.com/GetUpdates.asp?p={8A9B8148-DDD7-448F-BD6C-358386D32354}&r=6.00&v=ISUA%204.50&u={B40D7F23-2C4F-4F54-8824-9C863507B103}&l=1033&K=ZCEACA7AFC9CCD7EFC9AC4748495C978FF9AB908F498C97A8CE6B90EFC9ECC01FD9FB500FDEAC

IE: Add to Google Photos Screensa&ver - C:\WINDOWS\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

LSP: C:\WINDOWS\system32\mclsp.dll

LSP: bmnet.dll

Trusted Zone: credit-suisse.com

DPF: {6416C78A-E810-445C-8712-1785809FA433} - hxxps://newyork.access.credit-suisse.com/CitrixLogonPoint/newyork/EPAClient/EPAClient.exe

DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://littlechander:8000/qcbin/Spider90.ocx

DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} - hxxp://plugin.fileopen.com/current/FileOpen.CAB

FF - ProfilePath - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\tyx32rap.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: C:\Documents and Settings\Owner\Application Data\Mozilla\plugins\np3115F6BB-91B6-44E0-A7AD-0C506D085B1C.dll

FF - plugin: C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: C:\Program Files\Java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: C:\Program Files\Java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: C:\Program Files\Java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: C:\Program Files\Java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: C:\Program Files\Java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: C:\Program Files\Java\jre1.5.0_06\bin\NPOJI610.dll

FF - plugin: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - plugin: E:\Install\Google\Picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----

C:\Program Files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

C:\Program Files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

C:\Program Files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

C:\Program Files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

C:\Program Files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-16 07:41:30

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\OracleOraHome92TNSListener]

"ImagePath"="C:\oracle\ora92\BIN\TNSLSNR "

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-889904922-4045633332-109091499-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A838E924-CB44-3F87-1660-861922C5CAFB}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"oalcmnpjfmehljpnlcfdfpoibbfdeb"=hex:6a,61,6b,64,63,6d,6f,62,6a,65,62,69,67,6f,

61,65,63,65,6c,6e,00,1e

"nabckeofakaafdedlecddejicpcn"=hex:6a,61,6d,64,69,6e,67,67,62,65,6f,69,66,6b,

66,67,63,62,63,6a,00,17

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1148)

C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

C:\WINDOWS\system32\NavLogon.dll

- - - - - - - > 'lsass.exe'(1204)

C:\WINDOWS\system32\mclsp.dll

C:\WINDOWS\system32\bmnet.dll

.

HijackThis Log

============

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:00, on 2009-03-16

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\system32\bmwebcfg.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\UTSCSI.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Logitech\Video\LogiTray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe

C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\WINDOWS\system32\LVComS.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://updates.installshield.com/GetUpdate...01FD9FB500FDEAC

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll

O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)

O2 - BHO: BHOManager Class - {474264BC-9571-47C1-85B9-780F756DC9CE} - C:\WINDOWS\system32\BHOManager.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [OpwareSE4] "C:\Chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exe"

O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O15 - Trusted Zone: *.credit-suisse.com

O16 - DPF: {6416C78A-E810-445C-8712-1785809FA433} (CCAOControl Object) - https://newyork.access.credit-suisse.com/Ci...t/EPAClient.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163337774790

O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://littlechander:8000/qcbin/Spider90.ocx

O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.ooxtv.com/livetv.ocx

O16 - DPF: {B1647320-9EC8-4B0F-BF53-93D4A43FA614} (TerminalSvcsTCSX Control) - https://mydesk-pi01.morganstanley.com/prx/0...inalSvcsTCS.cab

O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB

O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - (no file)

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - (no file)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe

O23 - Service: Check TestDirector User account (CheckTestDirectorUserAccount) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\ismp001\2818885.tmp\CheckU.exe (file missing)

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SQLSERVERAGENT - Unknown owner - F:\Program Files\Mercury\Quality Center\msdeBinn\MSSQL\Binn\sqlagent.EXE (file missing)

O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

O23 - Service: WLANKEEPER - Intel


1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

C:\WINDOWS\system32\A4258F1763.sys

C:\DOCUME~1\Owner\LOCALS~1\Temp\ismp001\2818885.tmp\CheckU.exe

Driver::

CheckTestDirectorUserAccount

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b5f9940-daa0-11dc-9639-00a0d5ffff85}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.
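As an added example (not the helper's, ComboFix's or this forum's own code), the Python below applies the reasoning behind the helper's Registry:: line: it parses the mountpoints2 blocks from a ComboFix log excerpt, flags AutoRun/Open handlers that use a relative path, sit in a Recycled folder or go through the RunDLL32 ShellExec_RunDLL wrapper, and emits the matching CFScript Registry:: stanza. The embedded log excerpt is constructed from the entries quoted in this thread, and the flagging heuristics are my own assumptions, not ComboFix's logic.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the ComboFix "Reg Loading Points" style, built from the
# mountpoints2 entries quoted in this thread. A removable device's AutoRun handler
# normally points at an absolute path on that device (G:\autorun.exe); a handler
# that resolves relative to whatever volume is mounted, hides in a Recycled folder,
# or is launched through the RunDLL32 ShellExec_RunDLL wrapper is the pattern the
# helper targeted with the "[-HKEY_...]" line in the CFScript.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29d8dcf8-fb74-11dc-9689-0013cec484e3}]

\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b5f9940-daa0-11dc-9639-00a0d5ffff85}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe

\Shell\Open(&0)\command - Recycled\ctfmon.exe
"""

# "[HKEY_...\mountpoints2\{guid}]" opens a block; "\Shell\<verb>\command - <cmd>" lists a handler.
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>.+?)\\command - (?P<cmd>.+)$")


def parse_mountpoints(log: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {registry key: [(verb, command), ...]} for each mountpoints2 block."""
    blocks: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            blocks.setdefault(current, [])
            continue
        verb_match = VERB_RE.match(line)
        if verb_match and current is not None:
            blocks[current].append((verb_match.group("verb"), verb_match.group("cmd")))
    return blocks


def command_target(cmd: str) -> str:
    """Strip the RunDLL32 ShellExec_RunDLL wrapper so the real target gets inspected."""
    parts = re.split(r"ShellExec_RunDLL\s*", cmd, maxsplit=1, flags=re.I)
    target = parts[1] if len(parts) == 2 else parts[0]
    return target.strip().strip('"')


def suspicious_reasons(cmd: str) -> List[str]:
    """Heuristics (assumed here, not ComboFix's) for an autorun handler worth removing."""
    reasons: List[str] = []
    target = command_target(cmd)
    if re.search(r"ShellExec_RunDLL", cmd, re.I):
        reasons.append("launched through RunDLL32 ShellExec_RunDLL")
    if not re.match(r"^[A-Za-z]:\\", target):
        reasons.append("relative path, resolved against whichever volume is mounted")
    if re.search(r"(^|\\)Recycled(\\|$)", target, re.I):
        reasons.append("target hidden in a Recycled folder")
    return reasons


def flag_keys(log: str) -> Dict[str, List[str]]:
    """Map each suspicious mountpoints2 key to the reasons its handlers were flagged."""
    flagged: Dict[str, List[str]] = {}
    for key, handlers in parse_mountpoints(log).items():
        reasons = [f"{verb}: {why}" for verb, cmd in handlers for why in suspicious_reasons(cmd)]
        if reasons:
            flagged[key] = reasons
    return flagged


def cfscript_registry_section(keys) -> str:
    """Build the CFScript 'Registry::' stanza; a leading '-' in the bracket deletes the key."""
    return "\n".join(["Registry::", *(f"[-{key}]" for key in keys)]) + "\n"


if __name__ == "__main__":
    hits = flag_keys(SAMPLE_LOG)
    for key, reasons in hits.items():
        print(key)
        for reason in reasons:
            print("   ", reason)
    print(cfscript_registry_section(hits))
```

Run against the constructed excerpt it flags only the {3b5f9940-...} key, the same one the helper deleted, and leaves the G:\autorun.exe device handlers alone.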

New Combofix.log

----------------------

ComboFix 09-03-15.01 - Owner 2009-03-17 21:42:59.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1006.558 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated)

FW: McAfee Personal Firewall *disabled*

* Created a new restore point

FILE ::

c:\docume~1\Owner\LOCALS~1\Temp\ismp001\2818885.tmp\CheckU.exe

c:\windows\system32\A4258F1763.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\A4258F1763.sys

.

---- Previous Run -------

.

c:\windows\dat.txt

c:\windows\search_res.txt

c:\windows\system32\erkz6bd.dll

c:\windows\system32\mdm.exe

c:\windows\system32\prsgrc.dll

c:\windows\system32\tmp.reg

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SYSREST.SYS

-------\Service_UACd.sys

-------\Legacy_CHECKTESTDIRECTORUSERACCOUNT

-------\Service_CheckTestDirectorUserAccount

((((((((((((((((((((((((( Files Created from 2009-02-18 to 2009-03-18 )))))))))))))))))))))))))))))))

.

2009-03-12 21:49 . 2009-03-12 21:49 <DIR> d-------- c:\program files\Trend Micro

2009-03-12 19:55 . 2009-03-12 19:55 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-03-11 10:48 . 2009-03-12 19:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-11 10:48 . 2009-03-11 10:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-11 10:48 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-11 10:48 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-10 23:40 . 2009-03-10 23:40 0 --a------ C:\backup.reg

2009-03-06 09:33 . 2009-03-06 09:33 1,376 --a------ c:\windows\system32\Status.MPF

2009-03-06 00:59 . 2009-03-17 21:36 <DIR> d-------- c:\program files\Mozilla Firefox 3.1 Beta 2

2009-03-06 00:04 . 2009-03-17 21:52 8,287 --a------ c:\windows\system32\Config.MPF

2009-03-05 23:25 . 2009-01-09 13:03 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys

2009-03-05 23:25 . 2009-01-09 13:03 40,552 --a------ c:\windows\system32\drivers\mfesmfk.sys

2009-03-05 23:25 . 2009-01-09 13:03 35,272 --a------ c:\windows\system32\drivers\mfebopk.sys

2009-03-05 23:24 . 2009-03-05 23:24 <DIR> d-------- c:\program files\McAfee.com

2009-03-05 23:24 . 2009-03-05 23:25 <DIR> d-------- c:\program files\Common Files\McAfee

2009-03-05 23:07 . 2009-01-09 13:03 34,216 --a------ c:\windows\system32\drivers\mferkdk.sys

2009-03-01 10:30 . 2009-03-01 10:30 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore

2009-03-01 09:35 . 2009-03-01 09:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor

2009-03-01 09:30 . 2008-10-23 14:08 120,136 --a------ c:\windows\system32\drivers\Mpfp.sys

2009-03-01 09:21 . 2006-12-05 18:17 240 --a------ c:\windows\myClean.bat

2009-02-28 09:20 . 2009-02-28 09:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\FileOpen

2009-02-28 08:47 . 2009-02-28 08:47 <DIR> d-------- c:\documents and settings\Owner\Application Data\Mobipocket Reader

2009-02-27 11:16 . 2009-02-28 19:54 54,156 --ah----- c:\windows\QTFont.qfn

2009-02-27 11:16 . 2009-02-27 11:16 1,409 --a------ c:\windows\QTFont.for

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-13 03:58 --------- d-----w c:\documents and settings\Owner\Application Data\U3

2009-03-11 03:40 156 ----a-w c:\program files\dogq.txt

2009-03-08 02:22 --------- d-----w c:\documents and settings\Owner\Application Data\Yahoo!

2009-03-08 02:22 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!

2009-03-06 13:38 --------- d-----w c:\program files\McAfee

2009-03-06 04:04 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee

2009-03-05 15:19 --------- d-----w c:\program files\Google

2009-03-03 05:41 --------- d-----w c:\program files\MUSICMATCH

2009-03-01 12:35 --------- d-----w c:\program files\Symantec

2009-03-01 12:35 --------- d-----w c:\program files\NavNT

2009-03-01 12:34 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-02-28 11:59 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip

2008-10-20 03:26 27,224 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT

2007-02-09 16:40 49,152 ----a-w c:\documents and settings\Owner\SRProxy.dll

2003-09-16 06:19 99,544 ----a-w c:\windows\inf\virprn.exe

2003-09-16 06:19 90,624 ----a-w c:\windows\inf\prtproc.dll

2003-09-16 06:19 18,950 ----a-w c:\windows\inf\virpntd.dll

2003-09-16 06:19 10,240 ----a-w c:\windows\inf\virport.dll

2006-01-19 13:57 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys

2008-09-06 23:52 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090620080907\index.dat

.

((((((((((((((((((((((((((((( SnapShot@2009-03-16_ 7.44.24.08 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-03-16 11:20:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-03-17 14:54:27 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-03-16 11:20:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-03-17 14:54:27 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-03-16 11:20:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-03-17 14:54:27 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2008-07-22 50520]

"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-03 98304]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-02-12 188416]

"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-02-12 77824]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-03 185896]

"SmcService"="c:\progra~1\Sygate\SSA\smc.exe" [2004-06-04 2376928]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"OpwareSE4"="c:\chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]

"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{A5949E07-8536-4625-A3D0-2DD83F559990}"= "c:\windows\system32\ShellHook.dll" [2007-02-11 46080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 18:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.enc"= ITIG726.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cingular Communication Manager]

--a------ 2007-03-14 11:02 19968 c:\chander\Install\Cingular\Communication Manager\CingularCCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]

c:\program files\Google\Google Talk\googletalk.exe [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphc9uqj0evet]

c:\windows\system32\lphc9uqj0evet.exe [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Backup]

--a------ 2009-01-09 14:05 5134864 c:\program files\McAfee\MBK\McAfeeDataBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]

--a------ 2009-01-08 21:30 645328 c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]

--a------ 2009-01-09 15:41 1176808 c:\progra~1\McAfee\MHN\McENUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPSExe]

c:\progra~1\mcafee.com\mps\mscifapp.exe [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhccuqj0evet]

c:\program files\rhccuqj0evet\rhccuqj0evet.exe [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Virtual PDF Printer]

e:\virtual pdf printer\VirtualPDFPrinter.exe [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipBuster]

--a------ 2008-01-24 13:20 8811824 c:\chander\Install\VoipBuster\voipbuster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"OracleXETNSListener"=2 (0x2)

"OracleXEClrAgent"=3 (0x3)

"OracleServiceXE"=2 (0x2)

"OracleServiceORCL"=2 (0x2)

"OracleServiceMYDB"=2 (0x2)

"OracleOraHome92TNSListener"=2 (0x2)

"OracleMTSRecoveryService"=3 (0x3)

"McAfee SiteAdvisor Service"=2 (0x2)

"gusvc"=3 (0x3)

"MSSQLServerADHelper"=3 (0x3)

"MSSQLSERVER"=2 (0x2)

"Mercury Quality Center"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Chander\\Install\\VoipBuster\\VoipBuster.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"c:\\jdk1.5.0\\bin\\java.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\jdk1.5.0\\bin\\javaw.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\jdk1.5.0\\jre\\bin\\javaw.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Chander\\Install\\SopCast\\SopCast.exe"=

"c:\\Documents and Settings\\Owner\\Application Data\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Chander\\Install\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=

"c:\\Chander\\Install\\SopCast\\sopvod.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2003-10-22 40356]

R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [2006-05-30 11107]

S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);c:\windows\system32\drivers\swnc8u12.sys [2007-02-23 82432]

S3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);c:\windows\system32\drivers\swumx12.sys [2007-02-23 66304]

S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-03-05 203280]

S4 Mercury Quality Center;Mercury Quality Center;f:\progra~1\Mercury\QUALIT~1\jboss\bin\QCJavaService.exe --> f:\progra~1\Mercury\QUALIT~1\jboss\bin\QCJavaService.exe [?]

S4 OracleJobSchedulerXE;OracleJobSchedulerXE;f:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> f:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]

S4 OracleServiceMYDB;OracleServiceMYDB;c:\oracle\ora92\bin\ORACLE.EXE MYDB --> c:\oracle\ora92\bin\ORACLE.EXE MYDB [?]

S4 OracleServiceORCL;OracleServiceORCL;c:\oracle\ora92\bin\ORACLE.EXE ORCL --> c:\oracle\ora92\bin\ORACLE.EXE ORCL [?]

S4 OracleServiceXE;OracleServiceXE;f:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> f:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]

S4 OracleXETNSListener;OracleXETNSListener;f:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe --> f:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29d8dcf8-fb74-11dc-9689-0013cec484e3}]

\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c7b87a0-7713-11dd-971f-0013cec484e3}]

\Shell\AutoRun\command - G:\autorun.exe

\Shell\phone\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7b4d6f0-7717-11dd-9720-0013cec484e3}]

\Shell\AutoRun\command - G:\autorun.exe

\Shell\phone\command - G:\autorun.exe

.

Contents of the 'Scheduled Tasks' folder

2009-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-889904922-4045633332-109091499-1003.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 06:56]

2009-03-06 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]

2009-03-06 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uInternet Connection Wizard,ShellNext = hxxp://updates.installshield.com/GetUpdates.asp?p={8A9B8148-DDD7-448F-BD6C-358386D32354}&r=6.00&v=ISUA%204.50&u={B40D7F23-2C4F-4F54-8824-9C863507B103}&l=1033&K=ZCEACA7AFC9CCD7EFC9AC4748495C978FF9AB908F498C97A8CE6B90EFC9ECC01FD9FB500FDEAC

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

LSP: c:\windows\system32\mclsp.dll

LSP: bmnet.dll

Trusted Zone: credit-suisse.com

DPF: {6416C78A-E810-445C-8712-1785809FA433} - hxxps://newyork.access.credit-suisse.com/CitrixLogonPoint/newyork/EPAClient/EPAClient.exe

DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://littlechander:8000/qcbin/Spider90.ocx

DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} - hxxp://plugin.fileopen.com/current/FileOpen.CAB

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tyx32rap.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\np3115F6BB-91B6-44E0-A7AD-0C506D085B1C.dll

FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - plugin: e:\install\Google\Picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-17 21:54:21

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\OracleOraHome92TNSListener]

"ImagePath"="c:\oracle\ora92\BIN\TNSLSNR "

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-889904922-4045633332-109091499-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A838E924-CB44-3F87-1660-861922C5CAFB}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"oalcmnpjfmehljpnlcfdfpoibbfdeb"=hex:6a,61,6b,64,63,6d,6f,62,6a,65,62,69,67,6f,

61,65,63,65,6c,6e,00,1e

"nabckeofakaafdedlecddejicpcn"=hex:6a,61,6d,64,69,6e,67,67,62,65,6f,69,66,6b,

66,67,63,62,63,6a,00,17

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1148)

c:\program files\Intel\Wireless\Bin\LgNotify.dll

c:\windows\system32\NavLogon.dll

- - - - - - - > 'lsass.exe'(1204)

c:\windows\system32\mclsp.dll

c:\windows\system32\bmnet.dll

- - - - - - - > 'explorer.exe'(1436)

c:\chander\Install\ScanSoft\OmniPageSE4\OpHookSE4.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKEEPER.exe

c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

c:\progra~1\Intel\Wireless\Bin\1XConfig.exe

c:\windows\system32\bmwebcfg.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\McAfee\MPF\MpfSrv.exe

c:\program files\McAfee\MSK\msksrver.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\UTSCSI.EXE

c:\progra~1\McAfee.com\Agent\mcagent.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe

c:\windows\system32\LVComS.exe

c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe

c:\windows\system32\verclsid.exe

.

**************************************************************************

.

Completion time: 2009-03-17 21:59:56 - machine was rebooted [Owner]

ComboFix-quarantined-files.txt 2009-03-18 01:59:44

Pre-Run: 4,101,570,560 bytes free

Post-Run: 4,137,496,576 bytes free

318 --- E O F --- 2009-03-11 13:48:54

New Hijackthis.log

=============

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:03:38 PM, on 3/17/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\WINDOWS\system32\bmwebcfg.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\UTSCSI.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Logitech\Video\LogiTray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe

C:\WINDOWS\system32\LVComS.exe

C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://updates.installshield.com/GetUpdate...01FD9FB500FDEAC

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll

O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)

O2 - BHO: BHOManager Class - {474264BC-9571-47C1-85B9-780F756DC9CE} - C:\WINDOWS\system32\BHOManager.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [OpwareSE4] "C:\Chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exe"

O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O15 - Trusted Zone: *.credit-suisse.com

O16 - DPF: {6416C78A-E810-445C-8712-1785809FA433} (CCAOControl Object) - https://newyork.access.credit-suisse.com/Ci...t/EPAClient.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163337774790

O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://littlechander:8000/qcbin/Spider90.ocx

O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.ooxtv.com/livetv.ocx

O16 - DPF: {B1647320-9EC8-4B0F-BF53-93D4A43FA614} (TerminalSvcsTCSX Control) - https://mydesk-pi01.morganstanley.com/prx/0...inalSvcsTCS.cab

O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB

O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - (no file)

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - (no file)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SQLSERVERAGENT - Unknown owner - F:\Program Files\Mercury\Quality Center\msdeBinn\MSSQL\Binn\sqlagent.EXE (file missing)

O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

O23 - Service: WLANKEEPER - Intel


1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\windows\system32\lphc9uqj0evet.exe

Folder::

c:\program files\rhccuqj0evet\

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphc9uqj0evet]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhccuqj0evet]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

New combofix log

---------------------

ComboFix 09-03-18.01 - Owner 2009-03-18 19:52:21.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1006.365 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated)

FW: McAfee Personal Firewall *disabled*

FILE ::

c:\windows\system32\lphc9uqj0evet.exe

.

((((((((((((((((((((((((( Files Created from 2009-02-18 to 2009-03-18 )))))))))))))))))))))))))))))))

.

2009-03-12 21:49 . 2009-03-12 21:49 <DIR> d-------- c:\program files\Trend Micro

2009-03-12 19:55 . 2009-03-12 19:55 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-03-11 10:48 . 2009-03-12 19:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-11 10:48 . 2009-03-11 10:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-11 10:48 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-11 10:48 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-10 23:40 . 2009-03-10 23:40 0 --a------ C:\backup.reg

2009-03-06 09:33 . 2009-03-06 09:33 1,376 --a------ c:\windows\system32\Status.MPF

2009-03-06 00:59 . 2009-03-17 22:04 <DIR> d-------- c:\program files\Mozilla Firefox 3.1 Beta 2

2009-03-06 00:04 . 2009-03-18 19:47 8,457 --a------ c:\windows\system32\Config.MPF

2009-03-05 23:25 . 2009-01-09 13:03 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys

2009-03-05 23:25 . 2009-01-09 13:03 40,552 --a------ c:\windows\system32\drivers\mfesmfk.sys

2009-03-05 23:25 . 2009-01-09 13:03 35,272 --a------ c:\windows\system32\drivers\mfebopk.sys

2009-03-05 23:24 . 2009-03-05 23:24 <DIR> d-------- c:\program files\McAfee.com

2009-03-05 23:24 . 2009-03-05 23:25 <DIR> d-------- c:\program files\Common Files\McAfee

2009-03-05 23:07 . 2009-01-09 13:03 34,216 --a------ c:\windows\system32\drivers\mferkdk.sys

2009-03-01 10:30 . 2009-03-01 10:30 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore

2009-03-01 09:35 . 2009-03-01 09:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor

2009-03-01 09:30 . 2008-10-23 14:08 120,136 --a------ c:\windows\system32\drivers\Mpfp.sys

2009-03-01 09:21 . 2006-12-05 18:17 240 --a------ c:\windows\myClean.bat

2009-02-28 09:20 . 2009-02-28 09:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\FileOpen

2009-02-28 08:47 . 2009-02-28 08:47 <DIR> d-------- c:\documents and settings\Owner\Application Data\Mobipocket Reader

2009-02-27 11:16 . 2009-02-28 19:54 54,156 --ah----- c:\windows\QTFont.qfn

2009-02-27 11:16 . 2009-02-27 11:16 1,409 --a------ c:\windows\QTFont.for

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-13 03:58 --------- d-----w c:\documents and settings\Owner\Application Data\U3

2009-03-11 03:40 156 ----a-w c:\program files\dogq.txt

2009-03-08 02:22 --------- d-----w c:\documents and settings\Owner\Application Data\Yahoo!

2009-03-08 02:22 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!

2009-03-06 13:38 --------- d-----w c:\program files\McAfee

2009-03-06 04:04 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee

2009-03-05 15:19 --------- d-----w c:\program files\Google

2009-03-03 05:41 --------- d-----w c:\program files\MUSICMATCH

2009-03-01 12:35 --------- d-----w c:\program files\Symantec

2009-03-01 12:35 --------- d-----w c:\program files\NavNT

2009-03-01 12:34 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-02-28 11:59 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip

2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys

2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys

2009-01-17 02:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll

2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr

2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe

2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe

2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe

2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll

2008-10-20 03:26 27,224 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT

2007-02-09 16:40 49,152 ----a-w c:\documents and settings\Owner\SRProxy.dll

2003-09-16 06:19 99,544 ----a-w c:\windows\inf\virprn.exe

2003-09-16 06:19 90,624 ----a-w c:\windows\inf\prtproc.dll

2003-09-16 06:19 18,950 ----a-w c:\windows\inf\virpntd.dll

2003-09-16 06:19 10,240 ----a-w c:\windows\inf\virport.dll

2006-01-19 13:57 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys

2008-09-06 23:52 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090620080907\index.dat

.

((((((((((((((((((((((((((((( SnapShot@2009-03-16_ 7.44.24.08 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-03-16 11:20:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-03-18 23:46:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-03-16 11:20:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-03-18 23:46:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-03-16 11:20:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-03-18 23:46:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2008-07-22 50520]

"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-03 98304]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-02-12 188416]

"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-02-12 77824]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-03 185896]

"SmcService"="c:\progra~1\Sygate\SSA\smc.exe" [2004-06-04 2376928]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"OpwareSE4"="c:\chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]

"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{A5949E07-8536-4625-A3D0-2DD83F559990}"= "c:\windows\system32\ShellHook.dll" [2007-02-11 46080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 18:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.enc"= ITIG726.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cingular Communication Manager]

--a------ 2007-03-14 11:02 19968 c:\chander\Install\Cingular\Communication Manager\CingularCCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]

c:\program files\Google\Google Talk\googletalk.exe [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Backup]

--a------ 2009-01-09 14:05 5134864 c:\program files\McAfee\MBK\McAfeeDataBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]

--a------ 2009-01-08 21:30 645328 c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]

--a------ 2009-01-09 15:41 1176808 c:\progra~1\McAfee\MHN\McENUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPSExe]

c:\progra~1\mcafee.com\mps\mscifapp.exe [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Virtual PDF Printer]

e:\virtual pdf printer\VirtualPDFPrinter.exe [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipBuster]

--a------ 2008-01-24 13:20 8811824 c:\chander\Install\VoipBuster\voipbuster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"OracleXETNSListener"=2 (0x2)

"OracleXEClrAgent"=3 (0x3)

"OracleServiceXE"=2 (0x2)

"OracleServiceORCL"=2 (0x2)

"OracleServiceMYDB"=2 (0x2)

"OracleOraHome92TNSListener"=2 (0x2)

"OracleMTSRecoveryService"=3 (0x3)

"McAfee SiteAdvisor Service"=2 (0x2)

"gusvc"=3 (0x3)

"MSSQLServerADHelper"=3 (0x3)

"MSSQLSERVER"=2 (0x2)

"Mercury Quality Center"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Chander\\Install\\VoipBuster\\VoipBuster.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"c:\\jdk1.5.0\\bin\\java.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\jdk1.5.0\\bin\\javaw.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\jdk1.5.0\\jre\\bin\\javaw.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Chander\\Install\\SopCast\\SopCast.exe"=

"c:\\Documents and Settings\\Owner\\Application Data\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Chander\\Install\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=

"c:\\Chander\\Install\\SopCast\\sopvod.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2003-10-22 40356]

R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [2006-05-30 11107]

S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);c:\windows\system32\drivers\swnc8u12.sys [2007-02-23 82432]

S3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);c:\windows\system32\drivers\swumx12.sys [2007-02-23 66304]

S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-03-05 203280]

S4 Mercury Quality Center;Mercury Quality Center;f:\progra~1\Mercury\QUALIT~1\jboss\bin\QCJavaService.exe --> f:\progra~1\Mercury\QUALIT~1\jboss\bin\QCJavaService.exe [?]

S4 OracleJobSchedulerXE;OracleJobSchedulerXE;f:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> f:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]

S4 OracleServiceMYDB;OracleServiceMYDB;c:\oracle\ora92\bin\ORACLE.EXE MYDB --> c:\oracle\ora92\bin\ORACLE.EXE MYDB [?]

S4 OracleServiceORCL;OracleServiceORCL;c:\oracle\ora92\bin\ORACLE.EXE ORCL --> c:\oracle\ora92\bin\ORACLE.EXE ORCL [?]

S4 OracleServiceXE;OracleServiceXE;f:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> f:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]

S4 OracleXETNSListener;OracleXETNSListener;f:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe --> f:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29d8dcf8-fb74-11dc-9689-0013cec484e3}]

\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c7b87a0-7713-11dd-971f-0013cec484e3}]

\Shell\AutoRun\command - G:\autorun.exe

\Shell\phone\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7b4d6f0-7717-11dd-9720-0013cec484e3}]

\Shell\AutoRun\command - G:\autorun.exe

\Shell\phone\command - G:\autorun.exe

.

Contents of the 'Scheduled Tasks' folder

2009-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-889904922-4045633332-109091499-1003.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 06:56]

2009-03-06 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]

2009-03-06 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uInternet Connection Wizard,ShellNext = hxxp://updates.installshield.com/GetUpdates.asp?p={8A9B8148-DDD7-448F-BD6C-358386D32354}&r=6.00&v=ISUA%204.50&u={B40D7F23-2C4F-4F54-8824-9C863507B103}&l=1033&K=ZCEACA7AFC9CCD7EFC9AC4748495C978FF9AB908F498C97A8CE6B90EFC9ECC01FD9FB500FDEAC

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

LSP: c:\windows\system32\mclsp.dll

LSP: bmnet.dll

Trusted Zone: credit-suisse.com

DPF: {6416C78A-E810-445C-8712-1785809FA433} - hxxps://newyork.access.credit-suisse.com/CitrixLogonPoint/newyork/EPAClient/EPAClient.exe

DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://littlechander:8000/qcbin/Spider90.ocx

DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} - hxxp://plugin.fileopen.com/current/FileOpen.CAB

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tyx32rap.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\np3115F6BB-91B6-44E0-A7AD-0C506D085B1C.dll

FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - plugin: e:\install\Google\Picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-18 19:55:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\OracleOraHome92TNSListener]

"ImagePath"="c:\oracle\ora92\BIN\TNSLSNR "

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-889904922-4045633332-109091499-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A838E924-CB44-3F87-1660-861922C5CAFB}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"oalcmnpjfmehljpnlcfdfpoibbfdeb"=hex:6a,61,6b,64,63,6d,6f,62,6a,65,62,69,67,6f,

61,65,63,65,6c,6e,00,1e

"nabckeofakaafdedlecddejicpcn"=hex:6a,61,6d,64,69,6e,67,67,62,65,6f,69,66,6b,

66,67,63,62,63,6a,00,17

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1148)

c:\program files\Intel\Wireless\Bin\LgNotify.dll

c:\windows\system32\NavLogon.dll

c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(1204)

c:\windows\system32\mclsp.dll

c:\windows\system32\bmnet.dll

.

Completion time: 2009-03-18 19:59:40

ComboFix-quarantined-files.txt 2009-03-18 23:59:01

ComboFix2.txt 2009-03-18 02:00:12

Pre-Run: 4,111,933,440 bytes free

Post-Run: 4,092,264,448 bytes free

275 --- E O F --- 2009-03-11 13:48:54

New HijackThis log

============

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:09:42 PM, on 3/18/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\WINDOWS\system32\bmwebcfg.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\UTSCSI.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Logitech\Video\LogiTray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe

C:\WINDOWS\system32\LVComS.exe

C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://updates.installshield.com/GetUpdate...01FD9FB500FDEAC

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll

O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)

O2 - BHO: BHOManager Class - {474264BC-9571-47C1-85B9-780F756DC9CE} - C:\WINDOWS\system32\BHOManager.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui

O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [OpwareSE4] "C:\Chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exe"

O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O15 - Trusted Zone: *.credit-suisse.com

O16 - DPF: {6416C78A-E810-445C-8712-1785809FA433} (CCAOControl Object) - https://newyork.access.credit-suisse.com/Ci...t/EPAClient.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163337774790

O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://littlechander:8000/qcbin/Spider90.ocx

O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.ooxtv.com/livetv.ocx

O16 - DPF: {B1647320-9EC8-4B0F-BF53-93D4A43FA614} (TerminalSvcsTCSX Control) - https://mydesk-pi01.morganstanley.com/prx/0...inalSvcsTCS.cab

O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB

O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - (no file)

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - (no file)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SQLSERVERAGENT - Unknown owner - F:\Program Files\Mercury\Quality Center\msdeBinn\MSSQL\Binn\sqlagent.EXE (file missing)

O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

O23 - Service: WLANKEEPER - Intel


Open HijackThis and put a check next to these:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)

O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - (no file)

O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - (no file)

Click Fix Checked and close HJT.

Download the HostsXpert 3.7 - Hosts File Manager.

  • Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 3.7 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Restart your computer and post a new HJT log and update on your problems.

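As an added example (my own code, not from the thread or from HijackThis), here is a small Python triage that applies the same rule the helper used above: flag HJT entries whose target is "(no file)" as candidates for "Fix checked", and list Winsock LSP and missing-service entries for review only. The sample lines are copied from the log above; the classification rules are my own assumption about what a helper looks for.

```python
"""Triage a HijackThis log: separate orphaned entries from ones that need a human look.
Added example; the rules below are assumptions, not HijackThis's own logic."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines taken from the HJT log posted in the thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - (no file)
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - (no file)
O23 - Service: SQLSERVERAGENT - Unknown owner - F:\Program Files\Mercury\Quality Center\msdeBinn\MSSQL\Binn\sqlagent.EXE (file missing)
"""

# HJT entry lines start with a section code (R0-R3, O1-O24) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass(frozen=True)
class Finding:
    section: str
    clsid: Optional[str]  # registered class id, when the entry carries one
    reason: str
    line: str             # the original log line, for pasting into a reply


def parse_entries(log_text: str):
    """Yield (section, body, stripped line) for every HJT entry line; skip everything else."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body"), raw.strip()


def triage(log_text: str) -> List[Finding]:
    """Classify entries: orphans (registry points at a file that is gone), missing service
    binaries, and unknown Winsock LSPs. Only the orphans are safe to fix blindly."""
    findings = []
    for section, body, line in parse_entries(log_text):
        m = CLSID_RE.search(body)
        clsid = m.group(0) if m else None
        if body.endswith("(no file)"):
            findings.append(Finding(section, clsid, "orphaned: target file gone", line))
        elif body.endswith("(file missing)"):
            findings.append(Finding(section, clsid, "service binary missing", line))
        elif section == "O10":  # LSP chain entries: review, do not fix from a script
            findings.append(Finding(section, clsid, "unknown Winsock LSP", line))
    return findings


def fix_list(log_text: str) -> List[str]:
    """Lines a helper would tick in HJT: the orphaned entries only."""
    return [f.line for f in triage(log_text) if f.reason.startswith("orphaned")]
```

Running `fix_list(SAMPLE_LOG)` returns exactly the six lines the helper listed for "Fix checked"; the three O10 lines and the missing SQLSERVERAGENT binary come back from `triage` for manual review.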
