cpuri Posted March 11, 2009 ID:63605 Share Posted March 11, 2009 Hi,On google & yahoo searches the links are getting redirected to windowsclick.com Search through some of the forums and found that mbam could help so I downloaded the mbam-setup.exeInitially I could not install through it but after changing the name to xyz.exe atleast the installation went through fine. Did not modify anything while installation of mbam. After the finish button was clicked it did not launch the malware automatically.Any ideas on what could be the issue and want to get rid of this windowsclick issue. Its just so damn painful.Pls help!!!!Regds,Chander Link to post Share on other sites More sharing options...
Tigger93 Posted March 11, 2009 ID:63662 Share Posted March 11, 2009 Please post the Malwarebytes log and a HijackThis log. Link to post Share on other sites More sharing options...
cpuri Posted March 12, 2009 Author ID:63824 Share Posted March 12, 2009 Please post the Malwarebytes log and a HijackThis log.I was able to install Malwarebytes but it never launched so not sure where can I find the logs for it.Regarding HJT, I double click the exe and nothing happens.Any ideas on how to get these things working ? Link to post Share on other sites More sharing options...
Tigger93 Posted March 13, 2009 ID:63944 Share Posted March 13, 2009 Try renaming the exe to something else (such as test.exe) and see if they work. Link to post Share on other sites More sharing options...
cpuri Posted March 13, 2009 Author ID:64078 Share Posted March 13, 2009 Hi,I went through couple of other posts in this forum and used randbam.exe. After disabling the Mcafee Total Protection AV double clicked this exe file. It generated me couple of shortcuts. One for Malwarebytes Anti-Malware(with some different name) and anther one for HijackThis(with the same name).Here are the steps that I did:1. Double clicked shortcut for Malware Anti-malware and this time it did launch the application.2. Ran a quick scan (it detected 33 infections). Logs shown below. Deleted & quarantined most of them. Some of them required restart of the PC so did a restart.3. After restarting the PC, relaunched Malware Anti-Malware and went to update tab and updated the s/w with the latest definitions. It updated the version from 1749 to 1842.4. Performed a full scan to all my drives(c, e, f). Logs shown below. This time it displayed 3 infections found which were again quarantined and deleted.5. Double clicked Hijack This shortcut which launched the application. Logs shown below.With all the steps done above, can you please guide me what should be the next steps.----------------------------------------------------------------------------------------------------------QUICK SCAN LOGSMalwarebytes' Anti-Malware 1.34Database version: 1749Windows 5.1.2600 Service Pack 33/12/2009 8:13:16 PMmbam-log-2009-03-12 (20-13-16).txtScan type: Quick ScanObjects scanned: 80861Time elapsed: 15 minute(s), 44 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 3Registry Values Infected: 2Registry Data Items Infected: 2Folders Infected: 11Files Infected: 15Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\rhccuqj0evet (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhccuqj0evet (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.Folders Infected:C:\Documents and Settings\Owner\Application Data\rhccuqj0evet (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\Application Data\rhccuqj0evet\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\Application Data\rhccuqj0evet\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\Application Data\rhccuqj0evet\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\Application Data\rhccuqj0evet\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\Application Data\rhccuqj0evet\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\Application Data\rhccuqj0evet\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\Application Data\rhccuqj0evet\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\Application Data\rhccuqj0evet\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\Application Data\rhccuqj0evet\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Owner\Application Data\rhccuqj0evet\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.Files Infected:C:\WINDOWS\system32\UACjrutewcd.dll (Trojan.TDSS) -> Delete on reboot.C:\WINDOWS\system32\UACqvsswulv.dll (Rootkit.TDSS) -> Delete on reboot.C:\WINDOWS\system32\UACrbxihxly.dll (Rootkit.TDSS) -> Delete on reboot.C:\WINDOWS\system32\drivers\UACbowbarmp.sys (Rootkit.TDSS) -> Delete on reboot.C:\Documents and Settings\Owner\Local Settings\Temp\UAC9547.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.C:\WINDOWS\Temp\UAC1db.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.C:\WINDOWS\Temp\UAC4483.tmp (Rootkit.TDSS) -> Delete on reboot.C:\WINDOWS\Temp\UAC510.tmp (Trojan.TDSS) -> Delete on reboot.C:\WINDOWS\Temp\UAC831.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\iehelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\system32\UACfwaspyoy.dll (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\UACiuruxnsd.log (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\UACpqmlxlpd.dat (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\UACqxthevcu.dll (Trojan.Agent) -> Delete on reboot.----------------------------------------------------------------------------------------------------------FULL SCAN LOGS AFTER PC RESTARTMalwarebytes' Anti-Malware 1.34Database version: 1842Windows 5.1.2600 Service Pack 33/12/2009 9:46:18 PMmbam-log-2009-03-12 (21-46-18).txtScan type: Full Scan (C:\|E:\|F:\|)Objects scanned: 174305Time elapsed: 1 hour(s), 21 minute(s), 44 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 2Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\Temp\UAC5814.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.C:\WINDOWS\Temp\UACeb3d.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.---------------------------------------------------------------------------------------------------------------HIJACKTHIS logsLogfile of Trend Micro HijackThis v2.0.2Scan saved at 9:50:12 PM, on 3/12/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16791)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\Program Files\Intel\Wireless\Bin\WLKeeper.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exeC:\WINDOWS\system32\bmwebcfg.exeC:\PROGRA~1\McAfee\MSC\mcmscsvc.exec:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exec:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeC:\Program Files\Java\jre1.5.0_06\bin\jusched.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeC:\Program Files\McAfee\MPF\MPFSrv.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\McAfee\MSK\MskSrver.exeC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\WINDOWS\system32\dla\tfswctrl.exec:\PROGRA~1\mcafee.com\agent\mcagent.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\WINDOWS\system32\UTSCSI.EXEC:\Program Files\Logitech\Video\LogiTray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxsrvc.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exeC:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exeC:\WINDOWS\system32\LVComS.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeC:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.comR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://updates.installshield.com/GetUpdate...01FD9FB500FDEACR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dllO2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)O2 - BHO: BHOManager Class - {474264BC-9571-47C1-85B9-780F756DC9CE} - C:\WINDOWS\system32\BHOManager.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/WirelessO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startupO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exeO4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exeO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startguiO4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logonO4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -bootO4 - HKLM\..\Run: [OpwareSE4] "C:\Chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exe"O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACKO4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /cO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exeO9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: bmnet.dllO10 - Unknown file in Winsock LSP: bmnet.dllO10 - Unknown file in Winsock LSP: bmnet.dllO15 - Trusted Zone: *.credit-suisse.comO16 - DPF: {6416C78A-E810-445C-8712-1785809FA433} (CCAOControl Object) - https://newyork.access.credit-suisse.com/Ci...t/EPAClient.exeO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163337774790O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://littlechander:8000/qcbin/Spider90.ocxO16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.ooxtv.com/livetv.ocxO16 - DPF: {B1647320-9EC8-4B0F-BF53-93D4A43FA614} (TerminalSvcsTCSX Control) - https://mydesk-pi01.morganstanley.com/prx/0...inalSvcsTCS.cabO16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CABO18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - (no file)O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - (no file)O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLLO23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exeO23 - Service: Check TestDirector User account (CheckTestDirectorUserAccount) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\ismp001\2818885.tmp\CheckU.exe (file missing)O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exeO23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exeO23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeO23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeO23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exeO23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exeO23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exeO23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exeO23 - Service: SQLSERVERAGENT - Unknown owner - F:\Program Files\Mercury\Quality Center\msdeBinn\MSSQL\Binn\sqlagent.EXE (file missing)O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXEO23 - Service: WLANKEEPER - Intel Link to post Share on other sites More sharing options...
