Ghostrider 7 #1 Posted April 5, 2009
Hello, I believe I have a UAC rootkit infection. On 03/29, I noticed a problem when I tried to use the pc after my wife used it about 5 hours before me. She doesn't remember anything different or odd. When I started using the pc, I noticed the internet re-direct & that's when I first tried to use Malwarebytes. I have been trying to clean the pc off & on since then. I have been unable to open MBAM.exe, Spybot Search & Destroy or go back to a previous system restore point. I downloaded HiJackThis today, but I'm unable to start that program. The only adware program that runs is Ad-Aware SE by Lavasoft, but I couldn't get the latest definitions because the program is outdated. I still ran SE but it didn't find anything bad. I've also tried doing all of this while in Safe Mode while logged on as the Administrator, myself & my wife. After reviewing my McAfee Antivirus Detection log, I see where it first detected DNSChanger.gen (Trojan) at 13:20 CDT on 03/29. McAfee says that it repaired (removed) it. This was when my wife was using the pc. Below are the McAfee Detection Logs that I have run since & what McAfee did.

All times are Central (Texas) time.

1st McAfee Detection Log:
3/29 1:20:12 PM  Real-Time Scan  DNSChanger.gen (Trojan)  McAfee Repaired (removed)

McAfee findings from the Detection Logs:
3/29 7:53:45 PM  Manual Scan  Generic FakeAlert.k (Trojan)  Quarantined
3/29 7:53:45 PM  Manual Scan  DNSChanger.gen (Trojan)  Quarantined
3/29 7:53:45 PM  Manual Scan  Generic.dx (Trojan)  Quarantined
3/29 7:53:45 PM  Manual Scan  FakeAlert-AB (Trojan)  Quarantined
3/29 7:53:45 PM  Manual Scan  FakeAlert.k (Trojan)  Quarantined
3/29 7:53:46 PM  Manual Scan  GenericPUP.x (Potentially Unwanted Program)  Detected
3/29 7:53:46 PM  Manual Scan  RemAdm-PSKill (Potentially Unwanted Program)  Detected
3/29 7:53:46 PM  Manual Scan  DNSChanger.gen (Trojan)  Quarantined

My next time trying to correct this was on 4/01 3:52 PM (I manually stopped scan).
McAfee findings from the Detection Logs:
4/1 3:52:30 PM  Manual Scan  Generic FakeAlert.k (Trojan)  Quarantined
4/1 3:52:30 PM  Manual Scan  DNSChanger.gen (Trojan)  Quarantined
4/1 3:52:30 PM  Manual Scan  FakeAlert-AB (Trojan)  Quarantined
4/1 3:52:30 PM  Manual Scan  FakeAlert.k (Trojan)  Quarantined

I tried again on 4/01 at 7:02 PM
McAfee findings from the Detection Logs:
4/1 7:02:49 PM  Manual Scan  Generic FakeAlert.k (Trojan)  Quarantined
4/1 7:02:50 PM  Manual Scan  Generic FakeAlert.k (Trojan)  Quarantined
4/1 7:02:50 PM  Manual Scan  DNSChanger.gen (Trojan)  Quarantined
4/1 7:02:50 PM  Manual Scan  FakeAlert-AB (Trojan)  Quarantined
4/1 7:02:51 PM  Manual Scan  GenericPUP.x (Potentially Unwanted Program)  Detected
4/1 7:02:51 PM  Manual Scan  RemAdm-PSKill (Potentially Unwanted Program)  Detected

I have a HP computer & I think that GenericPUP.x & RemAdm-PSKill are part of their system.
I would appreciate any help I can get.
Thanks!
NeedhelpinTX
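The detection log in the post above is more useful read as a time series than as a list: the same names (DNSChanger.gen, FakeAlert-AB, Generic FakeAlert.k) are quarantined and then show up again in the next scan, which is the behaviour of a persistence component that keeps re-dropping its payloads while the scanner only removes the dropped copies. The script below is an added example (editor's code, not McAfee's and not part of the thread): it parses the quoted entries, re-typed here with a year (2009, taken from the thread dates) and with two or more spaces between columns, both of which are assumptions of the example, and reports which detections were removed in more than one scan session.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the McAfee detection-log entries quoted in the post,
# re-typed as "date time  scan type  detection (class)  action" with two or more
# spaces between columns. The year 2009 is assumed from the thread date.
SAMPLE_LOG = """
3/29/2009 1:20:12 PM   Real-Time Scan  DNSChanger.gen (Trojan)        Repaired (removed)
3/29/2009 7:53:45 PM   Manual Scan     Generic FakeAlert.k (Trojan)   Quarantined
3/29/2009 7:53:45 PM   Manual Scan     DNSChanger.gen (Trojan)        Quarantined
3/29/2009 7:53:45 PM   Manual Scan     Generic.dx (Trojan)            Quarantined
3/29/2009 7:53:45 PM   Manual Scan     FakeAlert-AB (Trojan)          Quarantined
3/29/2009 7:53:45 PM   Manual Scan     FakeAlert.k (Trojan)           Quarantined
3/29/2009 7:53:46 PM   Manual Scan     GenericPUP.x (Potentially Unwanted Program)    Detected
3/29/2009 7:53:46 PM   Manual Scan     RemAdm-PSKill (Potentially Unwanted Program)   Detected
3/29/2009 7:53:46 PM   Manual Scan     DNSChanger.gen (Trojan)        Quarantined
4/1/2009 3:52:30 PM    Manual Scan     Generic FakeAlert.k (Trojan)   Quarantined
4/1/2009 3:52:30 PM    Manual Scan     DNSChanger.gen (Trojan)        Quarantined
4/1/2009 3:52:30 PM    Manual Scan     FakeAlert-AB (Trojan)          Quarantined
4/1/2009 3:52:30 PM    Manual Scan     FakeAlert.k (Trojan)           Quarantined
4/1/2009 7:02:49 PM    Manual Scan     Generic FakeAlert.k (Trojan)   Quarantined
4/1/2009 7:02:50 PM    Manual Scan     Generic FakeAlert.k (Trojan)   Quarantined
4/1/2009 7:02:50 PM    Manual Scan     DNSChanger.gen (Trojan)        Quarantined
4/1/2009 7:02:50 PM    Manual Scan     FakeAlert-AB (Trojan)          Quarantined
4/1/2009 7:02:51 PM    Manual Scan     GenericPUP.x (Potentially Unwanted Program)    Detected
4/1/2009 7:02:51 PM    Manual Scan     RemAdm-PSKill (Potentially Unwanted Program)   Detected
"""

# "detection name (classification)" as McAfee prints it
ENTRY_RE = re.compile(r"^(?P<name>.+?) \((?P<kind>[^)]+)\)$")

# Actions that mean the scanner actually removed something (a bare "Detected"
# on a PUP is only a notification, so it does not count as a removal).
REMOVAL_ACTIONS = ("Quarantined", "Repaired", "Deleted")


def parse_log(text):
    """Parse one detection per line into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != 4:
            continue
        when, scan, detection, action = fields
        m = ENTRY_RE.match(detection)
        if not m:
            continue
        records.append({
            "when": datetime.strptime(when, "%m/%d/%Y %I:%M:%S %p"),
            "scan": scan,
            "name": m.group("name"),
            "kind": m.group("kind"),
            "action": action,
        })
    return records


def session_key(when):
    """Entries logged within the same minute belong to one scan session."""
    return when.strftime("%Y-%m-%d %H:%M")


def recurring_detections(records, min_sessions=2):
    """Names that were removed/quarantined in at least min_sessions distinct sessions.

    A name that comes back after being quarantined was re-created by something the
    scanner did not remove; that is the signal to look for a dropper or rootkit.
    """
    sessions = defaultdict(set)
    for r in records:
        if r["action"].startswith(REMOVAL_ACTIONS):
            sessions[r["name"]].add(session_key(r["when"]))
    return {name: sorted(s) for name, s in sessions.items() if len(s) >= min_sessions}


if __name__ == "__main__":
    for name, sessions in sorted(recurring_detections(parse_log(SAMPLE_LOG)).items()):
        print(f"{name}: removed in {len(sessions)} scan sessions -> {', '.join(sessions)}")
```

On the sample, DNSChanger.gen is removed in four separate sessions and the two FakeAlert variants in three; Generic.dx, which was removed once and never returned, is not reported, and the two PUPs are excluded because "Detected" is not a removal.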
AdvancedSetup #2 Posted April 7, 2009
Please take a look at the following post and see if you can get MBAM running and updated by using the information from these posts. If not let me know and we'll try something else.

Potential Malware infection issues to review to get MBAM running
MB won't run (Fix) - Total-Security (FakeAlert)
MBAM wont run (Fix) - av360 (Fakealert)
MBAM wont install or will not run. - CLB Rootkit driver=TDSS/Seneka/GAOPDX/UAC

If you can get MBAM running then please run the following.

Update and Scan with Malwarebytes' Anti-Malware
- Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
- Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
- Update Malwarebytes' Anti-Malware: select the Update tab, then click Update
- When the update is complete, select the Scanner tab
- Select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. Please copy and paste the log into your next reply. If you accidentally close it, the log file is saved here and will be named like this:
  C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr
- Disable any script blocker if your Anti-Virus/Anti-Malware has it.
- Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
- Then double click dds.scr to run the tool.
- When done, the DDS.txt will open.
- Click Yes at the next prompt for Optional Scan.
- When done, DDS will open two (2) logs: DDS.txt and Attach.txt
- Save both reports to your desktop

Please include the following logs in your next reply: DDS.txt and Attach.txt
Ghostrider 7 #3 Posted April 8, 2009
OK, Process Explorer didn't show anything & RootRepeal doesn't let me "wipe" anything.

First, here's the info from Process Explorer. No Total-Security (FakeAlert) or av360 found. But, McAfee previously id'd FakeAlert.k, FakeAlert-AB & Generic FakeAlert.k on 3/29.

Process                  PID   CPU    Description                                   Company Name
System Idle Process      0     94.70
Interrupts               n/a          Hardware Interrupts
DPCs                     n/a   0.76   Deferred Procedure Calls
System                   4
smss.exe                 944          Windows NT Session Manager                    Microsoft Corporation
csrss.exe                1008  0.76   Client Server Runtime Process                 Microsoft Corporation
winlogon.exe             1032         Windows NT Logon Application                  Microsoft Corporation
services.exe             1084  0.76   Services and Controller app                   Microsoft Corporation
svchost.exe              1284         Generic Host Process for Win32 Services       Microsoft Corporation
mcagent.exe              3236         McAfee Integrated Security Platform           McAfee, Inc.
ehmsas.exe               1932         Media Center Media Status Aggregator Service  Microsoft Corporation
svchost.exe              1356         Generic Host Process for Win32 Services       Microsoft Corporation
svchost.exe              1504         Generic Host Process for Win32 Services       Microsoft Corporation
wuauclt.exe              2872         Windows Update Automatic Updates              Microsoft Corporation
wuauclt.exe              3188         Windows Update Automatic Updates              Microsoft Corporation
svchost.exe              1688         Generic Host Process for Win32 Services       Microsoft Corporation
spoolsv.exe              1952         Spooler SubSystem App                         Microsoft Corporation
dsNcService.exe          180          Network Connect Service                       Juniper Networks
ehrecvr.exe              232          Media Center Receiver Service                 Microsoft Corporation
ehSched.exe              248          Media Center Scheduler Service                Microsoft Corporation
IntuitUpdateService.exe  332          Intuit Update Service                         Intuit Inc.
McSACore.exe             492          SiteAdvisor                                   McAfee, Inc.
mcmscsvc.exe             612          McAfee Services                               McAfee, Inc.
McNASvc.exe              716          McAfee Network Agent                          McAfee, Inc.
McProxy.exe              812          McAfee Proxy Service Module                   McAfee, Inc.
Mcshield.exe             920          On-Access Scanner service                     McAfee, Inc.
MpfSrv.exe               1604         McAfee Personal Firewall Service              McAfee, Inc.
nvsvc32.exe              520          NVIDIA Driver Helper Service, Version 66.72   NVIDIA Corporation
svchost.exe              1308         Generic Host Process for Win32 Services       Microsoft Corporation
svchost.exe              1560         Generic Host Process for Win32 Services       Microsoft Corporation
mcrdsvc.exe              2056         MCRD Device Service                           Microsoft Corporation
fxssvc.exe               2092         Fax Service                                   Microsoft Corporation
dllhost.exe              3864         COM Surrogate                                 Microsoft Corporation
alg.exe                  3060         Application Layer Gateway Service             Microsoft Corporation
mcsysmon.exe             1328         McAfee SystemGuards Service                   McAfee, Inc.
savedump.exe             1096         Windows NT Save Dump Utility                  Microsoft Corporation
lsass.exe                1104         LSA Shell (Export Version)                    Microsoft Corporation
explorer.exe             2536         Windows Explorer                              Microsoft Corporation
iexplore.exe             2560         Internet Explorer                             Microsoft Corporation
ctfmon.exe               3204         CTF Loader                                    Microsoft Corporation
ehtray.exe               3544         Media Center Tray Applet                      Microsoft Corporation
hpsysdrv.exe             3628         hpsysdrv                                      Hewlett-Packard Company
shwicon2k.exe            3844                                                       Alcor Micro, Corp.
ltmsg.exe                3856         ltmsg                                         Agere Systems
Alcxmntr.exe             3892         Realtek Audio - Event Monitor                 Realtek Semiconductor Corp.
hpcmpmgr.exe             3936         HP Framework Component Manager Service        Hewlett-Packard Company
kbd.exe                  824          KBD EXE                                       Hewlett-Packard Company
hpwuSchd2.exe            2252         hpwuSchd Application                          Hewlett-Packard
procexp.exe              2820  3.03   Sysinternals Process Explorer                 Sysinternals - www.sysinternals.com
rundll32.exe             3868         Run a DLL as an App                           Microsoft Corporation

*********************************************************************************************

Now, here's the info from RootRepeal.
First, I got "Could not find kernel file on disk (C:\Windows\system32\ntoskrnl.exe)!"
After clicking OK, I clicked on "Files" & scan as instructed & below is what the RootRepeal File Scan showed.

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/04/07 18:56
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\CMPNENTS  Status: Could not get file information (Error 0xc0000008)
Path: C:\MSDOS.SYS  Status: Could not get file information (Error 0xc0000008)
Path: C:\1ddd344c4ecfcab1daea4d3e4483  Status: Could not get file information (Error 0xc0000008)
Path: C:\26d850e8885ae1e5e9561c231645c5  Status: Could not get file information (Error 0xc0000008)
Path: C:\CONFIG.SYS  Status: Could not get file information (Error 0xc0000008)
Path: C:\CtDriverInstTemp  Status: Could not get file information (Error 0xc0000008)
Path: C:\CtDrvIns.log  Status: Could not get file information (Error 0xc0000008)
Path: C:\CtDrvStp.log  Status: Could not get file information (Error 0xc0000008)
Path: C:\Documents and Settings  Status: Could not get file information (Error 0xc0000008)
Path: C:\GameSpy Arcade Setup  Status: Could not get file information (Error 0xc0000008)
Path: C:\hp  Status: Could not get file information (Error 0xc0000008)
Path: C:\hpcmerr.log  Status: Could not get file information (Error 0xc0000008)
Path: C:\http_ss.log  Status: Could not get file information (Error 0xc0000008)
Path: C:\I386  Status: Could not get file information (Error 0xc0000008)
Path: C:\IO.SYS  Status: Could not get file information (Error 0xc0000008)
Path: C:\KBDSW  Status: Could not get file information (Error 0xc0000008)
Path: C:\log-other.txt  Status: Could not get file information (Error 0xc0000008)
Path: C:\Media  Status: Could not get file information (Error 0xc0000008)
Path: C:\MSOCache  Status: Could not get file information (Error 0xc0000008)
Path: C:\NTDETECT.COM  Status: Could not get file information (Error 0xc0000008)
Path: C:\ntldr  Status: Could not get file information (Error 0xc0000008)
Path: C:\NVIDIA  Status: Could not get file information (Error 0xc0000008)
Path: C:\Program Files  Status: Could not get file information (Error 0xc0000008)
Path: C:\Python22  Status: Could not get file information (Error 0xc0000008)
Path: C:\readme.txt  Status: Could not get file information (Error 0xc0000008)
Path: C:\RECYCLER  Status: Could not get file information (Error 0xc0000008)
Path: C:\Softpaq  Status: Could not get file information (Error 0xc0000008)
Path: C:\sti.log  Status: Could not get file information (Error 0xc0000008)
Path: C:\Swsetup  Status: Could not get file information (Error 0xc0000008)
Path: C:\System Volume Information  Status: Could not get file information (Error 0xc0000008)
Path: C:\system.sav  Status: Could not get file information (Error 0xc0000008)
Path: C:\temp  Status: Could not get file information (Error 0xc0000008)
Path: C:\windms.log  Status: Could not get file information (Error 0xc0000008)
Path: C:\WINDOWS  Status: Could not get file information (Error 0xc0000008)
Path: C:\WUTemp  Status: Could not get file information (Error 0xc0000008)
Path: C:\784e84d4b42c3caa835a5fe  Status: Could not get file information (Error 0xc0000008)
Path: C:\9da37eb7dc682c6b7  Status: Could not get file information (Error 0xc0000008)
Path: C:\ArcSoft Tutorials  Status: Could not get file information (Error 0xc0000008)
Path: C:\AUTOEXEC.BAT  Status: Could not get file information (Error 0xc0000008)
Path: C:\b2a  Status: Could not get file information (Error 0xc0000008)
Path: C:\BasicDVD  Status: Could not get file information (Error 0xc0000008)
Path: C:\boot.ini  Status: Could not get file information (Error 0xc0000008)
Path: C:\caavsetup.log  Status: Could not get file information (Error 0xc0000008)
Path: C:\cmdcons  Status: Could not get file information (Error 0xc0000008)
Path: C:\cmldr  Status: Could not get file information (Error 0xc0000008)

I also attached a report from the RootRepeal Driver scan where it shows UACmejwqolw.sys located in C:\Windows\system32\drivers\UACmejwqolw.sys. RootRepeal shows this in red & it says the status is "Hidden from Windows API!"

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/04/07 18:57
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: 1394BUS.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS  Address: 0xF85D6000  Size: 53248  File Visible: -  Status: -
Name: ACPI.sys  Image Path: ACPI.sys  Address: 0xF8567000  Size: 187776  File Visible: -  Status: -
Name: ACPI_HAL  Image Path: \Driver\ACPI_HAL  Address: 0x804D7000  Size: 2252800  File Visible: -  Status: -
Name: afd.sys  Image Path: C:\WINDOWS\System32\drivers\afd.sys  Address: 0xF3355000  Size: 138368  File Visible: -  Status: -
Name: AFS2K.SYS  Image Path: C:\WINDOWS\System32\Drivers\AFS2K.SYS  Address: 0xF87F6000  Size: 38528  File Visible: -  Status: -
Name: agp440.sys  Image Path: agp440.sys  Address: 0xF8626000  Size: 42368  File Visible: -  Status: -
Name: ALCXWDM.SYS  Image Path: C:\WINDOWS\system32\drivers\ALCXWDM.SYS  Address: 0xF68AB000  Size: 2279424  File Visible: -  Status: -
Name: arp1394.sys  Image Path: C:\WINDOWS\System32\DRIVERS\arp1394.sys  Address: 0xF8676000  Size: 60800  File Visible: -  Status: -
Name: atapi.sys  Image Path: atapi.sys  Address: 0xF84F9000  Size: 95360  File Visible: -  Status: -
Name: audstub.sys  Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys  Address: 0xF8C6E000  Size: 3072  File Visible: -  Status: -
Name: Beep.SYS  Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS  Address: 0xF8B12000  Size: 4224  File Visible: -  Status: -
Name: BOOTVID.dll  Image Path: C:\WINDOWS\system32\BOOTVID.dll  Address: 0xF89C6000  Size: 12288  File Visible: -  Status: -
Name: bridge.sys  Image Path: C:\WINDOWS\System32\DRIVERS\bridge.sys  Address: 0xF6875000  Size: 71552  File Visible: -  Status: -
Name: Cdfs.SYS  Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS  Address: 0xF0171000  Size: 63744  File Visible: -  Status: -
Name: cdrom.sys  Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys  Address: 0xF8806000  Size: 49536  File Visible: -  Status: -
Name: CLASSPNP.SYS  Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS  Address: 0xF8616000  Size: 53248  File Visible: -  Status: -
Name: cx88enc.sys  Image Path: C:\WINDOWS\system32\drivers\cx88enc.sys  Address: 0xF6BA1000  Size: 297344  File Visible: -  Status: -
Name: CX88TUNE.sys  Image Path: C:\WINDOWS\system32\drivers\CX88TUNE.sys  Address: 0xF887E000  Size: 30976  File Visible: -  Status: -
Name: cx88vid.sys  Image Path: C:\WINDOWS\system32\drivers\cx88vid.sys  Address: 0xF6C0D000  Size: 160128  File Visible: -  Status: -
Name: cxavxbar.sys  Image Path: C:\WINDOWS\system32\drivers\cxavxbar.sys  Address: 0xF8A7A000  Size: 9344  File Visible: -  Status: -
Name: disk.sys  Image Path: disk.sys  Address: 0xF8606000  Size: 36352  File Visible: -  Status: -
Name: dmio.sys  Image Path: dmio.sys  Address: 0xF8511000  Size: 153344  File Visible: -  Status: -
Name: dmload.sys  Image Path: dmload.sys  Address: 0xF8ABA000  Size: 5888  File Visible: -  Status: -
Name: drmk.sys  Image Path: C:\WINDOWS\system32\drivers\drmk.sys  Address: 0xF8826000  Size: 61440  File Visible: -  Status: -
Name: dsNcAdpt.sys  Image Path: C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys  Address: 0xF8666000  Size: 40960  File Visible: -  Status: -
Name: dump_atapi.sys  Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys  Address: 0xF2456000  Size: 98304  File Visible: No  Status: -
Name: dump_WMILIB.SYS  Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS  Address: 0xF8AC8000  Size: 8192  File Visible: No  Status: -
Name: Dxapi.sys  Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys  Address: 0xF67AB000  Size: 12288  File Visible: -  Status: -
Name: dxg.sys  Image Path: C:\WINDOWS\System32\drivers\dxg.sys  Address: 0xBF9C3000  Size: 73728  File Visible: -  Status: -
Name: dxgthk.sys  Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys  Address: 0xF8C84000  Size: 4096  File Visible: -  Status: -
Name: Fastfat.SYS  Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS  Address: 0xF246E000  Size: 143360  File Visible: -  Status: -
Name: fdc.sys  Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys  Address: 0xF8996000  Size: 27392  File Visible: -  Status: -
Name: Fips.SYS  Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS  Address: 0xF86E6000  Size: 34944  File Visible: -  Status: -
Name: flpydisk.sys  Image Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sys  Address: 0xF888E000  Size: 20480  File Visible: -  Status: -
Name: fltMgr.sys  Image Path: fltMgr.sys  Address: 0xF84D9000  Size: 128896  File Visible: -  Status: -
Name: Fs_Rec.SYS  Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS  Address: 0xF8B10000  Size: 7936  File Visible: -  Status: -
Name: ftdisk.sys  Image Path: ftdisk.sys  Address: 0xF8537000  Size: 125056  File Visible: -  Status: -
Name: hal.dll  Image Path: C:\WINDOWS\system32\hal.dll  Address: 0x806FD000  Size: 134400  File Visible: -  Status: -
Name: HIDCLASS.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS  Address: 0xF8716000  Size: 36864  File Visible: -  Status: -
Name: hidir.sys  Image Path: C:\WINDOWS\System32\DRIVERS\hidir.sys  Address: 0xF88F6000  Size: 19200  File Visible: -  Status: -
Name: HIDPARSE.SYS  Image Path: C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS  Address: 0xF889E000  Size: 28672  File Visible: -  Status: -
Name: hidusb.sys  Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys  Address: 0xF83C1000  Size: 9600  File Visible: -  Status: -
Name: HTTP.sys  Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys  Address: 0xF08AE000  Size: 262784  File Visible: -  Status: -
Name: imapi.sys  Image Path: C:\WINDOWS\System32\DRIVERS\imapi.sys  Address: 0xF87E6000  Size: 41856  File Visible: -  Status: -
Name: intelppm.sys  Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys  Address: 0xF87A6000  Size: 36096  File Visible: -  Status: -
Name: ipfltdrv.sys  Image Path: C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys  Address: 0xF8686000  Size: 32896  File Visible: -  Status: -
Name: ipnat.sys  Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys  Address: 0xF3463000  Size: 134912  File Visible: -  Status: -
Name: ipsec.sys  Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys  Address: 0xF3505000  Size: 74752  File Visible: -  Status: -
Name: IrBus.sys  Image Path: C:\WINDOWS\System32\DRIVERS\IrBus.sys  Address: 0xF86F6000  Size: 46592  File Visible: -  Status: -
Name: isapnp.sys  Image Path: isapnp.sys  Address: 0xF85B6000  Size: 35840  File Visible: -  Status: -
Name: kbdclass.sys  Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys  Address: 0xF89BE000  Size: 24576  File Visible: -  Status: -
Name: kbdhid.sys  Image Path: C:\WINDOWS\System32\DRIVERS\kbdhid.sys  Address: 0xF67BF000  Size: 14848  File Visible: -  Status: -
Name: KDCOM.DLL  Image Path: C:\WINDOWS\system32\KDCOM.DLL  Address: 0xF8AB6000  Size: 8192  File Visible: -  Status: -
Name: kmixer.sys  Image Path: C:\WINDOWS\system32\drivers\kmixer.sys  Address: 0xEE351000  Size: 172416  File Visible: -  Status: -
Name: ks.sys  Image Path: C:\WINDOWS\system32\drivers\ks.sys  Address: 0xF6BEA000  Size: 143360  File Visible: -  Status: -
Name: KSecDD.sys  Image Path: KSecDD.sys  Address: 0xF84C2000  Size: 92032  File Visible: -  Status: -
Name: ltmdmnt.sys  Image Path: C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys  Address: 0xF6B06000  Size: 633568  File Visible: -  Status: -
Name: mfeavfk.sys  Image Path: C:\WINDOWS\system32\drivers\mfeavfk.sys  Address: 0xEFB65000  Size: 72576  File Visible: -  Status: -
Name: mfebopk.sys  Image Path: C:\WINDOWS\system32\drivers\mfebopk.sys  Address: 0xF8936000  Size: 28512  File Visible: -  Status: -
Name: mfehidk.sys  Image Path: C:\WINDOWS\system32\drivers\mfehidk.sys  Address: 0xF328B000  Size: 194592  File Visible: -  Status: -
Name: mfesmfk.sys  Image Path: C:\WINDOWS\system32\drivers\mfesmfk.sys  Address: 0xF0659000  Size: 33760  File Visible: -  Status: -
Name: mnmdd.SYS  Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS  Address: 0xF8B14000  Size: 4224  File Visible: -  Status: -
Name: Modem.SYS  Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS  Address: 0xF898E000  Size: 30080  File Visible: -  Status: -
Name: mouclass.sys  Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys  Address: 0xF8856000  Size: 23040  File Visible: -  Status: -
Name: mouhid.sys  Image Path: C:\WINDOWS\System32\DRIVERS\mouhid.sys  Address: 0xF67BB000  Size: 12160  File Visible: -  Status: -
Name: MountMgr.sys  Image Path: MountMgr.sys  Address: 0xF85E6000  Size: 42240  File Visible: -  Status: -
Name: Mpfp.sys  Image Path: C:\WINDOWS\System32\Drivers\Mpfp.sys  Address: 0xF343F000  Size: 147456  File Visible: -  Status: -
Name: mrxdav.sys  Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys  Address: 0xF093F000  Size: 179584  File Visible: -  Status: -
Name: mrxsmb.sys  Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys  Address: 0xF32BB000  Size: 453632  File Visible: -  Status: -
Name: Msfs.SYS  Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS  Address: 0xF88AE000  Size: 19072  File Visible: -  Status: -
Name: msgpc.sys  Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys  Address: 0xF78D1000  Size: 35072  File Visible: -  Status: -
Name: MSPQM.sys  Image Path: C:\WINDOWS\system32\drivers\MSPQM.sys  Address: 0xF8B2A000  Size: 4992  File Visible: -  Status: -
Name: mssmbios.sys  Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys  Address: 0xF6F1D000  Size: 15488  File Visible: -  Status: -
Name: Mup.sys  Image Path: Mup.sys  Address: 0xF83ED000  Size: 107904  File Visible: -  Status: -
Name: MxlW2k.SYS  Image Path: C:\WINDOWS\System32\Drivers\MxlW2k.SYS  Address: 0xF899E000  Size: 25504  File Visible: -  Status: -
Name: NDIS.sys  Image Path: NDIS.sys  Address: 0xF8408000  Size: 182912  File Visible: -  Status: -
Name: ndistapi.sys  Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys  Address: 0xF6F29000  Size: 9600  File Visible: -  Status: -
Name: ndisuio.sys  Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys  Address: 0xF13A7000  Size: 14592  File Visible: -  Status: -
Name: ndiswan.sys  Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys  Address: 0xF685E000  Size: 91776  File Visible: -  Status: -
Name: NDProxy.SYS  Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS  Address: 0xF78B1000  Size: 38016  File Visible: -  Status: -
Name: NEOFLTR_500_8897.SYS  Image Path: C:\WINDOWS\system32\Drivers\NEOFLTR_500_8897.SYS  Address: 0xF86B6000  Size: 54112  File Visible: -  Status: -
Name: netbios.sys  Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys  Address: 0xF86C6000  Size: 34560  File Visible: -  Status: -
Name: netbt.sys  Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys  Address: 0xF3377000  Size: 162816  File Visible: -  Status: -
Name: nic1394.sys  Image Path: C:\WINDOWS\System32\DRIVERS\nic1394.sys  Address: 0xF8656000  Size: 61824  File Visible: -  Status: -
Name: Npfs.SYS  Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS  Address: 0xF88B6000  Size: 30848  File Visible: -  Status: -
Name: Ntfs.sys  Image Path: Ntfs.sys  Address: 0xF8435000  Size: 574464  File Visible: -  Status: -
Name: ntoskrnl.exe  Image Path: C:\WINDOWS\system32\ntoskrnl.exe  Address: 0x804D7000  Size: 2252800  File Visible: -  Status: -
Name: Null.SYS  Image Path: C:\WINDOWS\System32\Drivers\Null.SYS  Address: 0xF8D0D000  Size: 2944  File Visible: -  Status: -
Name: nv4_disp.dll  Image Path: C:\WINDOWS\System32\nv4_disp.dll  Address: 0xBF9D5000  Size: 3723264  File Visible: -  Status: -
Name: nv4_mini.sys  Image Path: C:\WINDOWS\System32\DRIVERS\nv4_mini.sys  Address: 0xF6C6C000  Size: 2738592  File Visible: -  Status: -
Name: ohci1394.sys  Image Path: ohci1394.sys  Address: 0xF85C6000  Size: 61056  File Visible: -  Status: -
Name: parport.sys  Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys  Address: 0xF6AD8000  Size: 80128  File Visible: -  Status: -
Name: PartMgr.sys  Image Path: PartMgr.sys  Address: 0xF883E000  Size: 18688  File Visible: -  Status: -
Name: ParVdm.SYS  Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS  Address: 0xF8B48000  Size: 6784  File Visible: -  Status: -
Name: pci.sys  Image Path: pci.sys  Address: 0xF8556000  Size: 68224  File Visible: -  Status: -
Name: pciide.sys  Image Path: pciide.sys  Address: 0xF8B7E000  Size: 3328  File Visible: -  Status: -
Name: PCIIDEX.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS  Address: 0xF8836000  Size: 28672  File Visible: -  Status: -
Name: pfc.sys  Image Path: C:\WINDOWS\system32\drivers\pfc.sys  Address: 0xF83B5000  Size: 9856  File Visible: -  Status: -
Name: PnpManager  Image Path: \Driver\PnpManager  Address: 0x804D7000  Size: 2252800  File Visible: -  Status: -
Name: portcls.sys  Image Path: C:\WINDOWS\system32\drivers\portcls.sys  Address: 0xF6887000  Size: 147456  File Visible: -  Status: -
Name: PROCEXP113.SYS  Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS  Address: 0xF8AF0000  Size: 7872  File Visible: No  Status: -
Name: psched.sys  Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys  Address: 0xF684D000  Size: 69120  File Visible: -  Status: -
Name: ptilink.sys  Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys  Address: 0xF89AE000  Size: 17792  File Visible: -  Status: -
Name: PxHelp20.sys  Image Path: PxHelp20.sys  Address: 0xF8846000  Size: 19936  File Visible: -  Status: -
Name: rasacd.sys  Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys  Address: 0xF8A9A000  Size: 8832  File Visible: -  Status: -
Name: rasl2tp.sys  Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys  Address: 0xF7901000  Size: 51328  File Visible: -  Status: -
Name: raspppoe.sys  Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys  Address: 0xF78F1000  Size: 41472  File Visible: -  Status: -
Name: raspptp.sys  Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys  Address: 0xF78E1000  Size: 48384  File Visible: -  Status: -
Name: raspti.sys  Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys  Address: 0xF89B6000  Size: 16512  File Visible: -  Status: -
Name: RAW  Image Path: \FileSystem\RAW  Address: 0x804D7000  Size: 2252800  File Visible: -  Status: -
Name: rdbss.sys  Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys  Address: 0xF332A000  Size: 174592  File Visible: -  Status: -
Name: RDPCDD.sys  Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys  Address: 0xF8B16000  Size: 4224  File Visible: -  Status: -
Name: rdpdr.sys  Image Path: C:\WINDOWS\System32\DRIVERS\rdpdr.sys  Address: 0xF681C000  Size: 196864  File Visible: -  Status: -
Name: redbook.sys  Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys  Address: 0xF8816000  Size: 57472  File Visible: -  Status: -
Name: rootrepeal.sys  Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys  Address: 0xEEF7C000  Size: 45056  File Visible: No  Status: -
Name: Rtnicxp.sys  Image Path: C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys  Address: 0xF6AEC000  Size: 104320  File Visible: -  Status: -
Name: secdrv.sys  Image Path: C:\WINDOWS\System32\DRIVERS\secdrv.sys  Address: 0xF0619000  Size: 40960  File Visible: -  Status: -
Name: serenum.sys  Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys  Address: 0xF83B9000  Size: 15488  File Visible: -  Status: -
Name: serial.sys  Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys  Address: 0xF87D6000  Size: 64896  File Visible: -  Status: -
Name: srv.sys  Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys  Address: 0xF0734000  Size: 333184  File Visible: -  Status: -
Name: STREAM.SYS  Image Path: C:\WINDOWS\system32\drivers\STREAM.SYS  Address: 0xF87B6000  Size: 49152  File Visible: -  Status: -
Name: sunkfilt.sys  Image Path: C:\WINDOWS\System32\Drivers\sunkfilt.sys  Address: 0xF88DE000  Size: 26368  File Visible: -  Status: -
Name: swenum.sys  Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys  Address: 0xF8B04000  Size: 4352  File Visible: -  Status: -
Name: sysaudio.sys  Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys  Address: 0xF09DB000  Size: 60800  File Visible: -  Status: -
Name: tcpip.sys  Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys  Address: 0xF34AC000  Size: 360960  File Visible: -  Status: -
Name: TDI.SYS  Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS  Address: 0xF89A6000  Size: 20480  File Visible: -  Status: -
Name: termdd.sys  Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys  Address: 0xF78C1000  Size: 40704  File Visible: -  Status: -
Name: UACmejwqolw.sys  Image Path: C:\WINDOWS\system32\drivers\UACmejwqolw.sys  Address: 0xF7871000  Size: 61440  File Visible: -  Status: Hidden from Windows API!
Name: update.sys  Image Path: C:\WINDOWS\System32\DRIVERS\update.sys  Address: 0xF67C3000  Size: 364160  File Visible: -  Status: -
Name: usbccgp.sys  Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys  Address: 0xF88CE000  Size: 31616  File Visible: -  Status: -
Name: USBD.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS  Address: 0xF8B06000  Size: 8192  File Visible: -  Status: -
Name: usbehci.sys  Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys  Address: 0xF8986000  Size: 26624  File Visible: -  Status: -
Name: usbhub.sys  Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys  Address: 0xF78A1000  Size: 57600  File Visible: -  Status: -
Name: USBPORT.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS  Address: 0xF6C35000  Size: 143360  File Visible: -  Status: -
Name: USBSTOR.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS  Address: 0xF88E6000  Size: 26496  File Visible: -  Status: -
Name: usbuhci.sys  Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys  Address: 0xF897E000  Size: 20480  File Visible: -  Status: -
Name: vga.sys  Image Path: C:\WINDOWS\System32\drivers\vga.sys  Address: 0xF88A6000  Size: 20992  File Visible: -  Status: -
Name: VIDEOPRT.SYS  Image Path: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS  Address: 0xF6C58000  Size: 81920  File Visible: -  Status: -
Name: VolSnap.sys  Image Path: VolSnap.sys  Address: 0xF85F6000  Size: 52352  File Visible: -  Status: -
Name: wanarp.sys  Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys  Address: 0xF8696000  Size: 34560  File Visible: -  Status: -
Name: watchdog.sys  Image Path: C:\WINDOWS\System32\watchdog.sys  Address: 0xF896E000  Size: 20480  File Visible: -  Status: -
Name: wdmaud.sys  Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys  Address: 0xF0786000  Size: 82944  File Visible: -  Status: -
Name: Win32k  Image Path: \Driver\Win32k  Address: 0xBF800000  Size: 1847296  File Visible: -  Status: -
Name: win32k.sys  Image Path: C:\WINDOWS\System32\win32k.sys  Address: 0xBF800000  Size: 1847296  File Visible: -  Status: -
Name: WMILIB.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS  Address: 0xF8AB8000  Size: 8192  File Visible: -  Status: -
Name: WMIxWDM  Image Path: \Driver\WMIxWDM  Address: 0x804D7000  Size: 2252800  File Visible: -  Status: -

Sorry the post takes so long, I have to transfer info from the pc to my laptop.
And MBAM will not start.
Ghostrider 7 #4 Posted April 8, 2009
I forgot to tell you, I cannot get HiJackThis to run either.
AdvancedSetup #5 Posted April 8, 2009
Okay, let's try this then. Please see if this will run in normal mode, if not then try in Safe Mode.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.

Please continue as follows:
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
Ghostrider 7 #6 Posted April 8, 2009
I downloaded ComboFix on my laptop then moved it to my pc via SD card & placed it on my pc's desktop.
Stopped McAfee A/V & firewall, double clicked ComboFix & it will not start. You can see it in the Windows Task Manager, but it doesn't start.
What's next??
AdvancedSetup #7 Posted April 8, 2009
Well if you can't get any of these tools running then please try the following.

Avira AntiVir Rescue System
Requires access to a working computer with a CD/DVD burner to create a bootable CD.
- Download the Avira AntiVir Rescue System from here
- Place a blank CD in your burner and double-click on the downloaded file named rescuecd.exe
- The program will automatically burn the CD for you.
- Place the burned CD into the affected computer and start the computer from this CD.
- On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
- Click on the Configuration button.
- Select Scan all files
- Select Try to repair infected files and Rename files, if they cannot be removed
- Select Scan for dialers
- Select Scan for joke programs (Jokes)
- Select Scan for games
- Select Scan for spyware (SPR)
- Click on Virus scanner
- Click on Start scanner at the bottom of the screen
- Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues
Please see the post here if you're unable to view the entire screen of Avira.
You can also review this one: Fixed Rescue CD Resolution Probs with Dell Video
Currently only the German keyboard is supported. Command Line not working: English keyboards require workarounds.
Some computers attempt to mount the floppy even though they don't have one. You may need to go in to the BIOS and disable the floppy drive in order to mount your hard drive for scanning.
Ghostrider 7 #8 Posted April 8, 2009
Hey Advanced,
I remember seeing somewhere on this forum that said to download ComboFix but save it as Comb-Fix.
So while waiting for my laptop to burn the Avira AntiVir Rescue System, I decided to try it.
ComboFix started working & found the following Rootkit files.

ComboFix has detected the presence of rootkit activity and needs to reboot the machine.
Kindly note down on paper, the name of each file. We may need it later.
C:\WINDOWS\system32\drivers\UACmejwqolw.sys
C:\WINDOWS\system32\UAChxvrbltf.dll
C:\WINDOWS\system32\UACiqpxuwkm.dat
C:\WINDOWS\system32\UACxypiexwk.dll
C:\WINDOWS\system32\UACosvtxbxn.dll
C:\WINDOWS\system32\UACeoeuyful.dll
C:\WINDOWS\system32\UAChtargskd.db
C:\WINDOWS\system32\UACpbpxuvuo.dll
C:\WINDOWS\system32\UACfwqvtxbw.dll
C:\WINDOWS\system32\UACajkmgxti.log
C:\WINDOWS\system32\UACfeeqtklr.log
C:\WINDOWS\system32\UACloyqxvml.log

I let ComboFix continue after writing these down, it rebooted the system, then said that it was deleting these files. It just finished running all of the stages & it just rebooted again.
More to come after booting back up.
Ghostrider 7 #9 Posted April 8, 2009
Sorry for the typo, I saved ComboFix when I downloaded it to Combo-Fix.
I am now running MBAM & no more internet re-directs. When I am finished running MBAM, I will start HiJackThis & send you the log file for it.
For now, here's the ComboFix Log File.

ComboFix 09-04-04.01 - Mom 2009-04-07 22:06:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.252 [GMT -5:00]
Running from: c:\documents and settings\Mom\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Downloaded Program Files\Quarantine
c:\windows\system\oeminfo.ini
c:\windows\system32\drivers\UACmejwqolw.sys
c:\windows\system32\ntnet.drv
c:\windows\system32\UACajkmgxti.log
c:\windows\system32\UACeoeuyful.dll
c:\windows\system32\UACfeeqtklr.log
c:\windows\system32\UACfwqvtxbw.dll
c:\windows\system32\UAChtargskd.db
c:\windows\system32\UAChxvrbltf.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACiqpxuwkm.dat
c:\windows\system32\UACloyqxvml.log
c:\windows\system32\UACosvtxbxn.dll
c:\windows\system32\UACpbpxuvuo.dll
c:\windows\system32\UACxypiexwk.dll
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
-------\Legacy_RPCPATCH
-------\Legacy_RPCTFTPD

((((((((((((((((((((((((( Files Created from 2009-03-08 to 2009-04-08 )))))))))))))))))))))))))))))))
.
2009-04-05 18:09 . 2009-04-05 18:11 <DIR> d-------- c:\program files\Help
2009-04-01 22:41 . 2009-04-01 22:41 <DIR> d-------- c:\documents and settings\Mom\DoctorWeb
2009-03-31 22:08 . 2009-03-31 22:08 <DIR> d----c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-31 16:01 . 2009-03-31 16:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Juniper Networks
2009-03-29 17:01 . 2009-04-07 18:44 1,896,749 --a------ c:\windows\system32\uactmp.db
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 23:30 --------- d-----w c:\documents and settings\Administrator\Application Data\Lavasoft
2009-04-05 23:11 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-05 23:05 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-02 03:06 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-01 17:47 --------- d-----w c:\program files\ArcSoft
2009-02-18 00:16 --------- d-----w c:\documents and settings\Mom\Application Data\Juniper Networks
2009-02-17 00:16 --------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-02-17 00:14 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-02-17 00:13 --------- d-----w c:\program files\Common Files\Intuit
2009-02-17 00:10 --------- d-----w c:\program files\TurboTax
2005-01-22 01:56 0 -csha-w c:\windows\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-08-15 3092480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-07-10 114688]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-09-20 4583424]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-22 98304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]
"nwiz"="nwiz.exe" [2004-09-20 c:\windows\system32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\Alcxmntr.exe]

c:\documents and settings\Andrew\Start Menu\Programs\Startup\AutoTBar.exe [2003-06-18 53248]
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-07 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= sysaudio.sys

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^Sid Registration.lnk]
path=c:\documents and settings\Dad\Start Menu\Programs\Startup\Sid Registration.lnk
backup=c:\windows\pss\Sid Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
--a--c--- 2003-06-22 23:25 24576 c:\program files\Hewlett-Packard\Digital Imaging\bin\BackupNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a--c--- 2002-10-07 09:23 90112 c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a--c--- 2003-05-28 22:12 143360 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a--c--- 2003-12-10 04:52 380928 c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-01-22 18:09 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2004-09-28 21:26 32881 c:\program files\Java\j2re1.4.2_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2005-01-28 16:15 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2003-08-19 02:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
--a--c--- 2004-05-10 19:40 64512 c:\program files\WildTangent\Apps\CDA\CDAEngine0400.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 NEOFLTR_500_8897;Juniper Networks TDI Filter Driver (NEOFLTR_500_8897);c:\windows\system32\drivers\NEOFLTR_500_8897.sys [2005-07-27 56038]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-17 203280]
S2 CX88XBAR;Conexant 2388x Crossbar Dual Input;c:\windows\system32\drivers\CX88XBARDUAL.sys --> c:\windows\system32\drivers\CX88XBARDUAL.sys [?]
S3 krdpdre;krdpdre;\??\c:\docume~1\Dad\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\Dad\LOCALS~1\Temp\krdpdre.sys [?]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [2006-06-30 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [2006-06-30 28057]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [2006-06-30 21081]
S3 WiselinkPro;SAMSUNG WiselinkPro Service;c:\program files\SAMSUNG\SAMSUNG PC Share Manager\WiselinkPro.exe [2009-01-26 6795333]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-12-18 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2008-12-18 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2008-12-23 c:\windows\Tasks\{0E71A998-55BF-44C3-828D-3E422D0F2561}_DEN_Administrator.job
- c:\windows\system32\mobsync.exe [2004-08-10 14:00]

2009-04-01 c:\windows\Tasks\{2038B94A-6254-4988-A85D-8118BC8D2482}_DEN_Administrator.job
- c:\windows\system32\mobsync.exe [2004-08-10 14:00]

2009-03-27 c:\windows\Tasks\{F98E5278-55E0-4992-8DC0-BFF9E90747B8}_DEN_Administrator.job
- c:\windows\system32\mobsync.exe [2004-08-10 14:00]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-DXDllRegExe - dxdllreg.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - hxxps://mobile.coair.com/llclient/postsp/winxp/,DanaInfo=10.192.130.35,CT=java+AXXPEE.dll
DPF: {A9C70AF0-0F2A-11D1-B230-0000C08C00C4} - hxxp://insidetis.coair.com/edocs/cabs/ssdw3b32.cab
.
**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 22:13:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\windows\eHome\ehrecvr.exe
c:\windows\eHome\ehSched.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\fxssvc.exe
c:\windows\eHome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-04-07 22:18:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-08 03:18:38

Pre-Run: 51,692,417,024 bytes free
Post-Run: 51,876,364,288 bytes free

214 --- E O F --- 2009-03-24 01:56:02
#########################################################################

All of this happened when my wife was logged on the pc under her logon. Will I need to run any of the other programs under my login & my son's? Or do I need to boot into Safe Mode & run any programs as the Administrator?
More logs to come later!
Thanks for your help tonight!
Regards,
NeedhelpinTX
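The ComboFix log above carries, in one place, most of the indicators a responder checks for on a machine like this: files under system32 whose names start with UAC (the rootkit's naming pattern, as in the list the poster wrote down), a driver loaded from a user's Temp folder (krdpdre), every Security Center monitoring key switched to DisableMonitoring=1, the Windows Firewall policy set to EnableFirewall=0, and an AutoRun handler registered for drive D:. Reading that by eye works for one PC; the Python script below is an added example (not part of ComboFix, and not posted by anyone in this thread) that pulls those findings out of ComboFix-style log text mechanically. Its input is a handful of lines excerpted from the log above plus one clean system32 entry for contrast, and it assumes, as a constructed rule rather than anything the thread states, that a stock Windows XP system32 contains no file whose name begins with "uac".

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (indicator, evidence)

# Constructed input: lines excerpted from the ComboFix log posted above,
# with one clean system32 entry (ctfmon.exe) added for contrast.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\UACmejwqolw.sys
c:\windows\system32\uacinit.dll
c:\windows\system32\UACiqpxuwkm.dat
c:\windows\system32\ctfmon.exe
2009-03-29 17:01 . 2009-04-07 18:44 1,896,749 --a------ c:\windows\system32\uactmp.db
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S3 krdpdre;krdpdre;\??\c:\docume~1\Dad\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\Dad\LOCALS~1\Temp\krdpdre.sys [?]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [2006-06-30 32000]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
"""

# Assumption (mine, not the thread's): a stock Windows XP install has no file
# in system32 or system32\drivers whose name starts with "uac"; the rootkit in
# this thread drops UAC + random letters + .sys/.dll/.dat/.db/.log there.
UAC_FILE = re.compile(
    r"\\system32\\(?:drivers\\)?(uac[a-z0-9]+\.(?:sys|dll|dat|db|log))\b", re.I)
# ComboFix service lines look like "S3 name;display name;image path [...]".
SERVICE_LINE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+)$")
REG_KEY = re.compile(r"^\[(.+)\]$")
AUTORUN_CMD = re.compile(r"\\Shell\\AutoRun\\command\s+-\s+(.+)$", re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)


def triage_combofix(text: str) -> List[Finding]:
    """Walk a ComboFix log line by line and collect the indicators above.

    Registry value lines are interpreted relative to the most recent
    [key] header, the same way the log itself lays them out.
    """
    findings: List[Finding] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = REG_KEY.match(line)
        if key:
            current_key = key.group(1).lower()
            continue
        uac = UAC_FILE.search(line)
        if uac:
            findings.append(("uac_rootkit_file", uac.group(1)))
            continue
        svc = SERVICE_LINE.match(line)
        if svc:
            name, image = svc.group(1), svc.group(2)
            if TEMP_DIR.search(image):  # kernel driver living in %TEMP%
                findings.append(("driver_from_temp", name))
            continue
        if ("security center\\monitoring" in current_key
                and re.match(r'"DisableMonitoring"=dword:0*1$', line, re.I)):
            findings.append(("security_center_monitoring_disabled", current_key))
            continue
        if ("firewallpolicy" in current_key
                and re.match(r'"EnableFirewall"=\s*0\b', line, re.I)):
            findings.append(("windows_firewall_disabled", current_key))
            continue
        cmd = AUTORUN_CMD.search(line)
        if cmd and "mountpoints2" in current_key:
            findings.append(("drive_autorun_handler", cmd.group(1)))
    return findings


if __name__ == "__main__":
    for indicator, evidence in triage_combofix(SAMPLE_LOG):
        print(f"{indicator:40} {evidence}")
```

Run against the excerpt it reports four UAC files (including uacinit.dll and uactmp.db, which do not follow the eight-random-letter pattern but still sit in system32), the krdpdre driver in Temp, the disabled Security Center monitor, the disabled firewall policy, and the D: AutoRun command. None of these is proof on its own, but a log that trips all five at once is the picture this thread shows, and the hits map directly onto the File:: and Driver:: entries the helper later put into a CFScript.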
Ghostrider 7 #10 Posted April 8, 2009
Ok, Here's my MBAM scan. While I was doing the scan, McAfee alerted me to the Trojans again & they were quarantined.

Malwarebytes' Anti-Malware 1.36
Database version: 1950
Windows 5.1.2600 Service Pack 2

4/8/2009 12:22:51 AM
mbam-log-2009-04-08 (00-22-51).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 276582
Time elapsed: 1 hour(s), 53 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here's what McAfee did during the MBAM scan.
McAfee Real-Time Scan report:
4/7/09 11:45:03 PM DNSChanger.r (Trojan), DNSChanger.r (Trojan) - Repaired (removed)
4/7/09 11:45:09 PM DNSChanger.r (Trojan), DNSChanger.r (Trojan) - Repaired (removed)
4/7/09 11:45:15 PM DNSChanger.r (Trojan), DNSChanger.r (Trojan) - Repaired (removed)
4/7/09 11:46:55 PM DNSChanger.r (Trojan), DNSChanger.r (Trojan) - Repaired (removed)
4/7/09 11:47:02 PM DNSChanger.gen (Trojan), DNSChanger.gen (Trojan) - Repaired (removed)
4/7/09 11:47:08 PM DNSChanger.gen (Trojan), DNSChanger.gen (Trojan) - Repaired (removed)
4/7/09 11:47:11 PM DNSChanger.r (Trojan), DNSChanger.r (Trojan) - Repaired (removed)
4/7/09 11:47:13 PM DNSChanger.r (Trojan), DNSChanger.r (Trojan) - Repaired (removed)
4/7/09 11:47:15 PM DNSChanger.r (Trojan), DNSChanger.r (Trojan) - Repaired (removed)
4/7/09 11:47:17 PM DNSChanger.r (Trojan), DNSChanger.r (Trojan) - Repaired (removed)

At least there isn't any FakeAlert.k or FakeAlert-AB this time.
I will be running HiJackThis in the afternoon when I get home from work. I will post that log too.
Regards
Ghostrider 7 #11 Posted April 8, 2009
I didn't run the Avira. Let me know if I need to.
AdvancedSetup #12 Posted April 8, 2009
STEP 01
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

File::
c:\windows\system32\uactmp.db
c:\docume~1\Dad\LOCALS~1\Temp\krdpdre.sys

Driver::
krdpdre

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt".
Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Disconnect from the Internet. Disable your Antivirus software. If it has Script Blocking features, please disable these as well. A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed. When the scan completes Notepad will open with your results log open. Do a File, Exit.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
Post back the Combofix log on your next reply.

STEP 02
Click on START - RUN and type in MSCONFIG and set it to Normal Startup and RESTART the computer

STEP 03
Click on START - RUN and type in or copy / paste NETSH FIREWALL RESET (there is a space between each word) then hit the OK button.

STEP 04
Download this, then disconnect from the Internet and disable your current Anti-Virus (delete your current AV quarantine area first)
Please download to your Desktop: Dr.Web CureIt
- After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
- Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
- Once the short scan has finished, Click on the Complete scan radio button.
- Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language
- Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though)
- On the File types tab ensure you select All files
- Click on the Actions tab and set the following:
  Objects: Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
  Infected packages: Archive = Move, E-mails = Report, Containers = Move
  Malware: Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
  Do not change the Rename extension - default is: #??
  Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
  Leave prompt on Action checked
- On the Log file tab leave the Log to file checked.
- Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
- Log mode = Append
- Encoding = ANSI
- Details: Leave Names of file packers and Statistics checked.
- Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
- On the General tab leave the Scan Priority on High
- Click the Apply button at the bottom, and then the OK button.
- On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
- In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
- The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
- When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
- Click 'Yes to all' if it asks if you want to cure/move the files.
- This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
- After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
- Save the report to your Desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.
Ghostrider 7 #13 Posted April 8, 2009
Here's my HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:07 PM, on 4/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hewlett-packard\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: Sid Registration.lnk = E:\ATR1.exe (User 'Default user')
O4 - Startup: Sid Registration.lnk = E:\ATR1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://mobile.coair.com/llclient/postsp/wi...java+AXXPEE.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106426461718
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {A9C70AF0-0F2A-11D1-B230-0000C08C00C4} (SSDBCombo Control 3.1) - http://insidetis.coair.com/edocs/cabs/ssdw3b32.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {CBBD6FA7-2384-11D1-A8C9-0040C7116154} (HostFront ActiveX Display) - http://sna.coair.com/HFACTX/HFDSP.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: SAMSUNG WiselinkPro Service (WiselinkPro) - Unknown owner - C:\Program Files\SAMSUNG\SAMSUNG PC Share Manager\WiselinkPro.exe

--
End of file - 9906 bytes

I will continue with the next steps from your last post.
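A HijackThis log is a different format from ComboFix's: one line per entry, each prefixed with a section code (R0/R1 for browser settings, O2 for BHOs, O4 for autostarts, O23 for services). The log above is mostly clean, but it still holds the kinds of entries a helper would single out: a BHO with "(no file)", two Symantec services whose binaries are "(file missing)", services with "Unknown owner", and a Startup shortcut that launches E:\ATR1.exe from a removable drive. The Python script below is an added example (not HijackThis code and not something posted in this thread) that parses HJT-style lines and flags those four patterns. The sample input is excerpted from the log above plus one constructed O4 line pointing into a Temp folder so the Temp rule has something to hit; "C:" as the system drive is an assumption taken from the paths in the posted log.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (indicator, HJT section, evidence)

# Constructed input: lines excerpted from the HijackThis log posted above,
# plus one made-up O4 entry ([Example] ... \Temp\example.exe) that is NOT in
# the poster's log and exists only to exercise the Temp-folder rule.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Sid Registration.lnk = E:\ATR1.exe
O4 - HKLM\..\Run: [Example] C:\DOCUME~1\Dad\LOCALS~1\Temp\example.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
"""

HJT_LINE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
DRIVE = re.compile(r"^([A-Za-z]):\\")
SYSTEM_DRIVE = "C"  # assumption: Windows lives on C:, as the posted paths show


def o4_target(body: str) -> str:
    """Pull the launched path out of an O4 body.

    Registry autostarts read '[Name] path args'; startup-folder entries
    read 'shortcut.lnk = path'. A leading quote is dropped so the drive
    letter check works on quoted paths too.
    """
    if "] " in body:
        target = body.split("] ", 1)[1]
    elif " = " in body:
        target = body.split(" = ", 1)[1]
    else:
        target = body
    return target.strip().lstrip('"')


def triage_hijackthis(text: str) -> List[Finding]:
    """Flag orphaned entries, unknown-owner services, and O4 autostarts
    that launch from a non-system drive or from a Temp folder."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        # Leftover references to files that no longer exist: cleanup
        # candidates, and sometimes the trace of something already removed.
        if "(file missing)" in body or "(no file)" in body:
            findings.append(("orphaned_entry", section, body))
        if section == "O23" and "Unknown owner" in body:
            name = body[len("Service: "):].split(" - ")[0]
            findings.append(("service_unknown_owner", section, name))
        if section == "O4":
            target = o4_target(body)
            drive = DRIVE.match(target)
            if drive and drive.group(1).upper() != SYSTEM_DRIVE:
                findings.append(("startup_from_nonsystem_drive", section, target))
            if "\\temp\\" in target.lower():
                findings.append(("startup_from_temp", section, target))
    return findings


if __name__ == "__main__":
    for indicator, section, evidence in triage_hijackthis(SAMPLE_HJT):
        print(f"{indicator:30} {section:4} {evidence}")
```

Two of the hits illustrate why this output is a worklist rather than a verdict: "McAfee SiteAdvisor Service" is reported as an unknown-owner service because HijackThis could not read a company name from the binary, yet it is a legitimate McAfee component that appears elsewhere in the same log, and E:\ATR1.exe is a removable-media shortcut that needs a look rather than an automatic delete. The "(file missing)" Symantec LiveUpdate services are the entries a helper would normally clear out, since their binaries are gone.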
Ghostrider 7 #14 Posted April 8, 2009

Here's the 2nd ComboFix Scan Log Report

ComboFix 09-04-04.01 - Mom 2009-04-08 17:11:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.198 [GMT -5:00]
Running from: c:\documents and settings\Mom\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mom\Desktop\CFscript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
 * Created a new restore point

FILE ::
c:\docume~1\Dad\LOCALS~1\Temp\krdpdre.sys
c:\windows\system32\uactmp.db
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\uactmp.db

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KRDPDRE
-------\Service_krdpdre


((((((((((((((((((((((((( Files Created from 2009-03-08 to 2009-04-08 )))))))))))))))))))))))))))))))
.

2009-04-08 16:52 . 2009-04-08 16:52 <DIR> d-------- c:\program files\Trend Micro
2009-04-05 18:09 . 2009-04-05 18:11 <DIR> d-------- c:\program files\Help
2009-04-01 22:41 . 2009-04-01 22:41 <DIR> d-------- c:\documents and settings\Mom\DoctorWeb
2009-03-31 22:08 . 2009-03-31 22:08 <DIR> d----c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-31 16:01 . 2009-03-31 16:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Juniper Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-08 03:28 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 20:32 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 23:30 --------- d-----w c:\documents and settings\Administrator\Application Data\Lavasoft
2009-04-05 23:11 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-05 23:05 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-01 17:47 --------- d-----w c:\program files\ArcSoft
2009-02-18 00:16 --------- d-----w c:\documents and settings\Mom\Application Data\Juniper Networks
2009-02-17 00:16 --------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-02-17 00:14 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-02-17 00:13 --------- d-----w c:\program files\Common Files\Intuit
2009-02-17 00:10 --------- d-----w c:\program files\TurboTax
2005-01-22 01:56 0 -csha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-07_22.17.30.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-04-08 01:56:55 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-08 21:56:04 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-04-08 01:56:55 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-08 21:56:04 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-04-08 01:56:55 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-08 21:56:04 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-08-15 3092480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-07-10 114688]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-09-20 4583424]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-22 98304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]
"nwiz"="nwiz.exe" [2004-09-20 c:\windows\system32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\Alcxmntr.exe]

c:\documents and settings\Andrew\Start Menu\Programs\Startup\
AutoTBar.exe [2003-06-18 53248]
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-07 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= sysaudio.sys

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^Sid Registration.lnk]
path=c:\documents and settings\Dad\Start Menu\Programs\Startup\Sid Registration.lnk
backup=c:\windows\pss\Sid Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
--a--c--- 2003-06-22 23:25 24576 c:\program files\Hewlett-Packard\Digital Imaging\bin\BackupNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a--c--- 2002-10-07 09:23 90112 c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a--c--- 2003-05-28 22:12 143360 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a--c--- 2003-12-10 04:52 380928 c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-01-22 18:09 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2004-09-28 21:26 32881 c:\program files\Java\j2re1.4.2_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2005-01-28 16:15 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2003-08-19 02:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
--a--c--- 2004-05-10 19:40 64512 c:\program files\WildTangent\Apps\CDA\CDAEngine0400.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 NEOFLTR_500_8897;Juniper Networks TDI Filter Driver (NEOFLTR_500_8897);c:\windows\system32\drivers\NEOFLTR_500_8897.sys [2005-07-27 56038]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-17 203280]
S2 CX88XBAR;Conexant 2388x Crossbar Dual Input;c:\windows\system32\drivers\CX88XBARDUAL.sys --> c:\windows\system32\drivers\CX88XBARDUAL.sys [?]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [2006-06-30 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [2006-06-30 28057]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [2006-06-30 21081]
S3 WiselinkPro;SAMSUNG WiselinkPro Service;c:\program files\SAMSUNG\SAMSUNG PC Share Manager\WiselinkPro.exe [2009-01-26 6795333]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-12-18 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2008-12-18 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2008-12-23 c:\windows\Tasks\{0E71A998-55BF-44C3-828D-3E422D0F2561}_DEN_Administrator.job
- c:\windows\system32\mobsync.exe [2004-08-10 14:00]

2009-04-01 c:\windows\Tasks\{2038B94A-6254-4988-A85D-8118BC8D2482}_DEN_Administrator.job
- c:\windows\system32\mobsync.exe [2004-08-10 14:00]

2009-03-27 c:\windows\Tasks\{F98E5278-55E0-4992-8DC0-BFF9E90747B8}_DEN_Administrator.job
- c:\windows\system32\mobsync.exe [2004-08-10 14:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - hxxps://mobile.coair.com/llclient/postsp/winxp/,DanaInfo=10.192.130.35,CT=java+AXXPEE.dll
DPF: {A9C70AF0-0F2A-11D1-B230-0000C08C00C4} - hxxp://insidetis.coair.com/edocs/cabs/ssdw3b32.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-08 17:19:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\windows\eHome\ehrecvr.exe
c:\windows\eHome\ehSched.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\fxssvc.exe
c:\windows\eHome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-04-08 17:25:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-08 22:25:00
ComboFix2.txt 2009-04-08 03:18:44

Pre-Run: 51,842,473,984 bytes free
Post-Run: 51,822,358,528 bytes free

211 --- E O F --- 2009-03-24 01:56:02

I also finished the following:
Step 2 MSCONFIG = Normal Startup
Step 3 - NETSH FIREWALL RESET
Step 4 - Downloaded Dr Web-cureit, disconnected internet, disabled McAfee A/V & removed AV quarantines.

Now this Warning message pops up every once in a while.

Microsoft .NET Framework Alert Box Message
An unhandled exception has occurred in your application. If you click Continue, the application will ignore this error and attempt to continue. If you click Quit, the application will be shut down immediately.

The system cannot find the file specified.

Details
See the end of this message for details on invoking just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.ComponentModel.Win32Exception: The system cannot find the file specified
   at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo startInfo)
   at System.Diagnostics.Process.Start()
   at System.Diagnostics.Process.Start(ProcessStartInfo startInfo)
   at System.Diagnostics.Process.Start(String fileName, String arguments)
   at BackupNotify.BackupNotify.LaunchReminder()
   at BackupNotify.BackupNotify.timer1_Tick(Object sender, EventArgs e)
   at System.Windows.Forms.Timer.OnTick(EventArgs e)
   at System.Windows.Forms.Timer.Callback(IntPtr hWnd, Int32 msg, IntPtr idEvent, IntPtr dwTime)

************** Loaded Assemblies **************
mscorlib
    Assembly Version: 1.0.5000.0
    Win32 Version: 1.1.4322.2407
    CodeBase: file:///c:/windows/microsoft.net/framework/v1.1.4322/mscorlib.dll
----------------------------------------
BackupNotify
    Assembly Version: 1.0.1268.24163
    Win32 Version: 1.0.1268.24163
    CodeBase: file:///C:/Program%20Files/Hewlett-Packard/Digital%20Imaging/bin/backupnotify.exe
----------------------------------------
System.Windows.Forms
    Assembly Version: 1.0.5000.0
    Win32 Version: 1.1.4322.2032
    CodeBase: file:///c:/windows/assembly/gac/system.windows.forms/1.0.5000.0__b77a5c561934e089/system.windows.forms.dll
----------------------------------------
System
    Assembly Version: 1.0.5000.0
    Win32 Version: 1.1.4322.2407
    CodeBase: file:///c:/windows/assembly/gac/system/1.0.5000.0__b77a5c561934e089/system.dll
----------------------------------------
Utilities
    Assembly Version: 1.0.0.0
    Win32 Version: 1.0.0.662
    CodeBase: file:///C:/Program%20Files/Hewlett-Packard/Digital%20Imaging/bin/Utilities.DLL
----------------------------------------
System.Drawing
    Assembly Version: 1.0.5000.0
    Win32 Version: 1.1.4322.2032
    CodeBase: file:///c:/windows/assembly/gac/system.drawing/1.0.5000.0__b03f5f7f11d50a3a/system.drawing.dll
----------------------------------------
System.Xml
    Assembly Version: 1.0.5000.0
    Win32 Version: 1.1.4322.2032
    CodeBase: file:///c:/windows/assembly/gac/system.xml/1.0.5000.0__b77a5c561934e089/system.xml.dll
----------------------------------------
Localization
    Assembly Version: 1.0.0.0
    Win32 Version: 1.0.0.607
    CodeBase: file:///C:/Program%20Files/Hewlett-Packard/Digital%20Imaging/bin/Localization.DLL
----------------------------------------

************** JIT Debugging **************
To enable just in time (JIT) debugging, the config file for this application or machine (machine.config) must have the jitDebugging value set in the system.windows.forms section. The application must also be compiled with debugging enabled.

For example:

<configuration>
    <system.windows.forms jitDebugging="true" />
</configuration>

When JIT debugging is enabled, any unhandled exception will be sent to the JIT debugger registered on the machine rather than being handled by this dialog.

###################################################

I always click on "Continue".

Now I'm running Dr. Web-cureit as instructed. I will post the finished Dr Web log along with another HiJackThis log & then await further instructions.
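The Reg Loading Points section of the ComboFix log above shows Security Center monitoring switched off under every vendor subkey and the Windows Firewall standard profile disabled ("EnableFirewall"= 0); the NETSH FIREWALL RESET listed as Step 3 puts the Windows Firewall back to its defaults. The script below is an added example for reading that section, not part of ComboFix or of the original posts. It parses the REGEDIT4-style key/value text and reports those two settings. The sample text is copied from the log above; the expected values (monitoring on, firewall on) are this example's assumption, and a DisableMonitoring hit under a vendor subkey is only a prompt to verify, since security products commonly set that value for themselves.

```python
"""Flag weakened security settings in the 'Reg Loading Points' section of a
ComboFix log. Added example for this thread, not part of ComboFix or the
original posts. It knows only the two registry values visible in the log
above; the sample text is copied from that log."""
import re

# Constructed sample: a subset of the Reg Loading Points section posted above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_points(text):
    """Return {key_path: {value_name: raw_value_string}}."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = m.group(2).strip()
    return result


def as_int(raw):
    """Decode 'dword:00000001' or '0 (0x0)' style values; None if not numeric."""
    raw = raw.lower()
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"(\d+)", raw)
    return int(m.group(1)) if m else None


def find_weak_settings(text):
    """List (key, value_name, found, expected) for settings a cleaned machine
    should not carry: Security Center monitoring switched off, or the Windows
    Firewall standard profile disabled. Expected values are an assumption."""
    findings = []
    for key, values in parse_reg_points(text).items():
        k = key.lower()
        if "security center\\monitoring" in k:
            v = values.get("DisableMonitoring")
            if v is not None and as_int(v) == 1:
                findings.append((key, "DisableMonitoring", 1, 0))
        if k.endswith("firewallpolicy\\standardprofile"):
            v = values.get("EnableFirewall")
            if v is not None and as_int(v) == 0:
                findings.append((key, "EnableFirewall", 0, 1))
    return findings


if __name__ == "__main__":
    for key, name, found, expected in find_weak_settings(SAMPLE):
        print(f"{key}\n  {name} = {found} (expected {expected})")
```

Run it against the whole Reg Loading Points block of a ComboFix log; on the sample it reports the two monitoring keys and the firewall profile. After the reset in Step 3, a fresh ComboFix log should no longer show the EnableFirewall line for the standard profile.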
Ghostrider 7 #15 Posted April 9, 2009

Here's my Dr.Web-cureit log.

ComboFix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\Mom\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Mom\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Mom\Desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\Mom\Desktop;Container contains infected objects;Moved.;
InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably MULDROP.Trojan;;
A0000039.bat;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0;Probably BATCH.Virus;;
A0000042.EXE;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0;Program.PsExec.170;Moved.;
A0000128.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0\A0000128.exe/data002;Probably BATCH.Virus;;
A0000128.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0\A0000128.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0;Archive contains infected objects;;
A0000128.exe;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0;Container contains infected objects;Moved.;
A0000163.bat;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1;Probably BATCH.Virus;;
A0000166.EXE;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1;Program.PsExec.170;Moved.;
A0000233.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1\A0000233.exe/data002;Probably BATCH.Virus;;
A0000233.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1\A0000233.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1;Archive contains infected objects;;
A0000233.exe;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1;Container contains infected objects;Moved.;

#############################################################

I think I made a mistake, because I accidentally clicked on the "Rename" button when I was trying to click on the "Cure" button at the bottom of the program. The program then renamed the following files:
InstallHelper.exe, A0000039.bat & A0000163.bat

The program left the 5 moved the same, but now I cannot go back & do anything with the other 9 items. The next post is another Dr.Web log that I saved after my goof.
Ghostrider 7 #16 Posted April 9, 2009

This is the 2nd Dr.Web log after clicking the "Rename" button.

ComboFix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\Mom\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Mom\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Mom\Desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\Mom\Desktop;Container contains infected objects;Moved.;
InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably MULDROP.Trojan;Renamed.;
A0000039.bat;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0;Probably BATCH.Virus;Renamed.;
A0000042.EXE;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0;Program.PsExec.170;Moved.;
A0000128.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0\A0000128.exe/data002;Probably BATCH.Virus;;
A0000128.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0\A0000128.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0;Archive contains infected objects;;
A0000128.exe;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0;Container contains infected objects;Moved.;
A0000163.bat;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1;Probably BATCH.Virus;Renamed.;
A0000166.EXE;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1;Program.PsExec.170;Moved.;
A0000233.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1\A0000233.exe/data002;Probably BATCH.Virus;;
A0000233.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1\A0000233.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1;Archive contains infected objects;;
A0000233.exe;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1;Container contains infected objects;Moved.;

Do I need to redo the scan again? I need to close Dr.Web, reboot & do another HiJackThis. Please let me know my next steps.
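Both Dr.Web reports above are dominated by c.bat and psexec.cfexe found inside ComboFix.exe (and inside the System Restore copies of that package under \System Volume Information\_restore...), plus stand-alone Program.PsExec hits in the same restore points. ComboFix ships its own PsExec and batch helpers, which is exactly what the log shows a scanner finding when it opens the package. The script below is an added example for sorting such a report, not part of Dr.Web or ComboFix: it parses the semicolon-separated records and buckets anything attributable to the ComboFix package, then anything else living in a restore point, so that what remains (here InstallHelper.exe under Motive) gets a human look. It assumes the record layout name;directory;verdict;action seen above and recognises the package by the ComboFix.exe name and by the 32788R22FWJFW folder name this log shows inside it; both are name matches, not proof of identity, so confirm the flagged ComboFix.exe is the copy that was downloaded. The sample records are copied from the log above.

```python
"""Triage a Dr.Web CureIt! report: separate detections that sit inside the
ComboFix package (or System Restore copies of it) from everything else.
Added example for this thread; not part of Dr.Web or ComboFix.
Record layout assumed from the log above: name;directory;verdict;action;"""
from collections import Counter

# Constructed sample: records copied from the Dr.Web log posted above.
SAMPLE = r"""ComboFix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\Mom\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Mom\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Mom\Desktop;Container contains infected objects;Moved.;
InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably MULDROP.Trojan;Renamed.;
A0000042.EXE;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0;Program.PsExec.170;Moved.;
A0000128.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0\A0000128.exe/data002;Program.PsExec.171;;
"""

# Folder name the log shows inside ComboFix.exe; used to recognise restore-point
# copies of the same package (an assumption drawn from this log only).
COMBOFIX_INNER_DIR = "32788R22FWJFW"
RESTORE_PREFIX = "c:\\system volume information\\_restore"


def parse_drweb(text):
    """Yield one dict per record: name, directory, verdict, action."""
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(";")
        if len(parts) < 4:
            continue  # malformed or truncated record; skip rather than guess
        yield {"name": parts[0], "directory": parts[1],
               "verdict": parts[2], "action": parts[3]}


def classify(rec):
    """'combofix' for the tool's own embedded files (wherever they sit),
    'restore-point' for other System Restore copies, 'review' for the rest."""
    full = (rec["directory"] + "\\" + rec["name"]).lower()
    if "combofix.exe" in full or COMBOFIX_INNER_DIR.lower() in full:
        return "combofix"
    if full.startswith(RESTORE_PREFIX):
        return "restore-point"
    return "review"


def triage(text):
    """Return (Counter of classes, list of records still needing review)."""
    counts, review = Counter(), []
    for rec in parse_drweb(text):
        cls = classify(rec)
        counts[cls] += 1
        if cls == "review":
            review.append(rec)
    return counts, review


if __name__ == "__main__":
    counts, review = triage(SAMPLE)
    print(dict(counts))
    for rec in review:
        print(f"REVIEW: {rec['directory']}\\{rec['name']}  {rec['verdict']}  [{rec['action'] or 'no action'}]")
```

Restore-point items are bucketed separately because a cleanup typically ends with the old restore points being purged, which removes those copies; they still deserve a glance if their verdict is anything other than the scanner's own tooling. On the sample, the only record left for review is the Motive InstallHelper.exe heuristic hit.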
Ghostrider 7 #17 Posted April 9, 2009

Here's the HiJackThis log to finish Step 4.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:13 PM, on 4/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hewlett-packard\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [backupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: Sid Registration.lnk = E:\ATR1.exe (User 'Default user')
O4 - Startup: Sid Registration.lnk = E:\ATR1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://mobile.coair.com/llclient/postsp/wi...java+AXXPEE.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106426461718
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {A9C70AF0-0F2A-11D1-B230-0000C08C00C4} (SSDBCombo Control 3.1) - http://insidetis.coair.com/edocs/cabs/ssdw3b32.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {CBBD6FA7-2384-11D1-A8C9-0040C7116154} (HostFront ActiveX Display) - http://sna.coair.com/HFACTX/HFDSP.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: SAMSUNG WiselinkPro Service (WiselinkPro) - Unknown owner - C:\Program Files\SAMSUNG\SAMSUNG PC Share Manager\WiselinkPro.exe

--
End of file - 10899 bytes
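For reading HijackThis logs like the two in this thread, here is a small triage script, added as an example and not part of HijackThis. It pulls out entries whose target is marked (file missing) or (no file), O23 services that HijackThis could not attribute to an owner, and O4 autoruns that either name a bare executable (resolved through the search path rather than a fixed location) or launch from a drive other than C:. It assumes C: is the system drive and uses the section prefixes and markers exactly as they appear in the log above; the sample lines are copied from it. A hit is a prompt to check the entry, not a verdict: the helper reviewing this thread treated the log as fine, so hits such as the Unknown owner McAfee SiteAdvisor service are expected noise here.

```python
"""Triage a HijackThis log: list entries whose file no longer exists, services
with no recognised owner, and O4 autoruns that run a bare file name or a file
off the system drive. Added example for this thread; not part of HijackThis.
Markers '(file missing)', '(no file)' and 'Unknown owner' are taken from the
log above; C: as the system drive is an assumption."""
import re

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE = r"""O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - Startup: Sid Registration.lnk = E:\ATR1.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

SYSTEM_DRIVE = "c:\\"
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
# O4 bodies look like 'HKLM\..\Run: [Name] command' or 'Startup: x.lnk = command'
O4_RE = re.compile(
    r"^(?:HK[A-Z]+\\\.\.\\Run|Startup|Global Startup|\.DEFAULT User Startup): "
    r"(?:\[[^\]]+\] |[^=]+= )(.*)$")


def parse_hjt(text):
    """Yield (section, body) for each HijackThis entry line."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def autorun_target(body):
    """Return the command an O4 entry launches, or None if it is not O4-shaped."""
    m = O4_RE.match(body)
    return m.group(1).strip() if m else None


def first_executable(cmd):
    """Executable path/name at the front of a command line, quoted or not."""
    if cmd.startswith('"'):
        return cmd[1:].split('"')[0]
    return cmd.split()[0]


def triage_hjt(text):
    """Return a list of (reason, section, body) entries worth a second look."""
    findings = []
    for section, body in parse_hjt(text):
        low = body.lower()
        if "(file missing)" in low or "(no file)" in low:
            findings.append(("target file missing", section, body))
        elif section == "O23" and "unknown owner" in low:
            findings.append(("service with unknown owner", section, body))
        elif section == "O4":
            cmd = autorun_target(body)
            if not cmd:
                continue
            exe = first_executable(cmd)
            if "\\" not in exe:
                findings.append(("autorun by bare file name (search-path resolved)", section, body))
            elif not exe.lower().startswith(SYSTEM_DRIVE):
                findings.append(("autorun from a non-system drive", section, body))
    return findings


if __name__ == "__main__":
    for reason, section, body in triage_hjt(SAMPLE):
        print(f"[{reason}] {section} - {body}")
```

On the sample it flags the orphaned BHO, the two (file missing) entries, the Unknown owner SiteAdvisor service, the path-less LTMSG.exe autorun and the E:\ATR1.exe startup item, and leaves the fully pathed KBD.EXE and the NVIDIA service alone. Feed it the complete log and read the output alongside the running-process list at the top.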
AdvancedSetup #18 Posted April 9, 2009

No that looks fine.

You can delete Dr Web and the folder under your profile where it stored all the data.

Please remove or update your Adobe Acrobat.
Security Updates available for Adobe Reader and Acrobat

Also remove Java
Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA
Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer (or other web browser) before continuing!***
Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location and post it back when you reply.

Then look for the following Java folders and if found delete them.
C:\Program Files\Java
C:\Program Files\Common Files\Java
C:\Documents and Settings\All Users\Application Data\Java
C:\Documents and Settings\All Users\Application Data\Sun\Java
C:\Documents and Settings\username\Application Data\Java
C:\Documents and Settings\username\Application Data\Sun\Java

Then download and run this
Download and install CCleaner
CCleaner
Double-click on the downloaded file "ccsetup218.exe" and install the application.
Keep the default installation folder "C:\Program Files\CCleaner"
Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
Click finish when done and close ALL PROGRAMS
Start the CCleaner program.
Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
Click on Run Cleaner button on the bottom right side of the program.
Click OK to any prompts

Then update MBAM again and scan again.
Update and Scan with Malwarebytes' Anti-Malware
Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
Update Malwarebytes' Anti-Malware
Select the Update tab
Click Update
When the update is complete, select the Scanner tab
Select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply. If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.
Ghostrider 7 #19 Posted April 9, 2009

No problem, I'll do those next. One question, I've been holding off on updating to XP SP3 for a while. Ok to do that after I get the all clear?
AdvancedSetup #20 Posted April 9, 2009

Yes, once all clear I highly recommend you do update to SP3
Ghostrider 7 #21 Posted April 9, 2009

Hello Advanced,
Ok, Java removed as instructed.
CCleaner ran, no problem with either.
Here's my MBAM Quick Scan & HiJackThis log as requested.

Malwarebytes' Anti-Malware 1.36
Database version: 1959
Windows 5.1.2600 Service Pack 2

4/9/2009 4:31:51 PM
mbam-log-2009-04-09 (16-31-51).txt

Scan type: Quick Scan
Objects scanned: 95765
Time elapsed: 7 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

##################################################

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:04 PM, on 4/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hewlett-packard\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [backupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: Sid Registration.lnk = E:\ATR1.exe (User 'Default user')
O4 - Startup: Sid Registration.lnk = E:\ATR1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://mobile.coair.com/llclient/postsp/wi...java+AXXPEE.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106426461718
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {A9C70AF0-0F2A-11D1-B230-0000C08C00C4} (SSDBCombo Control 3.1) - http://insidetis.coair.com/edocs/cabs/ssdw3b32.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CBBD6FA7-2384-11D1-A8C9-0040C7116154} (HostFront ActiveX Display) - http://sna.coair.com/HFACTX/HFDSP.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: SAMSUNG WiselinkPro Service (WiselinkPro) - Unknown owner - C:\Program Files\SAMSUNG\SAMSUNG PC Share Manager\WiselinkPro.exe

--
End of file - 10525 bytes

###################################################################

How does it look?
Once I get an all clear, I'll upgrade to XP SP3. What about the new IE8??
Thanks!,
Soon to be NOT-NeedinghelpinTX!
AdvancedSetup #22 Posted April 9, 2009

That looks good except the Adobe Acrobat Reader - did you go get an update? If not you really need to.
If it's just the reader you may want to remove the 7.x and install the 9.1.x version.

Then if you're all set let's do an online Anti-Virus scan to confirm no remaining issues.
Please run an Online Anti-Virus scan with either the Java or ActiveX version of Kaspersky

Java Version
Run Kaspersky Online AV Scanner
Please go to Kaspersky website and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan and then put the kettle on!
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

ActiveX version
Run Kaspersky Online AV Scanner
Using Internet Explorer Go to http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html and click the Accept button at the end of the page.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary.
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
Ghostrider 7 #23 Posted April 9, 2009

I upgraded to Adobe Reader 9.1 after I ran MBAM & HiJackThis. I have ver 9.1.0 & the latest update.
I'll be doing the Kaspersky ActiveX version.
What about IE8??
AdvancedSetup #24 Posted April 9, 2009

Okay let's use HJT to remove some old entries then for Adobe Reader.
With all other applications closed (Taskbar empty), open HijackThis again and run Do a system scan only and place a check mark on the following items.

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Then Quit All Browsers including the one you're reading this in now.
Then click on Fix checked and then quit HJT

As for the IE8 - some people like it, others are having some conflicts with certain sites and/or plugins. You can install it (wait till SP3 is done and running well first) and then if you do run into issues with any software that is not compatible you can uninstall it and go back to IE7 if you really have to.
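Added here as an example (not code from the thread, from Malwarebytes or from HijackThis): a small Python triage script for HJT log lines in the format posted in this thread, which parses the R/O entries, flags what the helper checks for (entries whose file is missing, and entries still pointing at the superseded Acrobat 7.0 or JRE 1.4 install) and reports which of the three entries listed above survive in a fresh log. The sample entries are copied from the logs in this thread; the post-upgrade fragment, the flag names and the legacy-path markers are constructed assumptions.

```python
"""Triage HijackThis (HJT) log entries the way the helper in this thread does.
Added example; not HijackThis' own code. BEFORE_LOG entries are copied from
the logs posted in this thread; AFTER_LOG is a constructed re-scan fragment."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# An HJT entry looks like "O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe"
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First Windows path in the entry, up to a known executable/library extension.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|ocx|cab|lnk)", re.IGNORECASE)

# Assumed markers for the product versions the helper asked to retire:
# Acrobat/Reader 7.x (superseded by 9.1) and the JRE 1.4.1 DPF entry (superseded by jre6).
LEGACY_MARKERS = ("\\acrobat 7.0\\", "java runtime environment 1.4")


@dataclass
class Entry:
    section: str                 # "R1", "O2", "O4", "O16", "O23", ...
    body: str                    # everything after "O4 - "
    clsid: Optional[str]
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for an 'Oxx - ...' line; None for headers and the process list."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    return Entry(m.group("section"), body,
                 clsid.group(0) if clsid else None,
                 path.group(0) if path else None)


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach the flags a helper scans for; everything else is left alone."""
    for e in entries:
        if "(file missing)" in e.body or "(no file)" in e.body:
            e.flags.append("orphaned")       # registry/service points at a file that is gone
        if e.section == "O16" and e.body.rstrip().endswith("-"):
            e.flags.append("orphaned")       # DPF control with no source URL left
        if any(mk in e.body.lower() for mk in LEGACY_MARKERS):
            e.flags.append("legacy-version")
    return entries


def parse_log(text: str) -> List[Entry]:
    entries = [parse_entry(ln) for ln in text.splitlines()]
    return triage([e for e in entries if e is not None])


def _key(e: Entry) -> Tuple[str, str]:
    # Match on section + path (or whole body) so entry order in a re-scan does not matter.
    return (e.section, (e.path or e.body).lower())


def still_present(fix_list: List[str], log_text: str) -> List[str]:
    """Which of the entries a helper asked to fix still show up in a fresh log?"""
    keys = {_key(e) for e in parse_log(log_text)}
    hits = []
    for ln in fix_list:
        e = parse_entry(ln)
        if e is not None and _key(e) in keys:
            hits.append(ln)
    return hits


# Entries copied from the "before" HJT log posted in this thread.
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
"""

# Constructed fragment of a re-scan after Reader 9.1 is installed: the two
# Acrobat 7.0 entries are gone, the updateMgr Run key is still there.
AFTER_LOG = r"""O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
"""

# The three entries the helper asked to "Fix checked" (copied from the post above).
FIX_LIST = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r'O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1',
    r"O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe",
]

if __name__ == "__main__":
    for e in parse_log(BEFORE_LOG):
        if e.flags:
            print(e.section, ",".join(e.flags), "->", e.path or e.body)
    print("still present after re-scan:", still_present(FIX_LIST, AFTER_LOG))
```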
Ghostrider 7 #25 Posted April 10, 2009

Ok, I had to run Kaspersky using Java. So I downloaded the latest Java Version you asked me to.
Kaspersky would only say that I needed Java when both of the links you gave were clicked.
And you're right, I put the kettle on (3 hour scan).
Here's the Kaspersky log.

KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, April 9, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, April 10, 2009 00:26:31
Records in database: 2029347
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 173116
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 03:09:19

No malware has been detected. The scan area is clean.

The selected area was scanned.

#################################################

I then opened HiJackThis & deleted the old Java stuff. The only one left was
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

These two didn't show, I think that is because Reader 9.1 replaced them.
- O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
- O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

#################################################

Here's my HiJackThis log after running Kaspersky & after I deleted that one Java remnant:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:13 PM, on 4/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hewlett-packard\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [backupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: Sid Registration.lnk = E:\ATR1.exe (User 'Default user')
O4 - Startup: Sid Registration.lnk = E:\ATR1.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://mobile.coair.com/llclient/postsp/wi...java+AXXPEE.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106426461718
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab
O16 - DPF: {A9C70AF0-0F2A-11D1-B230-0000C08C00C4} (SSDBCombo Control 3.1) - http://insidetis.coair.com/edocs/cabs/ssdw3b32.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CBBD6FA7-2384-11D1-A8C9-0040C7116154} (HostFront ActiveX Display) - http://sna.coair.com/HFACTX/HFDSP.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: SAMSUNG WiselinkPro Service (WiselinkPro) - Unknown owner - C:\Program Files\SAMSUNG\SAMSUNG PC Share Manager\WiselinkPro.exe

--
End of file - 11136 bytes

#############################################################

The pc seems to be running like it did before the rootkit attack. I will try to put it through the paces tomorrow.
I will also logon under my login & my boys to see how it runs there.
Let me know if it's okay & I'll download SP3 tomorrow or over the weekend. I'll hold off on IE8 for a while.
My next biggest task is to school my family on adware, malware, etc.
I really appreciate you, Malwarebytes & all the fighters against the bad for what you do!!
Have a good night!
Regards,
NHITX