lechau

System Integrity Threats, Winantivirus Pop-ups

11 posts in this topic

Hello, well since last Saturday my computer has been acting up, and I've been trying to remove the viruses through Ad-Aware, Windows Defender, and McAfee Anti-Virus. A lot of Trojans have been removed, but my computer's still getting pop-ups stating my computer is corrupted and to download certain files. On my taskbar there's an icon that's constantly appearing saying that there are system integrity threats. Another problem I seem to be having is that every time I start up my computer, I get messages saying that certain DLLs could not be found. I'm a little new to all of this, so I'm sorry if I couldn't be more helpful. My HijackThis log is underneath.

 

Thank you,

Sidney

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 4:25:34 PM, on 7/26/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\windows\System32\smss.exe

C:\windows\SYSTEM32\winlogon.exe

C:\windows\system32\services.exe

C:\windows\system32\lsass.exe

C:\windows\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\windows\System32\svchost.exe

C:\windows\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

C:\Program Files\Common Files\AOL\1135718319\ee\AOLSoftware.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\windows\system32\rundll32.exe

C:\Program Files\USoft\usoft32.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\windows\system32\ctfmon.exe

C:\windows\system32\svchost.exe

C:\WINDOWS\system32\Tablet.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Nikon\NkView4\NkVwMon.exe

C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\windows\system32\wuauclt.exe

C:\windows\explorer.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

C:\windows\system32\NOTEPAD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\HiJackThis\HiJackThis_v2.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.deviantart.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\windows\ktqbebyf.dll

O2 - BHO: (no name) - {5768FB7D-841C-494B-8FA5-75597FA1ACAB} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {8F69F76B-00D0-4ACE-A9DD-9329558AC184} - C:\windows\system32\jkkjh.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\windows\system32\pbysmknq.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"

O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135718319\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [iPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [runner1] C:\windows\retadpu2000352.exe 61A847B5BBF72810329B385577FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\windows\system32\drvkid.dll,startup

O4 - HKLM\..\Run: [lkdopwtu] rundll32.exe "C:\Program Files\lkdopwtu\tevkzyzo.dll",Init

O4 - HKLM\..\Run: [sC2] C:\Program Files\USoft\usoft32.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\windows\system32\aqinvwnd.dll",forkonce

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe

O4 - HKCU\..\Run: [sen] "C:\windows\ICROSO~1.NET\javaw.exe" -vt yazb

O4 - HKCU\..\Run: [gf1.0.0.2] C:\windows\fezydups.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - Winlogon Notify: ddayy - C:\windows\system32\ddayy.dll (file missing)

O20 - Winlogon Notify: jkkjh - C:\windows\system32\jkkjh.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\windows\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\windows\system32\browseui.dll

O22 - SharedTaskScheduler: za - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\windows\ktqbebyf.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: dlbt_device - Unknown owner - C:\WINDOWS\system32\dlbtcoms.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe


Hello,

 

* Download ComboFix to your desktop.

Double-click combofix.exe.

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

 

When finished and after reboot (in case it asks to reboot), ComboFix will open again to gather the necessary information for the log. This may take a bit. When done, ComboFix will close and a log should open, combofix.txt.

Post the contents of this log in your next reply together with a new HijackThis log.

Do NOT post the ComboFix-quarantined-files.txt unless I ask you to.


Ah ok, here's the log from ComboFix and HijackThis. Um, when I ran ComboFix and it rebooted, a blue screen appeared and said that Windows was forced to shut down. Was that supposed to happen?

 

ComboFix 07-07-27 - "Sarah Tran" 2007-07-26 18:14:47.1 [GMT -4:00] - NTFS

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True

* Created a new restore point

 

 

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\windows\system32\pbysmknq.dll

C:\windows\system32\ssqroom.dll

C:\windows\system32\pbysmknq.dll

C:\windows\system32\ssqroom.dll

C:\WINDOWS\SYSTEM32\hjkkj.bak1

C:\WINDOWS\SYSTEM32\hjkkj.bak2

C:\WINDOWS\SYSTEM32\hjkkj.ini

C:\WINDOWS\SYSTEM32\hjkkj.tmp

C:\windows\system32\jkkjh.dll

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007

C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\Abbr

C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ProductCode

C:\DOCUME~1\SARAHT~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\M2DNA85Q\www.broadcaster.com

C:\DOCUME~1\SARAHT~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\M2DNA85Q\www.broadcaster.com\played_list.sol

C:\DOCUME~1\SARAHT~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\M2DNA85Q\www.broadcaster.com\video_queue.sol

C:\DOCUME~1\SARAHT~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com

C:\DOCUME~1\SARAHT~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol

C:\Program Files\Common Files\companion wizard

C:\Program Files\Common Files\companion wizard\CompWiz.xml

C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe

C:\windows\icroso~1.net

C:\windows\system32\bszip.dll

C:\windows\system32\lhpmemff.exe

C:\windows\wr.txt

 

 

((((((((((((((((((((((((( Files Created from 2007-06-26 to 2007-07-26 )))))))))))))))))))))))))))))))

 

 

2007-07-26 18:11 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-26 15:41 126,016 --a------ C:\WINDOWS\SYSTEM32\aqinvwnd.dll