Tigger93 Posted March 13, 2009 ID:64187 Share Posted March 13, 2009 Please don't do steps in other threads. They are for the person and thread only.Download ComboFix from one of the locations below, and save it to your Desktop. Link 1Link 2 Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.When finished, it shall produce a log for you. Post that log and a HijackThis log in your next replyNote: Do not mouseclick Combofix's window while its running. That may cause it to stall Link to post Share on other sites More sharing options...
cpuri Posted March 16, 2009 Author ID:64860 Share Posted March 16, 2009 Attached are the logs for Combofix and HijackThis:Combofix log----------------ComboFix 09-03-15.01 - Owner 2009-03-16 7:30:59.1 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1006.535 [GMT -4:00]Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exeAV: McAfee VirusScan *On-access scanning enabled* (Updated)FW: McAfee Personal Firewall *enabled* * Created a new restore point.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).C:\WINDOWS\dat.txtC:\WINDOWS\search_res.txtC:\WINDOWS\system32\erkz6bd.dllC:\WINDOWS\system32\mdm.exeC:\WINDOWS\system32\prsgrc.dllC:\WINDOWS\system32\tmp.reg.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_SYSREST.SYS-------\Service_UACd.sys((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 ))))))))))))))))))))))))))))))).2009-03-12 21:49 . 2009-03-12 21:49 <DIR> d-------- C:\Program Files\Trend Micro2009-03-12 19:55 . 2009-03-12 19:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes2009-03-11 10:48 . 2009-03-12 19:54 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware2009-03-11 10:48 . 2009-03-11 10:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes2009-03-11 10:48 . 2009-02-11 10:19 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys2009-03-11 10:48 . 2009-02-11 10:19 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys2009-03-10 23:40 . 2009-03-10 23:40 0 --a------ C:\backup.reg2009-03-06 09:33 . 2009-03-06 09:33 1,376 --a------ C:\WINDOWS\system32\Status.MPF2009-03-06 00:59 . 2009-03-16 07:21 <DIR> d-------- C:\Program Files\Mozilla Firefox 3.1 Beta 22009-03-06 00:04 . 2009-03-16 07:39 8,287 --a------ C:\WINDOWS\system32\Config.MPF2009-03-05 23:25 . 2009-01-09 13:03 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys2009-03-05 23:25 . 2009-01-09 13:03 40,552 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys2009-03-05 23:25 . 2009-01-09 13:03 35,272 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys2009-03-05 23:24 . 2009-03-05 23:24 <DIR> d-------- C:\Program Files\McAfee.com2009-03-05 23:24 . 2009-03-05 23:25 <DIR> d-------- C:\Program Files\Common Files\McAfee2009-03-05 23:07 . 2009-01-09 13:03 34,216 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys2009-03-01 10:30 . 2009-03-01 10:30 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SACore2009-03-01 09:35 . 2009-03-01 09:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor2009-03-01 09:30 . 2008-10-23 14:08 120,136 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys2009-03-01 09:21 . 2006-12-05 18:17 240 --a------ C:\WINDOWS\myClean.bat2009-02-28 09:20 . 2009-02-28 09:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FileOpen2009-02-28 08:47 . 2009-02-28 08:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Mobipocket Reader2009-02-27 11:16 . 2009-02-28 19:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn2009-02-27 11:16 . 2009-02-27 11:16 1,409 --a------ C:\WINDOWS\QTFont.for.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-03-13 03:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\U32009-03-11 03:40 156 ----a-w C:\Program Files\dogq.txt2009-03-08 02:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!2009-03-08 02:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!2009-03-06 13:38 --------- d-----w C:\Program Files\McAfee2009-03-06 04:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee2009-03-05 15:19 --------- d-----w C:\Program Files\Google2009-03-03 05:41 --------- d-----w C:\Program Files\MUSICMATCH2009-03-01 12:35 --------- d-----w C:\Program Files\Symantec2009-03-01 12:35 --------- d-----w C:\Program Files\NavNT2009-03-01 12:34 --------- d-----w C:\Program Files\Common Files\Symantec Shared2009-02-28 11:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip2008-10-20 03:26 27,224 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT2007-02-09 16:40 49,152 ----a-w C:\Documents and Settings\Owner\SRProxy.dll2003-09-16 06:19 99,544 ----a-w C:\WINDOWS\inf\virprn.exe2003-09-16 06:19 90,624 ----a-w C:\WINDOWS\inf\prtproc.dll2003-09-16 06:19 18,950 ----a-w C:\WINDOWS\inf\virpntd.dll2003-09-16 06:19 10,240 ----a-w C:\WINDOWS\inf\virport.dll2006-01-19 13:57 56 --sh--r C:\WINDOWS\system32\A4258F1763.sys2006-01-19 13:57 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys2008-09-06 23:52 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090620080907\index.dat.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]"cdloader"="C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2008-07-22 12:45 50520]"Google Update"="C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 06:56 133104][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 21:36 729178]"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 16:59 385024]"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 18:19 53248]"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-03 23:01 98304]"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 03:05 127035]"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 12:44 249856]"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44 81920]"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-02-12 17:57 188416]"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-02-12 17:59 77824]"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-03 09:08 185896]"SmcService"="C:\PROGRA~1\Sygate\SSA\smc.exe" [2004-06-04 22:45 2376928]"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 21:01 644696]"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 09:03 210472]"OpwareSE4"="C:\Chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 12:02 79400]"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 08:35 20480]C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]"EnableShellExecuteHooks"= 1 (0x1)[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{A5949E07-8536-4625-A3D0-2DD83F559990}"= "C:\WINDOWS\system32\ShellHook.dll" [2007-02-11 16:19 46080][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]2004-09-07 18:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]"msacm.enc"= ITIG726.acm[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]@="Driver"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]@="Driver"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cingular Communication Manager]--a------ 2007-03-14 11:02 19968 C:\Chander\Install\Cingular\Communication Manager\CingularCCM.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Backup]--a------ 2009-01-09 14:05 5134864 C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]--a------ 2009-01-08 21:30 645328 C:\Program Files\McAfee.com\Agent\mcagent.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]--a------ 2009-01-09 15:41 1176808 C:\PROGRA~1\McAfee\MHN\McENUI.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]--a------ 2008-04-13 20:12 1695232 C:\Program Files\Messenger\msmsgs.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipBuster]--a------ 2008-01-24 13:20 8811824 C:\Chander\Install\VoipBuster\voipbuster.