
PLEASE help me remove this virus or Malware. Thank you!



  • Root Admin

Well, now that you've reset the permissions, let's try running this tool again.

  • Download FixPolicies.exe by Bill Castner and save it to your desktop.
  • Double click on FixPolicies.exe to run it.
  • Click on Install. It will create a folder named FixPolicies on your desktop.
  • Open the FixPolicies folder.
  • Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.
  • Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip
  • Unzip the download. Open the folder VArestorepolicies, right-click the file inside, VArestorepolicies.INF, and choose Install.

From within IE go to Tools/Internet Options/Advanced and click on the RESET button. Then quit IE.

Then try running this Anti-Virus scanner from Kaspersky.

Run Kaspersky Online AV Scanner

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases

  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

It could be that something is broken with MSCONFIG too so let me do some research and see if I can find anything on that.


  • Root Admin

Is this the exact message you're getting?

"An Access Denied error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specified changes."

If so, it could be due to yourself or someone else attempting to set a Service to Disabled that cannot be disabled via MSCONFIG.

Start MSCONFIG and go to the SERVICES tab and try to click on ENABLE ALL and click OK and immediately reboot the computer.


Yes. I tried that many times and it still doesn't work. From the beginning, I used MSCONFIG to check to see if there was any weird stuff on the Startup tab. There was, so I tried to uncheck those weird Chinese characters and then I clicked Apply. This message showed up: "An Access Denied error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specified changes." I clicked OK and the above message showed up again. Then it gave me a choice to select either Restart or Exit Without Restart. I clicked Restart. Since then I can't make any changes at all. Firefox is acting kind of funny. Some of the websites I went to are redirecting me to my internet provider's site. When I use Internet Explorer or my internet provider's browser, it doesn't do that.

Should I just follow the steps in the message you posted at 11pm? THANK YOU!

Here is the new log from Malwarebytes Anti-Malware:

Malwarebytes' Anti-Malware 1.37

Database version: 2260

Windows 5.1.2600 Service Pack 3

6/10/2009 11:54:30 PM

mbam-log-2009-06-10 (23-54-30).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 266524

Time elapsed: 2 hour(s), 34 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Root Admin

Okay, well, let's try looking one more time for something hidden, but I'm not so sure there is.

STEP 01

Please download the following scanning tool: GMER

  • Download the randomly named EXE and copy the file to your Desktop. Remember what its name is.
  • Double click on the randomly named EXE file and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done, click on the SAVE button and browse to your Desktop and save the file as GMER.LOG.
  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.

STEP 02

RootRepeal - Rootkit Detector

  • Close ALL applications and as many items in the task tray as will stop and exit.
  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report.
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt, where your_name is your forum name. This makes it easier to track who the log belongs to.
  • Then open that log, select all, and copy/paste it back in your next reply please.
  • Quit the RootRepeal program.

STEP 03

Please download Rootkit Revealer

  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Close ALL windows and programs and do nothing on the pc while the scan runs. This includes games, browser windows, email clients, etc.
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

STEP 04

Please visit this site for instructions on using this tool: Haxfix instructions - updated

You can download HaxFix from that site, or from BleepingComputer.

On both sites you will always find an updated version of the tool.

Follow the directions from that site and post back the log.

STEP 05

Please click here to download AVP Tool by Kaspersky.

  • Save it to your desktop.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:
      System Memory
      Startup Objects
      Disk Boot Sectors
      My Computer
      Also any other drives (removable ones that you may have)

After that click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search, then choose OK.

Then choose OK again and you are back at the main screen.

  • Then click on Scan at the top right-hand corner.
  • It will automatically neutralize any objects found.
  • If some objects are left un-neutralized, click the button that says Neutralize all.
  • If it says an object cannot be neutralized, choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file named Kas.
  • Save it somewhere convenient like your desktop. Post only the detected virus/malware from the report (it will be at the very top under Detected) in your next reply.

    Note: This tool will self-uninstall when you close it, so please save the log before closing it.


I just tested Safe Mode. Is Safe Mode supposed to show many lines, something like "multi(0)disk(0)........", on a black screen before going into Safe Mode? If it is, then I can run it in Safe Mode. I think maybe I added the Recovery Console and then they let me boot into Safe Mode. I am not sure. I tried Step 2 but it won't let me scan and it crashes. I have also attached the GMER log file. Thanks for explaining the joke about the cat. Now I understand it. It is funny. I hope you have a sweet dream. THANK YOU!

ROOTREPEAL CRASH REPORT

-------------------------

Exception Code: 0xc0000005

Exception Address: 0x00412d1a

Attempt to read from address: 0x00ee2004


Hi, I only did the log file, because I don't know if you want me to run autofix from HAXFIX. I have attached the log file for Rootkit Revealer. For some reason Rootkit Revealer doesn't save correctly. I tried to save it on the desktop, but then an alert shows up saying something like the Rootkit Revealer program needs to be closed. It's kind of like frozen. It did that twice because I tried to scan again. When I look for the log files on the desktop they don't show up. Then I ran the Rootkit Revealer program again, clicked File, Save, then clicked rootkitrevealer and then Open. That's how I got the log file. I hope nothing's wrong with it. I thought I should let you know. THANK YOU!

HAXFIX logfile - by Marckie

version 5.081

Thu 06/11/2009 21:59:52.79

running from C:\HaxFix

--- Checking for Haxdoor ---

checking for a3d files

a3d files not found

checking for matching notify keys

no matching notify keys found

checking for matching services

matching services found

Aspi32

checking for matching safeboot services

no matching safeboot services found

--- Checking for Goldun - Spybanker ---

checking for SSODL keys

no ssodl keys found

checking for notify keys

no notify keys found

checking for services

no services found

checking for random used files and services

-- these files are not necessarily malicious

-- scanning all folders

C:\I386\NETEL90A.INF

C:\I386\NETEL980.INF

C:\I386\EVENTVWR.EXE

C:\I386\LPRHELP.DLL

C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\startStopIS.dll

no matching random used services found

checking for browser helper objects

no known browser helper objects found

checking for appinit files

no files found

checking for possible infected files

please submit these file here: http://www.bleepingcomputer.com/submit-mal....php?channel=11

no files found

checking for Active Setup Installed Components

no known Active Setup Installed Components found

checking iexplore.exe

iexplore.exe is not infected

--- Checking for other Goldun, Spybanker and Haxdoor files ---

no other Haxdoor or Goldun files found

--- Catchme logfile - thank you Gmer ---

catchme 0.3.1380.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-11 22:04:14

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

C:\WINDOWS\SYSTEM32\findstr.exe [2116] 0x82CD4840

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:19,da,35,d3,79,b1,46,f4,31,cb,51,2d,c2,25,55,76,60,69,84,9a,a1,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:19,da,35,d3,79,b1,46,f4,31,cb,51,2d,c2,25,55,76,60,69,84,9a,a1,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:19,da,35,d3,79,b1,46,f4,31,cb,51,2d,c2,25,55,76,60,69,84,9a,a1,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]

"TracesProcessed"=dword:000039d5

scanning hidden files ...

scan completed successfully

hidden processes: 1

hidden services: 0

hidden files: 0

--- Analysing Catchme logfile ---

no matching regkeys found

Finished!

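The catchme section of the HaxFix log above is the part worth reading closely: it lists what the scanner could see from kernel mode that the normal Windows APIs did not show (one hidden process, three hidden registry keys under sptd\Cfg, one hidden Prefetcher value) and closes with a count trailer. The following is an added example, not code from the thread or from HaxFix, catchme or GMER, of a small Python triage script that parses that log format, cross-checks the trailer against what was actually listed, and marks keys that legitimate software is known to hide. The sample text is constructed from the log posted above (one of the three identical ControlSet00x entries kept). The known-key table is an illustrative assumption: sptd.sys is the SCSI pass-through driver installed by Daemon Tools and Alcohol 120%, and it protects its own Cfg subkey, which is why it shows up in these logs so often; the Prefetcher counter is a volatile value. A hidden process that is a short-lived Windows utility such as findstr.exe started during the scan may well be the scanner's own helper, but the example deliberately leaves every hidden process marked "investigate" rather than guessing.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the catchme section of the HaxFix log posted above, keeping one of the
# three identical ControlSet00x\Services\sptd\Cfg entries for brevity.
SAMPLE_LOG = r"""
--- Catchme logfile - thank you Gmer ---
Rootkit scan 2009-06-11 22:04:14
scanning hidden processes ...
C:\WINDOWS\SYSTEM32\findstr.exe [2116] 0x82CD4840
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:19,da,35,d3,79,b1,46,f4,31,cb,51,2d,c2,25,55,76,60,69,84,9a,a1,..
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000039d5
scanning hidden files ...
scan completed successfully
hidden processes: 1
hidden services: 0
hidden files: 0
"""

SECTION_RE = re.compile(r"^scanning hidden (processes|services|registry|files)")
PROCESS_RE = re.compile(r"^(?P<image>.+?) \[(?P<pid>\d+)\] (?P<addr>0x[0-9A-Fa-f]+)$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
SUMMARY_RE = re.compile(r"^hidden (processes|services|files): (\d+)$")

# Assumed lookup table for illustration only: key fragments that legitimate software is known
# to hide. sptd.sys (SCSI pass-through driver shipped with Daemon Tools / Alcohol 120%) protects
# its own Cfg subkey; the Prefetcher counter is a volatile value that changes while the scan runs.
KNOWN_HIDDEN_KEYS = {
    r"\services\sptd\cfg": "sptd driver (Daemon Tools / Alcohol 120%) hides its own Cfg key",
    r"\currentversion\prefetcher": "volatile Windows Prefetcher counter",
}

@dataclass
class CatchmeReport:
    hidden_processes: list = field(default_factory=list)  # (image path, pid, EPROCESS address)
    hidden_services: list = field(default_factory=list)   # keys listed under "hidden services & system hive"
    hidden_registry: list = field(default_factory=list)   # keys listed under "hidden registry entries"
    hidden_files: list = field(default_factory=list)      # paths listed under "hidden files"
    summary: dict = field(default_factory=dict)           # the "hidden X: N" trailer

def parse_catchme(text):
    """Split a catchme log into its scan sections and the count trailer."""
    report = CatchmeReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary[m.group(1)] = int(m.group(2))
            continue
        if section == "processes":
            m = PROCESS_RE.match(line)
            if m:
                report.hidden_processes.append((m.group("image"), int(m.group("pid")), m.group("addr")))
        elif section in ("services", "registry"):
            m = KEY_RE.match(line)  # value lines ("name"=data) belong to the key above them
            if m:
                bucket = report.hidden_services if section == "services" else report.hidden_registry
                bucket.append(m.group("key"))
        elif section == "files" and not line.startswith("scan completed"):
            report.hidden_files.append(line)
    return report

def counts_match(report):
    """Cross-check the trailer against the listing; a truncated or edited paste shows up here."""
    return (report.summary.get("processes") == len(report.hidden_processes)
            and report.summary.get("files") == len(report.hidden_files))

def triage(report):
    """Return (kind, item, verdict) triples; anything not in the known table is 'investigate'."""
    findings = [("process", f"{image} pid={pid} eprocess={addr}", "investigate")
                for image, pid, addr in report.hidden_processes]
    for key in report.hidden_services + report.hidden_registry:
        verdict = "investigate"
        for fragment, note in KNOWN_HIDDEN_KEYS.items():
            if fragment in key.lower():
                verdict = "known: " + note
                break
        findings.append(("registry", key, verdict))
    findings += [("file", path, "investigate") for path in report.hidden_files]
    return findings

if __name__ == "__main__":
    rep = parse_catchme(SAMPLE_LOG)
    print("trailer consistent with listing:", counts_match(rep))
    for kind, item, verdict in triage(rep):
        print(f"{kind:8} {verdict:62} {item}")
```

Run it on a saved log with `parse_catchme(open("haxfix.txt").read())`; the point of the known-key table is to stop the reader from chasing the same Daemon Tools entry that every GMER and catchme log on a machine with that driver will show, while still surfacing everything else.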

  • Root Admin

I thought I asked you to remove the following programs but I don't see that I did when looking back, so let's please take care of that now.

STEP 01

Please fully uninstall the following programs. Once we're done and your system is clean you can reinstall any of them you want.

If any are paid versions make sure you have the information required to reregister or activate them first.

BitTorrent 4.4.1

eMule

J2SE Runtime Environment 5.0 Update 3

LimeWire 4.12.11

Macromedia Shockwave Player

mIRC

ParetoLogic Anti-Spyware

ParetoLogic Privacy Controls

Shockwave

Then follow the directions below.

STEP 02

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::
AtJob::
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd]
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd]
Driver::
sptd
File::
C:\Windows\System32\Drivers\sptd.sys

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon.

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes, Notepad will open with your results log. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 03

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.

2. Restart your computer (very important).

3. Download and run this utility. http://www.malwarebytes.org/mbam-clean.exe

4. It will ask to restart your computer (please allow it to).

5. After the computer restarts, download but (DO NOT install) the latest version from here. http://www.malwarebytes.org/mbam/program/mbam-setup.exe

STEP 04

Then FULLY DISABLE McAfee Anti-Virus (you may be able to set the Services to DISABLED using this method.)

Click on START - RUN and type in SERVICES.MSC and hit the OK button. Then scroll through all the services and locate all of them that are McAfee or NAI and set them to DISABLED

DO NOT try to stop the service, just write it down on a piece of paper the name and what its current startup type is set to, then set it to DISABLED and reboot the computer.

After the reboot NOW try to install MBAM - DO NOT try to register it if you have a license for it, just install it and try to update it.

Let me know how all of this goes.

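The CFscript in STEP 02 is worth understanding before dropping it on ComboFix, because it is a destructive script: it removes the sptd driver's service key from all three control sets, stops the driver, and deletes the driver image. The following is an added example, not ComboFix's own code and not from the thread, of a Python dry-run that parses a CFscript into a plan and cross-checks that the pieces agree with each other (every `Driver::` entry has its service key deleted, every `.sys` under `File::` has a matching `Driver::` entry, every `RegLock::` key is actually touched). The sample script is the one posted above, verbatim. The directive meanings are assumptions taken from how the script is used here: `KILLALL::` and `AtJob::` as bare switches, `RegLock::` and `Registry::` as regedit-style key lists where a leading `-` on a key means delete (as in a .reg file), and `Driver::`/`File::` as one name or path per line.

```python
import re

# Constructed sample: the CFscript posted above, verbatim.
SAMPLE_SCRIPT = r"""
KILLALL::
AtJob::
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd]
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd]
Driver::
sptd
File::
C:\Windows\System32\Drivers\sptd.sys
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
# regedit-style key line; a leading "-" means "delete this key", as in a .reg file
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>HKEY_[A-Z_]+\\[^\]]+)\]$")

# Assumed directive meanings, taken from how the script above is used (not ComboFix's own
# documentation): KILLALL/AtJob are bare switches, RegLock/Registry take key lines,
# Driver/File take one name or path per line.
FLAG_SECTIONS = {"KILLALL": "kill_all", "AtJob": "clear_at_jobs"}
LIST_SECTIONS = {"Driver": "drivers", "File": "files"}

def parse_cfscript(text):
    """Turn a CFscript into a plan dict without touching the registry or the file system."""
    plan = {"kill_all": False, "clear_at_jobs": False, "unlock_keys": [],
            "delete_keys": [], "set_keys": [], "set_values": [], "drivers": [], "files": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            if section in FLAG_SECTIONS:
                plan[FLAG_SECTIONS[section]] = True
            elif section not in ("RegLock", "Registry") and section not in LIST_SECTIONS:
                raise ValueError(f"unknown section {section}::")
            continue
        if section in ("RegLock", "Registry"):
            m = KEY_RE.match(line)
            if section == "RegLock":
                if not m or m.group("delete"):
                    raise ValueError(f"RegLock:: expects plain [KEY] lines, got {line!r}")
                plan["unlock_keys"].append(m.group("key"))
            elif m:
                plan["delete_keys" if m.group("delete") else "set_keys"].append(m.group("key"))
            else:
                plan["set_values"].append(line)  # a "name"=data line under the preceding key
        elif section in LIST_SECTIONS:
            plan[LIST_SECTIONS[section]].append(line)
        else:
            raise ValueError(f"line outside a body section: {line!r}")
    return plan

def cross_check(plan):
    """Warn where the parts of the plan do not line up with each other."""
    warnings = []
    drivers = {d.lower() for d in plan["drivers"]}
    deleted = [k.lower() for k in plan["delete_keys"]]
    for d in sorted(drivers):
        if not any(k.endswith("\\services\\" + d) for k in deleted):
            warnings.append(f"Driver:: {d} has no matching [-...\\Services\\{d}] under Registry::")
    for path in plan["files"]:
        name = path.rsplit("\\", 1)[-1].lower()
        if name.endswith(".sys") and name[:-4] not in drivers:
            warnings.append(f"File:: {path} is a driver image with no Driver:: entry")
    for k in plan["unlock_keys"]:
        if k not in plan["delete_keys"] and k not in plan["set_keys"]:
            warnings.append(f"RegLock:: {k} is unlocked but never modified")
    return warnings

if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_SCRIPT)
    for k, v in plan.items():
        print(f"{k:14}: {v}")
    print("warnings:", cross_check(plan) or "none")
```

For the script above the plan comes out as three unlocked keys, the same three keys deleted, the `sptd` driver, and `sptd.sys`, with no warnings; a script that lists a driver without deleting its service key, or deletes a `.sys` file without stopping the driver that loaded it, is the kind of thing that leaves a half-removed driver behind and is what the cross-check is there to catch.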

It was fine, I guess. When I tried to uninstall mIRC it said it might already be uninstalled and asked if I wanted to take it out of Add/Remove, and I clicked Yes. Also I believe I had uninstalled J2SE Runtime Environment 5.0 Update 3 and upgraded to 6, so I didn't uninstall JRE 6. Malwarebytes Anti-Malware lets me do updates and I also did a scan but found nothing. The problem is still the same. Those characters look different every time I restart the computer. I went back and changed my McAfee to be enabled. Almost forgot to include the ComboFix logs. What should I do next? THANK YOU!

ComboFix 09-06-11.06 - Cindy06/12/2009 4:15.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.270 [GMT -5:00]

Running from: c:\documents and settings\Cindy\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Cindy\Desktop\CFscript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::

"c:\windows\System32\Drivers\sptd.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\RootRepeal.exe

.

((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))

.

2009-06-12 02:58 . 2009-06-12 03:19 -------- d-----w- C:\HaxFix

2009-06-12 02:58 . 2009-06-11 07:16 517790 ----a-w- C:\HaxFix.exe

2009-06-11 08:13 . 2009-06-11 08:13 -------- d-sh--w- c:\documents and settings\Administrator.SMILEFACE.000\IETldCache

2009-06-11 07:59 . 2009-06-11 07:59 0 ----a-w- C:\settings.dat

2009-06-11 05:31 . 2009-06-11 05:31 -------- d-sh--w- c:\documents and settings\Daniel\PrivacIE

2009-06-10 15:52 . 2009-06-12 09:14 -------- d-----w- c:\windows\system32\CatRoot2

2009-06-10 00:21 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-06-10 00:21 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-06-09 17:15 . 2009-06-09 17:15 -------- d-----w- c:\documents and settings\Cindy\DoctorWeb

2009-06-08 21:31 . 2009-06-08 21:31 -------- d-----w- c:\program files\ESET

2009-06-08 21:26 . 2009-06-08 21:26 -------- d-sh--w- c:\documents and settings\Cindy\PrivacIE

2009-06-08 21:14 . 2009-06-08 21:12 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-06-08 21:12 . 2009-06-08 21:12 -------- d-----w- c:\program files\Java

2009-06-08 20:36 . 2009-06-08 20:36 -------- d-----w- c:\program files\CCleaner

2009-06-06 23:11 . 2009-06-06 23:11 -------- d-----w- c:\program files\Trend Micro

2009-06-06 21:28 . 2009-06-06 21:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-06-06 15:04 . 2009-06-06 15:04 -------- d-----w- c:\documents and settings\Cindy\Application Data\Malwarebytes

2009-06-06 15:03 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-06 15:03 . 2009-06-06 15:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-06-06 15:03 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-06-06 15:03 . 2009-06-06 15:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-06 11:25 . 2009-06-06 11:25 -------- d-sh--w- c:\documents and settings\Daniel\IETldCache

2009-06-06 10:57 . 2009-06-06 11:17 -------- d-----w- c:\program files\XoftSpySE

2009-06-05 18:48 . 2009-06-05 18:48 -------- d-sh--w- c:\documents and settings\Cindy\IETldCache

2009-06-05 18:10 . 2009-06-05 18:45 -------- d-----w- c:\windows\SxsCaPendDel

2009-06-05 17:49 . 2009-06-05 17:49 -------- d-----w- c:\windows\ie8updates

2009-06-05 17:46 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll

2009-06-05 17:38 . 2009-06-05 17:46 -------- dc-h--w- c:\windows\ie8

2009-06-05 07:44 . 2009-06-05 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix

2009-06-05 07:40 . 2009-06-05 07:40 -------- d-----w- c:\documents and settings\Cindy\Local Settings\Application Data\Citrix

2009-06-05 07:39 . 2009-06-05 07:39 61224 ----a-w- c:\documents and settings\Cindy\GoToAssistDownloadHelper.exe

2009-06-05 06:22 . 2009-06-05 06:22 49152 ----a-r- c:\documents and settings\Cindy\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA1.exe

2009-06-05 06:22 . 2009-06-05 06:22 49152 ----a-r- c:\documents and settings\Cindy\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-12 08:32 . 2007-09-14 06:17 -------- d-----w- c:\program files\ParetoLogic

2009-06-12 08:31 . 2008-02-09 18:38 -------- d-----w- c:\program files\eMule

2009-06-09 21:45 . 2005-01-21 17:31 -------- d-----w- c:\program files\Common Files\Motive

2009-06-08 08:16 . 2009-06-08 08:15 108856 ----a-w- c:\documents and settings\Daniel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-08 03:46 . 2008-12-16 20:52 1457 ----a-w- c:\windows\AC6A35BD-5292-43f6-B548-5FE3C42C144C.bat

2009-06-05 07:40 . 2007-07-19 23:56 -------- d-----w- c:\program files\Citrix

2009-06-05 06:21 . 2008-12-16 20:34 -------- d-----w- c:\program files\McAfee

2009-05-14 19:16 . 2009-05-06 18:55 -------- d-----w- c:\program files\Coupons

2009-05-13 05:15 . 2005-06-18 04:49 915456 ----a-w- c:\windows\system32\wininet.dll

2009-05-12 21:23 . 2005-10-25 20:50 -------- d-----w- c:\documents and settings\Cindy\Application Data\Canon

2009-05-12 21:08 . 2009-02-17 11:09 266400 ----a-r- c:\documents and settings\Cindy\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll

2009-05-07 15:32 . 2002-08-29 10:00 345600 ----a-w- c:\windows\system32\localspl.dll

2009-05-05 03:46 . 2009-05-04 23:48 -------- d-----w- c:\documents and settings\Cindy\Application Data\Nero

2009-05-04 23:31 . 2009-05-04 21:34 -------- d-----w- c:\program files\Common Files\Nero

2009-05-04 22:42 . 2009-05-04 21:37 -------- d-----w- c:\program files\Nero

2009-05-04 22:13 . 2009-05-04 10:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero

2009-05-04 20:36 . 2009-05-04 20:36 -------- d-----w- c:\program files\MSBuild

2009-05-04 20:35 . 2009-05-04 20:35 -------- d-----w- c:\program files\Reference Assemblies

2009-05-04 11:06 . 2009-05-04 11:06 -------- d-----w- c:\program files\Windows Sidebar

2009-04-17 12:26 . 2002-08-29 10:00 1847168 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 14:51 . 2004-04-28 18:57 585216 ----a-w- c:\windows\system32\rpcrt4.dll

2004-01-10 07:27 . 2004-01-10 07:27 693840 -c--a-w- c:\program files\wmv9VCMsetup.exe

2003-10-28 20:50 . 2003-10-28 20:50 5313488 -c--a-w- c:\program files\DivX51Bundle.exe

2003-10-23 02:56 . 2003-10-23 02:56 723963 -c--a-w- c:\program files\netvampire.zip

2003-10-06 20:32 . 2003-10-06 20:32 765 -c-ha-w- c:\program files\hpothb07.tif

2003-10-06 20:32 . 2003-10-06 20:32 452 -c-ha-w- c:\program files\hpothb07.dat

2003-08-16 03:02 . 2003-08-16 03:02 3120360 -c--a-w- c:\program files\Install_AIM.exe

2003-08-15 16:22 . 2003-08-15 15:51 9130944 -c--a-w- c:\program files\AdbeRdr60_enu.exe

2002-05-19 08:48 . 2003-10-28 19:42 102 -c--a-w- c:\program files\Readme.txt

2002-05-19 07:57 . 2003-10-28 19:42 944797 -c--a-w- c:\program files\wrar300.exe

2002-05-15 06:37 . 2003-10-28 19:42 473 -c--a-w- c:\program files\rarreg.key

2008-12-16 20:52 . 2008-12-16 20:54 94208 ----a-w- c:\program files\mozilla firefox\components\blsfflock.dll

2008-09-04 19:03 . 2008-09-04 19:03 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2008-09-04 19:03 . 2008-09-04 19:03 125848 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2008-09-04 19:03 . 2008-09-04 19:03 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-06-08_04.12.27 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-06-12 09:26 . 2009-06-12 09:26 16384 c:\windows\temp\Perflib_Perfdata_604.dat

- 2002-08-29 10:00 . 2009-03-08 09:33 25600 c:\windows\SYSTEM32\jsproxy.dll

+ 2002-08-29 10:00 . 2009-04-30 21:22 25600 c:\windows\SYSTEM32\jsproxy.dll

+ 2006-05-10 05:22 . 2009-04-30 21:22 25600 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll

- 2006-05-10 05:22 . 2009-03-08 09:33 25600 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll

- 2009-06-05 05:40 . 2009-06-08 01:15 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-06-05 05:40 . 2009-06-12 07:38 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-06-05 05:40 . 2009-06-12 07:38 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat

- 2009-06-05 05:40 . 2009-06-08 01:15 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat

+ 2002-09-30 10:11 . 2009-06-10 19:10 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe

- 2002-09-30 10:11 . 2009-04-16 05:57 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe

+ 2002-09-30 10:11 . 2009-06-10 19:10 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe

- 2002-09-30 10:11 . 2009-04-16 05:57 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe

- 2002-09-30 10:11 . 2009-04-16 05:57 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe

+ 2002-09-30 10:11 . 2009-06-10 19:10 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe

+ 2002-09-30 10:11 . 2009-06-10 19:10 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe

- 2002-09-30 10:11 . 2009-04-16 05:57 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe

+ 2009-06-10 19:10 . 2009-06-10 19:10 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe

- 2009-06-05 17:24 . 2009-06-05 17:24 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe

+ 2003-07-17 22:58 . 2009-06-08 08:18 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe

- 2003-07-17 22:58 . 2003-09-23 17:46 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe

- 2003-07-17 22:58 . 2003-09-23 17:46 35328 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\wordicon.exe

+ 2003-07-17 22:58 . 2009-06-08 08:18 35328 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\wordicon.exe

- 2003-07-17 22:58 . 2003-09-23 17:46 30208 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\pptico.exe

+ 2003-07-17 22:58 . 2009-06-08 08:18 30208 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\pptico.exe

- 2003-07-17 22:58 . 2003-09-23 17:46 11264 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\PEicons.exe

+ 2003-07-17 22:58 . 2009-06-08 08:18 11264 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\PEicons.exe

- 2003-07-17 22:58 . 2003-09-23 17:46 28160 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe

+ 2003-07-17 22:58 . 2009-06-08 08:18 28160 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe

+ 2003-07-17 22:58 . 2009-06-08 08:18 73216 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\fpicon.exe

- 2003-07-17 22:58 . 2003-09-23 17:46 73216 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\fpicon.exe

+ 2003-07-17 22:58 . 2009-06-08 08:18 22528 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\bindico.exe

- 2003-07-17 22:58 . 2003-09-23 17:46 22528 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\bindico.exe

+ 2009-04-03 23:01 . 2009-04-03 23:01 71504 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6425\XL12CNVP.DLL

+ 2009-04-03 22:57 . 2009-04-03 22:57 21320 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6425\WRD12EXE.EXE

+ 2009-06-10 19:09 . 2009-03-08 09:33 12288 c:\windows\ie8updates\KB969897-IE8\xpshims.dll

+ 2009-06-10 19:09 . 2009-03-08 09:33 25600 c:\windows\ie8updates\KB969897-IE8\jsproxy.dll

- 2002-09-30 10:11 . 2009-04-16 05:57 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe

+ 2002-09-30 10:11 . 2009-06-10 19:10 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe

- 2002-09-30 10:11 . 2009-04-16 05:57 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe

+ 2002-09-30 10:11 . 2009-06-10 19:10 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe

+ 2002-09-30 10:11 . 2009-06-10 19:10 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe

- 2002-09-30 10:11 . 2009-04-16 05:57 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe

+ 2009-06-08 21:14 . 2009-06-08 21:12 148888 c:\windows\SYSTEM32\javaws.exe

+ 2009-06-08 21:14 . 2009-06-08 21:12 144792 c:\windows\SYSTEM32\javaw.exe

+ 2009-06-08 21:14 . 2009-06-08 21:12 144792 c:\windows\SYSTEM32\java.exe

+ 2002-08-29 10:00 . 2009-04-30 21:22 385536 c:\windows\SYSTEM32\iedkcs32.dll

- 2002-08-29 10:00 . 2009-03-08 09:32 173056 c:\windows\SYSTEM32\ie4uinit.exe

+ 2002-08-29 10:00 . 2009-04-30 11:21 173056 c:\windows\SYSTEM32\ie4uinit.exe

- 2002-09-30 10:15 . 2009-06-05 18:45 336256 c:\windows\SYSTEM32\FNTCACHE.DAT

+ 2002-09-30 10:15 . 2003-05-20 05:00 336256 c:\windows\SYSTEM32\FNTCACHE.DAT

+ 2006-05-10 05:23 . 2009-05-13 05:15 915456 c:\windows\SYSTEM32\DLLCACHE\wininet.dll

+ 2009-04-15 14:51 . 2009-04-15 14:51 585216 c:\windows\SYSTEM32\DLLCACHE\rpcrt4.dll

+ 2009-05-07 15:32 . 2009-05-07 15:32 345600 c:\windows\SYSTEM32\DLLCACHE\localspl.dll

+ 2006-11-07 09:27 . 2009-04-30 21:22 385536 c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll

+ 2006-11-07 09:26 . 2009-04-30 11:21 173056 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe

- 2006-11-07 09:26 . 2009-03-08 09:32 173056 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe

- 2009-06-06 21:28 . 2009-06-06 17:35 245760 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat

+ 2009-06-06 21:28 . 2009-06-10 19:41 245760 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat

+ 2009-06-12 09:12 . 2009-06-12 09:12 389120 c:\windows\SYSTEM32\CF17690.exe

- 2003-07-17 22:58 . 2003-09-23 17:46 104960 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe

+ 2003-07-17 22:58 . 2009-06-08 08:18 104960 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe

+ 2003-07-17 22:58 . 2009-06-08 08:18 155136 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\accicons.exe

- 2003-07-17 22:58 . 2003-09-23 17:46 155136 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\accicons.exe

+ 2009-06-10 19:09 . 2009-03-08 09:34 914944 c:\windows\ie8updates\KB969897-IE8\wininet.dll

+ 2009-06-10 19:09 . 2008-07-09 07:38 382840 c:\windows\ie8updates\KB969897-IE8\spuninst\updspapi.dll

+ 2009-06-10 19:09 . 2007-11-30 12:39 231288 c:\windows\ie8updates\KB969897-IE8\spuninst\spuninst.exe

+ 2009-06-10 19:09 . 2009-03-08 09:33 246784 c:\windows\ie8updates\KB969897-IE8\ieproxy.dll

+ 2009-06-10 19:09 . 2009-03-08 19:09 391536 c:\windows\ie8updates\KB969897-IE8\iedkcs32.dll

+ 2009-06-10 19:09 . 2009-03-08 09:32 173056 c:\windows\ie8updates\KB969897-IE8\ie4uinit.exe

+ 2005-09-02 20:19 . 2009-04-30 21:22 1207808 c:\windows\SYSTEM32\urlmon.dll

+ 2005-10-04 17:19 . 2009-05-13 05:15 5936128 c:\windows\SYSTEM32\mshtml.dll

- 2006-10-17 17:57 . 2009-03-08 09:32 1985024 c:\windows\SYSTEM32\iertutil.dll

+ 2006-10-17 17:57 . 2009-04-30 21:22 1985024 c:\windows\SYSTEM32\iertutil.dll

+ 2008-10-15 17:44 . 2009-04-17 12:26 1847168 c:\windows\SYSTEM32\DLLCACHE\win32k.sys

+ 2006-05-10 05:23 . 2009-04-30 21:22 1207808 c:\windows\SYSTEM32\DLLCACHE\urlmon.dll

+ 2006-05-19 15:08 . 2009-05-13 05:15 5936128 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll

- 2007-05-10 06:30 . 2009-03-08 09:32 1985024 c:\windows\SYSTEM32\DLLCACHE\iertutil.dll

+ 2007-05-10 06:30 . 2009-04-30 21:22 1985024 c:\windows\SYSTEM32\DLLCACHE\iertutil.dll

+ 2009-04-03 22:57 . 2009-04-03 22:57 4671320 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6425\WRD12CNV.DLL

+ 2009-06-10 19:09 . 2009-03-08 09:34 1206784 c:\windows\ie8updates\KB969897-IE8\urlmon.dll

+ 2009-06-10 19:09 . 2009-03-08 09:41 5937152 c:\windows\ie8updates\KB969897-IE8\mshtml.dll

+ 2009-06-10 19:09 . 2009-03-08 09:32 1985024 c:\windows\ie8updates\KB969897-IE8\iertutil.dll

+ 2005-10-17 01:20 . 2009-06-01 16:51 23635392 c:\windows\SYSTEM32\MRT.exe

+ 2006-11-08 03:03 . 2009-04-30 21:22 11064832 c:\windows\SYSTEM32\ieframe.dll

+ 2007-05-10 06:30 . 2009-04-30 21:22 11064832 c:\windows\SYSTEM32\DLLCACHE\ieframe.dll

+ 2009-04-03 23:01 . 2009-04-03 23:01 15108448 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6425\XL12CNV.EXE

+ 2009-06-10 19:09 . 2009-03-08 09:39 11063808 c:\windows\ie8updates\KB969897-IE8\ieframe.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]

"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]

"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2006-09-15 380928]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]

"IPInSightMonitor 01"="c:\program files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 98304]

"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-31 185896]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-08 148888]

c:\documents and settings\Cindy\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2005-1-21 217088]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-7-14 24576]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]

backup=c:\windows\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Cindy^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Cindy^Start Menu^Programs^Startup^MostFun.lnk]

backup=c:\windows\pss\MostFun.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

S2 IcRecUsb;IC Recorder Driver;c:\windows\SYSTEM32\DRIVERS\IcRecUsb.sys [7/9/2007 7:38 PM 17432]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/16/2008 3:45 PM 203280]

S3 JFMGBVTWO;JFMGBVTWO;c:\docume~1\CINDY~2\LOCALS~1\Temp\JFMGBVTWO.exe [6/11/2009 9:38 PM 355200]

S3 YION;YION;c:\docume~1\CINDY~2\LOCALS~1\Temp\YION.exe [6/11/2009 8:51 PM 514944]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-05-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-16 19:32]

2009-06-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-16 19:32]

2005-10-19 c:\windows\Tasks\XoftSpy.job

- c:\program files\XoftSpy\XoftSpy.exe [2006-05-12 20:40]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://yahoo.sbc.com/dsl

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html

uInternet Connection Wizard,ShellNext = hxxp://yahoo.sbc.com/dsl

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com

IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {3492AC37-16C6-42FC-A2CA-439E9CFDACDF} - hxxp://falcon.web2server.info/install/1.4/ie/install.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

FF - ProfilePath -

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-12 04:29

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2500)

c:\windows\system32\WININET.dll

c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe

c:\windows\SYSTEM32\UStorSrv.exe

c:\windows\wanmpsvc.exe

c:\windows\SYSTEM32\fxssvc.exe

c:\windows\SYSTEM32\CF17690.exe

c:\program files\Yahoo!\browser\ycommon.exe

c:\program files\SBC Self Support Tool\bin\mpbtn.exe

c:\windows\SYSTEM32\wscntfy.exe

c:\progra~1\McAfee\MSC\mcuimgr.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\program files\McAfee\MPF\MpfSrv.exe

c:\program files\Real\RealPlayer\realplay.exe

.

**************************************************************************

.

Completion time: 2009-06-12 4:39 - machine was rebooted

ComboFix-quarantined-files.txt 2009-06-12 09:39

ComboFix2.txt 2009-06-10 03:45

ComboFix3.txt 2009-06-08 04:22

Pre-Run: 6,038,839,296 bytes free

Post-Run: 6,049,865,728 bytes free

319 --- E O F --- 2009-06-10 19:11


  • Root Admin

Please find and delete the current logs from this scanner, DDS.TXT and ATTACH.TXT, which should be on your desktop now.

Then download a new version and run it again.

  • Download DDS and save it to your desktop.
  • Disable any script blocker if your Anti-Virus/Anti-Malware has it.
  • Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
  • Then double click dds.scr to run the tool.
  • When done, the DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


Here are the logs. Thank you!

DDS (Ver_09-05-14.01) - NTFSx86

Run by Cindy at 16:13:19.71 on Fri 06/12/2009

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.257 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\svchost.exe -k NetworkService

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\Program Files\McAfee\VirusScan\McShield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\UStorSrv.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\fxssvc.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\System32\DSentry.exe

C:\WINDOWS\system32\igfxpers.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe

c:\PROGRA~1\mcafee\msc\mcuimgr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Cindy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://yahoo.sbc.com/dsl

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html

uInternet Connection Wizard,ShellNext = hxxp://yahoo.sbc.com/dsl

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll

BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

EB: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - &Yahoo! Messenger

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe

mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"

mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe

mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe

mRun: [iPInSightMonitor 01] "c:\program files\sbc yahoo!\connection manager\ip insight\IPMon32.exe"

mRun: [DVDSentry] c:\windows\system32\DSentry.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey

mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

StartupFolder: c:\docume~1\cindy~2\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\at&tse~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: &eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html

IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html

IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {3492AC37-16C6-42FC-A2CA-439E9CFDACDF} - hxxp://falcon.web2server.info/install/1.4/ie/install.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab

DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} - hxxp://216.249.24.142/code/PWActiveXImgCtl.CAB

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152515880921

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab

DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www3.ca.com/securityadvisor/virusinfo/webscan.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} - hxxp://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab

DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll

DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} - hxxp://www.gamespot.com/KDX/download/kdx.cab

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cindy~2\applic~1\mozilla\firefox\profiles\uhgesm42.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - component: c:\program files\mozilla firefox\components\blsfflock.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll

FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-16 201320]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-16 203280]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-12-16 359248]

R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2008-12-16 144704]

R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-12-5 935208]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-16 79304]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-16 35240]

S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\IcRecUsb.sys [2007-7-9 17432]

S3 JFMGBVTWO;JFMGBVTWO;c:\docume~1\cindy~2\locals~1\temp\jfmgbvtwo.exe --> c:\docume~1\cindy~2\locals~1\temp\JFMGBVTWO.exe [?]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-16 33832]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-16 40488]

S3 YION;YION;c:\docume~1\cindy~2\locals~1\temp\yion.exe --> c:\docume~1\cindy~2\locals~1\temp\YION.exe [?]

S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-12-16 695624]

=============== Created Last 30 ================

2009-06-12 05:15 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-12 05:15 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-06-12 05:15 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-06-12 04:12 <DIR> --ds---- C:\ComboFix

2009-06-12 04:12 389,120 a------- c:\windows\system32\CF17690.exe

2009-06-11 21:58 517,790 a------- C:\HaxFix.exe

2009-06-11 21:58 <DIR> --d----- C:\HaxFix

2009-06-11 03:01 118,353 a------- C:\RootRepeal.dmp

2009-06-11 02:59 0 a------- C:\settings.dat

2009-06-10 17:25 2,105,344 a------- c:\windows\system32\secsetup.sdb

2009-06-10 10:52 <DIR> --d----- c:\windows\system32\CatRoot2

2009-06-09 19:21 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll

2009-06-09 19:21 12,800 -------- c:\windows\system32\dllcache\xpshims.dll

2009-06-09 12:15 <DIR> --d----- c:\documents and settings\cindy\DoctorWeb

2009-06-08 16:31 <DIR> --d----- c:\program files\ESET

2009-06-08 16:26 <DIR> --dsh--- c:\documents and settings\cindy\PrivacIE

2009-06-08 16:14 73,728 a------- c:\windows\system32\javacpl.cpl

2009-06-08 16:14 410,984 a------- c:\windows\system32\deploytk.dll

2009-06-08 15:36 <DIR> --d----- c:\program files\CCleaner

2009-06-08 00:39 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat

2009-06-07 22:57 <DIR> a-dshr-- C:\cmdcons

2009-06-07 22:54 161,792 a------- c:\windows\SWREG.exe

2009-06-07 22:54 155,136 a------- c:\windows\PEV.exe

2009-06-07 22:54 98,816 a------- c:\windows\sed.exe

2009-06-06 18:11 <DIR> --d----- c:\program files\Trend Micro

2009-06-06 10:04 <DIR> --d----- c:\docume~1\cindy~2\applic~1\Malwarebytes

2009-06-06 10:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-06-06 05:57 <DIR> --d----- c:\program files\XoftSpySE

2009-06-05 13:48 <DIR> --dsh--- c:\documents and settings\cindy\IETldCache

2009-06-05 13:10 <DIR> --d----- c:\windows\SxsCaPendDel

2009-06-05 12:49 <DIR> --d----- c:\windows\ie8updates

2009-06-05 12:46 102,912 -------- c:\windows\system32\dllcache\iecompat.dll

2009-06-05 12:38 <DIR> -cd-h--- c:\windows\ie8

2009-06-05 02:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix

2009-06-05 02:39 61,224 a------- c:\documents and settings\cindy\GoToAssistDownloadHelper.exe

2009-06-02 19:11 54,156 a---h--- c:\windows\QTFont.qfn

2009-06-02 19:11 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-06-07 20:33 108,856 a------- c:\docume~1\cindy~2\applic~1\GDIPFONTCACHEV1.DAT

2009-05-13 00:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll

2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll

2009-05-13 00:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll

2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll

2009-05-07 10:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll

2009-04-30 16:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll

2009-04-30 16:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll

2009-04-30 16:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll

2009-04-30 16:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll

2009-04-30 16:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll

2009-04-30 06:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe

2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys

2009-04-17 07:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys

2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll

2009-04-15 09:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll

2009-03-21 09:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll

2009-02-17 15:00 47,360 a------- c:\docume~1\cindy~2\applic~1\pcouffin.sys

2008-11-19 21:00 60,744 a------- c:\documents and settings\cindy\g2mdlhlpx.exe

2007-07-16 00:49 110 ac------ c:\docume~1\alluse~1\applic~1\MostFunGameId.bin

2004-01-10 02:27 693,840 ac------ c:\program files\wmv9VCMsetup.exe

2003-10-28 15:50 5,313,488 ac------ c:\program files\DivX51Bundle.exe

2003-10-22 21:56 723,963 ac------ c:\program files\netvampire.zip

2003-10-06 15:32 765 ac--h--- c:\program files\hpothb07.tif

2003-10-06 15:32 452 ac--h--- c:\program files\hpothb07.dat

2003-09-30 15:16 0 ac--h--- c:\documents and settings\cindy\hpothb07.dat

2003-08-15 22:02 3,120,360 ac------ c:\program files\Install_AIM.exe

2003-08-15 11:22 9,130,944 ac------ c:\program files\AdbeRdr60_enu.exe

2002-05-19 03:48 102 ac------ c:\program files\Readme.txt

2002-05-19 02:57 944,797 ac------ c:\program files\wrar300.exe

2002-05-15 01:37 473 ac------ c:\program files\rarreg.key

============= FINISH: 16:14:40.46 ===============


Okay, I have set it back to the default settings based on those two websites. I have a question. I don't know if you know what it is. Under SERVICES, I see something called "YION" and I don't know what it is. It gives an executable path of C:\DOCUME~1\CINDY~2\LOCALS~1\Temp\YION.exe. It was set to manual and I tried to change it to disabled but nothing happened. Thank you!


  • Root Admin

Please see if this removes it. It was probably already removed, but maybe not properly, so it's left over there.

Do you share this computer with someone else? That appears to possibly be from a key generator designed to steal software, but it's possible it's from something else as well.

Click on START - RUN and Copy / Paste this into the Run line and click the OK button.

CMD /K SC DELETE YION

Let me know if you get an error message or a success message. You can close the DOS window when you're done.

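The reply above removes one leftover service by name. The same trace in the logs, a service whose ImagePath points into a user's Temp folder (JFMGBVTWO and YION above, both with random-looking names), is worth checking for generally, because nothing legitimate normally registers a service from there. The script below is an added example, not from the original thread and not Malwarebytes' or the forum's own tooling: it lists every service launched from a per-user Temp directory, reports whether the binary is still on disk (an orphaned registration is why the entry could not be changed from manual to disabled), and with its own -Remove switch deletes them with sc.exe exactly as the reply does. It assumes PowerShell 2.0 or later and sc.exe on the PATH; the script name and the -Remove switch are this example's own.

```powershell
# Added example (not part of the original thread). Finds services whose
# ImagePath points into a user's Temp directory, the pattern behind the
# JFMGBVTWO and YION entries in the logs above, reports whether the binary
# is still on disk, and with -Remove deletes them the way the reply above
# does for YION (sc delete). Assumes PowerShell 2.0+ and sc.exe on PATH;
# -Remove is this script's own switch, not an sc.exe option.
param([switch]$Remove)

# Matches both long and 8.3 spellings of a per-user Temp directory.
$tempPattern = '(?i)\\(local settings\\temp|locals~1\\temp|appdata\\local\\temp)\\'

$suspects = @(Get-WmiObject Win32_Service | Where-Object {
    $_.PathName -and ($_.PathName -match $tempPattern)
})

if ($suspects.Count -eq 0) {
    Write-Host 'No services launch from a Temp directory.'
    return
}

foreach ($svc in $suspects) {
    # Reduce PathName to the bare executable (drop quotes and arguments).
    if ($svc.PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($svc.PathName -split '\s+[-/]')[0] }

    # A service whose binary is gone is an orphaned registration: nothing
    # can start it, but the key (and the Services entry) stays until deleted.
    $orphan = -not (Test-Path -LiteralPath $exe)
    '{0,-12} state={1,-8} start={2,-6} orphan={3,-5} {4}' -f `
        $svc.Name, $svc.State, $svc.StartMode, $orphan, $svc.PathName

    if ($Remove) {
        if ($svc.State -eq 'Running') { & sc.exe stop $svc.Name | Out-Null }
        # sc delete marks the key for deletion; if a handle is still open the
        # removal completes at the next reboot, so re-check afterwards.
        & sc.exe delete $svc.Name
        & sc.exe query $svc.Name | Out-Null
        "  sc query exit code: $LASTEXITCODE (1060 = service no longer exists)"
    }
}
```

Run it from an elevated prompt as `.\Find-TempServices.ps1` to list only, then `.\Find-TempServices.ps1 -Remove` to delete. A service that is still Running and whose binary still exists is a different situation from the orphans on this page: copy the binary for analysis before deleting, since sc delete removes only the registration, not the file. Re-run after a reboot; an entry that survives a reboot was held open when it was deleted and needs a second pass.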

  • Root Admin

Please try using a couple of these BootCD AV scanners. At this point it does not look like you are infected, and whatever you're seeing may be due to some odd misconfiguration and/or some poorly installed software, because the scans lately do not show anything that would cause this.

Also see if you can set MSCONFIG back to normal now or not.

LiveCD for Malware and Virus Removal

Here are links to Antivirus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair if needed.

All of them except Avira are in the ISO image file format. Avira uses an EXE that has built-in CD burning capability.

Avira AntiVir Rescue System

BitDefender LiveCD

Dr Web LiveCD

F-Secure Rescue CD

Kaspersky RescueDisk

For those users that need a FREE utility to properly burn the ISO image

ImgBurn

How to write an image file to a disc with ImgBurn


I deleted it successfully. I used the F-Secure Rescue CD and found nothing. I was going to use the Avira AntiVir Rescue System, but it was in a different language and I don't understand it. I will try to use the BitDefender Rescue CD too, if it lets me. The MSCONFIG is NOT back to normal. It's still doing the same thing. Maybe it can't be fixed. Thank you!


  • Root Admin

Here are the directions for the Avira CD. You can use it in English, you just need to choose it.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here
  • Place a blank CD in your burner and double-click on the downloaded file named rescuecd.exe
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse, click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the number of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues

  1. Please see the post here if you're unable to view the entire screen of Avira.
  2. You can also review this one: Fixed Rescue CD Resolution Probs with Dell Video
  3. Currently only the German keyboard is supported. Command Line not working. English keyboards require workarounds.
  4. Some computers attempt to mount the floppy even though they don't have one. You may need to go into the BIOS and disable the floppy drive in order to mount your hard drive for scanning.


Yipee....... It is fixed now. Those nasty Chinese characters are gone now. I didn't think this was going to work. All I did was start the computer in SAFE MODE and click on Normal mode. It still gave me that ignoring Access Denied error thingy twice, and I restarted the computer and then checked the MSCONFIG with curiosity. I am serious, I was expecting it was not going to work, but it has Normal Startup selected. Then I checked the Startup tab and it is finally gone. I haven't tested the MSCONFIG to see if it is still giving me that Access Denied error thingy. I am afraid to do it. I am so happy it has been fixed. :) THANK YOU SO MUCH "AdvancedSetup". If it wasn't for your help, it's more likely it wouldn't have made a difference. You guys have excellent customer service. To show you how thankful I am, I will buy the full version to support you guys. :) KEEP UP THE GOOD WORK AND THANK YOU!


  • Root Admin

That's great news. Glad to be of help. Take care and keep safe out there.

If you still have Combofix installed, we need to remove that. You can click on START - RUN, type in COMBOFIX.EXE /U, and it will remove it.

Make sure you keep your Anti-Virus up to date daily and do periodic scans. Also keep up with the Microsoft Critical Updates.

Please tell your friends and family about Malwarebytes.

Thanks.
