
Can someone please help me make sense of his?



I had a few viruses on my PC a few weeks ago, but was able to get rid of them. They were nasty. I could not work the computer at all. Anyway, for a few days now my PC has been working rather slow in addition to freezing a couple of times. I have cleaned it, run Malwarebytes, Windows Safety, McAfee... nothing. So, how about this? Only, I have no idea how to read it... HELP! PLEASE!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:33:25 PM, on 3/25/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter

O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iSUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab

O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O22 - SharedTaskScheduler: jugezatag - {64e8ab68-05b3-469f-b9d3-528ac31f97b2} - (no file)

O22 - SharedTaskScheduler: tokatiluy - {e2334743-e35d-4fdb-9163-5ef8d3d8781c} - (no file)

O23 - Service: McAfee Application Installer Cleanup (0247001269424428) (0247001269424428mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\024700~1.EXE

O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--

End of file - 9070 bytes

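The log above is what the poster asked how to read. As an added example (not from this thread, from HijackThis or from Malwarebytes), here is a small Python triage script that parses lines in the HijackThis log format and flags the entry shapes a helper looks at first: targets reported as (no file), autostarts running out of a Temp directory, unnamed BHOs, and O2/O22 names that look machine-generated. The sample lines are constructed from entries in the log above, and every flag is a lead for review, not a verdict.

```python
import re

# Constructed sample: a few lines in HijackThis v2 log format, modelled on the
# kinds of entries in the log above (orphaned BHO, two O22 entries with
# generated-looking names, a service running out of TEMP, and benign controls).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O22 - SharedTaskScheduler: jugezatag - {64e8ab68-05b3-469f-b9d3-528ac31f97b2} - (no file)
O22 - SharedTaskScheduler: tokatiluy - {e2334743-e35d-4fdb-9163-5ef8d3d8781c} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0247001269424428) (0247001269424428mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\024700~1.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

# Every HijackThis entry starts with a section code such as R0, O2, O22, O23.
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<rest>.+)$")
VOWELS = set("aeiouy")


def looks_generated(name: str) -> bool:
    """Lowercase-only token of 7+ letters with a roughly even vowel/consonant
    mix: the shape of the pronounceable-but-meaningless names in the O22
    entries above. A heuristic, so it is a reason to look, not a verdict."""
    if not re.fullmatch(r"[a-z]{7,14}", name):
        return False
    ratio = sum(c in VOWELS for c in name) / len(name)
    return 0.3 <= ratio <= 0.6


def parse_entry(line: str):
    """Split one log line into section code, display name and target path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    fields = rest.split(" - ")          # "Category: name - {CLSID} - path"
    head, target = fields[0], fields[-1].strip()
    # Drop the "BHO: " / "SharedTaskScheduler: " / "Service: " category prefix.
    name = head.split(": ", 1)[1] if ": " in head else head
    return {"kind": kind, "name": name, "target": target, "line": line.strip()}


def assess(entry: dict) -> list:
    """Return the reasons an entry deserves a closer look (empty if none)."""
    reasons = []
    if entry["target"] == "(no file)":
        reasons.append("points at a file that no longer exists (orphaned hook)")
    if re.search(r"\\temp\\", entry["target"], re.IGNORECASE):
        reasons.append("runs from a Temp directory")
    if entry["kind"] == "O2" and entry["name"] == "(no name)":
        reasons.append("BHO registered without a name")
    if entry["kind"] in ("O2", "O22") and looks_generated(entry["name"]):
        reasons.append("name looks machine-generated")
    return reasons


def triage(log_text: str) -> list:
    """Parse a whole log and keep only the entries that raised a reason."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            entry["reasons"] = reasons
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<4} {f['name']!r:<40} -> {'; '.join(f['reasons'])}")
```

Vendor installers also register cleanup services under Temp, so the O23 hit above is exactly the kind of entry a helper confirms against the vendor name and file before acting.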

Hi Amazon And

:)

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Click Exit on the Main menu to close the program.

Next

Update Run Malwarebytes

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to Always ask me where to Save the files.
  • During the download, rename Combofix to Combo-Fix as follows:

(screenshots: CF_download_FF.gif, CF_download_rename.gif)

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.


WOW! Long errand.... :) You still with me Amazon?

Yeah... I'm still here, Kenny94... :) Hoping you are still around... :)

So, here we go:

ComboFix 10-04-02.01 - TEST 04/03/2010 12:15:52.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.219 [GMT -5:00]

Running from: c:\documents and settings\TEST\My Documents\Combo-Fix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk

c:\program files\Common

c:\program files\Common\_helper.sig

c:\windows\AppPatch\AcAdProc.dll

c:\windows\system32\_000111_.tmp.dll

c:\windows\system32\jiwupepo.dll

c:\windows\system32\lulilupa.dll

c:\windows\system32\yeyanasi.dll

c:\windows\system32\zokozaro.dll

c:\windows\Tasks\etgputny.job

c:\windows\Tasks\qsrwgtfr.job

c:\windows\Temp\0100111270062129mcinst.exe

c:\windows\wiaservim.log

.

((((((((((((((((((((((((( Files Created from 2010-03-03 to 2010-04-03 )))))))))))))))))))))))))))))))

.

2010-03-11 15:31 . 2010-03-11 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-03 14:56 . 2010-02-28 16:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-03 12:54 . 2009-03-29 22:34 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-02 20:43 . 2009-11-19 03:34 34988 ----a-w- c:\documents and settings\TEST\Application Data\wklnhst.dat

2010-04-01 06:49 . 2006-03-30 03:39 -------- d-----w- c:\program files\McAfee

2010-04-01 06:46 . 2010-04-01 06:46 699904 ----a-w- c:\windows\isRS-000.tmp

2010-04-01 06:45 . 2010-04-01 06:45 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-03-30 05:46 . 2010-02-28 16:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 05:45 . 2010-02-28 16:01 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-25 20:24 . 2009-05-29 16:00 -------- d-----w- c:\program files\Windows Live Safety Center

2010-03-10 22:18 . 2006-06-04 13:47 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-03-10 22:18 . 2006-06-04 13:47 56 --sh--r- c:\windows\system32\052D24DE9B.sys

2010-03-09 07:25 . 2010-03-09 07:25 30784 ----a-w- c:\windows\system32\drivers\sehlnvny.sys

2010-03-08 07:05 . 2010-03-08 07:05 30784 ----a-w- c:\windows\system32\drivers\gfqpmsvx.sys

2010-03-07 21:13 . 2010-03-07 21:13 30784 ----a-w- c:\windows\system32\drivers\hktxsgca.sys

2010-03-06 17:14 . 2010-03-06 17:14 30784 ----a-w- c:\windows\system32\drivers\uhsunsyl.sys

2010-03-04 02:19 . 2010-03-04 02:19 348160 ----a-w- c:\documents and settings\TEST\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7db26cf0-n\msvcr71.dll

2010-03-04 02:19 . 2010-03-04 02:19 61440 ----a-w- c:\documents and settings\TEST\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-62e3469f-n\decora-sse.dll

2010-03-04 02:19 . 2010-03-04 02:19 503808 ----a-w- c:\documents and settings\TEST\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7db26cf0-n\msvcp71.dll

2010-03-04 02:19 . 2010-03-04 02:19 499712 ----a-w- c:\documents and settings\TEST\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7db26cf0-n\jmc.dll

2010-03-04 02:19 . 2010-03-04 02:19 12800 ----a-w- c:\documents and settings\TEST\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-62e3469f-n\decora-d3d.dll

2010-03-04 02:19 . 2010-03-04 02:19 -------- d-----w- c:\program files\Common Files\Java

2010-03-04 02:18 . 2010-03-04 02:19 411368 ----a-w- c:\windows\system32\REN957.tmp

2010-03-04 02:18 . 2010-03-04 02:18 -------- d-----w- c:\program files\Java

2010-03-04 01:10 . 2006-03-30 03:36 -------- d-----w- c:\program files\Microsoft Money 2006

2010-02-28 19:51 . 2010-02-28 19:51 -------- d-----w- c:\program files\Trend Micro

2010-02-08 03:26 . 2010-02-08 03:26 -------- d-----w- c:\documents and settings\TEST\Application Data\Uniblue

2010-02-08 03:25 . 2010-02-08 03:25 -------- d-----w- c:\program files\Uniblue

2010-01-03 14:57 . 2010-01-03 14:57 61952 --sha-w- c:\windows\system32\jabopibo.dll

2010-01-03 14:56 . 2010-01-03 14:56 61952 --sha-w- c:\windows\system32\mepagasa.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39f25fab-2478-4748-8c37-6fde9b5d4973}]

2010-01-03 14:56 61952 --sha-w- c:\windows\system32\mepagasa.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 68856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-11-20 122880]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-20 30192]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-30 98304]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-08-04 10:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]

2009-05-21 15:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeeantivirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeefirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe"=

"c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/26/2009 9:31 AM 93320]

S2 0100111270062129mcinstcleanup;McAfee Application Installer Cleanup (0100111270062129);c:\windows\TEMP\010011~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\010011~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 6:36 AM 135664]

S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/29/2006 10:40 PM 30192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 11:36]

2010-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 11:36]

2006-04-09 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 10:00]

2010-03-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-26 17:22]

2010-04-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-26 17:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.charter.net/

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

Trusted Zone: musicmatch.com\online

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-jonunugelo - jiwupepo.dll

HKLM-Run-devenafin - c:\windows\system32\yeyanasi.dll

SharedTaskScheduler-{64e8ab68-05b3-469f-b9d3-528ac31f97b2} - (no file)

SharedTaskScheduler-{e2334743-e35d-4fdb-9163-5ef8d3d8781c} - (no file)

SharedTaskScheduler-{abe0126d-e79a-4a92-8f87-5c0fa9d7c72a} - c:\windows\system32\yeyanasi.dll

SSODL-mehupuvil-{abe0126d-e79a-4a92-8f87-5c0fa9d7c72a} - c:\windows\system32\yeyanasi.dll

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-03 12:42

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3240)

c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\program files\McAfee\MSK\MskSrver.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe

c:\windows\system32\Rundll32.exe

c:\windows\system32\Rundll32.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe

.

**************************************************************************

.

Completion time: 2010-04-03 12:43:57 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-03 17:43

Pre-Run: 32,950,534,144 bytes free

Post-Run: 33,150,353,408 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - F3FEFDCFB2ED1AF955D63BA5FA9464ED

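The helper's next request (submit 052D24DE9B.sys) comes from reading the Find3M Report section of the log above. As an added example (not from this thread or from ComboFix), here is a Python parser for lines in that format that surfaces two of the things a helper scans for: files carrying both the hidden and system attributes, and groups of same-size files under unrelated names in one directory. The sample lines are constructed from the report above; reading the attribute letters d/s/h/r by membership rather than by position is an assumption about the format.

```python
import re
from collections import defaultdict

# Constructed sample in ComboFix "Find3M Report" format, taken from the kinds
# of lines in the log above: a directory, ordinary files, hidden+system files
# in system32, and four same-size drivers with unrelated names.
SAMPLE_REPORT = r"""
2010-04-03 12:54 . 2009-03-29 22:34 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-01 06:49 . 2006-03-30 03:39 -------- d-----w- c:\program files\McAfee
2010-03-30 05:46 . 2010-02-28 16:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2010-02-28 16:01 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 22:18 . 2006-06-04 13:47 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-10 22:18 . 2006-06-04 13:47 56 --sh--r- c:\windows\system32\052D24DE9B.sys
2010-03-09 07:25 . 2010-03-09 07:25 30784 ----a-w- c:\windows\system32\drivers\sehlnvny.sys
2010-03-08 07:05 . 2010-03-08 07:05 30784 ----a-w- c:\windows\system32\drivers\gfqpmsvx.sys
2010-03-07 21:13 . 2010-03-07 21:13 30784 ----a-w- c:\windows\system32\drivers\hktxsgca.sys
2010-03-06 17:14 . 2010-03-06 17:14 30784 ----a-w- c:\windows\system32\drivers\uhsunsyl.sys
2010-01-03 14:57 . 2010-01-03 14:57 61952 --sha-w- c:\windows\system32\jabopibo.dll
2010-01-03 14:56 . 2010-01-03 14:56 61952 --sha-w- c:\windows\system32\mepagasa.dll
"""

# <modified> . <created> <size or --------> <attribute flags> <path>
LINE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+)$"
)


def parse_find3m(text: str) -> list:
    """Parse report lines into dicts. Only the d/s/h/r attribute letters are
    interpreted (directory, system, hidden, read-only); the rest is kept raw."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        directory, _, name = path.rpartition("\\")
        attrs = m.group("attrs")
        entries.append({
            "modified": m.group("modified"),
            "created": m.group("created"),
            "size": int(m.group("size")) if m.group("size").isdigit() else None,
            "attrs": attrs,
            "is_dir": "d" in attrs,
            "hidden": "h" in attrs,
            "system": "s" in attrs,
            "dir": directory.lower(),
            "name": name,
            "path": path,
        })
    return entries


def hidden_system_files(entries: list) -> list:
    """Files (not directories) carrying both the hidden and system attributes.
    Legitimate licensing/DRM files use this combination too, so it is a lead
    to submit for a second opinion, as the helper does above, not a verdict."""
    return [e for e in entries if not e["is_dir"] and e["hidden"] and e["system"]]


def same_size_clusters(entries: list, min_count: int = 2) -> dict:
    """Group files by (directory, byte size) and return groups of at least
    min_count distinct names: a dropper re-writing the same payload under a
    fresh random filename on each run shows up as exactly this pattern."""
    groups = defaultdict(list)
    for e in entries:
        if e["size"] is not None:
            groups[(e["dir"], e["size"])].append(e["name"])
    return {k: v for k, v in groups.items() if len(set(v)) >= min_count}


if __name__ == "__main__":
    entries = parse_find3m(SAMPLE_REPORT)
    for e in hidden_system_files(entries):
        print(f"hidden+system: {e['path']} ({e['attrs']}, {e['size']} bytes)")
    for (directory, size), names in same_size_clusters(entries).items():
        print(f"{len(names)} files of {size} bytes in {directory}: {', '.join(names)}")
```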

Check a file/files

Use your browser to go here at Virustotal website

Click the Browse button and then navigate to

c:\windows\system32\052D24DE9B.sys

then click the Submit button.

The various virus scanners will identify the file and if it is not identified, the AV vendors will then have a copy of it for analysis. Save the results, and post back here in a reply.


You will need to enable hidden files and folders by doing the following:

Windows XP

* Click Start.

* Open My Computer.

* Select the Tools menu and click Folder Options.

* Select the View Tab.

* Under the Hidden files and folders heading select Show hidden files and folders.

* Uncheck the Hide protected operating system files (recommended) option.

* Click Yes to confirm.

* Click OK.

Then upload the file.


Thanx. I thought I had "unhidden" files before...I guess some of my settings have changed...

BTW: I just noticed that I may have a problem with Malwarebytes. The icon has gone blank... :)

Anyway: Here are the results:

a-squared 4.5.0.50 2010.04.03 -

AhnLab-V3 5.0.0.2 2010.04.03 -

AntiVir 7.10.6.24 2010.04.03 -

Antiy-AVL 2.0.3.7 2010.04.02 -

Authentium 5.2.0.5 2010.04.03 -

Avast 4.8.1351.0 2010.04.03 -

Avast5 5.0.332.0 2010.04.03 -

AVG 9.0.0.787 2010.04.03 -

BitDefender 7.2 2010.04.03 -

CAT-QuickHeal 10.00 2010.04.03 -

ClamAV 0.96.0.0-git 2010.04.03 -

Comodo 4488 2010.04.03 -

DrWeb 5.0.2.03300 2010.04.03 -

eSafe 7.0.17.0 2010.04.01 -

eTrust-Vet 35.2.7405 2010.04.02 -

F-Prot 4.5.1.85 2010.04.03 -

F-Secure 9.0.15370.0 2010.04.03 -

Fortinet 4.0.14.0 2010.04.03 -

GData 19 2010.04.03 -

Ikarus T3.1.1.80.0 2010.04.03 -

Jiangmin 13.0.900 2010.04.03 -

K7AntiVirus 7.10.1004 2010.03.22 -

Kaspersky 7.0.0.125 2010.04.03 -

McAfee 5937 2010.03.31 -

McAfee+Artemis 5937 2010.03.31 -

McAfee-GW-Edition 6.8.5 2010.04.03 -

Microsoft 1.5605 2010.04.03 -

NOD32 4997 2010.04.03 -

Norman 6.04.10 2010.04.03 -

nProtect 2009.1.8.0 2010.04.03 -

Panda 10.0.2.2 2010.04.03 -

PCTools 7.0.3.5 2010.04.03 -

Prevx 3.0 2010.04.03 -

Rising 22.41.04.05 2010.04.02 -

Sophos 4.52.0 2010.04.03 -

Sunbelt 6134 2010.04.03 -

Symantec 20091.2.0.41 2010.04.03 -

TheHacker 6.5.2.0.251 2010.04.02 -

TrendMicro 9.120.0.1004 2010.04.03 -

VBA32 3.12.12.4 2010.04.02 -

ViRobot 2010.4.3.2259 2010.04.03 -

VirusBuster 5.0.27.0 2010.04.03 -

Additional information

File size: 56 bytes

MD5...: 3bff8a8a93cddfa5939db4c73be76db9

SHA1..: e474853790f4540c404c67b8636209293639a252

SHA256: b8995b28dd64498954f4d2585856c47b278e17ed301d3e4cbadb3f65e810ef64

ssdeep: 3:/lCC/ju5dn:QCLun

PEiD..: -

PEInfo: -

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: MS Flight Simulator Aircraft Performance Info (100.0%)

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned


I would like you to generate an "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:

To get an Uninstall List from HijackThis:

  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


Run CFScript

  • Close any open browsers.
  • Open Notepad by click start
  • Click Run
  • Type notepad into the box and click enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

http://forums.malwarebytes.org/index.php?showtopic=44633
KILLALL::

Collect::
c:\windows\system32\jabopibo.dll
c:\windows\system32\mepagasa.dll

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

(screenshot: CFScriptB-4.gif)

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with an "Add/Remove Software list".

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


OK, this is the first portion. The second one coming up...

PS: I am getting some strange messages from my system (strange, as in: I have not seen them before, like "adv windows client service encountered problem and needs to shut down?")

32 Bit HP CIO Components Installer

Adobe Download Manager 2.0 (Remove Only)

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 7.0.8

Adobe


So, here is the Combofix log. Now, I hope the CFScript worked, as before the combofix ran, I allowed it to update and then start again... Please let me know if I should re-do this. I don't know how to tell if it worked...

Thanx!

ComboFix 10-04-03.02 - TEST 04/03/2010 21:56:39.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.228 [GMT -5:00]

Running from: c:\documents and settings\TEST\My Documents\Combo-Fix.exe

Command switches used :: c:\documents and settings\TEST\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

file zipped: c:\windows\system32\jabopibo.dll

file zipped: c:\windows\system32\mepagasa.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\jabopibo.dll

c:\windows\system32\mepagasa.dll

.

((((((((((((((((((((((((( Files Created from 2010-03-04 to 2010-04-04 )))))))))))))))))))))))))))))))

.

2010-03-11 15:31 . 2010-03-11 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-03 23:35 . 2009-03-29 22:34 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-03 14:56 . 2010-02-28 16:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-02 20:43 . 2009-11-19 03:34 34988 ----a-w- c:\documents and settings\TEST\Application Data\wklnhst.dat

2010-04-01 06:49 . 2006-03-30 03:39 -------- d-----w- c:\program files\McAfee

2010-04-01 06:46 . 2010-04-01 06:46 699904 ----a-w- c:\windows\isRS-000.tmp

2010-04-01 06:45 . 2010-04-01 06:45 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-03-30 05:46 . 2010-02-28 16:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 05:45 . 2010-02-28 16:01 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-25 20:24 . 2009-05-29 16:00 -------- d-----w- c:\program files\Windows Live Safety Center

2010-03-10 22:18 . 2006-06-04 13:47 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-03-10 22:18 . 2006-06-04 13:47 56 --sh--r- c:\windows\system32\052D24DE9B.sys

2010-03-09 07:25 . 2010-03-09 07:25 30784 ----a-w- c:\windows\system32\drivers\sehlnvny.sys

2010-03-08 07:05 . 2010-03-08 07:05 30784 ----a-w- c:\windows\system32\drivers\gfqpmsvx.sys

2010-03-07 21:13 . 2010-03-07 21:13 30784 ----a-w- c:\windows\system32\drivers\hktxsgca.sys

2010-03-06 17:14 . 2010-03-06 17:14 30784 ----a-w- c:\windows\system32\drivers\uhsunsyl.sys

2010-03-04 02:19 . 2010-03-04 02:19 348160 ----a-w- c:\documents and settings\TEST\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7db26cf0-n\msvcr71.dll

2010-03-04 02:19 . 2010-03-04 02:19 61440 ----a-w- c:\documents and settings\TEST\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-62e3469f-n\decora-sse.dll

2010-03-04 02:19 . 2010-03-04 02:19 503808 ----a-w- c:\documents and settings\TEST\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7db26cf0-n\msvcp71.dll

2010-03-04 02:19 . 2010-03-04 02:19 499712 ----a-w- c:\documents and settings\TEST\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7db26cf0-n\jmc.dll

2010-03-04 02:19 . 2010-03-04 02:19 12800 ----a-w- c:\documents and settings\TEST\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-62e3469f-n\decora-d3d.dll

2010-03-04 02:19 . 2010-03-04 02:19 -------- d-----w- c:\program files\Common Files\Java

2010-03-04 02:18 . 2010-03-04 02:19 411368 ----a-w- c:\windows\system32\REN957.tmp

2010-03-04 02:18 . 2010-03-04 02:18 -------- d-----w- c:\program files\Java

2010-03-04 01:10 . 2006-03-30 03:36 -------- d-----w- c:\program files\Microsoft Money 2006

2010-02-28 19:51 . 2010-02-28 19:51 -------- d-----w- c:\program files\Trend Micro

2010-02-08 03:26 . 2010-02-08 03:26 -------- d-----w- c:\documents and settings\TEST\Application Data\Uniblue

2010-02-08 03:25 . 2010-02-08 03:25 -------- d-----w- c:\program files\Uniblue

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 68856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-11-20 122880]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-20 30192]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-30 98304]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"jonunugelo"="jiwupepo.dll" [bU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-08-04 10:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]

2009-05-21 15:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeeantivirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeefirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe"=

"c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/26/2009 9:31 AM 93320]

S2 0100111270062129mcinstcleanup;McAfee Application Installer Cleanup (0100111270062129);c:\windows\TEMP\010011~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\010011~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 6:36 AM 135664]

S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/29/2006 10:40 PM 30192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 11:36]

2010-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 11:36]

2006-04-09 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 10:00]

2010-03-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-26 17:22]

2010-04-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-26 17:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.charter.net/

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

Trusted Zone: musicmatch.com\online

.

- - - - ORPHANS REMOVED - - - -

BHO-{39f25fab-2478-4748-8c37-6fde9b5d4973} - mepagasa.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-03 22:11

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3108)

c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\program files\McAfee\MSK\MskSrver.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\windows\system32\Rundll32.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-04-03 22:18:04 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-04 03:17

ComboFix2.txt 2010-04-03 17:43

Pre-Run: 32,859,987,968 bytes free

Post-Run: 32,992,993,280 bytes free

- - End Of File - - B36971CA399C98C4C1A8B7B5580953F2

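The question that opened this thread was how to read a log like the one above. As an added example (not a tool from this forum or from ComboFix), here is a small triage script for the "Reg Loading Points" section: it flags Run entries that carry no full path and no date/size stamp (the shape of the "jonunugelo"="jiwupepo.dll" line), Security Center monitoring that has been switched off, and a disabled Windows Firewall standard profile. The sample input is constructed to mirror the log's format; the Security Center check is a "confirm it" finding, since the installed AV often sets that value itself.

```python
import re
from typing import List, Tuple

# Constructed excerpt in the shape of ComboFix's "Reg Loading Points" section
# (modelled on the log above; not the real log file).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"jonunugelo"="jiwupepo.dll" [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeeantivirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                 # [HKEY_...\...]
VAL_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')     # "name"=data
PATH_RE = re.compile(r'^"([^"]*)"\s*(.*)$')        # "path" [stamp]
STAMP_RE = re.compile(r'^\[\d{4}-\d{2}-\d{2} \d+\]$')  # [YYYY-MM-DD size]

Finding = Tuple[str, str, str]  # (registry key, value name, reason)


def triage_reg_loading_points(text: str) -> List[Finding]:
    """Walk the section line by line and return the entries worth a second look."""
    findings: List[Finding] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)          # remember which key the next values belong to
            continue
        vm = VAL_RE.match(line)
        if not vm:
            continue
        name, data = vm.group(1), vm.group(2).strip()
        low_key = key.lower()
        if low_key.endswith("\\run"):
            # ComboFix prints "[date size]" when it located the file. A value with no
            # directory in its path and no such stamp is how the random-named DLL
            # loaded at logon shows up in the log above.
            pm = PATH_RE.match(data)
            if pm and ("\\" not in pm.group(1) or not STAMP_RE.match(pm.group(2))):
                findings.append((key, name, "Run entry without full path/file stamp: " + data))
        elif "security center\\monitoring" in low_key and name.lower() == "disablemonitoring":
            if data.lower() == "dword:00000001":
                product = key.rsplit("\\", 1)[-1]
                findings.append((key, name, f"Security Center alerting suppressed for {product}; "
                                            "confirm the installed AV set this, not malware"))
        elif low_key.endswith("firewallpolicy\\standardprofile") and name.lower() == "enablefirewall":
            if re.match(r'^0\b', data):
                findings.append((key, name, "Windows Firewall standard profile is disabled"))
    return findings


if __name__ == "__main__":
    for k, n, why in triage_reg_loading_points(SAMPLE_LOG):
        print(f"{why}\n    {k}\\{n}")
```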

How are things now? By the way, Google Desktop uses a lot of your pc system resource.

Things are MUCH improved. You helped me address an issue a Windows tech could not.. As soon as I performed the first Combofix run, pages started to download MUCH faster, the occasional pop ups were no longer, and the processor calmed down. Unfortunately, as I was on the internet last night, I think I may have caught something again... I went on a news site I had not previously visited. There was this odd hiccup and the processor started to work hard again. Would it be ok if I ran Combofix again? :)

BTW: do you suggest I remove Google Desktop to speed things up?


We are not done yet... :) I wanted an update. If you don't use Google Desktop, I would remove it.

Update and Run Malwarebytes

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan, otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Next

Download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

In your next reply, please include these log(s):

MBAM Report

EsetOnlineScanner\log.txt

checkup.txt

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.


Well, I spoke too soon. The Malwarebytes icon did come back in full, but the system would not find the file. So, I uninstalled and downloaded again. It worked fine (I updated before running). Here is the log (Vundo is one of the viruses that have been dogging me for a while now; I delete it, it comes back...):

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3953

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

4/4/2010 12:23:50 PM

mbam-log-2010-04-04 (12-23-50).txt

Scan type: Quick scan

Objects scanned: 123367

Time elapsed: 16 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonunugelo (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Now, working on the rest.


Here is what ESET picked up:

C:\Qoobox\Quarantine\C\WINDOWS\system32\lulilupa.dll.vir a variant of Win32/Adware.SuperJuan.U application

I saved the above and checked off the Uninstall box. Once I pressed FINISH, the box showed me suggested product for sale, but nothing else happened. There was no file automatically saved, and I guess I will have to uninstall ESET manually. Strange...


And here is the last one:

Results of screen317's Security Check version 0.99.2

Windows XP Service Pack 2

Out of date service pack!!

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

McAfee SecurityCenter

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Java 6 Update 18

Adobe Flash Player 10

Adobe Reader 7.0.8

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

McAfee VIRUSS~1 mcshield.exe

McAfee VIRUSS~1 mcsysmon.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````