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"OracleXETNSListener"=2 (0x2)"OracleXEClrAgent"=3 (0x3)"OracleServiceXE"=2 (0x2)"OracleServiceORCL"=2 (0x2)"OracleServiceMYDB"=2 (0x2)"OracleOraHome92TNSListener"=2 (0x2)"OracleMTSRecoveryService"=3 (0x3)"McAfee SiteAdvisor Service"=2 (0x2)"gusvc"=3 (0x3)"MSSQLServerADHelper"=3 (0x3)"MSSQLSERVER"=2 (0x2)"Mercury Quality Center"=2 (0x2)[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusDisableNotify"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="C:\\Chander\\Install\\VoipBuster\\VoipBuster.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\jdk1.5.0\\bin\\java.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\jdk1.5.0\\bin\\javaw.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\jdk1.5.0\\jre\\bin\\javaw.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="C:\\Chander\\Install\\SopCast\\SopCast.exe"="C:\\Documents and Settings\\Owner\\Application Data\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Chander\\Install\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"="C:\\Chander\\Install\\SopCast\\sopvod.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=R0 ENO;ENO;C:\WINDOWS\system32\drivers\ENO.sys [2003-10-22 12:57:16 40356]R2 paldrv;paldrv;C:\WINDOWS\system32\pal_drv.sys [2006-05-30 20:49:53 11107]S3 CheckTestDirectorUserAccount;Check TestDirector User account;C:\DOCUME~1\Owner\LOCALS~1\Temp\ismp001\2818885.tmp\CheckU.exe --> C:\DOCUME~1\Owner\LOCALS~1\Temp\ismp001\2818885.tmp\CheckU.exe [?]S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);C:\WINDOWS\system32\drivers\swnc8u12.sys [2007-02-23 15:16:22 82432]S3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);C:\WINDOWS\system32\drivers\swumx12.sys [2007-02-23 15:16:22 66304]S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2009-03-05 23:30:29 203280]S4 Mercury Quality Center;Mercury Quality Center;F:\PROGRA~1\Mercury\QUALIT~1\jboss\bin\QCJavaService.exe --> F:\PROGRA~1\Mercury\QUALIT~1\jboss\bin\QCJavaService.exe [?]S4 OracleJobSchedulerXE;OracleJobSchedulerXE;f:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> f:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]S4 OracleServiceMYDB;OracleServiceMYDB;c:\oracle\ora92\bin\ORACLE.EXE MYDB --> c:\oracle\ora92\bin\ORACLE.EXE MYDB [?]S4 OracleServiceORCL;OracleServiceORCL;c:\oracle\ora92\bin\ORACLE.EXE ORCL --> c:\oracle\ora92\bin\ORACLE.EXE ORCL [?]S4 OracleServiceXE;OracleServiceXE;f:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> f:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]S4 OracleXETNSListener;OracleXETNSListener;F:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe --> F:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe [?][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29d8dcf8-fb74-11dc-9689-0013cec484e3}]\Shell\AutoRun\command - G:\autorun.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c7b87a0-7713-11dd-971f-0013cec484e3}]\Shell\AutoRun\command - G:\autorun.exe\Shell\phone\command - G:\autorun.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b5f9940-daa0-11dc-9639-00a0d5ffff85}]\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe\Shell\Open(&0)\command - Recycled\ctfmon.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7b4d6f0-7717-11dd-9720-0013cec484e3}]\Shell\AutoRun\command - G:\autorun.exe\Shell\phone\command - G:\autorun.exe.Contents of the 'Scheduled Tasks' folder2009-03-16 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-889904922-4045633332-109091499-1003.job- C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 06:56]2009-03-06 C:\WINDOWS\Tasks\McDefragTask.job- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]2009-03-06 C:\WINDOWS\Tasks\McQcTask.job- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53].- - - - ORPHANS REMOVED - - - -SafeBoot-mfehidkSafeBoot-mferkdkSafeBoot-mfetdikSafeBoot-mfetdik.sysMSConfigStartUp-googletalk - C:\Program Files\Google\Google Talk\googletalk.exeMSConfigStartUp-lphc9uqj0evet - C:\WINDOWS\system32\lphc9uqj0evet.exeMSConfigStartUp-MPSExe - c:\PROGRA~1\mcafee.com\mps\mscifapp.exeMSConfigStartUp-SMrhccuqj0evet - C:\Program Files\rhccuqj0evet\rhccuqj0evet.exeMSConfigStartUp-Virtual PDF Printer - E:\Virtual PDF Printer\VirtualPDFPrinter.exe.------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7uInternet Connection Wizard,ShellNext = hxxp://updates.installshield.com/GetUpdates.asp?p={8A9B8148-DDD7-448F-BD6C-358386D32354}&r=6.00&v=ISUA%204.50&u={B40D7F23-2C4F-4F54-8824-9C863507B103}&l=1033&K=ZCEACA7AFC9CCD7EFC9AC4748495C978FF9AB908F498C97A8CE6B90EFC9ECC01FD9FB500FDEACIE: Add to Google Photos Screensa&ver - C:\WINDOWS\system32\GPhotos.scr/200IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000LSP: C:\WINDOWS\system32\mclsp.dllLSP: bmnet.dllTrusted Zone: credit-suisse.comDPF: {6416C78A-E810-445C-8712-1785809FA433} - hxxps://newyork.access.credit-suisse.com/CitrixLogonPoint/newyork/EPAClient/EPAClient.exeDPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://littlechander:8000/qcbin/Spider90.ocxDPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} - hxxp://plugin.fileopen.com/current/FileOpen.CABFF - ProfilePath - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\tyx32rap.default\FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/FF - plugin: C:\Documents and Settings\Owner\Application Data\Mozilla\plugins\np3115F6BB-91B6-44E0-A7AD-0C506D085B1C.dllFF - plugin: C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dllFF - plugin: C:\Program Files\Java\jre1.5.0_06\bin\NPJava11.dllFF - plugin: C:\Program Files\Java\jre1.5.0_06\bin\NPJava12.dllFF - plugin: C:\Program Files\Java\jre1.5.0_06\bin\NPJava13.dllFF - plugin: C:\Program Files\Java\jre1.5.0_06\bin\NPJava14.dllFF - plugin: C:\Program Files\Java\jre1.5.0_06\bin\NPJava32.dllFF - plugin: C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dllFF - plugin: C:\Program Files\Java\jre1.5.0_06\bin\NPOJI610.dllFF - plugin: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dllFF - plugin: E:\Install\Google\Picasa3\npPicasa3.dll---- FIREFOX POLICIES ----C:\Program Files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);C:\Program Files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);C:\Program Files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");C:\Program Files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);C:\Program Files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-03-16 07:41:30Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\OracleOraHome92TNSListener]"ImagePath"="C:\oracle\ora92\BIN\TNSLSNR ".--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_USERS\S-1-5-21-889904922-4045633332-109091499-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A838E924-CB44-3F87-1660-861922C5CAFB}*]@Allowed: (Read) (RestrictedCode)@Allowed: (Read) (RestrictedCode)"oalcmnpjfmehljpnlcfdfpoibbfdeb"=hex:6a,61,6b,64,63,6d,6f,62,6a,65,62,69,67,6f, 61,65,63,65,6c,6e,00,1e"nabckeofakaafdedlecddejicpcn"=hex:6a,61,6d,64,69,6e,67,67,62,65,6f,69,66,6b, 66,67,63,62,63,6a,00,17.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(1148)C:\Program Files\Intel\Wireless\Bin\LgNotify.dllC:\WINDOWS\system32\NavLogon.dll- - - - - - - > 'lsass.exe'(1204)C:\WINDOWS\system32\mclsp.dllC:\WINDOWS\system32\bmnet.dll.HijackThis Log============Logfile of Trend Micro HijackThis v2.0.2Scan saved at 08:00, on 2009-03-16Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16791)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\Program Files\Intel\Wireless\Bin\WLKeeper.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exeC:\Program Files\Java\jre1.5.0_06\bin\jusched.exeC:\WINDOWS\system32\bmwebcfg.exeC:\PROGRA~1\McAfee\MSC\mcmscsvc.exec:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exec:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeC:\Program Files\McAfee\MPF\MPFSrv.exeC:\Program Files\McAfee\MSK\MskSrver.