
can't remove 8 infected files


aeroswine


Here's latest Malware log:

Malwarebytes' Anti-Malware 1.41

Database version: 2865

Windows 5.1.2600 Service Pack 3

9/27/2009 10:36:42 PM

mbam-log-2009-09-27 (22-36-42).txt

Scan type: Quick Scan

Objects scanned: 131786

Time elapsed: 18 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\calc.dll (Backdoor.Bot) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Backdoor.Bot) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\calc.dll (Backdoor.Bot) -> Delete on reboot.

C:\Documents and Settings\Leenda\Start Menu\Programs\Startup\scandisk.dll (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\Leenda\protect.dll (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Documents and Settings\Leenda\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Leenda\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.

Here's the Hijack This log file:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:13:20 AM, on 9/28/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\Program Files\Norton Ghost\Agent\VProSvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Azigo Services\azigo-service.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\PRISMSVR.EXE

C:\Program Files\Azigo Services\ss-runner.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton Ghost\Agent\GhostTray.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WhiteCanyon\MySecurityVault\MySecurityVault_TrayIcon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Registry Mechanic\RegMech.exe

C:\WINDOWS\system32\dlcdcoms.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Dell Wireless\PRISMCFG.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: MySecurityVault Toolbar - {D3117279-E115-4C9B-A8FE-D2983653EC51} - C:\Program Files\WhiteCanyon\MySecurityVault\WCVaultToolbar.dll

O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: 100% Free Cribbage Toolbar - {F6387320-2466-42C3-9E7C-6A7BD7BD1F61} - C:\Program Files\100% Free Cribbage Toolbar\v3.3.0.1\100%_Free_Cribbage_Toolbar.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MySecurityVault Tray] C:\Program Files\WhiteCanyon\MySecurityVault\MySecurityVault_TrayIcon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"

O4 - HKCU\..\Run: [ATT-SST] C:\Program Files\ATT-SST\McciBrowser.exe -AppKey=ATT-SST -URL=file://C:\Program Files\ATT-SST\OCB\8c33ce28-529e-448d-a1c3-077f0ebf2162\Start.htm?VendorID=ATT-SST,isHidden=false,ConnectivityRequired=true,flowId=HOMEPAGE,FlowParams=

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H

O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\Leenda\protect.dll,_IWMPEvents@0

O4 - HKUS\S-1-5-21-2782739445-2286252365-1006991020-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Ben Dover')

O4 - HKUS\S-1-5-21-2782739445-2286252365-1006991020-1007\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User 'Ben Dover')

O4 - HKUS\S-1-5-21-2782739445-2286252365-1006991020-1007\..\Run: [iSUSPM] C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\11\ISUSPM.exe -scheduler (User 'Ben Dover')

O4 - HKUS\S-1-5-21-2782739445-2286252365-1006991020-1007\..\Run: [calc] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@0 (User 'Ben Dover')

O4 - HKUS\S-1-5-21-2782739445-2286252365-1006991020-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {6081DC41-E874-4313-A2CB-83EA00B921FD} - res://C:\Program Files\Azigo Services\remindme@azigo.com.dll/201 (file missing)

O9 - Extra 'Tools' menuitem: Refresh Azigo RemindMe - {6081DC41-E874-4313-A2CB-83EA00B921FD} - res://C:\Program Files\Azigo Services\remindme@azigo.com.dll/201 (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://*.mcafee.com

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198695552046

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebas...sCamControl.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...414/mcfscan.cab

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - AppInit_DLLs: tinajepu.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: azigo-service - Unknown owner - C:\Program Files\Azigo Services\azigo-service.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe

O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--

End of file - 16470 bytes

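The two [calc] entries in the HijackThis log above (rundll32.exe loading protect.dll from a profile directory by the export _IWMPEvents@0, registered for two different users) and the bare AppInit_DLLs value tinajepu.dll are the autostart points a responder would look at first. As an added triage example, written for this thread and not part of HijackThis, Malwarebytes or the original posts, the Python below parses such O4/O20 lines and flags them with two defender heuristics; the user-writable path markers and the heuristics themselves are assumptions, and the sample lines are copied from the log above.

```python
"""Triage HijackThis O4 (Run keys) and O20 (AppInit_DLLs) lines.

Added example for this thread; not part of HijackThis, Malwarebytes or the
original posts. The two heuristics below are assumptions, not vendor rules:
  1. rundll32.exe loading a DLL (by export name) from a user-writable
     location such as a profile directory, Temp or a Startup folder;
  2. an AppInit_DLLs value given as a bare file name with no path, which
     the loader resolves via its search order rather than a fixed location.
"""
import re

# Constructed sample: lines copied verbatim from the posted HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\Leenda\protect.dll,_IWMPEvents@0
O4 - HKUS\S-1-5-21-2782739445-2286252365-1006991020-1007\..\Run: [calc] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@0 (User 'Ben Dover')
O4 - Global Startup: Digital Line Detect.lnk = ?
O20 - AppInit_DLLs: tinajepu.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# "rundll32.exe <dll path>,<export>"  (optional quotes around exe and dll)
RUNDLL_RE = re.compile(
    r'^"?(?P<exe>[^"\s]*rundll32(?:\.exe)?)"?\s+"?(?P<dll>[^,"]+)"?,(?P<export>\S+)',
    re.IGNORECASE,
)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")

# Path fragments treated as user-writable (assumption; lower-cased for matching).
USER_WRITABLE_MARKERS = (
    "c:\\docume~1\\",
    "c:\\documents and settings\\",
    "\\local settings\\",
    "\\temp\\",
    "\\startup\\",
)


def is_user_writable(path):
    """True if the lower-cased path contains any of the user-writable markers."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def triage(log_text):
    """Return a list of (value_name, dll, reason) for lines hitting a heuristic.

    Lines matching neither pattern, and rundll32 entries that load from a
    system or Program Files location, are not reported.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RUN_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m.group("cmd"))
            if r and is_user_writable(r.group("dll")):
                findings.append((
                    m.group("name"),
                    r.group("dll"),
                    "rundll32 loads export %s from a user-writable path under %s"
                    % (r.group("export"), m.group("hive")),
                ))
            continue
        m = APPINIT_RE.match(line)
        if m:
            for dll in re.split(r"[,\s]+", m.group("dlls").strip()):
                if dll and "\\" not in dll:
                    findings.append((
                        "AppInit_DLLs",
                        dll,
                        "bare file name, loaded into every process that maps user32.dll",
                    ))
    return findings


def group_by_dll(findings):
    """Collapse findings on the same DLL file name: one payload registered
    under several hives (HKCU and another user's HKUS here) is one infection."""
    grouped = {}
    for name, dll, _reason in findings:
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        grouped.setdefault(base, []).append(name)
    return grouped


if __name__ == "__main__":
    for name, dll, reason in triage(SAMPLE_LOG):
        print("[%s] %s -> %s" % (name, dll, reason))
    print(group_by_dll(triage(SAMPLE_LOG)))
```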

  • Staff

Hi,

I notice from your log that there's more than one Antivirus installed: McAfee and Norton.

Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will seriously decrease their reliability!

The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.

Also, because multiple installed Antivirus and Firewall products are not compatible with each other, they can cause system performance problems and a serious system slowdown.

So you have to make a decision here and keep the Antivirus you prefer and uninstall the other one.

Then reboot after uninstalling.

I've actually had exactly the same case with someone else dealing with this infection. The entries reappeared every time after reboot, and it was their Registry Mechanic interfering here. And I see you have Registry Mechanic as well.

Either way, Mbam should detect and remove all of this, but please do the following (because I also see some other malware leftovers here, so I want to have an extra look)...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


The only Norton program I could find is Norton Ghost. I had downloaded the Registry Mechanic as a possible fix to my trouble, so it wasn't part of the original problem. Thanks for your advice. Here's the ComboFix log:

ComboFix 09-09-29.01 - Leenda 09/29/2009 23:57.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.541 [GMT -4:00]

Running from: c:\documents and settings\Leenda\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\dyfuxirujy.sys

c:\documents and settings\All Users\Documents\ahisusi.dl

c:\documents and settings\All Users\Documents\oquru.scr

c:\documents and settings\All Users\Documents\uhugy.reg

c:\documents and settings\All Users\Documents\volofeha.com

c:\documents and settings\Ben Dover\Cookies\eqaqi.vbs

c:\documents and settings\Ben Dover\Cookies\hevu.scr

c:\documents and settings\Ben Dover\Cookies\nozadyv.scr

c:\documents and settings\Ben Dover\Local Settings\Application Data\bafiki.pif

c:\documents and settings\Ben Dover\Local Settings\Temporary Internet Files\bawokeq.bin

c:\documents and settings\Ben Dover\Local Settings\Temporary Internet Files\seku.dll

C:\p2hhr.bat

c:\program files\100% Free Cribbage Toolbar\v3.3.0.1\100%_free_cribbage_toolbar.dll

c:\program files\Common Files\bikyqid.dll

c:\program files\Common Files\emyvagyf.ban

c:\windows\100%_Free_Cribbage_Toolbar_Uninstaller_984.exe

c:\windows\Installer\151ead.msp

c:\windows\Installer\151f3b.msp

c:\windows\Installer\151f5f.msp

c:\windows\Installer\151f60.msp

c:\windows\Installer\151f72.msp

c:\windows\Installer\151f85.msp

c:\windows\Installer\377d2ef.msp

c:\windows\Installer\377d333.msp

c:\windows\Installer\3a90fe6.msp

c:\windows\Installer\490ad4d.msp

c:\windows\Installer\699fbc.msp

c:\windows\Installer\9cb43ef.msp

c:\windows\Installer\b102.msp

c:\windows\Installer\fe3aa63.msp

c:\windows\Installer\fe3aa75.msp

c:\windows\kb913800.exe

c:\windows\patch.exe

c:\windows\system32\41.exe

c:\windows\system32\edixo.dl

c:\windows\system32\umefaq.scr

c:\windows\system32\wozyfodu.ban

.

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))

.

2009-09-28 15:12 . 2009-09-28 15:12 -------- d-----w- c:\program files\Trend Micro

2009-09-27 13:32 . 2009-09-27 13:32 -------- dc-h--w- c:\windows\ie8

2009-09-26 15:13 . 2009-09-26 15:13 -------- d-sh--w- c:\documents and settings\Ben Dover\IECompatCache

2009-09-26 13:44 . 2009-09-26 13:44 13362 ----a-w- c:\windows\system32\xecywu.com

2009-09-26 13:44 . 2009-09-26 13:44 18864 ----a-w- c:\documents and settings\Ben Dover\Local Settings\Application Data\petawota.dat

2009-09-26 13:41 . 2009-09-26 13:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2009-09-26 13:28 . 2009-09-26 20:25 -------- d-----w- c:\documents and settings\Ben Dover\Application Data\BitTorrent

2009-09-09 20:56 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-30 04:08 . 2008-08-13 01:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-30 04:07 . 2006-02-20 16:47 -------- d-----w- c:\program files\Dl_cats

2009-09-30 04:06 . 2005-12-19 01:48 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000005-00000000-00000004-00001102-00000004-20061102}.dat

2009-09-30 04:06 . 2005-12-19 01:48 384 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000004-00001102-00000004-20061102}.dat

2009-09-29 10:34 . 2008-09-03 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-09-26 14:58 . 2008-10-24 23:40 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-09-26 14:26 . 2005-12-19 02:01 -------- d-----w- c:\program files\McAfee

2009-09-26 13:44 . 2009-09-26 13:44 12017 ----a-w- c:\documents and settings\Ben Dover\Application Data\efag.dat

2009-09-26 13:44 . 2009-09-26 13:44 12765 ----a-w- c:\documents and settings\All Users\Application Data\cyrac.dat

2009-09-13 09:38 . 2008-06-06 13:35 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-11 11:27 . 2008-10-24 23:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-10 20:17 . 2009-03-29 03:43 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-10 18:54 . 2008-10-24 23:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 18:53 . 2008-10-24 23:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-05 14:26 . 2006-04-23 03:53 -------- d-----w- c:\documents and settings\Ben Dover\Application Data\Yahoo!

2009-09-03 13:41 . 2005-12-19 01:41 -------- d-----w- c:\program files\Java

2009-08-17 16:50 . 2009-06-02 15:44 -------- d-----w- c:\program files\ATT-SST

2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-25 09:23 . 2008-11-23 15:32 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-17 19:01 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-16 16:32 . 2007-01-20 23:14 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2009-07-14 03:43 . 2005-08-16 10:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-08 17:44 . 2007-01-20 23:14 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2009-07-08 17:44 . 2007-01-20 23:14 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2009-07-08 17:44 . 2007-01-20 23:14 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-07-08 17:44 . 2007-01-20 23:14 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2009-07-08 17:43 . 2007-01-20 23:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2009-07-03 17:09 . 2005-08-16 10:18 915456 ----a-w- c:\windows\system32\wininet.dll

2008-09-20 19:40 . 2006-03-05 15:29 88 --sh--r- c:\windows\system32\E8A1BFC656.sys

2008-09-20 19:40 . 2005-12-31 17:17 3558 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]

@="{E4000AC4-5E5F-4956-807A-C5854405D64F}"

[HKEY_CLASSES_ROOT\CLSID\{E4000AC4-5E5F-4956-807A-C5854405D64F}]

2006-08-27 22:27 73728 ----a-w- c:\windows\system32\VirtualExpander\VEShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MySecurityVault Tray"="c:\program files\WhiteCanyon\MySecurityVault\MySecurityVault_TrayIcon.exe" [2008-10-24 1447624]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-25 68856]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-02-11 801904]

"ATT-SST"="c:\program files\ATT-SST\McciBrowser.exe" [2008-12-03 1040896]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]

"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-12-19 26112]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 58984]

"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-09-10 1537648]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 69632]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2004-03-11 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-18 24576]

Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2005-12-18 917611]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-26 14:58 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2009-03-23 23:17 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Ben Dover^Start Menu^Programs^Startup^scandisk.dll]

path=c:\documents and settings\Ben Dover\Start Menu\Programs\Startup\scandisk.dll

backup=c:\windows\pss\scandisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Ben Dover^Start Menu^Programs^Startup^scandisk.lnk]

path=c:\documents and settings\Ben Dover\Start Menu\Programs\Startup\scandisk.lnk

backup=c:\windows\pss\scandisk.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Ben Dover^Start Menu^Programs^Startup^VirtualExpander.lnk]

path=c:\documents and settings\Ben Dover\Start Menu\Programs\Startup\VirtualExpander.lnk

backup=c:\windows\pss\VirtualExpander.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\WildTangent\\Apps\\Dell Game Console\\GameConsole.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"c:\\WINDOWS\\system32\\dlcdcoms.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlcdPSWX.EXE"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\The Weather Channel FW\\Desktop\\DesktopWeather.exe"=

"c:\\Program Files\\Common Files\\McAfee\\McProxy\\McProxy.exe"=

"c:\\Program Files\\McAfee\\SiteAdvisor\\McSACore.exe"=

"c:\\WINDOWS\\system32\\dwwin.exe"=

"c:\\WINDOWS\\ehome\\ehtray.exe"=

"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=

"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"135:TCP"= 135:TCP:TCP Port 135

"5000:TCP"= 5000:TCP:TCP Port 5000

"5001:TCP"= 5001:TCP:TCP Port 5001

"5002:TCP"= 5002:TCP:TCP Port 5002

"5003:TCP"= 5003:TCP:TCP Port 5003

"5004:TCP"= 5004:TCP:TCP Port 5004

"5005:TCP"= 5005:TCP:TCP Port 5005

"5006:TCP"= 5006:TCP:TCP Port 5006

"5007:TCP"= 5007:TCP:TCP Port 5007

"5008:TCP"= 5008:TCP:TCP Port 5008

"5009:TCP"= 5009:TCP:TCP Port 5009

"5010:TCP"= 5010:TCP:TCP Port 5010

"5011:TCP"= 5011:TCP:TCP Port 5011

"5012:TCP"= 5012:TCP:TCP Port 5012

"5013:TCP"= 5013:TCP:TCP Port 5013

"5014:TCP"= 5014:TCP:TCP Port 5014

"5015:TCP"= 5015:TCP:TCP Port 5015

"5016:TCP"= 5016:TCP:TCP Port 5016

"5017:TCP"= 5017:TCP:TCP Port 5017

"5018:TCP"= 5018:TCP:TCP Port 5018

"5019:TCP"= 5019:TCP:TCP Port 5019

"5020:TCP"= 5020:TCP:TCP Port 5020

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 2:07 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 74480]

R2 azigo-service;azigo-service;c:\program files\Azigo Services\azigo-service.exe -u --> c:\program files\Azigo Services\azigo-service.exe -u [?]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/30/2008 11:04 PM 210216]

R3 atinewp2;ATI eHomeWonder, WDM Video CODEC;c:\windows\system32\drivers\atinewp2.sys [12/18/2005 9:22 PM 485888]

R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]

S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [12/18/2005 9:43 PM 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

Contents of the 'Scheduled Tasks' folder

2009-09-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-30 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-04-05 11:51]

2008-09-15 c:\windows\Tasks\McDefragTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-20 01:26]

2009-02-01 c:\windows\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-20 01:26]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: {{6081DC41-E874-4313-A2CB-83EA00B921FD} - res://c:\program files\Azigo Services\remindme@azigo.com.dll/201

Trusted Zone: facebook.com\apps

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: motive.com\patttbc.att

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

HKCU-Run-calc - c:\docume~1\Leenda\protect.dll

AddRemove-bpbkeccufxnj - c:\windows\system32\bpbkeccufxnj.exe

AddRemove-SBC Self Support Tool - c:\docume~1\Leenda\LOCALS~1\Temp\SST\CustomUninstall.exe

AddRemove-SBC Yahoo! UMUninstaller - c:\program files\SBC Yahoo!\umuninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-30 00:08

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DLCDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,64,ce,bd,b0,a8,80,4b,90,6e,0b,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,64,ce,bd,b0,a8,80,4b,90,6e,0b,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(5448)

c:\windows\system32\WININET.dll

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\windows\system32\VirtualExpander\VEShellExt.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE

c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\CTSVCCDA.EXE

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\program files\Common Files\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\McAfee\MPF\MpfSrv.exe

c:\program files\McAfee\MSK\msksrver.exe

c:\program files\Norton Ghost\Agent\VProSvc.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\windows\system32\fxssvc.exe

c:\windows\ehome\mcrdsvc.exe

c:\progra~1\McAfee.com\Agent\mcagent.exe

c:\windows\system32\PRISMSVR.exe

c:\progra~1\Yahoo!\browser\ycommon.exe

c:\windows\system32\dlcdcoms.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\Azigo Services\azigo-service.exe

c:\program files\Azigo Services\ss-runner.exe

.

**************************************************************************

.

Completion time: 2009-09-30 0:11 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-30 04:11

Pre-Run: 61,772,382,208 bytes free

Post-Run: 61,992,579,072 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptIn

327 --- E O F --- 2009-09-29 11:44

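A small triage script for the bracketed registry dump ComboFix prints above. This is an added example for this thread, not ComboFix's code and not something the helper posted. It parses the `[key]` headers followed by `"name"=value` lines and flags the settings a reviewer checks first: Security Center monitoring turned off, Windows Firewall disabled for the standard profile, globally open ports, and non-shortcut files staged in the Startup folder. The sample log is constructed in the same shape as the lines above (user path shortened to `User`); the rules and severities are my own, not anything the thread defines.

```python
"""Triage helper for the bracketed registry dump that ComboFix prints.

Added example for this thread; it is not ComboFix's code and not something
the forum helper posted. It parses "[key]" headers followed by
"name"=value lines and flags a handful of settings a reviewer checks first.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the same shape as the ComboFix log above (user path
# shortened to "User"); not a copy of the original log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^scandisk.dll]
path=c:\documents and settings\User\Start Menu\Programs\Startup\scandisk.dll
backup=c:\windows\pss\scandisk.dllStartup
[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^VirtualExpander.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\VirtualExpander.lnk
backup=c:\windows\pss\VirtualExpander.lnkStartup
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"?(?P<name>[^"=]*)"?\s*=\s*(?P<value>.*)$')

Entry = Tuple[str, str, str]  # (normalised key, value name, raw value text)


def parse_entries(text: str) -> List[Entry]:
    """Walk the dump line by line, tracking the current [key] header."""
    entries: List[Entry] = []
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            # ComboFix mixes HKEY_LOCAL_MACHINE and HKLM; fold to one form.
            current = m.group("key").lower().replace("hkey_local_machine", "hklm")
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries.append((current, m.group("name"), m.group("value").strip()))
    return entries


def _dword(value: str) -> Optional[int]:
    """Decode ComboFix's dword:XXXXXXXX notation; None for other value types."""
    if value.lower().startswith("dword:"):
        return int(value.split(":", 1)[1], 16)
    return None


def triage(text: str) -> List[Dict[str, str]]:
    """Return findings as {severity, key, detail}, in log order.

    'info' marks settings a registered third-party suite sets legitimately;
    'warn' marks items that need a human to confirm what put them there.
    """
    findings: List[Dict[str, str]] = []
    for key, name, value in parse_entries(text):
        lname = name.lower()
        if "security center\\monitoring" in key and lname == "disablemonitoring" and _dword(value) == 1:
            findings.append({"severity": "info", "key": key,
                             "detail": "Security Center monitoring off; expected when a third-party "
                                       "suite is registered, confirm that suite is actually running"})
        elif key.endswith("firewallpolicy\\standardprofile") and lname == "enablefirewall" and value.startswith("0"):
            findings.append({"severity": "warn", "key": key,
                             "detail": "Windows Firewall disabled for the standard profile"})
        elif key.endswith("globallyopenports\\list"):
            parts = value.split(":")
            if len(parts) >= 2:
                findings.append({"severity": "warn", "key": key,
                                 "detail": f"port {parts[0]}/{parts[1]} opened to all addresses"})
        elif "startupfolder" in key and lname == "path" and not value.lower().endswith((".lnk", ".exe")):
            # Explorer launches shortcuts and executables from Startup; a bare
            # .dll parked there is staged for something else to load it.
            findings.append({"severity": "warn", "key": key,
                             "detail": f"non-shortcut file staged in Startup folder: {value}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['detail']}")
```

The two "info" style entries (Security Center `DisableMonitoring=1` and `EnableFirewall=0`) are exactly what a registered suite such as the McAfee products in this log writes so that Windows defers to it, so the script reports them for review rather than as verdicts; the useful check is whether the suite's own processes are still running, which the "Other Running Processes" list above answers. The Startup-folder rule is the one that matches the `scandisk.dll` entry Malwarebytes had already detected.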

  • Staff

Hi,

I wasn't saying that Registry Mechanic was the cause here, I'm saying that Registry Mechanic interfered with the Mbam cleanup after reboot. ;)

Navigate to and delete the following files:

c:\windows\system32\xecywu.com

c:\documents and settings\Ben Dover\Local Settings\Application Data\petawota.dat

c:\documents and settings\Ben Dover\Application Data\efag.dat

c:\documents and settings\All Users\Application Data\cyrac.dat

Then go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.


HI,

Computer is doing much better. Followed your instructions and deleted specified files. Have run Malwarebytes twice...no errors, and SuperAnti Spyware which found just usual tracking cookies. Can open emails now and Internet Explorer no longer shuts down due to Data Execution problem. Ran script to delete ComboFix...all is well. PC is actually running faster than it has in a long time. Many thanks for your speedy help.

Just one note...I really didn't explain it well so will try again. When the PC first got infected and I ran Malware and did a reboot, I didn't have Registry Mechanic loaded on my PC. Malwarebytes found 30 files and deleted all but these 8 files on the reboot. Two days later I downloaded Registry Mechanic and Spy Doctor as a possible fix but never used them.

Thanks again for all your help...you really saved the day for me!!!!! :D:D:D


  • Staff

Glad I could help. :D

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

This topic is now closed to further replies.