Ghostrider 7

Cannot run Malwarebytes, HiJackThis, Spybot & Internet redirects


Hello, I believe I have a UAC rootkit infection. On 03/29, I noticed a problem when I tried to use the pc after my wife used it about 5 hours before me. She doesn't remember anything different or odd. When I started using the pc, I noticed the internet redirect & that's when I first tried to use Malwarebytes. I have been trying to clean the pc off & on since then. I have been unable to open MBAM.exe, Spybot Search & Destroy or go back to a previous system restore point. I downloaded HiJackThis today, but I'm unable to start that program. The only adware program that runs is Ad-Aware SE by Lavasoft, but I couldn't get the latest definitions because the program is outdated. I still ran SE but it didn't find anything bad. I've also tried doing all of this while in Safe Mode while logged on as the Administrator, myself & my wife.

After reviewing my McAfee Antivirus Detection log, I see where it first detected DNSChanger.gen (Trojan) at 13:20 CDT on 03/29. McAfee says that it repaired (removed) it. This was when my wife was using the pc. Below are the McAfee Detection Logs that I have run since & what McAfee did. All times are Central (Texas) time.

1st McAfee Detection Log:

3/29 1:20:12 PM Real-Time Scan DNSChanger.gen (Trojan) McAfee Repaired (removed)

McAfee findings from the Detection Logs:

3/29 7:53:45 PM Manual Scan Generic FakeAlert.k (Trojan) Quarantined
3/29 7:53:45 PM Manual Scan DNSChanger.gen (Trojan) Quarantined
3/29 7:53:45 PM Manual Scan Generic.dx (Trojan) Quarantined
3/29 7:53:45 PM Manual Scan FakeAlert-AB (Trojan) Quarantined
3/29 7:53:45 PM Manual Scan FakeAlert.k (Trojan) Quarantined
3/29 7:53:46 PM Manual Scan GenericPUP.x (Potentially Unwanted Program) Detected
3/29 7:53:46 PM Manual Scan RemAdm-PSKill (Potentially Unwanted Program) Detected
3/29 7:53:46 PM Manual Scan DNSChanger.gen (Trojan) Quarantined

My next time trying to correct this was on 4/01 3:52 PM (I manually stopped scan).

McAfee findings from the Detection Logs:

4/1 3:52:30 PM Manual Scan Generic FakeAlert.k (Trojan) Quarantined
4/1 3:52:30 PM Manual Scan DNSChanger.gen (Trojan) Quarantined
4/1 3:52:30 PM Manual Scan FakeAlert-AB (Trojan) Quarantined
4/1 3:52:30 PM Manual Scan FakeAlert.k (Trojan) Quarantined

I tried again on 4/01 at 7:02 PM

McAfee findings from the Detection Logs:

4/1 7:02:49 PM Manual Scan Generic FakeAlert.k (Trojan) Quarantined
4/1 7:02:50 PM Manual Scan Generic FakeAlert.k (Trojan) Quarantined
4/1 7:02:50 PM Manual Scan DNSChanger.gen (Trojan) Quarantined
4/1 7:02:50 PM Manual Scan FakeAlert-AB (Trojan) Quarantined
4/1 7:02:51 PM Manual Scan GenericPUP.x (Potentially Unwanted Program) Detected
4/1 7:02:51 PM Manual Scan RemAdm-PSKill (Potentially Unwanted Program) Detected

I have a HP computer & I think that GenericPUP.x & RemAdm-PSKill are part of their system.

I would appreciate any help I can get.

Thanks!

NeedhelpinTX
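The detection log above shows the same names being quarantined on 3/29 and quarantined again on 4/1. A scanner that keeps "removing" the same object is being undone by something it cannot see, which is what the poster's rootkit suspicion predicts. As an added example (it is not part of the original post and not a McAfee tool), the script below parses log lines in the format pasted above, groups them into scan sessions and lists the detections that were removed in more than one session. The year (2009), the 60-second session window and the list of words treated as "removed" are assumptions of the example.

```python
"""Triage of a McAfee detection log in the format pasted in the post above.

Added example; not part of the original post and not McAfee code.
Assumptions: year 2009 (the log has no year), a 60-second window groups
one scan's lines into a session, and the REMOVAL_WORDS list below.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the poster's entries re-typed in the same format.
SAMPLE_LOG = """\
3/29 1:20:12 PM Real-Time Scan DNSChanger.gen (Trojan) McAfee Repaired (removed)
3/29 7:53:45 PM Manual Scan Generic FakeAlert.k (Trojan) Quarantined
3/29 7:53:45 PM Manual Scan DNSChanger.gen (Trojan) Quarantined
3/29 7:53:45 PM Manual Scan Generic.dx (Trojan) Quarantined
3/29 7:53:45 PM Manual Scan FakeAlert-AB (Trojan) Quarantined
3/29 7:53:45 PM Manual Scan FakeAlert.k (Trojan) Quarantined
3/29 7:53:46 PM Manual Scan GenericPUP.x (Potentially Unwanted Program) Detected
3/29 7:53:46 PM Manual Scan RemAdm-PSKill (Potentially Unwanted Program) Detected
3/29 7:53:46 PM Manual Scan DNSChanger.gen (Trojan) Quarantined
4/1 3:52:30 PM Manual Scan Generic FakeAlert.k (Trojan) Quarantined
4/1 3:52:30 PM Manual Scan DNSChanger.gen (Trojan) Quarantined
4/1 3:52:30 PM Manual Scan FakeAlert-AB (Trojan) Quarantined
4/1 3:52:30 PM Manual Scan FakeAlert.k (Trojan) Quarantined
4/1 7:02:49 PM Manual Scan Generic FakeAlert.k (Trojan) Quarantined
4/1 7:02:50 PM Manual Scan Generic FakeAlert.k (Trojan) Quarantined
4/1 7:02:50 PM Manual Scan DNSChanger.gen (Trojan) Quarantined
4/1 7:02:50 PM Manual Scan FakeAlert-AB (Trojan) Quarantined
4/1 7:02:51 PM Manual Scan GenericPUP.x (Potentially Unwanted Program) Detected
4/1 7:02:51 PM Manual Scan RemAdm-PSKill (Potentially Unwanted Program) Detected
"""

# date time scan-type name (kind) action
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<scan>Real-Time Scan|Manual Scan) "
    r"(?P<name>.+?) \((?P<kind>[^)]+)\) (?P<action>.+)$"
)

# Action words meaning the scanner believed it removed the object (assumption).
REMOVAL_WORDS = ("quarantined", "repaired", "removed", "deleted")


def parse_log(text, year=2009):
    """Return one dict per log line; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year}/{m['date']} {m['time']}", "%Y/%m/%d %I:%M:%S %p")
        entries.append({"ts": ts, "scan": m["scan"], "name": m["name"],
                        "kind": m["kind"], "action": m["action"]})
    return entries


def group_sessions(entries, gap=timedelta(seconds=60)):
    """Group entries into scan sessions: same scan type, consecutive lines within `gap`."""
    sessions = []
    for e in sorted(entries, key=lambda e: e["ts"]):
        last = sessions[-1][-1] if sessions else None
        if last and last["scan"] == e["scan"] and e["ts"] - last["ts"] <= gap:
            sessions[-1].append(e)
        else:
            sessions.append([e])
    return sessions


def was_removed(entry):
    return any(w in entry["action"].lower() for w in REMOVAL_WORDS)


def recurring_removals(sessions):
    """Map name -> number of separate sessions in which the scanner 'removed' it.

    Only names removed in two or more sessions are returned: an object that is
    quarantined and then reappears in a later scan is being put back by
    something the scanner does not see.  Items merely 'Detected' (the PUPs)
    are expected to recur and are ignored.
    """
    per_name = defaultdict(set)
    for i, session in enumerate(sessions):
        for e in session:
            if was_removed(e):
                per_name[e["name"]].add(i)
    return {name: len(ids) for name, ids in per_name.items() if len(ids) >= 2}


def report(text):
    sessions = group_sessions(parse_log(text))
    lines = [f"{len(sessions)} scan session(s)"]
    for name, n in sorted(recurring_removals(sessions).items(), key=lambda kv: -kv[1]):
        lines.append(f"  {name}: removed in {n} sessions and came back each time")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the poster's entries the script finds four sessions and reports DNSChanger.gen as removed in all four, with the three FakeAlert names recurring as well; Generic.dx, removed once and not seen again, is not listed.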


Please take a look at the following post and see if you can get MBAM running and updated by using the information from these posts. If not let me know and we'll try something else.

Potential Malware infection issues to review to get MBAM running

If you can get MBAM running then please run the following.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware: select the Update tab and click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


OK, Process Explorer didn't show anything & RootRepeal doesn't let me "wipe" anything.

First, here's the info from Process Explorer. No Total-Security (FakeAlert) or av360 found.

But, McAfee previously id'd FakeAlert.k, FakeAlert-AB & Generic FakeAlert.k on 3/29.

Process PID CPU Description Company Name
System Idle Process 0 94.70
Interrupts n/a Hardware Interrupts
DPCs n/a 0.76 Deferred Procedure Calls
System 4
smss.exe 944 Windows NT Session Manager Microsoft Corporation
csrss.exe 1008 0.76 Client Server Runtime Process Microsoft Corporation
winlogon.exe 1032 Windows NT Logon Application Microsoft Corporation
services.exe 1084 0.76 Services and Controller app Microsoft Corporation
svchost.exe 1284 Generic Host Process for Win32 Services Microsoft Corporation
mcagent.exe 3236 McAfee Integrated Security Platform McAfee, Inc.
ehmsas.exe 1932 Media Center Media Status Aggregator Service Microsoft Corporation
svchost.exe 1356 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1504 Generic Host Process for Win32 Services Microsoft Corporation
wuauclt.exe 2872 Windows Update Automatic Updates Microsoft Corporation
wuauclt.exe 3188 Windows Update Automatic Updates Microsoft Corporation
svchost.exe 1688 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1952 Spooler SubSystem App Microsoft Corporation
dsNcService.exe 180 Network Connect Service Juniper Networks
ehrecvr.exe 232 Media Center Receiver Service Microsoft Corporation
ehSched.exe 248 Media Center Scheduler Service Microsoft Corporation
IntuitUpdateService.exe 332 Intuit Update Service Intuit Inc.
McSACore.exe 492 SiteAdvisor McAfee, Inc.
mcmscsvc.exe 612 McAfee Services McAfee, Inc.
McNASvc.exe 716 McAfee Network Agent McAfee, Inc.
McProxy.exe 812 McAfee Proxy Service Module McAfee, Inc.
Mcshield.exe 920 On-Access Scanner service McAfee, Inc.
MpfSrv.exe 1604 McAfee Personal Firewall Service McAfee, Inc.
nvsvc32.exe 520 NVIDIA Driver Helper Service, Version 66.72 NVIDIA Corporation
svchost.exe 1308 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1560 Generic Host Process for Win32 Services Microsoft Corporation
mcrdsvc.exe 2056 MCRD Device Service Microsoft Corporation
fxssvc.exe 2092 Fax Service Microsoft Corporation
dllhost.exe 3864 COM Surrogate Microsoft Corporation
alg.exe 3060 Application Layer Gateway Service Microsoft Corporation
mcsysmon.exe 1328 McAfee SystemGuards Service McAfee, Inc.
savedump.exe 1096 Windows NT Save Dump Utility Microsoft Corporation
lsass.exe 1104 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 2536 Windows Explorer Microsoft Corporation
iexplore.exe 2560 Internet Explorer Microsoft Corporation
ctfmon.exe 3204 CTF Loader Microsoft Corporation
ehtray.exe 3544 Media Center Tray Applet Microsoft Corporation
hpsysdrv.exe 3628 hpsysdrv Hewlett-Packard Company
shwicon2k.exe 3844 Alcor Micro, Corp.
ltmsg.exe 3856 ltmsg Agere Systems
Alcxmntr.exe 3892 Realtek Audio - Event Monitor Realtek Semiconductor Corp.
hpcmpmgr.exe 3936 HP Framework Component Manager Service Hewlett-Packard Company
kbd.exe 824 KBD EXE Hewlett-Packard Company
hpwuSchd2.exe 2252 hpwuSchd Application Hewlett-Packard
procexp.exe 2820 3.03 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
rundll32.exe 3868 Run a DLL as an App Microsoft Corporation

********************************************************************************

*************

Now, here's the info from RootRepeal. First, I got "Could not find kernel file on disk (C:\Windows\system32\ntoskrnl.exe)!"

After clicking OK, I clicked on "Files" & scan as instructed & below is what the RootRepeal File Scan showed.

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/04/07 18:56

Program Version: Version 1.2.3.0

Windows Version: Windows XP Media Center Edition SP2

==================================================

Hidden/Locked Files
-------------------
Path: C:\CMPNENTS  Status: Could not get file information (Error 0xc0000008)
Path: C:\MSDOS.SYS  Status: Could not get file information (Error 0xc0000008)
Path: C:\1ddd344c4ecfcab1daea4d3e4483  Status: Could not get file information (Error 0xc0000008)
Path: C:\26d850e8885ae1e5e9561c231645c5  Status: Could not get file information (Error 0xc0000008)
Path: C:\CONFIG.SYS  Status: Could not get file information (Error 0xc0000008)
Path: C:\CtDriverInstTemp  Status: Could not get file information (Error 0xc0000008)
Path: C:\CtDrvIns.log  Status: Could not get file information (Error 0xc0000008)
Path: C:\CtDrvStp.log  Status: Could not get file information (Error 0xc0000008)
Path: C:\Documents and Settings  Status: Could not get file information (Error 0xc0000008)
Path: C:\GameSpy Arcade Setup  Status: Could not get file information (Error 0xc0000008)
Path: C:\hp  Status: Could not get file information (Error 0xc0000008)
Path: C:\hpcmerr.log  Status: Could not get file information (Error 0xc0000008)
Path: C:\http_ss.log  Status: Could not get file information (Error 0xc0000008)
Path: C:\I386  Status: Could not get file information (Error 0xc0000008)
Path: C:\IO.SYS  Status: Could not get file information (Error 0xc0000008)
Path: C:\KBDSW  Status: Could not get file information (Error 0xc0000008)
Path: C:\log-other.txt  Status: Could not get file information (Error 0xc0000008)
Path: C:\Media  Status: Could not get file information (Error 0xc0000008)
Path: C:\MSOCache  Status: Could not get file information (Error 0xc0000008)
Path: C:\NTDETECT.COM  Status: Could not get file information (Error 0xc0000008)
Path: C:\ntldr  Status: Could not get file information (Error 0xc0000008)
Path: C:\NVIDIA  Status: Could not get file information (Error 0xc0000008)
Path: C:\Program Files  Status: Could not get file information (Error 0xc0000008)
Path: C:\Python22  Status: Could not get file information (Error 0xc0000008)
Path: C:\readme.txt  Status: Could not get file information (Error 0xc0000008)
Path: C:\RECYCLER  Status: Could not get file information (Error 0xc0000008)
Path: C:\Softpaq  Status: Could not get file information (Error 0xc0000008)
Path: C:\sti.log  Status: Could not get file information (Error 0xc0000008)
Path: C:\Swsetup  Status: Could not get file information (Error 0xc0000008)
Path: C:\System Volume Information  Status: Could not get file information (Error 0xc0000008)
Path: C:\system.sav  Status: Could not get file information (Error 0xc0000008)
Path: C:\temp  Status: Could not get file information (Error 0xc0000008)
Path: C:\windms.log  Status: Could not get file information (Error 0xc0000008)
Path: C:\WINDOWS  Status: Could not get file information (Error 0xc0000008)
Path: C:\WUTemp  Status: Could not get file information (Error 0xc0000008)
Path: C:\784e84d4b42c3caa835a5fe  Status: Could not get file information (Error 0xc0000008)
Path: C:\9da37eb7dc682c6b7  Status: Could not get file information (Error 0xc0000008)
Path: C:\ArcSoft Tutorials  Status: Could not get file information (Error 0xc0000008)
Path: C:\AUTOEXEC.BAT  Status: Could not get file information (Error 0xc0000008)
Path: C:\b2a  Status: Could not get file information (Error 0xc0000008)
Path: C:\BasicDVD  Status: Could not get file information (Error 0xc0000008)
Path: C:\boot.ini  Status: Could not get file information (Error 0xc0000008)
Path: C:\caavsetup.log  Status: Could not get file information (Error 0xc0000008)
Path: C:\cmdcons  Status: Could not get file information (Error 0xc0000008)
Path: C:\cmldr  Status: Could not get file information (Error 0xc0000008)

I also attached a report from the RootRepeal Driver scan where it shows UACmejwqolw.sys located in C:\Windows\system32\drivers\UACmejwqolw.sys. RootRepeal shows this in red & it says the status is "Hidden from Windows API!"

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/04/07 18:57

Program Version: Version 1.2.3.0

Windows Version: Windows XP Media Center Edition SP2

==================================================

Drivers

-------------------

Name: 1394BUS.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS

Address: 0xF85D6000 Size: 53248 File Visible: -

Status: -

Name: ACPI.sys

Image Path: ACPI.sys

Address: 0xF8567000 Size: 187776 File Visible: -

Status: -

Name: ACPI_HAL

Image Path: \Driver\ACPI_HAL

Address: 0x804D7000 Size: 2252800 File Visible: -

Status: -

Name: afd.sys

Image Path: C:\WINDOWS\System32\drivers\afd.sys

Address: 0xF3355000 Size: 138368 File Visible: -

Status: -

Name: AFS2K.SYS

Image Path: C:\WINDOWS\System32\Drivers\AFS2K.SYS

Address: 0xF87F6000 Size: 38528 File Visible: -

Status: -

Name: agp440.sys

Image Path: agp440.sys

Address: 0xF8626000 Size: 42368 File Visible: -

Status: -

Name: ALCXWDM.SYS

Image Path: C:\WINDOWS\system32\drivers\ALCXWDM.SYS

Address: 0xF68AB000 Size: 2279424 File Visible: -

Status: -

Name: arp1394.sys

Image Path: C:\WINDOWS\System32\DRIVERS\arp1394.sys

Address: 0xF8676000 Size: 60800 File Visible: -

Status: -

Name: atapi.sys

Image Path: atapi.sys

Address: 0xF84F9000 Size: 95360 File Visible: -

Status: -

Name: audstub.sys

Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys

Address: 0xF8C6E000 Size: 3072 File Visible: -

Status: -

Name: Beep.SYS

Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS

Address: 0xF8B12000 Size: 4224 File Visible: -

Status: -

Name: BOOTVID.dll

Image Path: C:\WINDOWS\system32\BOOTVID.dll

Address: 0xF89C6000 Size: 12288 File Visible: -

Status: -

Name: bridge.sys

Image Path: C:\WINDOWS\System32\DRIVERS\bridge.sys

Address: 0xF6875000 Size: 71552 File Visible: -

Status: -

Name: Cdfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS

Address: 0xF0171000 Size: 63744 File Visible: -

Status: -

Name: cdrom.sys

Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys

Address: 0xF8806000 Size: 49536 File Visible: -

Status: -

Name: CLASSPNP.SYS

Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS

Address: 0xF8616000 Size: 53248 File Visible: -

Status: -

Name: cx88enc.sys

Image Path: C:\WINDOWS\system32\drivers\cx88enc.sys

Address: 0xF6BA1000 Size: 297344 File Visible: -

Status: -

Name: CX88TUNE.sys

Image Path: C:\WINDOWS\system32\drivers\CX88TUNE.sys

Address: 0xF887E000 Size: 30976 File Visible: -

Status: -

Name: cx88vid.sys

Image Path: C:\WINDOWS\system32\drivers\cx88vid.sys

Address: 0xF6C0D000 Size: 160128 File Visible: -

Status: -

Name: cxavxbar.sys

Image Path: C:\WINDOWS\system32\drivers\cxavxbar.sys

Address: 0xF8A7A000 Size: 9344 File Visible: -

Status: -

Name: disk.sys

Image Path: disk.sys

Address: 0xF8606000 Size: 36352 File Visible: -

Status: -

Name: dmio.sys

Image Path: dmio.sys

Address: 0xF8511000 Size: 153344 File Visible: -

Status: -

Name: dmload.sys

Image Path: dmload.sys

Address: 0xF8ABA000 Size: 5888 File Visible: -

Status: -

Name: drmk.sys

Image Path: C:\WINDOWS\system32\drivers\drmk.sys

Address: 0xF8826000 Size: 61440 File Visible: -

Status: -

Name: dsNcAdpt.sys

Image Path: C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys

Address: 0xF8666000 Size: 40960 File Visible: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xF2456000 Size: 98304 File Visible: No

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF8AC8000 Size: 8192 File Visible: No

Status: -

Name: Dxapi.sys

Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys

Address: 0xF67AB000 Size: 12288 File Visible: -

Status: -

Name: dxg.sys

Image Path: C:\WINDOWS\System32\drivers\dxg.sys

Address: 0xBF9C3000 Size: 73728 File Visible: -

Status: -

Name: dxgthk.sys

Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys

Address: 0xF8C84000 Size: 4096 File Visible: -

Status: -

Name: Fastfat.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS

Address: 0xF246E000 Size: 143360 File Visible: -

Status: -

Name: fdc.sys

Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys

Address: 0xF8996000 Size: 27392 File Visible: -

Status: -

Name: Fips.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS

Address: 0xF86E6000 Size: 34944 File Visible: -

Status: -

Name: flpydisk.sys

Image Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sys

Address: 0xF888E000 Size: 20480 File Visible: -

Status: -

Name: fltMgr.sys

Image Path: fltMgr.sys

Address: 0xF84D9000 Size: 128896 File Visible: -

Status: -

Name: Fs_Rec.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS

Address: 0xF8B10000 Size: 7936 File Visible: -

Status: -

Name: ftdisk.sys

Image Path: ftdisk.sys

Address: 0xF8537000 Size: 125056 File Visible: -

Status: -

Name: hal.dll

Image Path: C:\WINDOWS\system32\hal.dll

Address: 0x806FD000 Size: 134400 File Visible: -

Status: -

Name: HIDCLASS.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS

Address: 0xF8716000 Size: 36864 File Visible: -

Status: -

Name: hidir.sys

Image Path: C:\WINDOWS\System32\DRIVERS\hidir.sys

Address: 0xF88F6000 Size: 19200 File Visible: -

Status: -

Name: HIDPARSE.SYS

Image Path: C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS

Address: 0xF889E000 Size: 28672 File Visible: -

Status: -

Name: hidusb.sys

Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys

Address: 0xF83C1000 Size: 9600 File Visible: -

Status: -

Name: HTTP.sys

Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys

Address: 0xF08AE000 Size: 262784 File Visible: -

Status: -

Name: imapi.sys

Image Path: C:\WINDOWS\System32\DRIVERS\imapi.sys

Address: 0xF87E6000 Size: 41856 File Visible: -

Status: -

Name: intelppm.sys

Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys

Address: 0xF87A6000 Size: 36096 File Visible: -

Status: -

Name: ipfltdrv.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys

Address: 0xF8686000 Size: 32896 File Visible: -

Status: -

Name: ipnat.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys

Address: 0xF3463000 Size: 134912 File Visible: -

Status: -

Name: ipsec.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys

Address: 0xF3505000 Size: 74752 File Visible: -

Status: -

Name: IrBus.sys

Image Path: C:\WINDOWS\System32\DRIVERS\IrBus.sys

Address: 0xF86F6000 Size: 46592 File Visible: -

Status: -

Name: isapnp.sys

Image Path: isapnp.sys

Address: 0xF85B6000 Size: 35840 File Visible: -

Status: -

Name: kbdclass.sys

Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys

Address: 0xF89BE000 Size: 24576 File Visible: -

Status: -

Name: kbdhid.sys

Image Path: C:\WINDOWS\System32\DRIVERS\kbdhid.sys

Address: 0xF67BF000 Size: 14848 File Visible: -

Status: -

Name: KDCOM.DLL

Image Path: C:\WINDOWS\system32\KDCOM.DLL

Address: 0xF8AB6000 Size: 8192 File Visible: -

Status: -

Name: kmixer.sys

Image Path: C:\WINDOWS\system32\drivers\kmixer.sys

Address: 0xEE351000 Size: 172416 File Visible: -

Status: -

Name: ks.sys

Image Path: C:\WINDOWS\system32\drivers\ks.sys

Address: 0xF6BEA000 Size: 143360 File Visible: -

Status: -

Name: KSecDD.sys

Image Path: KSecDD.sys

Address: 0xF84C2000 Size: 92032 File Visible: -

Status: -

Name: ltmdmnt.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys

Address: 0xF6B06000 Size: 633568 File Visible: -

Status: -

Name: mfeavfk.sys

Image Path: C:\WINDOWS\system32\drivers\mfeavfk.sys

Address: 0xEFB65000 Size: 72576 File Visible: -

Status: -

Name: mfebopk.sys

Image Path: C:\WINDOWS\system32\drivers\mfebopk.sys

Address: 0xF8936000 Size: 28512 File Visible: -

Status: -

Name: mfehidk.sys

Image Path: C:\WINDOWS\system32\drivers\mfehidk.sys

Address: 0xF328B000 Size: 194592 File Visible: -

Status: -

Name: mfesmfk.sys

Image Path: C:\WINDOWS\system32\drivers\mfesmfk.sys

Address: 0xF0659000 Size: 33760 File Visible: -

Status: -

Name: mnmdd.SYS

Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS

Address: 0xF8B14000 Size: 4224 File Visible: -

Status: -

Name: Modem.SYS

Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS

Address: 0xF898E000 Size: 30080 File Visible: -

Status: -

Name: mouclass.sys

Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys

Address: 0xF8856000 Size: 23040 File Visible: -

Status: -

Name: mouhid.sys

Image Path: C:\WINDOWS\System32\DRIVERS\mouhid.sys

Address: 0xF67BB000 Size: 12160 File Visible: -

Status: -

Name: MountMgr.sys

Image Path: MountMgr.sys

Address: 0xF85E6000 Size: 42240 File Visible: -

Status: -

Name: Mpfp.sys

Image Path: C:\WINDOWS\System32\Drivers\Mpfp.sys

Address: 0xF343F000 Size: 147456 File Visible: -

Status: -

Name: mrxdav.sys

Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys

Address: 0xF093F000 Size: 179584 File Visible: -

Status: -

Name: mrxsmb.sys

Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys

Address: 0xF32BB000 Size: 453632 File Visible: -

Status: -

Name: Msfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS

Address: 0xF88AE000 Size: 19072 File Visible: -

Status: -

Name: msgpc.sys

Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys

Address: 0xF78D1000 Size: 35072 File Visible: -

Status: -

Name: MSPQM.sys

Image Path: C:\WINDOWS\system32\drivers\MSPQM.sys

Address: 0xF8B2A000 Size: 4992 File Visible: -

Status: -

Name: mssmbios.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys

Address: 0xF6F1D000 Size: 15488 File Visible: -

Status: -

Name: Mup.sys

Image Path: Mup.sys

Address: 0xF83ED000 Size: 107904 File Visible: -

Status: -

Name: MxlW2k.SYS

Image Path: C:\WINDOWS\System32\Drivers\MxlW2k.SYS

Address: 0xF899E000 Size: 25504 File Visible: -

Status: -

Name: NDIS.sys

Image Path: NDIS.sys

Address: 0xF8408000 Size: 182912 File Visible: -

Status: -

Name: ndistapi.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys

Address: 0xF6F29000 Size: 9600 File Visible: -

Status: -

Name: ndisuio.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys

Address: 0xF13A7000 Size: 14592 File Visible: -

Status: -

Name: ndiswan.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys

Address: 0xF685E000 Size: 91776 File Visible: -

Status: -

Name: NDProxy.SYS

Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS

Address: 0xF78B1000 Size: 38016 File Visible: -

Status: -

Name: NEOFLTR_500_8897.SYS

Image Path: C:\WINDOWS\system32\Drivers\NEOFLTR_500_8897.SYS

Address: 0xF86B6000 Size: 54112 File Visible: -

Status: -

Name: netbios.sys

Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys

Address: 0xF86C6000 Size: 34560 File Visible: -

Status: -

Name: netbt.sys

Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys

Address: 0xF3377000 Size: 162816 File Visible: -

Status: -

Name: nic1394.sys

Image Path: C:\WINDOWS\System32\DRIVERS\nic1394.sys

Address: 0xF8656000 Size: 61824 File Visible: -

Status: -

Name: Npfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS

Address: 0xF88B6000 Size: 30848 File Visible: -

Status: -

Name: Ntfs.sys

Image Path: Ntfs.sys

Address: 0xF8435000 Size: 574464 File Visible: -

Status: -

Name: ntoskrnl.exe

Image Path: C:\WINDOWS\system32\ntoskrnl.exe

Address: 0x804D7000 Size: 2252800 File Visible: -

Status: -

Name: Null.SYS

Image Path: C:\WINDOWS\System32\Drivers\Null.SYS

Address: 0xF8D0D000 Size: 2944 File Visible: -

Status: -

Name: nv4_disp.dll

Image Path: C:\WINDOWS\System32\nv4_disp.dll

Address: 0xBF9D5000 Size: 3723264 File Visible: -

Status: -

Name: nv4_mini.sys

Image Path: C:\WINDOWS\System32\DRIVERS\nv4_mini.sys

Address: 0xF6C6C000 Size: 2738592 File Visible: -

Status: -

Name: ohci1394.sys

Image Path: ohci1394.sys

Address: 0xF85C6000 Size: 61056 File Visible: -

Status: -

Name: parport.sys

Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys

Address: 0xF6AD8000 Size: 80128 File Visible: -

Status: -

Name: PartMgr.sys

Image Path: PartMgr.sys

Address: 0xF883E000 Size: 18688 File Visible: -

Status: -

Name: ParVdm.SYS

Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS

Address: 0xF8B48000 Size: 6784 File Visible: -

Status: -

Name: pci.sys

Image Path: pci.sys

Address: 0xF8556000 Size: 68224 File Visible: -

Status: -

Name: pciide.sys

Image Path: pciide.sys

Address: 0xF8B7E000 Size: 3328 File Visible: -

Status: -

Name: PCIIDEX.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Address: 0xF8836000 Size: 28672 File Visible: -

Status: -

Name: pfc.sys

Image Path: C:\WINDOWS\system32\drivers\pfc.sys

Address: 0xF83B5000 Size: 9856 File Visible: -

Status: -

Name: PnpManager

Image Path: \Driver\PnpManager

Address: 0x804D7000 Size: 2252800 File Visible: -

Status: -

Name: portcls.sys

Image Path: C:\WINDOWS\system32\drivers\portcls.sys

Address: 0xF6887000 Size: 147456 File Visible: -

Status: -

Name: PROCEXP113.SYS

Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

Address: 0xF8AF0000 Size: 7872 File Visible: No

Status: -

Name: psched.sys

Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys

Address: 0xF684D000 Size: 69120 File Visible: -

Status: -

Name: ptilink.sys

Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys

Address: 0xF89AE000 Size: 17792 File Visible: -

Status: -

Name: PxHelp20.sys

Image Path: PxHelp20.sys

Address: 0xF8846000 Size: 19936 File Visible: -

Status: -

Name: rasacd.sys

Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys

Address: 0xF8A9A000 Size: 8832 File Visible: -

Status: -

Name: rasl2tp.sys

Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys

Address: 0xF7901000 Size: 51328 File Visible: -

Status: -

Name: raspppoe.sys

Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys

Address: 0xF78F1000 Size: 41472 File Visible: -

Status: -

Name: raspptp.sys

Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys

Address: 0xF78E1000 Size: 48384 File Visible: -

Status: -

Name: raspti.sys

Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys

Address: 0xF89B6000 Size: 16512 File Visible: -

Status: -

Name: RAW

Image Path: \FileSystem\RAW

Address: 0x804D7000 Size: 2252800 File Visible: -

Status: -

Name: rdbss.sys

Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys

Address: 0xF332A000 Size: 174592 File Visible: -

Status: -

Name: RDPCDD.sys

Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys

Address: 0xF8B16000 Size: 4224 File Visible: -

Status: -

Name: rdpdr.sys

Image Path: C:\WINDOWS\System32\DRIVERS\rdpdr.sys

Address: 0xF681C000 Size: 196864 File Visible: -

Status: -

Name: redbook.sys

Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys

Address: 0xF8816000 Size: 57472 File Visible: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xEEF7C000 Size: 45056 File Visible: No

Status: -

Name: Rtnicxp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys

Address: 0xF6AEC000 Size: 104320 File Visible: -

Status: -

Name: secdrv.sys

Image Path: C:\WINDOWS\System32\DRIVERS\secdrv.sys

Address: 0xF0619000 Size: 40960 File Visible: -

Status: -

Name: serenum.sys

Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys

Address: 0xF83B9000 Size: 15488 File Visible: -

Status: -

Name: serial.sys

Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys

Address: 0xF87D6000 Size: 64896 File Visible: -

Status: -

Name: srv.sys

Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys

Address: 0xF0734000 Size: 333184 File Visible: -

Status: -

Name: STREAM.SYS

Image Path: C:\WINDOWS\system32\drivers\STREAM.SYS

Address: 0xF87B6000 Size: 49152 File Visible: -

Status: -

Name: sunkfilt.sys

Image Path: C:\WINDOWS\System32\Drivers\sunkfilt.sys

Address: 0xF88DE000 Size: 26368 File Visible: -

Status: -

Name: swenum.sys

Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys

Address: 0xF8B04000 Size: 4352 File Visible: -

Status: -

Name: sysaudio.sys

Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys

Address: 0xF09DB000 Size: 60800 File Visible: -

Status: -

Name: tcpip.sys

Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys

Address: 0xF34AC000 Size: 360960 File Visible: -

Status: -

Name: TDI.SYS

Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS

Address: 0xF89A6000 Size: 20480 File Visible: -

Status: -

Name: termdd.sys

Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys

Address: 0xF78C1000 Size: 40704 File Visible: -

Status: -

Name: UACmejwqolw.sys

Image Path: C:\WINDOWS\system32\drivers\UACmejwqolw.sys

Address: 0xF7871000 Size: 61440 File Visible: -

Status: Hidden from Windows API!

Name: update.sys

Image Path: C:\WINDOWS\System32\DRIVERS\update.sys

Address: 0xF67C3000 Size: 364160 File Visible: -

Status: -

Name: usbccgp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys

Address: 0xF88CE000 Size: 31616 File Visible: -

Status: -

Name: USBD.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS

Address: 0xF8B06000 Size: 8192 File Visible: -

Status: -

Name: usbehci.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys

Address: 0xF8986000 Size: 26624 File Visible: -

Status: -

Name: usbhub.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys

Address: 0xF78A1000 Size: 57600 File Visible: -

Status: -

Name: USBPORT.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS

Address: 0xF6C35000 Size: 143360 File Visible: -

Status: -

Name: USBSTOR.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

Address: 0xF88E6000 Size: 26496 File Visible: -

Status: -

Name: usbuhci.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys

Address: 0xF897E000 Size: 20480 File Visible: -

Status: -

Name: vga.sys

Image Path: C:\WINDOWS\System32\drivers\vga.sys

Address: 0xF88A6000 Size: 20992 File Visible: -

Status: -

Name: VIDEOPRT.SYS

Image Path: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS

Address: 0xF6C58000 Size: 81920 File Visible: -

Status: -

Name: VolSnap.sys

Image Path: VolSnap.sys

Address: 0xF85F6000 Size: 52352 File Visible: -

Status: -

Name: wanarp.sys

Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys

Address: 0xF8696000 Size: 34560 File Visible: -

Status: -

Name: watchdog.sys

Image Path: C:\WINDOWS\System32\watchdog.sys

Address: 0xF896E000 Size: 20480 File Visible: -

Status: -

Name: wdmaud.sys

Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys

Address: 0xF0786000 Size: 82944 File Visible: -

Status: -

Name: Win32k

Image Path: \Driver\Win32k

Address: 0xBF800000 Size: 1847296 File Visible: -

Status: -

Name: win32k.sys

Image Path: C:\WINDOWS\System32\win32k.sys

Address: 0xBF800000 Size: 1847296 File Visible: -

Status: -

Name: WMILIB.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS

Address: 0xF8AB8000 Size: 8192 File Visible: -

Status: -

Name: WMIxWDM

Image Path: \Driver\WMIxWDM

Address: 0x804D7000 Size: 2252800 File Visible: -

Status: -

Sorry post takes so long, I have to transfer info from pc to my laptop.

And MBAM will not start.
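The driver scan above is the only view that shows anything: the rootkit runs as a kernel driver rather than a process, so Process Explorer's process list is clean, while RootRepeal, which enumerates loaded kernel modules on its own and compares them with what the Windows API reports, flags UACmejwqolw.sys as "Hidden from Windows API!". Reading a report of that length by eye is error-prone. As an added example (not RootRepeal's code and not part of the original post), the script below parses the "Drivers" section in the layout pasted above and lists the entries worth a second look. Its allowlist of drivers that legitimately have no file on disk (the dump_* crash-dump copies and the scanning tools' own drivers, which are written out at run time and deleted afterwards) and its "UAC" random-suffix name pattern, taken from the one name in this report, are assumptions of the example rather than vendor signatures.

```python
"""Triage a RootRepeal 'Drivers' report in the layout pasted in the post above.

Added example; not part of the original post and not RootRepeal code.
Assumptions: the BENIGN_INVISIBLE allowlist and the SUSPECT_NAME_RE pattern,
which is modelled on the single name seen in this report.
"""
import re
from fnmatch import fnmatchcase

# Constructed sample: a short excerpt of the poster's report, same layout.
SAMPLE_REPORT = r"""
ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/04/07 18:57
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF2456000 Size: 98304 File Visible: No
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF8435000 Size: 574464 File Visible: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF8AF0000 Size: 7872 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEEF7C000 Size: 45056 File Visible: No
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xF34AC000 Size: 360960 File Visible: -
Status: -

Name: UACmejwqolw.sys
Image Path: C:\WINDOWS\system32\drivers\UACmejwqolw.sys
Address: 0xF7871000 Size: 61440 File Visible: -
Status: Hidden from Windows API!
"""

# One record = four consecutive lines: Name / Image Path / Address,Size,File Visible / Status
ENTRY_RE = re.compile(
    r"Name:[ \t]*(?P<name>\S+)\s+"
    r"Image Path:[ \t]*(?P<path>[^\n]+?)\s+"
    r"Address:[ \t]*(?P<addr>0x[0-9A-Fa-f]+)[ \t]+Size:[ \t]*(?P<size>\d+)[ \t]+"
    r"File Visible:[ \t]*(?P<visible>\S+)\s+"
    r"Status:[ \t]*(?P<status>[^\n]+)"
)

# Drivers expected to have no file on disk: crash-dump copies of the boot
# storage stack, and the drivers the scanning tools unpack while they run.
# This allowlist is an assumption of the example; extend it for your own tools.
BENIGN_INVISIBLE = ("dump_*", "procexp*.sys", "rootrepeal.sys")

# "UAC" followed by random lowercase letters, modelled on UACmejwqolw.sys in
# this report (assumption; not a general signature for the family).
SUSPECT_NAME_RE = re.compile(r"^UAC[a-z]{6,12}\.sys$")


def parse_drivers(text):
    """Return one dict per driver record found in the report."""
    return [
        {"name": m["name"], "path": m["path"].strip(), "base": int(m["addr"], 16),
         "size": int(m["size"]), "visible": m["visible"], "status": m["status"].strip()}
        for m in ENTRY_RE.finditer(text)
    ]


def triage(entries, allow=BENIGN_INVISIBLE):
    """Return (name, [reasons]) for every driver that deserves a closer look.

    Three checks: RootRepeal's own verdict in the Status column, a loaded
    module with no visible file that is not on the allowlist, and the name
    pattern above.  Each is independent so a finding lists every reason.
    """
    findings = []
    for e in entries:
        reasons = []
        if e["status"] != "-":
            reasons.append("status: " + e["status"])
        if e["visible"].lower() == "no" and not any(
                fnmatchcase(e["name"].lower(), pat) for pat in allow):
            reasons.append("loaded in kernel but no file visible on disk")
        if SUSPECT_NAME_RE.match(e["name"]):
            reasons.append("name matches the UAC random-suffix pattern")
        if reasons:
            findings.append((e["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_drivers(SAMPLE_REPORT)):
        print(name)
        for r in reasons:
            print("   -", r)
```

Run against the excerpt, only UACmejwqolw.sys is reported, for two independent reasons; the three drivers with "File Visible: No" are explained by the allowlist, and passing an empty allowlist brings them back into the output, which is the quickest way to see what the allowlist is hiding from you.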


Okay, let's try this then. Please see if this will run in normal mode, if not then try in Safe Mode.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


I downloaded ComboFix on my laptop then moved it to my pc via SD card & placed it on my pc's desktop.

Stopped McAfee A/V & firewall, double clicked ComboFix & it will not start. You can see it in the Windows Task Manager, but it doesn't start.

What's next??


Well if you can't get any of these tools running then please try the following.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here
  • Place a blank CD in your burner and double-click on the downloaded file named rescuecd.exe
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues

  1. Please see the post here if you're unable to view the entire screen of Avira.
  2. You can also review this one: Fixed Rescue CD Resolution Probs with Dell Video
  3. Currently only the German keyboard is supported. Command Line not working; English keyboards require work arounds.

  4. Some computers attempt to mount the floppy even though they don't have one. You may need to go in to the BIOS and disable the floppy drive in order to mount your hard drive for scanning.


Hey Advanced,

I remember seeing somewhere on this forum that said to download ComboFix but save it as Comb-Fix.

So while waiting for my laptop to burn the Avira Antivir Rescue System, I decided to try it.

ComboFix started working & found the following Rootkit files.

ComboFix has detected the presence of rootkit activity and needs to reboot the machine.

Kindly note down on paper, the name of each file. We may need it later.

C:\WINDOWS\system32\drivers\UACmejwqolw.sys

C:\WINDOWS\system32\UAChxvrbltf.dll

C:\WINDOWS\system32\UACiqpxuwkm.dat

C:\WINDOWS\system32\UACxypiexwk.dll

C:\WINDOWS\system32\UACosvtxbxn.dll

C:\WINDOWS\system32\UACeoeuyful.dll

C:\WINDOWS\system32\UAChtargskd.db

C:\WINDOWS\system32\UACpbpxuvuo.dll

C:\WINDOWS\system32\UACfwqvtxbw.dll

C:\WINDOWS\system32\UACajkmgxti.log

C:\WINDOWS\system32\UACfeeqtklr.log

C:\WINDOWS\system32\UACloyqxvml.log

I let ComboFix continue after writing these down, it rebooted the system, then said that it was deleting these files. It just finished running all of the stages & it just rebooted again.

More to come after booting back up.


Sorry for the typo, I saved ComboFix when I downloaded it to Combo-Fix.

I am now running MBAM & no more internet re-directs. When I am finished running MBAM, I will start HiJackThis & send you the log file for it.

For now, here's the ComboFix Log File.

ComboFix 09-04-04.01 - Mom 2009-04-07 22:06:04.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.252 [GMT -5:00]

Running from: c:\documents and settings\Mom\Desktop\Combo-Fix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated)

FW: McAfee Personal Firewall *disabled*

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Downloaded Program Files\Quarantine

c:\windows\system\oeminfo.ini

c:\windows\system32\drivers\UACmejwqolw.sys

c:\windows\system32\ntnet.drv

c:\windows\system32\UACajkmgxti.log

c:\windows\system32\UACeoeuyful.dll

c:\windows\system32\UACfeeqtklr.log

c:\windows\system32\UACfwqvtxbw.dll

c:\windows\system32\UAChtargskd.db

c:\windows\system32\UAChxvrbltf.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACiqpxuwkm.dat

c:\windows\system32\UACloyqxvml.log

c:\windows\system32\UACosvtxbxn.dll

c:\windows\system32\UACpbpxuvuo.dll

c:\windows\system32\UACxypiexwk.dll

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

-------\Legacy_RPCPATCH

-------\Legacy_RPCTFTPD

((((((((((((((((((((((((( Files Created from 2009-03-08 to 2009-04-08 )))))))))))))))))))))))))))))))

.

2009-04-05 18:09 . 2009-04-05 18:11 <DIR> d-------- c:\program files\Help

2009-04-01 22:41 . 2009-04-01 22:41 <DIR> d-------- c:\documents and settings\Mom\DoctorWeb

2009-03-31 22:08 . 2009-03-31 22:08 <DIR> d----c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

2009-03-31 16:01 . 2009-03-31 16:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Juniper Networks

2009-03-29 17:01 . 2009-04-07 18:44 1,896,749 --a------ c:\windows\system32\uactmp.db

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-05 23:30 --------- d-----w c:\documents and settings\Administrator\Application Data\Lavasoft

2009-04-05 23:11 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-04-05 23:05 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-04-02 03:06 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-03-01 17:47 --------- d-----w c:\program files\ArcSoft

2009-02-18 00:16 --------- d-----w c:\documents and settings\Mom\Application Data\Juniper Networks

2009-02-17 00:16 --------- d-----w c:\program files\Common Files\AnswerWorks 5.0

2009-02-17 00:14 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit

2009-02-17 00:13 --------- d-----w c:\program files\Common Files\Intuit

2009-02-17 00:10 --------- d-----w c:\program files\TurboTax

2005-01-22 01:56 0 -csha-w c:\windows\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-08-15 3092480]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-07-10 114688]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-09-20 4583424]

"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-22 98304]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]

"nwiz"="nwiz.exe" [2004-09-20 c:\windows\system32\nwiz.exe]

"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\Alcxmntr.exe]

c:\documents and settings\Andrew\Start Menu\Programs\Startup\

AutoTBar.exe [2003-06-18 53248]

mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-07 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"= sysaudio.sys

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^Sid Registration.lnk]

path=c:\documents and settings\Dad\Start Menu\Programs\Startup\Sid Registration.lnk

backup=c:\windows\pss\Sid Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]

--a--c--- 2003-06-22 23:25 24576 c:\program files\Hewlett-Packard\Digital Imaging\bin\BackupNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]

--a--c--- 2002-10-07 09:23 90112 c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

--a--c--- 2003-05-28 22:12 143360 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]

--a--c--- 2003-12-10 04:52 380928 c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2005-01-22 18:09 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a--c--- 2004-09-28 21:26 32881 c:\program files\Java\j2re1.4.2_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a--c--- 2005-01-28 16:15 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

--a--c--- 2003-08-19 02:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]

--a--c--- 2004-05-10 19:40 64512 c:\program files\WildTangent\Apps\CDA\CDAEngine0400.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\WINDOWS\\system32\\dxdiag.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\WINDOWS\\system32\\mshta.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=

"c:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 NEOFLTR_500_8897;Juniper Networks TDI Filter Driver (NEOFLTR_500_8897);c:\windows\system32\drivers\NEOFLTR_500_8897.sys [2005-07-27 56038]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-17 203280]

S2 CX88XBAR;Conexant 2388x Crossbar Dual Input;c:\windows\system32\drivers\CX88XBARDUAL.sys --> c:\windows\system32\drivers\CX88XBARDUAL.sys [?]

S3 krdpdre;krdpdre;\??\c:\docume~1\Dad\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\Dad\LOCALS~1\Temp\krdpdre.sys [?]

S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [2006-06-30 32000]

S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [2006-06-30 28057]

S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [2006-06-30 21081]

S3 WiselinkPro;SAMSUNG WiselinkPro Service;c:\program files\SAMSUNG\SAMSUNG PC Share Manager\WiselinkPro.exe [2009-01-26 6795333]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.

Contents of the 'Scheduled Tasks' folder

2008-12-18 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2008-12-18 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2008-12-23 c:\windows\Tasks\{0E71A998-55BF-44C3-828D-3E422D0F2561}_DEN_Administrator.job

- c:\windows\system32\mobsync.exe [2004-08-10 14:00]

2009-04-01 c:\windows\Tasks\{2038B94A-6254-4988-A85D-8118BC8D2482}_DEN_Administrator.job

- c:\windows\system32\mobsync.exe [2004-08-10 14:00]

2009-03-27 c:\windows\Tasks\{F98E5278-55E0-4992-8DC0-BFF9E90747B8}_DEN_Administrator.job

- c:\windows\system32\mobsync.exe [2004-08-10 14:00]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-DXDllRegExe - dxdllreg.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyOverride = localhost

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - hxxps://mobile.coair.com/llclient/postsp/winxp/,DanaInfo=10.192.130.35,CT=java+AXXPEE.dll

DPF: {A9C70AF0-0F2A-11D1-B230-0000C08C00C4} - hxxp://insidetis.coair.com/edocs/cabs/ssdw3b32.cab

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-07 22:13:44

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Juniper Networks\Common Files\dsNcService.exe

c:\windows\eHome\ehrecvr.exe

c:\windows\eHome\ehSched.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\McAfee\MPF\MpfSrv.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\fxssvc.exe

c:\windows\eHome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\progra~1\McAfee.com\Agent\mcagent.exe

c:\windows\system32\wscntfy.exe

c:\windows\eHome\ehmsas.exe

c:\windows\system32\rundll32.exe

c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe

c:\progra~1\McAfee\MSC\mcuimgr.exe

.

**************************************************************************

.

Completion time: 2009-04-07 22:18:41 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-08 03:18:38

Pre-Run: 51,692,417,024 bytes free

Post-Run: 51,876,364,288 bytes free

214 --- E O F --- 2009-03-24 01:56:02

#########################################################################

All of this happened when my wife was logged on the pc under her logon. Will I need to run any of the other programs under my login & my son's? Or do I need to boot into Safe Mode & run any programs as the Administrator?

More logs to come later!

Thanks for your help tonight!

Regards,

NeedhelpinTX


Ok, Here's my MBAM scan. While I was doing the scan, McAfee alerted me to the Trojans again & they were quarantined.

Malwarebytes' Anti-Malware 1.36

Database version: 1950

Windows 5.1.2600 Service Pack 2

4/8/2009 12:22:51 AM

mbam-log-2009-04-08 (00-22-51).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 276582

Time elapsed: 1 hour(s), 53 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Here's what McAfee did during the MBAM scan.

McAfee Real-Time Scan report:

4/7/09 11:45:03 PM DNSChanger.r (Trojan), DNSChanger.r (Trojan) - Repaired (removed)

4/7/09 11:45:09 PM DNSChanger.r (Trojan), DNSChanger.r (Trojan) - Repaired (removed)

4/7/09 11:45:15 PM DNSChanger.r (Trojan), DNSChanger.r (Trojan) - Repaired (removed)

4/7/09 11:46:55 PM DNSChanger.r (Trojan), DNSChanger.r (Trojan) - Repaired (removed)

4/7/09 11:47:02 PM DNSChanger.gen (Trojan), DNSChanger.gen (Trojan) - Repaired (removed)

4/7/09 11:47:08 PM DNSChanger.gen (Trojan), DNSChanger.gen (Trojan) - Repaired (removed)

4/7/09 11:47:11 PM DNSChanger.r (Trojan), DNSChanger.r (Trojan) - Repaired (removed)

4/7/09 11:47:13 PM DNSChanger.r (Trojan), DNSChanger.r (Trojan) - Repaired (removed)

4/7/09 11:47:15 PM DNSChanger.r (Trojan), DNSChanger.r (Trojan) - Repaired (removed)

4/7/09 11:47:17 PM DNSChanger.r (Trojan), DNSChanger.r (Trojan) - Repaired (removed)

At least there isn't any FakeAlert.k or FakeAlert-AB this time.

I will be running HiJackThis in the afternoon when I get home from work. I will post that log too.

Regards


STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

File::
c:\windows\system32\uactmp.db
c:\docume~1\Dad\LOCALS~1\Temp\krdpdre.sys

Driver::
krdpdre

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt".

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Click on START - RUN and type in MSCONFIG and set it to Normal Startup and RESTART the computer

STEP 03

Click on START - RUN and type in or copy / paste NETSH FIREWALL RESET (there is a space between each word) then hit the OK button.

STEP 04

Download this, then disconnect from the Internet and disable your current Anti-Virus (delete your current AV quarantine area first)

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language
  • Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages Archive = Move, E-mails = Report, Containers = Move
    • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked

  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: Leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.


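The CFScript in STEP 01 names exactly the two leftovers that stand out in the posted ComboFix log (uactmp.db in system32 and a driver registered from a user's Temp folder), and STEP 03 resets the firewall policy the log showed disabled. As an added example, not part of this thread and not ComboFix's own tooling, the following Python script picks those same kinds of indicators out of ComboFix log lines so the triage is repeatable; the sample lines are copied from the log posted above, and the rule names and functions are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the ComboFix log posted
# earlier in this thread, in the order ComboFix printed them.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\UACmejwqolw.sys
2009-03-29 17:01 . 2009-04-07 18:44 1,896,749 --a------ c:\windows\system32\uactmp.db
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 NEOFLTR_500_8897;Juniper Networks TDI Filter Driver (NEOFLTR_500_8897);c:\windows\system32\drivers\NEOFLTR_500_8897.sys [2005-07-27 56038]
S3 krdpdre;krdpdre;\??\c:\docume~1\Dad\LOCALS~1\Temp\krdpdre.sys --> c:\docume~1\Dad\LOCALS~1\Temp\krdpdre.sys [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
"""


@dataclass(frozen=True)
class Finding:
    rule: str      # short rule name (my own labels)
    detail: str    # what matched: file, service or registry key


# ComboFix mixes path case (c:\windows vs C:\WINDOWS), so patterns are case-insensitive.
REG_KEY = re.compile(r"^\[(.+)\]$")
# Files under system32 (or system32\drivers) whose names start with "uac":
# the naming pattern of the components ComboFix deleted in the log above.
UAC_FILE = re.compile(r"\\system32\\(?:drivers\\)?(uac\w+\.(?:sys|dll|dat|db|log))\b", re.I)
# ComboFix service/driver lines: "<R|S><start type> <name>;<display name>;<image path> ..."
SERVICE_LINE = re.compile(r"^[RS][0-4]\s+([^;]+);([^;]*);(.+)$")
TEMP_PATH = re.compile(r"\\temp\\", re.I)
AUTORUN_CMD = re.compile(r"\\Shell\\AutoRun\\command\s*-\s*(.+)$", re.I)
MONITORING_OFF = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b', re.I)


def triage(log_text: str) -> list[Finding]:
    """Walk ComboFix log text and return the indicators a responder would act on."""
    findings: list[Finding] = []
    current_key = ""  # most recent [registry key] header seen; values below belong to it
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = REG_KEY.match(line)
        if key:
            current_key = key.group(1)
            continue
        uac = UAC_FILE.search(line)
        if uac:
            findings.append(Finding("uac-component", uac.group(1)))
            continue
        svc = SERVICE_LINE.match(line)
        if svc and TEMP_PATH.search(svc.group(3)):
            # A kernel driver whose image lives in a user's Temp folder is never legitimate.
            findings.append(Finding("driver-in-temp", svc.group(1).strip()))
            continue
        if MONITORING_OFF.match(line) and "security center" in current_key.lower():
            findings.append(Finding("security-center-off", current_key))
            continue
        if FIREWALL_OFF.match(line) and "firewallpolicy" in current_key.lower():
            findings.append(Finding("firewall-off", current_key))
            continue
        cmd = AUTORUN_CMD.search(line)
        if cmd and "mountpoints2" in current_key.lower():
            drive = current_key.rsplit("\\", 1)[-1]
            findings.append(Finding("autorun-command", f"{drive}: {cmd.group(1)}"))
    return findings


def rules_hit(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, for a one-line summary."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:22} {f.detail}")
    print(rules_hit(triage(SAMPLE_LOG)))
```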

Here's my HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:53:07 PM, on 4/8/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\McAfee\VirusScan\McShield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\Multimedia Card Reader\shwicon2k.exe

C:\WINDOWS\LTMSG.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hewlett-packard\digital imaging\bin\hpdtlk02.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

O4 - HKLM\..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe

O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')

O4 - .DEFAULT User Startup: Sid Registration.lnk = E:\ATR1.exe (User 'Default user')

O4 - Startup: Sid Registration.lnk = E:\ATR1.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll

O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://mobile.coair.com/llclient/postsp/wi...java+AXXPEE.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106426461718

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {A9C70AF0-0F2A-11D1-B230-0000C08C00C4} (SSDBCombo Control 3.1) - http://insidetis.coair.com/edocs/cabs/ssdw3b32.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {CBBD6FA7-2384-11D1-A8C9-0040C7116154} (HostFront ActiveX Display) - http://sna.coair.com/HFACTX/HFDSP.CAB

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

O23 - Service: SAMSUNG WiselinkPro Service (WiselinkPro) - Unknown owner - C:\Program Files\SAMSUNG\SAMSUNG PC Share Manager\WiselinkPro.exe

--

End of file - 9906 bytes

I will continue with the next steps from your last post.


Here's the 2nd ComboFix Scan Log Report

ComboFix 09-04-04.01 - Mom 2009-04-08 17:11:26.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.198 [GMT -5:00]

Running from: c:\documents and settings\Mom\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Mom\Desktop\CFscript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated)

FW: McAfee Personal Firewall *enabled*

* Created a new restore point

FILE ::

c:\docume~1\Dad\LOCALS~1\Temp\krdpdre.sys

c:\windows\system32\uactmp.db

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\uactmp.db

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_KRDPDRE

-------\Service_krdpdre

((((((((((((((((((((((((( Files Created from 2009-03-08 to 2009-04-08 )))))))))))))))))))))))))))))))

.

2009-04-08 16:52 . 2009-04-08 16:52 <DIR> d-------- c:\program files\Trend Micro

2009-04-05 18:09 . 2009-04-05 18:11 <DIR> d-------- c:\program files\Help

2009-04-01 22:41 . 2009-04-01 22:41 <DIR> d-------- c:\documents and settings\Mom\DoctorWeb

2009-03-31 22:08 . 2009-03-31 22:08 <DIR> d----c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

2009-03-31 16:01 . 2009-03-31 16:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Juniper Networks

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-08 03:28 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-06 20:32 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 20:32 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-05 23:30 --------- d-----w c:\documents and settings\Administrator\Application Data\Lavasoft

2009-04-05 23:11 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-04-05 23:05 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-03-01 17:47 --------- d-----w c:\program files\ArcSoft

2009-02-18 00:16 --------- d-----w c:\documents and settings\Mom\Application Data\Juniper Networks

2009-02-17 00:16 --------- d-----w c:\program files\Common Files\AnswerWorks 5.0

2009-02-17 00:14 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit

2009-02-17 00:13 --------- d-----w c:\program files\Common Files\Intuit

2009-02-17 00:10 --------- d-----w c:\program files\TurboTax

2005-01-22 01:56 0 -csha-w c:\windows\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-04-07_22.17.30.98 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-04-08 01:56:55 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-04-08 21:56:04 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-04-08 01:56:55 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-04-08 21:56:04 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-04-08 01:56:55 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-04-08 21:56:04 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-08-15 3092480]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-07-10 114688]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-09-20 4583424]

"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-22 98304]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]

"nwiz"="nwiz.exe" [2004-09-20 c:\windows\system32\nwiz.exe]

"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\Alcxmntr.exe]

c:\documents and settings\Andrew\Start Menu\Programs\Startup\

AutoTBar.exe [2003-06-18 53248]

mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-07 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"= sysaudio.sys

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^Sid Registration.lnk]

path=c:\documents and settings\Dad\Start Menu\Programs\Startup\Sid Registration.lnk

backup=c:\windows\pss\Sid Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]

--a--c--- 2003-06-22 23:25 24576 c:\program files\Hewlett-Packard\Digital Imaging\bin\BackupNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]

--a--c--- 2002-10-07 09:23 90112 c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

--a--c--- 2003-05-28 22:12 143360 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]

--a--c--- 2003-12-10 04:52 380928 c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2005-01-22 18:09 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a--c--- 2004-09-28 21:26 32881 c:\program files\Java\j2re1.4.2_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a--c--- 2005-01-28 16:15 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

--a--c--- 2003-08-19 02:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]

--a--c--- 2004-05-10 19:40 64512 c:\program files\WildTangent\Apps\CDA\CDAEngine0400.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\WINDOWS\\system32\\dxdiag.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\WINDOWS\\system32\\mshta.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=

"c:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 NEOFLTR_500_8897;Juniper Networks TDI Filter Driver (NEOFLTR_500_8897);c:\windows\system32\drivers\NEOFLTR_500_8897.sys [2005-07-27 56038]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-17 203280]

S2 CX88XBAR;Conexant 2388x Crossbar Dual Input;c:\windows\system32\drivers\CX88XBARDUAL.sys --> c:\windows\system32\drivers\CX88XBARDUAL.sys [?]

S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [2006-06-30 32000]

S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [2006-06-30 28057]

S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [2006-06-30 21081]

S3 WiselinkPro;SAMSUNG WiselinkPro Service;c:\program files\SAMSUNG\SAMSUNG PC Share Manager\WiselinkPro.exe [2009-01-26 6795333]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.

Contents of the 'Scheduled Tasks' folder

2008-12-18 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2008-12-18 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 14:32]

2008-12-23 c:\windows\Tasks\{0E71A998-55BF-44C3-828D-3E422D0F2561}_DEN_Administrator.job

- c:\windows\system32\mobsync.exe [2004-08-10 14:00]

2009-04-01 c:\windows\Tasks\{2038B94A-6254-4988-A85D-8118BC8D2482}_DEN_Administrator.job

- c:\windows\system32\mobsync.exe [2004-08-10 14:00]

2009-03-27 c:\windows\Tasks\{F98E5278-55E0-4992-8DC0-BFF9E90747B8}_DEN_Administrator.job

- c:\windows\system32\mobsync.exe [2004-08-10 14:00]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyOverride = localhost

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - hxxps://mobile.coair.com/llclient/postsp/winxp/,DanaInfo=10.192.130.35,CT=java+AXXPEE.dll

DPF: {A9C70AF0-0F2A-11D1-B230-0000C08C00C4} - hxxp://insidetis.coair.com/edocs/cabs/ssdw3b32.cab

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-08 17:19:58

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Juniper Networks\Common Files\dsNcService.exe

c:\windows\eHome\ehrecvr.exe

c:\windows\eHome\ehSched.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\McAfee\MPF\MpfSrv.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\fxssvc.exe

c:\windows\eHome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\progra~1\McAfee.com\Agent\mcagent.exe

c:\windows\system32\wscntfy.exe

c:\windows\eHome\ehmsas.exe

c:\windows\system32\rundll32.exe

c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe

c:\progra~1\McAfee\MSC\mcuimgr.exe

.

**************************************************************************

.

Completion time: 2009-04-08 17:25:04 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-08 22:25:00

ComboFix2.txt 2009-04-08 03:18:44

Pre-Run: 51,842,473,984 bytes free

Post-Run: 51,822,358,528 bytes free

211 --- E O F --- 2009-03-24 01:56:02

I also finished the following:

Step 2 - MSCONFIG = Normal Startup

Step 3 - NETSH FIREWALL RESET

Step 4 - Downloaded Dr Web-cureit, disconnected internet, disabled McAfee A/V & removed AV quarantines.

Now this Warning message pops up every once in a while.

Microsoft .NET Framework Alert Box Message

An unhandled exception has occurred in your application. If you click Continue, the application will ignore this error and attempt to continue. If you click Quit, the application will be shut down immediately.

The system cannot find the file specified.

Details

See the end of this message for details on invoking just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************

System.ComponentModel.Win32Exception: The system cannot find the file specified

at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo startInfo)

at System.Diagnostics.Process.Start()

at System.Diagnostics.Process.Start(ProcessStartInfo startInfo)

at System.Diagnostics.Process.Start(String fileName, String arguments)

at BackupNotify.BackupNotify.LaunchReminder()

at BackupNotify.BackupNotify.timer1_Tick(Object sender, EventArgs e)

at System.Windows.Forms.Timer.OnTick(EventArgs e)

at System.Windows.Forms.Timer.Callback(IntPtr hWnd, Int32 msg, IntPtr idEvent, IntPtr dwTime)

************** Loaded Assemblies **************

mscorlib

Assembly Version: 1.0.5000.0

Win32 Version: 1.1.4322.2407

CodeBase: file:///c:/windows/microsoft.net/framework/v1.1.4322/mscorlib.dll

----------------------------------------

BackupNotify

Assembly Version: 1.0.1268.24163

Win32 Version: 1.0.1268.24163

CodeBase: file:///C:/Program%20Files/Hewlett-Packard/Digital%20Imaging/bin/backupnotify.exe

----------------------------------------

System.Windows.Forms

Assembly Version: 1.0.5000.0

Win32 Version: 1.1.4322.2032

CodeBase: file:///c:/windows/assembly/gac/system.windows.forms/1.0.5000.0__b77a5c561934e089/system.windows.forms.dll

----------------------------------------

System

Assembly Version: 1.0.5000.0

Win32 Version: 1.1.4322.2407

CodeBase: file:///c:/windows/assembly/gac/system/1.0.5000.0__b77a5c561934e089/system.dll

----------------------------------------

Utilities

Assembly Version: 1.0.0.0

Win32 Version: 1.0.0.662

CodeBase: file:///C:/Program%20Files/Hewlett-Packard/Digital%20Imaging/bin/Utilities.DLL

----------------------------------------

System.Drawing

Assembly Version: 1.0.5000.0

Win32 Version: 1.1.4322.2032

CodeBase: file:///c:/windows/assembly/gac/system.drawing/1.0.5000.0__b03f5f7f11d50a3a/system.drawing.dll

----------------------------------------

System.Xml

Assembly Version: 1.0.5000.0

Win32 Version: 1.1.4322.2032

CodeBase: file:///c:/windows/assembly/gac/system.xml/1.0.5000.0__b77a5c561934e089/system.xml.dll

----------------------------------------

Localization

Assembly Version: 1.0.0.0

Win32 Version: 1.0.0.607

CodeBase: file:///C:/Program%20Files/Hewlett-Packard/Digital%20Imaging/bin/Localization.DLL

----------------------------------------

************** JIT Debugging **************

To enable just in time (JIT) debugging, the config file for this application or machine (machine.config) must have the jitDebugging value set in the system.windows.forms section. The application must also be compiled with debugging enabled.

For example:

<configuration>

<system.windows.forms jitDebugging="true" />

</configuration>

When JIT debugging is enabled, any unhandled exception will be sent to the JIT debugger registered on the machine rather than being handled by this dialog.

###################################################

I always click on "Continue".

Now I'm running Dr. Web-cureit as instructed. I will post the finished Dr Web log along with another HiJackThis log & then await further instructions.


Here's my Dr.Web-cureit log.

ComboFix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\Mom\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;

ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Mom\Desktop\ComboFix.exe/data002;Program.PsExec.171;;

data002;C:\Documents and Settings\Mom\Desktop;Archive contains infected objects;;

ComboFix.exe;C:\Documents and Settings\Mom\Desktop;Container contains infected objects;Moved.;

InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably MULDROP.Trojan;;

A0000039.bat;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0;Probably BATCH.Virus;;

A0000042.EXE;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0;Program.PsExec.170;Moved.;

A0000128.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0\A0000128.exe/data002;Probably BATCH.Virus;;

A0000128.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0\A0000128.exe/data002;Program.PsExec.171;;

data002;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0;Archive contains infected objects;;

A0000128.exe;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0;Container contains infected objects;Moved.;

A0000163.bat;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1;Probably BATCH.Virus;;

A0000166.EXE;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1;Program.PsExec.170;Moved.;

A0000233.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1\A0000233.exe/data002;Probably BATCH.Virus;;

A0000233.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1\A0000233.exe/data002;Program.PsExec.171;;

data002;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1;Archive contains infected objects;;

A0000233.exe;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1;Container contains infected objects;Moved.;

#############################################################

I think I made a mistake, because I accidentally clicked on the "Rename" button when I was trying to click on the "Cure" button at the bottom of the program. The program then renamed the following files:

InstallHelper.exe, A0000039.bat & A0000163.bat

The program left the 5 moved items the same, but now I cannot go back & do anything with the other 9 items. The next post is another Dr.Web log that I saved after my goof.


This is the 2nd Dr.Web log after clicking the "Rename" button.

ComboFix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\Mom\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;

ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Mom\Desktop\ComboFix.exe/data002;Program.PsExec.171;;

data002;C:\Documents and Settings\Mom\Desktop;Archive contains infected objects;;

ComboFix.exe;C:\Documents and Settings\Mom\Desktop;Container contains infected objects;Moved.;

InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably MULDROP.Trojan;Renamed.;

A0000039.bat;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0;Probably BATCH.Virus;Renamed.;

A0000042.EXE;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0;Program.PsExec.170;Moved.;

A0000128.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0\A0000128.exe/data002;Probably BATCH.Virus;;

A0000128.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0\A0000128.exe/data002;Program.PsExec.171;;

data002;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0;Archive contains infected objects;;

A0000128.exe;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP0;Container contains infected objects;Moved.;

A0000163.bat;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1;Probably BATCH.Virus;Renamed.;

A0000166.EXE;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1;Program.PsExec.170;Moved.;

A0000233.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1\A0000233.exe/data002;Probably BATCH.Virus;;

A0000233.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1\A0000233.exe/data002;Program.PsExec.171;;

data002;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1;Archive contains infected objects;;

A0000233.exe;C:\System Volume Information\_restore{A52B9333-83B8-4BCA-9C88-7ECB161F3534}\RP1;Container contains infected objects;Moved.;

Do I need to redo the scan again? I need to close Dr.Web, reboot & do another HiJackThis. Please let me know my next steps.


Here's the HiJackThis log to finish Step 4.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:34:13 PM, on 4/8/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\McAfee\VirusScan\McShield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\system32\dllhost.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\ehome\ehtray.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Multimedia Card Reader\shwicon2k.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\LTMSG.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\RUNDLL32.exe

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hewlett-packard\digital imaging\bin\hpdtlk02.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

O4 - HKLM\..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe

O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [backupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe

O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')

O4 - .DEFAULT User Startup: Sid Registration.lnk = E:\ATR1.exe (User 'Default user')

O4 - Startup: Sid Registration.lnk = E:\ATR1.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll

O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://mobile.coair.com/llclient/postsp/wi...java+AXXPEE.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106426461718

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {A9C70AF0-0F2A-11D1-B230-0000C08C00C4} (SSDBCombo Control 3.1) - http://insidetis.coair.com/edocs/cabs/ssdw3b32.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {CBBD6FA7-2384-11D1-A8C9-0040C7116154} (HostFront ActiveX Display) - http://sna.coair.com/HFACTX/HFDSP.CAB

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

O23 - Service: SAMSUNG WiselinkPro Service (WiselinkPro) - Unknown owner - C:\Program Files\SAMSUNG\SAMSUNG PC Share Manager\WiselinkPro.exe

--

End of file - 10899 bytes

No that looks fine.

You can delete Dr Web and the folder under your profile where it stored all the data.

Please remove or update your Adobe Acrobat.

Security Updates available for Adobe Reader and Acrobat

Also remove Java

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Then download and run this

    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup218.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

Then update MBAM again and scan again.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

No problem, I'll do those next. One question, I've been holding off on updating to XP SP3 for a while.

Ok to do that after I get the all clear?

Hello Advanced,

Ok, Java removed as instructed.

CCleaner ran, no problem with either.

Here's my MBAM Quick Scan & HiJackThis log as requested.

Malwarebytes' Anti-Malware 1.36

Database version: 1959

Windows 5.1.2600 Service Pack 2

4/9/2009 4:31:51 PM

mbam-log-2009-04-09 (16-31-51).txt

Scan type: Quick Scan

Objects scanned: 95765

Time elapsed: 7 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

##################################################

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:36:04 PM, on 4/9/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\McAfee\VirusScan\McShield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\ehome\ehtray.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\Multimedia Card Reader\shwicon2k.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\LTMSG.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\RUNDLL32.exe

C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hewlett-packard\digital imaging\bin\hpdtlk02.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

O4 - HKLM\..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe

O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [backupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')

O4 - .DEFAULT User Startup: Sid Registration.lnk = E:\ATR1.exe (User 'Default user')

O4 - Startup: Sid Registration.lnk = E:\ATR1.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll

O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://mobile.coair.com/llclient/postsp/wi...java+AXXPEE.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106426461718

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {A9C70AF0-0F2A-11D1-B230-0000C08C00C4} (SSDBCombo Control 3.1) - http://insidetis.coair.com/edocs/cabs/ssdw3b32.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

O16 - DPF: {CBBD6FA7-2384-11D1-A8C9-0040C7116154} (HostFront ActiveX Display) - http://sna.coair.com/HFACTX/HFDSP.CAB

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

O23 - Service: SAMSUNG WiselinkPro Service (WiselinkPro) - Unknown owner - C:\Program Files\SAMSUNG\SAMSUNG PC Share Manager\WiselinkPro.exe

--

End of file - 10525 bytes

###################################################################

How does it look?

Once I get an all clear, I'll upgrade to XP SP3. What about the new IE8??

Thanks!,

Soon to be NOT-NeedinghelpinTX!


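As an added example (not part of this thread, and not HijackThis's own code), the following Python script does mechanically what the helper does by eye with the logs above: it parses the classified "O2 - ...", "O4 - ...", "O23 - ..." entries, flags the items a helper checks first, and diffs a before/after log so you can confirm what a "Fix checked" actually removed. The sample entries are copied from the logs posted in this thread. The three flagging rules are heuristics chosen for this example, not HijackThis behaviour: entries whose file is gone ("(no file)" / "(file missing)") are orphans and safe to fix; an autorun launched from a drive other than C: is a prompt to verify, not a verdict (the helper judged the E:\ATR1.exe shortcut fine); and the "outdated runtime" pattern covers only the Java 1.4/1.5-era JREs and Acrobat/Reader 7.0 the helper asked to remove or update.

```python
"""Triage helper for HijackThis v2.x logs: parse the "On - ..." entries, flag the
items a forum helper checks first, and diff a before/after log to confirm a fix."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DRIVE_RE = re.compile(r'^"?([A-Za-z]):\\')
# Heuristic chosen for this example (not a HijackThis rule): the runtimes the helper in
# this thread asked to remove or update, i.e. Java 1.0-1.5 era JREs and Acrobat/Reader 7.0.
OUTDATED_RE = re.compile(r"j2re1\.[0-5]|jre1\.[0-5]|Acrobat 7\.0", re.IGNORECASE)

# Sample entries copied from the logs posted in this thread (before and after the
# Java/Adobe cleanup); headers and the running-process list are omitted on purpose.
LOG_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - Startup: Sid Registration.lnk = E:\ATR1.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
"""
LOG_AFTER = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Startup: Sid Registration.lnk = E:\ATR1.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
"""


@dataclass(frozen=True)
class Entry:
    section: str          # O2, O4, O23, ...
    body: str             # everything after "On - "
    clsid: Optional[str]  # {GUID} when the entry carries one
    target: str           # file or URL the entry loads, best effort


def _target(body: str) -> str:
    """Best-effort extraction of what an entry actually launches or loads."""
    if ".lnk = " in body:                                           # Startup-folder shortcut
        return body.split(".lnk = ", 1)[1].strip()
    if body.startswith(("HKLM", "HKCU", "HKU")) and "] " in body:   # Run-key value
        return body.split("] ", 1)[1].strip()
    return body.rsplit(" - ", 1)[-1].strip()                        # "name - {CLSID} - path"


def parse_hjt(text: str) -> list[Entry]:
    """Keep only the classified entries; headers, process list and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            section, body = m.groups()
            c = CLSID_RE.search(body)
            entries.append(Entry(section, body, c.group(0) if c else None, _target(body)))
    return entries


def flag_entries(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """(entry, reason) pairs worth a second look. Orphans are safe to 'Fix checked';
    the other two reasons are prompts to verify, not verdicts."""
    flagged = []
    for e in entries:
        if "(no file)" in e.body or "(file missing)" in e.body:
            flagged.append((e, "orphaned: referenced file is missing"))
        d = DRIVE_RE.match(e.target)
        if d and d.group(1).upper() != "C":
            flagged.append((e, f"autorun from non-system drive {d.group(1).upper()}:"))
        if OUTDATED_RE.search(e.target):
            flagged.append((e, "outdated runtime: update or remove"))
    return flagged


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """Entries removed by the fix and entries newly present, in log order."""
    b = [f"{e.section} - {e.body}" for e in parse_hjt(before)]
    a = [f"{e.section} - {e.body}" for e in parse_hjt(after)]
    return [x for x in b if x not in a], [x for x in a if x not in b]


if __name__ == "__main__":
    for e, why in flag_entries(parse_hjt(LOG_BEFORE)):
        print(f"[{e.section}] {why}: {e.target}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("\nremoved:", *removed, sep="\n  ")
    print("\nadded:", *added, sep="\n  ")
```

Run as a script it prints the flagged entries from the "before" log and then the two lines the Java/Adobe cleanup removed and the two it added. To use it on a real log, paste the full HijackThis output in place of the sample constants; unclassified lines (the process list, the "Logfile of Trend Micro HijackThis" header) are ignored by the parser.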
That looks good except the Adobe Acrobat Reader - did you go get an update? If not you really need to.

If it's just the reader you may want to remove the 7.x and install the 9.1.x version.

Then if you're all set let's do an online Anti-Virus scan to confirm no remaining issues.

Please run an Online Anti-Virus scan with either the Java or ActiveX version of Kaspersky

Java Version

Run Kaspersky Online AV Scanner

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases

  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

ActiveX version

Run Kaspersky Online AV Scanner

Using Internet Explorer Go to http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.

  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

I upgraded to Adobe Reader 9.1 after I ran MBAM & HiJackThis. I have ver 9.1.0 & the latest update.

I'll be doing the Kaspersky ActiveX version.

What about IE8??

Okay let's use HJT to remove some old entries then for Adobe Reader.

With all other applications closed (Taskbar empty), open HijackThis again

and run Do a system scan only and place a check mark on the following items.

  • O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
  • O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
  • O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    Then Quit All Browsers including the one you're reading this in now.
    Then click on Fix checked and then quit HJT

As for IE8 - some people like it, others are having conflicts with certain sites and/or plugins. You can install it (wait till SP3 is done and running well first) and then, if you do run into issues with any software that is not compatible, you can uninstall it and go back to IE7 if you really have to.

Ok, I had to run Kaspersky using Java. So I downloaded the latest Java Version you asked me to.

Kaspersky would only say that I needed Java when both of the links you gave were clicked.

And you're right, I put the kettle on (3 hour scan).

Here's the Kaspersky log.

KASPERSKY ONLINE SCANNER 7 REPORT

Thursday, April 9, 2009

Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Friday, April 10, 2009 00:26:31

Records in database: 2029347

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

E:\

F:\

G:\

H:\

I:\

J:\

Scan statistics:

Files scanned: 173116

Threat name: 0

Infected objects: 0

Suspicious objects: 0

Duration of the scan: 03:09:19

No malware has been detected. The scan area is clean.

The selected area was scanned.

#################################################

I then opened HiJackThis & deleted the old Java stuff. The only one left was

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

These two didn't show, I think that is because Reader 9.1 replaced them.

- O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

- O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

#################################################

Here's my HiJackThis log after running Kaspersky & after I deleted that one Java remnant:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:49:13 PM, on 4/9/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\McAfee\VirusScan\McShield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\fxssvc.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\ehome\ehtray.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Multimedia Card Reader\shwicon2k.exe

C:\WINDOWS\LTMSG.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\RUNDLL32.exe

C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hewlett-packard\digital imaging\bin\hpdtlk02.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

O4 - HKLM\..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe

O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [backupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe

O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')

O4 - .DEFAULT User Startup: Sid Registration.lnk = E:\ATR1.exe (User 'Default user')

O4 - Startup: Sid Registration.lnk = E:\ATR1.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll

O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://mobile.coair.com/llclient/postsp/wi...java+AXXPEE.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106426461718

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab

O16 - DPF: {A9C70AF0-0F2A-11D1-B230-0000C08C00C4} (SSDBCombo Control 3.1) - http://insidetis.coair.com/edocs/cabs/ssdw3b32.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

O16 - DPF: {CBBD6FA7-2384-11D1-A8C9-0040C7116154} (HostFront ActiveX Display) - http://sna.coair.com/HFACTX/HFDSP.CAB

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

O23 - Service: SAMSUNG WiselinkPro Service (WiselinkPro) - Unknown owner - C:\Program Files\SAMSUNG\SAMSUNG PC Share Manager\WiselinkPro.exe

--

End of file - 11136 bytes

#############################################################

The pc seems to be running like it did before the rootkit attack. I will try to put it through the paces tomorrow.

I will also log on under my login & my boys' to see how it runs there.

Let me know if it's okay & I'll download SP3 tomorrow or over the weekend. I'll hold off on IE8 for a while.

My next biggest task is to school my family on adware, malware, etc.

I really appreciate you, Malwarebytes & all the fighters against the bad for what you do!!

Have a good night!

Regards,

NHITX