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\WINDOWS\system32\svchost.exec:\PROGRA~1\mcafee.com\agent\mcagent.exeC:\WINDOWS\system32\UTSCSI.EXEC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\Program Files\Logitech\Video\LogiTray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\WINDOWS\system32\igfxsrvc.exeC:\Chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exeC:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exeC:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exeC:\WINDOWS\system32\LVComS.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://updates.installshield.com/GetUpdate...01FD9FB500FDEACR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dllO2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)O2 - BHO: BHOManager Class - {474264BC-9571-47C1-85B9-780F756DC9CE} - C:\WINDOWS\system32\BHOManager.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/WirelessO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startupO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exeO4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exeO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startguiO4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logonO4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -bootO4 - HKLM\..\Run: [OpwareSE4] "C:\Chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exe"O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACKO4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /cO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exeO9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: bmnet.dllO10 - Unknown file in Winsock LSP: bmnet.dllO10 - Unknown file in Winsock LSP: bmnet.dllO15 - Trusted Zone: *.credit-suisse.comO16 - DPF: {6416C78A-E810-445C-8712-1785809FA433} (CCAOControl Object) - https://newyork.access.credit-suisse.com/Ci...t/EPAClient.exeO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163337774790O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://littlechander:8000/qcbin/Spider90.ocxO16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.ooxtv.com/livetv.ocxO16 - DPF: {B1647320-9EC8-4B0F-BF53-93D4A43FA614} (TerminalSvcsTCSX Control) - https://mydesk-pi01.morganstanley.com/prx/0...inalSvcsTCS.cabO16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CABO18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - (no file)O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - (no file)O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exeO23 - Service: Check TestDirector User account (CheckTestDirectorUserAccount) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\ismp001\2818885.tmp\CheckU.exe (file missing)O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exeO23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exeO23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeO23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeO23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exeO23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exeO23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exeO23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exeO23 - Service: SQLSERVERAGENT - Unknown owner - F:\Program Files\Mercury\Quality Center\msdeBinn\MSSQL\Binn\sqlagent.EXE (file missing)O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXEO23 - Service: WLANKEEPER - Intel Link to post Share on other sites More sharing options...
Tigger93 Posted March 16, 2009 ID:64883 Share Posted March 16, 2009 1. Please open Notepad Click Start , then RunType notepad .exe in the Run Box.2. Now copy/paste the entire content of the codebox below into the Notepad window:File::C:\WINDOWS\system32\A4258F1763.sysC:\DOCUME~1\Owner\LOCALS~1\Temp\ismp001\2818885.tmp\CheckU.exe Driver::CheckTestDirectorUserAccountRegistry::[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b5f9940-daa0-11dc-9639-00a0d5ffff85}]3. Save the above as CFScript.txt4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:Combofix.txt A new HijackThis log. Link to post Share on other sites More sharing options...
cpuri Posted March 18, 2009 Author ID:65434 Share Posted March 18, 2009 New Combofix.log----------------------ComboFix 09-03-15.01 - Owner 2009-03-17 21:42:59.2 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1006.558 [GMT -4:00]Running from: c:\documents and settings\Owner\Desktop\ComboFix.exeCommand switches used :: c:\documents and settings\Owner\Desktop\CFScript.txtAV: McAfee VirusScan *On-access scanning disabled* (Updated)FW: McAfee Personal Firewall *disabled* * Created a new restore pointFILE ::c:\docume~1\Owner\LOCALS~1\Temp\ismp001\2818885.tmp\CheckU.exec:\windows\system32\A4258F1763.sys.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\windows\system32\A4258F1763.sys.---- Previous Run -------.c:\windows\dat.txtc:\windows\search_res.txtc:\windows\system32\erkz6bd.dllc:\windows\system32\mdm.exec:\windows\system32\prsgrc.dllc:\windows\system32\tmp.reg.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_SYSREST.SYS-------\Service_UACd.sys-------\Legacy_CHECKTESTDIRECTORUSERACCOUNT-------\Service_CheckTestDirectorUserAccount((((((((((((((((((((((((( Files Created from 2009-02-18 to 2009-03-18 ))))))))))))))))))))))))))))))).2009-03-12 21:49 . 2009-03-12 21:49 <DIR> d-------- c:\program files\Trend Micro2009-03-12 19:55 . 2009-03-12 19:55 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes2009-03-11 10:48 . 2009-03-12 19:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2009-03-11 10:48 . 2009-03-11 10:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes2009-03-11 10:48 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys2009-03-11 10:48 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys2009-03-10 23:40 . 2009-03-10 23:40 0 --a------ C:\backup.reg2009-03-06 09:33 . 2009-03-06 09:33 1,376 --a------ c:\windows\system32\Status.MPF2009-03-06 00:59 . 2009-03-17 21:36 <DIR> d-------- c:\program files\Mozilla Firefox 3.1 Beta 22009-03-06 00:04 . 2009-03-17 21:52 8,287 --a------ c:\windows\system32\Config.MPF2009-03-05 23:25 . 2009-01-09 13:03 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys2009-03-05 23:25 . 2009-01-09 13:03 40,552 --a------ c:\windows\system32\drivers\mfesmfk.sys2009-03-05 23:25 . 2009-01-09 13:03 35,272 --a------ c:\windows\system32\drivers\mfebopk.sys2009-03-05 23:24 . 2009-03-05 23:24 <DIR> d-------- c:\program files\McAfee.com2009-03-05 23:24 . 2009-03-05 23:25 <DIR> d-------- c:\program files\Common Files\McAfee2009-03-05 23:07 . 2009-01-09 13:03 34,216 --a------ c:\windows\system32\drivers\mferkdk.sys2009-03-01 10:30 . 2009-03-01 10:30 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore2009-03-01 09:35 . 2009-03-01 09:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor2009-03-01 09:30 . 2008-10-23 14:08 120,136 --a------ c:\windows\system32\drivers\Mpfp.sys2009-03-01 09:21 . 2006-12-05 18:17 240 --a------ c:\windows\myClean.bat2009-02-28 09:20 . 2009-02-28 09:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\FileOpen2009-02-28 08:47 . 2009-02-28 08:47 <DIR> d-------- c:\documents and settings\Owner\Application Data\Mobipocket Reader2009-02-27 11:16 . 2009-02-28 19:54 54,156 --ah----- c:\windows\QTFont.qfn2009-02-27 11:16 . 2009-02-27 11:16 1,409 --a------ c:\windows\QTFont.for.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-03-13 03:58 --------- d-----w c:\documents and settings\Owner\Application Data\U32009-03-11 03:40 156 ----a-w c:\program files\dogq.txt2009-03-08 02:22 --------- d-----w c:\documents and settings\Owner\Application Data\Yahoo!2009-03-08 02:22 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!2009-03-06 13:38 --------- d-----w c:\program files\McAfee2009-03-06 04:04 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee2009-03-05 15:19 --------- d-----w c:\program files\Google2009-03-03 05:41 --------- d-----w c:\program files\MUSICMATCH2009-03-01 12:35 --------- d-----w c:\program files\Symantec2009-03-01 12:35 --------- d-----w c:\program files\NavNT2009-03-01 12:34 --------- d-----w c:\program files\Common Files\Symantec Shared2009-02-28 11:59 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip2008-10-20 03:26 27,224 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT2007-02-09 16:40 49,152 ----a-w c:\documents and settings\Owner\SRProxy.dll2003-09-16 06:19 99,544 ----a-w c:\windows\inf\virprn.exe2003-09-16 06:19 90,624 ----a-w c:\windows\inf\prtproc.dll2003-09-16 06:19 18,950 ----a-w c:\windows\inf\virpntd.dll2003-09-16 06:19 10,240 ----a-w c:\windows\inf\virport.dll2006-01-19 13:57 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys2008-09-06 23:52 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090620080907\index.dat.((((((((((((((((((((((((((((( SnapShot@2009-03-16_ 7.44.24.08 ))))))))))))))))))))))))))))))))))))))))).- 2009-03-16 11:20:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat+ 2009-03-17 14:54:27 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat- 2009-03-16 11:20:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat+ 2009-03-17 14:54:27 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat- 2009-03-16 11:20:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat+ 2009-03-17 14:54:27 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]"cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2008-07-22 50520]"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-03 98304]"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-02-12 188416]"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-02-12 77824]"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-03 185896]"SmcService"="c:\progra~1\Sygate\SSA\smc.exe" [2004-06-04 2376928]"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]"OpwareSE4"="c:\chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]"EnableShellExecuteHooks"= 1 (0x1)[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{A5949E07-8536-4625-A3D0-2DD83F559990}"= "c:\windows\system32\ShellHook.dll" [2007-02-11 46080][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]2004-09-07 18:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]"msacm.enc"= ITIG726.acm[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]@="Driver"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]@="Driver"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cingular Communication Manager]--a------ 2007-03-14 11:02 19968 c:\chander\Install\Cingular\Communication Manager\CingularCCM.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]c:\program files\Google\Google Talk\googletalk.exe [bU][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphc9uqj0evet]c:\windows\system32\lphc9uqj0evet.exe [bU][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Backup]--a------ 2009-01-09 14:05 5134864 c:\program files\McAfee\MBK\McAfeeDataBackup.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]--a------ 2009-01-08 21:30 645328 c:\program files\McAfee.com\Agent\mcagent.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]--a------ 2009-01-09 15:41 1176808 c:\progra~1\McAfee\MHN\McENUI.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPSExe]c:\progra~1\mcafee.com\mps\mscifapp.exe [bU][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]--a------ 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhccuqj0evet]c:\program files\rhccuqj0evet\rhccuqj0evet.exe [bU][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Virtual PDF Printer]e:\virtual pdf printer\VirtualPDFPrinter.exe [bU][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipBuster]--a------ 2008-01-24 13:20 8811824 c:\chander\Install\VoipBuster\voipbuster.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"OracleXETNSListener"=2 (0x2)"OracleXEClrAgent"=3 (0x3)"OracleServiceXE"=2 (0x2)"OracleServiceORCL"=2 (0x2)"OracleServiceMYDB"=2 (0x2)"OracleOraHome92TNSListener"=2 (0x2)"OracleMTSRecoveryService"=3 (0x3)"McAfee SiteAdvisor Service"=2 (0x2)"gusvc"=3 (0x3)"MSSQLServerADHelper"=3 (0x3)"MSSQLSERVER"=2 (0x2)"Mercury Quality Center"=2 (0x2)[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusDisableNotify"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Chander\\Install\\VoipBuster\\VoipBuster.exe"="c:\\WINDOWS\\system32\\usmt\\migwiz.exe"="c:\\jdk1.5.0\\bin\\java.exe"="c:\\Program Files\\Real\\RealPlayer\\realplay.exe"="c:\\jdk1.5.0\\bin\\javaw.exe"="c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="c:\\jdk1.5.0\\jre\\bin\\javaw.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Chander\\Install\\SopCast\\SopCast.exe"="c:\\Documents and Settings\\Owner\\Application Data\\SopCast\\adv\\SopAdver.exe"="c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="c:\\Chander\\Install\\SopCast\\adv\\SopAdver.exe"="c:\\Program Files\\MSN Messenger\\msnmsgr.exe"="c:\\Program Files\\MSN Messenger\\livecall.exe"="c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"="c:\\Chander\\Install\\SopCast\\sopvod.exe"="c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2003-10-22 40356]R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [2006-05-30 11107]S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);c:\windows\system32\drivers\swnc8u12.sys [2007-02-23 82432]S3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);c:\windows\system32\drivers\swumx12.sys [2007-02-23 66304]S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-03-05 203280]S4 Mercury Quality Center;Mercury Quality Center;f:\progra~1\Mercury\QUALIT~1\jboss\bin\QCJavaService.exe --> f:\progra~1\Mercury\QUALIT~1\jboss\bin\QCJavaService.exe [?]S4 OracleJobSchedulerXE;OracleJobSchedulerXE;f:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> f:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]S4 OracleServiceMYDB;OracleServiceMYDB;c:\oracle\ora92\bin\ORACLE.EXE MYDB --> c:\oracle\ora92\bin\ORACLE.EXE MYDB [?]S4 OracleServiceORCL;OracleServiceORCL;c:\oracle\ora92\bin\ORACLE.EXE ORCL --> c:\oracle\ora92\bin\ORACLE.EXE ORCL [?]S4 OracleServiceXE;OracleServiceXE;f:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> f:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]S4 OracleXETNSListener;OracleXETNSListener;f:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe --> f:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe [?][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29d8dcf8-fb74-11dc-9689-0013cec484e3}]\Shell\AutoRun\command - G:\autorun.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c7b87a0-7713-11dd-971f-0013cec484e3}]\Shell\AutoRun\command - G:\autorun.exe\Shell\phone\command - G:\autorun.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7b4d6f0-7717-11dd-9720-0013cec484e3}]\Shell\AutoRun\command - G:\autorun.exe\Shell\phone\command - G:\autorun.exe.Contents of the 'Scheduled Tasks' folder2009-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-889904922-4045633332-109091499-1003.job- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 06:56]2009-03-06 c:\windows\Tasks\McDefragTask.job- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]2009-03-06 c:\windows\Tasks\McQcTask.job- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]..------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7uInternet Connection Wizard,ShellNext = hxxp://updates.installshield.com/GetUpdates.asp?p={8A9B8148-DDD7-448F-BD6C-358386D32354}&r=6.00&v=ISUA%204.50&u={B40D7F23-2C4F-4F54-8824-9C863507B103}&l=1033&K=ZCEACA7AFC9CCD7EFC9AC4748495C978FF9AB908F498C97A8CE6B90EFC9ECC01FD9FB500FDEACIE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000LSP: c:\windows\system32\mclsp.dllLSP: bmnet.dllTrusted Zone: credit-suisse.comDPF: {6416C78A-E810-445C-8712-1785809FA433} - hxxps://newyork.access.credit-suisse.com/CitrixLogonPoint/newyork/EPAClient/EPAClient.exeDPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://littlechander:8000/qcbin/Spider90.ocxDPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} - hxxp://plugin.fileopen.com/current/FileOpen.CABFF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tyx32rap.default\FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\np3115F6BB-91B6-44E0-A7AD-0C506D085B1C.dllFF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dllFF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dllFF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dllFF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dllFF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dllFF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dllFF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dllFF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dllFF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dllFF - plugin: e:\install\Google\Picasa3\npPicasa3.dll---- FIREFOX POLICIES ----c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-03-17 21:54:21Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\OracleOraHome92TNSListener]"ImagePath"="c:\oracle\ora92\BIN\TNSLSNR ".--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_USERS\S-1-5-21-889904922-4045633332-109091499-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A838E924-CB44-3F87-1660-861922C5CAFB}*]@Allowed: (Read) (RestrictedCode)@Allowed: (Read) (RestrictedCode)"oalcmnpjfmehljpnlcfdfpoibbfdeb"=hex:6a,61,6b,64,63,6d,6f,62,6a,65,62,69,67,6f, 61,65,63,65,6c,6e,00,1e"nabckeofakaafdedlecddejicpcn"=hex:6a,61,6d,64,69,6e,67,67,62,65,6f,69,66,6b, 66,67,63,62,63,6a,00,17.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(1148)c:\program files\Intel\Wireless\Bin\LgNotify.dllc:\windows\system32\NavLogon.dll- - - - - - - > 'lsass.exe'(1204)c:\windows\system32\mclsp.dllc:\windows\system32\bmnet.dll- - - - - - - > 'explorer.exe'(1436)c:\chander\Install\ScanSoft\OmniPageSE4\OpHookSE4.dll.------------------------ Other Running Processes ------------------------.c:\program files\Intel\Wireless\Bin\EvtEng.exec:\program files\Intel\Wireless\Bin\S24EvMon.exec:\program files\Intel\Wireless\Bin\WLKEEPER.exec:\program files\Intel\Wireless\Bin\ZCfgSvc.exec:\progra~1\Intel\Wireless\Bin\1XConfig.exec:\windows\system32\bmwebcfg.exec:\progra~1\McAfee\MSC\mcmscsvc.exec:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exec:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exec:\progra~1\McAfee\VIRUSS~1\Mcshield.exec:\program files\McAfee\MPF\MpfSrv.exec:\program files\McAfee\MSK\msksrver.exec:\program files\Intel\Wireless\Bin\RegSrvc.exec:\windows\system32\wdfmgr.exec:\windows\system32\UTSCSI.EXEc:\progra~1\McAfee.com\Agent\mcagent.exec:\windows\system32\igfxsrvc.exec:\windows\system32\spool\drivers\w32x86\3\WrtProc.exec:\windows\system32\LVComS.exec:\progra~1\McAfee\VIRUSS~1\mcsysmon.exec:\windows\system32\verclsid.exe.**************************************************************************.Completion time: 2009-03-17 21:59:56 - machine was rebooted [Owner]ComboFix-quarantined-files.txt 2009-03-18 01:59:44Pre-Run: 4,101,570,560 bytes freePost-Run: 4,137,496,576 bytes free318 --- E O F --- 2009-03-11 13:48:54New Hijackthis.log=============Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:03:38 PM, on 3/17/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16791)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\Program Files\Intel\Wireless\Bin\WLKeeper.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exeC:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exeC:\WINDOWS\system32\bmwebcfg.exeC:\PROGRA~1\McAfee\MSC\mcmscsvc.exec:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exec:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeC:\Program Files\McAfee\MPF\MPFSrv.exeC:\Program Files\McAfee\MSK\MskSrver.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\UTSCSI.EXEc:\PROGRA~1\mcafee.com\agent\mcagent.exeC:\Program Files\Java\jre1.5.0_06\bin\jusched.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\Program Files\Logitech\Video\LogiTray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exeC:\WINDOWS\system32\igfxsrvc.exeC:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exeC:\WINDOWS\system32\LVComS.exeC:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeC:\WINDOWS\explorer.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://updates.installshield.com/GetUpdate...01FD9FB500FDEACR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dllO2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)O2 - BHO: BHOManager Class - {474264BC-9571-47C1-85B9-780F756DC9CE} - C:\WINDOWS\system32\BHOManager.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/WirelessO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startupO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exeO4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exeO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startguiO4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logonO4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -bootO4 - HKLM\..\Run: [OpwareSE4] "C:\Chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exe"O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACKO4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /cO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exeO9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: bmnet.dllO10 - Unknown file in Winsock LSP: bmnet.dllO10 - Unknown file in Winsock LSP: bmnet.dllO15 - Trusted Zone: *.credit-suisse.comO16 - DPF: {6416C78A-E810-445C-8712-1785809FA433} (CCAOControl Object) - https://newyork.access.credit-suisse.com/Ci...t/EPAClient.exeO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163337774790O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://littlechander:8000/qcbin/Spider90.ocxO16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.ooxtv.com/livetv.ocxO16 - DPF: {B1647320-9EC8-4B0F-BF53-93D4A43FA614} (TerminalSvcsTCSX Control) - https://mydesk-pi01.morganstanley.com/prx/0...inalSvcsTCS.cabO16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CABO18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - (no file)O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - (no file)O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exeO23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exeO23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exeO23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeO23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeO23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exeO23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exeO23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exeO23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exeO23 - Service: SQLSERVERAGENT - Unknown owner - F:\Program Files\Mercury\Quality Center\msdeBinn\MSSQL\Binn\sqlagent.EXE (file missing)O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXEO23 - Service: WLANKEEPER - Intel Link to post Share on other sites More sharing options...
Tigger93 Posted March 18, 2009 ID:65446 Share Posted March 18, 2009 1. Please open Notepad Click Start , then RunType notepad .exe in the Run Box.2. Now copy/paste the entire content of the codebox below into the Notepad window:File::c:\windows\system32\lphc9uqj0evet.exeFolder::c:\program files\rhccuqj0evet\Registry::[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphc9uqj0evet][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhccuqj0evet]3. Save the above as CFScript.txt4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:Combofix.txt A new HijackThis log. Link to post Share on other sites More sharing options...
cpuri Posted March 19, 2009 Author ID:65706 Share Posted March 19, 2009 New combofix log---------------------ComboFix 09-03-18.01 - Owner 2009-03-18 19:52:21.3 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1006.365 [GMT -4:00]Running from: c:\documents and settings\Owner\Desktop\ComboFix.exeCommand switches used :: c:\documents and settings\Owner\Desktop\CFScript.txtAV: McAfee VirusScan *On-access scanning disabled* (Updated)FW: McAfee Personal Firewall *disabled*FILE ::c:\windows\system32\lphc9uqj0evet.exe.((((((((((((((((((((((((( Files Created from 2009-02-18 to 2009-03-18 ))))))))))))))))))))))))))))))).2009-03-12 21:49 . 2009-03-12 21:49 <DIR> d-------- c:\program files\Trend Micro2009-03-12 19:55 . 2009-03-12 19:55 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes2009-03-11 10:48 . 2009-03-12 19:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2009-03-11 10:48 . 2009-03-11 10:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes2009-03-11 10:48 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys2009-03-11 10:48 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys2009-03-10 23:40 . 2009-03-10 23:40 0 --a------ C:\backup.reg2009-03-06 09:33 . 2009-03-06 09:33 1,376 --a------ c:\windows\system32\Status.MPF2009-03-06 00:59 . 2009-03-17 22:04 <DIR> d-------- c:\program files\Mozilla Firefox 3.1 Beta 22009-03-06 00:04 . 2009-03-18 19:47 8,457 --a------ c:\windows\system32\Config.MPF2009-03-05 23:25 . 2009-01-09 13:03 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys2009-03-05 23:25 . 2009-01-09 13:03 40,552 --a------ c:\windows\system32\drivers\mfesmfk.sys2009-03-05 23:25 . 2009-01-09 13:03 35,272 --a------ c:\windows\system32\drivers\mfebopk.sys2009-03-05 23:24 . 2009-03-05 23:24 <DIR> d-------- c:\program files\McAfee.com2009-03-05 23:24 . 2009-03-05 23:25 <DIR> d-------- c:\program files\Common Files\McAfee2009-03-05 23:07 . 2009-01-09 13:03 34,216 --a------ c:\windows\system32\drivers\mferkdk.sys2009-03-01 10:30 . 2009-03-01 10:30 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore2009-03-01 09:35 . 2009-03-01 09:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor2009-03-01 09:30 . 2008-10-23 14:08 120,136 --a------ c:\windows\system32\drivers\Mpfp.sys2009-03-01 09:21 . 2006-12-05 18:17 240 --a------ c:\windows\myClean.bat2009-02-28 09:20 . 2009-02-28 09:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\FileOpen2009-02-28 08:47 . 2009-02-28 08:47 <DIR> d-------- c:\documents and settings\Owner\Application Data\Mobipocket Reader2009-02-27 11:16 . 2009-02-28 19:54 54,156 --ah----- c:\windows\QTFont.qfn2009-02-27 11:16 . 2009-02-27 11:16 1,409 --a------ c:\windows\QTFont.for.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-03-13 03:58 --------- d-----w c:\documents and settings\Owner\Application Data\U32009-03-11 03:40 156 ----a-w c:\program files\dogq.txt2009-03-08 02:22 --------- d-----w c:\documents and settings\Owner\Application Data\Yahoo!2009-03-08 02:22 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!2009-03-06 13:38 --------- d-----w c:\program files\McAfee2009-03-06 04:04 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee2009-03-05 15:19 --------- d-----w c:\program files\Google2009-03-03 05:41 --------- d-----w c:\program files\MUSICMATCH2009-03-01 12:35 --------- d-----w c:\program files\Symantec2009-03-01 12:35 --------- d-----w c:\program files\NavNT2009-03-01 12:34 --------- d-----w c:\program files\Common Files\Symantec Shared2009-02-28 11:59 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys2009-01-17 02:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll2008-10-20 03:26 27,224 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT2007-02-09 16:40 49,152 ----a-w c:\documents and settings\Owner\SRProxy.dll2003-09-16 06:19 99,544 ----a-w c:\windows\inf\virprn.exe2003-09-16 06:19 90,624 ----a-w c:\windows\inf\prtproc.dll2003-09-16 06:19 18,950 ----a-w c:\windows\inf\virpntd.dll2003-09-16 06:19 10,240 ----a-w c:\windows\inf\virport.dll2006-01-19 13:57 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys2008-09-06 23:52 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090620080907\index.dat.((((((((((((((((((((((((((((( SnapShot@2009-03-16_ 7.44.24.08 ))))))))))))))))))))))))))))))))))))))))).- 2009-03-16 11:20:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat+ 2009-03-18 23:46:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat- 2009-03-16 11:20:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat+ 2009-03-18 23:46:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat- 2009-03-16 11:20:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat+ 2009-03-18 23:46:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]"cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2008-07-22 50520]"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-03 98304]"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-02-12 188416]"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-02-12 77824]"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-03 185896]"SmcService"="c:\progra~1\Sygate\SSA\smc.exe" [2004-06-04 2376928]"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]"OpwareSE4"="c:\chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]"EnableShellExecuteHooks"= 1 (0x1)[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{A5949E07-8536-4625-A3D0-2DD83F559990}"= "c:\windows\system32\ShellHook.dll" [2007-02-11 46080][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]2004-09-07 18:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]"msacm.enc"= ITIG726.acm[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]@="Driver"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]@="Driver"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cingular Communication Manager]--a------ 2007-03-14 11:02 19968 c:\chander\Install\Cingular\Communication Manager\CingularCCM.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]c:\program files\Google\Google Talk\googletalk.exe [bU][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Backup]--a------ 2009-01-09 14:05 5134864 c:\program files\McAfee\MBK\McAfeeDataBackup.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]--a------ 2009-01-08 21:30 645328 c:\program files\McAfee.com\Agent\mcagent.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]--a------ 2009-01-09 15:41 1176808 c:\progra~1\McAfee\MHN\McENUI.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPSExe]c:\progra~1\mcafee.com\mps\mscifapp.exe [bU][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]--a------ 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Virtual PDF Printer]e:\virtual pdf printer\VirtualPDFPrinter.exe [bU][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipBuster]--a------ 2008-01-24 13:20 8811824 c:\chander\Install\VoipBuster\voipbuster.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"OracleXETNSListener"=2 (0x2)"OracleXEClrAgent"=3 (0x3)"OracleServiceXE"=2 (0x2)"OracleServiceORCL"=2 (0x2)"OracleServiceMYDB"=2 (0x2)"OracleOraHome92TNSListener"=2 (0x2)"OracleMTSRecoveryService"=3 (0x3)"McAfee SiteAdvisor Service"=2 (0x2)"gusvc"=3 (0x3)"MSSQLServerADHelper"=3 (0x3)"MSSQLSERVER"=2 (0x2)"Mercury Quality Center"=2 (0x2)[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusDisableNotify"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Chander\\Install\\VoipBuster\\VoipBuster.exe"="c:\\WINDOWS\\system32\\usmt\\migwiz.exe"="c:\\jdk1.5.0\\bin\\java.exe"="c:\\Program Files\\Real\\RealPlayer\\realplay.exe"="c:\\jdk1.5.0\\bin\\javaw.exe"="c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="c:\\jdk1.5.0\\jre\\bin\\javaw.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Chander\\Install\\SopCast\\SopCast.exe"="c:\\Documents and Settings\\Owner\\Application Data\\SopCast\\adv\\SopAdver.exe"="c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="c:\\Chander\\Install\\SopCast\\adv\\SopAdver.exe"="c:\\Program Files\\MSN Messenger\\msnmsgr.exe"="c:\\Program Files\\MSN Messenger\\livecall.exe"="c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"="c:\\Chander\\Install\\SopCast\\sopvod.exe"="c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2003-10-22 40356]R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [2006-05-30 11107]S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);c:\windows\system32\drivers\swnc8u12.sys [2007-02-23 82432]S3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);c:\windows\system32\drivers\swumx12.sys [2007-02-23 66304]S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-03-05 203280]S4 Mercury Quality Center;Mercury Quality Center;f:\progra~1\Mercury\QUALIT~1\jboss\bin\QCJavaService.exe --> f:\progra~1\Mercury\QUALIT~1\jboss\bin\QCJavaService.exe [?]S4 OracleJobSchedulerXE;OracleJobSchedulerXE;f:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> f:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]S4 OracleServiceMYDB;OracleServiceMYDB;c:\oracle\ora92\bin\ORACLE.EXE MYDB --> c:\oracle\ora92\bin\ORACLE.EXE MYDB [?]S4 OracleServiceORCL;OracleServiceORCL;c:\oracle\ora92\bin\ORACLE.EXE ORCL --> c:\oracle\ora92\bin\ORACLE.EXE ORCL [?]S4 OracleServiceXE;OracleServiceXE;f:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> f:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]S4 OracleXETNSListener;OracleXETNSListener;f:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe --> f:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe [?][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29d8dcf8-fb74-11dc-9689-0013cec484e3}]\Shell\AutoRun\command - G:\autorun.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c7b87a0-7713-11dd-971f-0013cec484e3}]\Shell\AutoRun\command - G:\autorun.exe\Shell\phone\command - G:\autorun.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7b4d6f0-7717-11dd-9720-0013cec484e3}]\Shell\AutoRun\command - G:\autorun.exe\Shell\phone\command - G:\autorun.exe.Contents of the 'Scheduled Tasks' folder2009-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-889904922-4045633332-109091499-1003.job- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 06:56]2009-03-06 c:\windows\Tasks\McDefragTask.job- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]2009-03-06 c:\windows\Tasks\McQcTask.job- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 11:53]..------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7uInternet Connection Wizard,ShellNext = hxxp://updates.installshield.com/GetUpdates.asp?p={8A9B8148-DDD7-448F-BD6C-358386D32354}&r=6.00&v=ISUA%204.50&u={B40D7F23-2C4F-4F54-8824-9C863507B103}&l=1033&K=ZCEACA7AFC9CCD7EFC9AC4748495C978FF9AB908F498C97A8CE6B90EFC9ECC01FD9FB500FDEACIE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000LSP: c:\windows\system32\mclsp.dllLSP: bmnet.dllTrusted Zone: credit-suisse.comDPF: {6416C78A-E810-445C-8712-1785809FA433} - hxxps://newyork.access.credit-suisse.com/CitrixLogonPoint/newyork/EPAClient/EPAClient.exeDPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://littlechander:8000/qcbin/Spider90.ocxDPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} - hxxp://plugin.fileopen.com/current/FileOpen.CABFF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tyx32rap.default\FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\np3115F6BB-91B6-44E0-A7AD-0C506D085B1C.dllFF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dllFF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dllFF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dllFF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dllFF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dllFF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dllFF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dllFF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dllFF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dllFF - plugin: e:\install\Google\Picasa3\npPicasa3.dll---- FIREFOX POLICIES ----c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-03-18 19:55:58Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\OracleOraHome92TNSListener]"ImagePath"="c:\oracle\ora92\BIN\TNSLSNR ".--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_USERS\S-1-5-21-889904922-4045633332-109091499-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A838E924-CB44-3F87-1660-861922C5CAFB}*]@Allowed: (Read) (RestrictedCode)@Allowed: (Read) (RestrictedCode)"oalcmnpjfmehljpnlcfdfpoibbfdeb"=hex:6a,61,6b,64,63,6d,6f,62,6a,65,62,69,67,6f, 61,65,63,65,6c,6e,00,1e"nabckeofakaafdedlecddejicpcn"=hex:6a,61,6d,64,69,6e,67,67,62,65,6f,69,66,6b, 66,67,63,62,63,6a,00,17.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(1148)c:\program files\Intel\Wireless\Bin\LgNotify.dllc:\windows\system32\NavLogon.dllc:\windows\system32\igfxdev.dll- - - - - - - > 'lsass.exe'(1204)c:\windows\system32\mclsp.dllc:\windows\system32\bmnet.dll.Completion time: 2009-03-18 19:59:40ComboFix-quarantined-files.txt 2009-03-18 23:59:01ComboFix2.txt 2009-03-18 02:00:12Pre-Run: 4,111,933,440 bytes freePost-Run: 4,092,264,448 bytes free275 --- E O F --- 2009-03-11 13:48:54New hijackthis log============Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:09:42 PM, on 3/18/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16791)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\Program Files\Intel\Wireless\Bin\WLKeeper.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exeC:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exeC:\WINDOWS\system32\bmwebcfg.exeC:\PROGRA~1\McAfee\MSC\mcmscsvc.exec:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exec:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeC:\Program Files\McAfee\MPF\MPFSrv.exeC:\Program Files\McAfee\MSK\MskSrver.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\UTSCSI.EXEc:\PROGRA~1\mcafee.com\agent\mcagent.exeC:\Program Files\Java\jre1.5.0_06\bin\jusched.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\Program Files\Logitech\Video\LogiTray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exeC:\WINDOWS\system32\igfxsrvc.exeC:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exeC:\WINDOWS\system32\LVComS.exeC:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeC:\Program Files\Java\jre1.5.0_06\bin\jucheck.exeC:\WINDOWS\system32\wscntfy.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcods.exec:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exeC:\WINDOWS\explorer.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://updates.installshield.com/GetUpdate...01FD9FB500FDEACR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dllO2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)O2 - BHO: BHOManager Class - {474264BC-9571-47C1-85B9-780F756DC9CE} - C:\WINDOWS\system32\BHOManager.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/WirelessO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startupO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exeO4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exeO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startguiO4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logonO4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -bootO4 - HKLM\..\Run: [OpwareSE4] "C:\Chander\Install\ScanSoft\OmniPageSE4\OpwareSE4.exe"O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACKO4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /cO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exeO9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: bmnet.dllO10 - Unknown file in Winsock LSP: bmnet.dllO10 - Unknown file in Winsock LSP: bmnet.dllO15 - Trusted Zone: *.credit-suisse.comO16 - DPF: {6416C78A-E810-445C-8712-1785809FA433} (CCAOControl Object) - https://newyork.access.credit-suisse.com/Ci...t/EPAClient.exeO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163337774790O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://littlechander:8000/qcbin/Spider90.ocxO16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.ooxtv.com/livetv.ocxO16 - DPF: {B1647320-9EC8-4B0F-BF53-93D4A43FA614} (TerminalSvcsTCSX Control) - https://mydesk-pi01.morganstanley.com/prx/0...inalSvcsTCS.cabO16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CABO18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - (no file)O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - (no file)O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exeO23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exeO23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exeO23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeO23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeO23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exeO23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exeO23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exeO23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exeO23 - Service: SQLSERVERAGENT - Unknown owner - F:\Program Files\Mercury\Quality Center\msdeBinn\MSSQL\Binn\sqlagent.EXE (file missing)O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXEO23 - Service: WLANKEEPER - Intel Link to post Share on other sites More sharing options...
Tigger93 Posted March 19, 2009 ID:65745 Share Posted March 19, 2009 Open HijackThis and put a check next to these:R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - (no file)O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - (no file)Click Fix Checked and close HJT.Download the HostsXpert 3.7 - Hosts File Manager.Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpertClick HostsXpert.exe to Run HostsXpert 3.7 - Hosts File Manager from its new homeClick "Make Hosts Writable?" in the upper right corner (If available).Click Restore Microsoft's Hosts file and then click OK.Click the X to exit the program.Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.Restart your computer and post a new HJT log and update on your problems. Link to post Share on other sites More sharing options...
Recommended Posts