2007-07-24 02:50 6,471 --ahs---- C:\WINDOWS\SYSTEM32\jlnmp.bak1

2007-07-24 00:39 6,471 --ahs---- C:\WINDOWS\SYSTEM32\jjllm.bak1

2007-07-22 20:20 6,489 --ahs---- C:\WINDOWS\SYSTEM32\dgjlm.bak1

2007-07-22 20:07 <DIR> d-------- C:\Program Files\Windows Defender

2007-07-22 19:48 <DIR> d-------- C:\QUARANTINE

2007-07-22 19:43 72,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys

2007-07-22 19:43 64,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeapfk.sys

2007-07-22 19:43 52,136 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfetdik.sys

2007-07-22 19:43 34,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys

2007-07-22 19:43 170,408 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys

2007-07-22 19:43 1,495,552 --a------ C:\WINDOWS\SYSTEM32\epoPGPsdk.dll

2007-07-22 19:43 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems

2007-07-22 19:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee

2007-07-22 19:42 <DIR> d-------- C:\Program Files\McAfee

2007-07-22 19:42 <DIR> d-------- C:\Program Files\Common Files\McAfee

2007-07-22 19:41 <DIR> d-------- C:\VirusScan85_Installer

2007-07-22 19:24 <DIR> d-------- C:\DOCUME~1\SARAHT~1\WINDOWS

2007-07-22 16:57 68,608 --a------ C:\WINDOWS\ktqbebyf.dll

2007-07-22 16:56 1,803,710 ---hs---- C:\WINDOWS\SYSTEM32\yyadd.bak2

2007-07-22 00:24 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll

2007-07-21 23:55 6,489 ---hs---- C:\WINDOWS\SYSTEM32\yyadd.bak1

2007-07-21 23:51 68,608 --a------ C:\WINDOWS\vuzgjkrg.dll

2007-07-21 23:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\mfwsikcn

2007-07-21 23:51 <DIR> d-------- C:\Program Files\USoft

2007-07-21 23:51 <DIR> d-------- C:\Program Files\lkdopwtu

2007-07-18 18:28 <DIR> d-------- C:\Program Files\iTunes

2007-07-10 23:51 <DIR> d-------- C:\Program Files\Common Files\Apple

2007-07-10 23:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple

2007-07-10 23:50 <DIR> d--hs---- C:\WINDOWS\Installer

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-07-26 18:21 17277 --a------ C:\windows\system32\tablet.dat

2007-07-24 00:36 --------- d-------- C:\DOCUME~1\SARAHT~1\APPLIC~1\WeatherBug

2007-07-22 18:32 4 --a------ C:\windows\RM_RESULT.DAT

2007-07-22 01:45 --------- d-------- C:\Program Files\Digital Line Detect

2007-07-22 01:45 --------- d-------- C:\Program Files\Dell Photo AIO Printer 922

2007-07-22 01:42 --------- d-------- C:\Program Files\BitComet

2007-07-22 00:45 69689 --a------ C:\windows\UNZIP.DLL

2007-07-22 00:45 208896 --a------ C:\windows\PATCH.EXE

2007-07-22 00:45 1142784 --a------ C:\windows\TMUPDATE.DLL

2007-07-22 00:24 0 --a------ C:\windows\system32\drivers\is-MLJT7.tmp

2007-07-18 19:19 --------- d-------- C:\Program Files\Windows Journal Viewer

2007-07-18 19:17 --------- d-------- C:\Program Files\MSN Messenger

2007-07-18 19:14 --------- d-------- C:\Program Files\Microsoft Plus! Photo Story 2 LE

2007-07-18 18:28 --------- d-------- C:\Program Files\iPod

2007-07-18 18:27 --------- d-------- C:\Program Files\QuickTime

2007-07-18 18:25 --------- d-------- C:\Program Files\Apple Software Update

2007-06-12 18:49 1163344 --a------ C:\windows\vsapi32.dll

2007-06-10 00:25 58880 --a------ C:\windows\system32\ATL.DLL

2007-06-09 23:53 --------- d-------- C:\Program Files\Your Company Name

2007-06-09 23:53 --------- d-------- C:\Program Files\Yahoo!

2007-06-09 23:52 --------- d-------- C:\Program Files\WordPerfect Office 12

2007-06-09 23:50 --------- d--h----- C:\Program Files\WindowsUpdate

2007-06-09 23:50 --------- d-------- C:\Program Files\Windows NT

2007-06-09 23:50 --------- d-------- C:\Program Files\Western Digital Technologies

2007-06-09 23:50 --------- d-------- C:\Program Files\Western Digital

2007-06-09 23:50 --------- d-------- C:\Program Files\Viewpoint

2007-06-09 23:50 --------- d-------- C:\Program Files\Tablet

2007-06-09 23:50 --------- d-------- C:\Program Files\Sonic

2007-06-09 23:48 --------- d-------- C:\Program Files\Real

2007-06-09 23:47 --------- d-------- C:\Program Files\portalgraphics

2007-06-09 23:47 --------- d-------- C:\Program Files\Photo Watermark Professional

2007-06-09 23:47 --------- d-------- C:\Program Files\Online Services

2007-06-09 23:46 --------- d-------- C:\Program Files\Nikon

2007-06-09 23:46 --------- d-------- C:\Program Files\NetZeroInstallers

2007-06-09 23:46 --------- d-------- C:\Program Files\Network Associates

2007-06-09 23:46 --------- d-------- C:\Program Files\NetWaiting

2007-06-09 23:46 --------- d-------- C:\Program Files\MyWebSearchWB

2007-06-09 23:45 --------- d-------- C:\Program Files\MUSICMATCH

2007-06-09 23:45 --------- d-------- C:\Program Files\MSXML 4.0

2007-06-09 23:45 --------- d-------- C:\Program Files\MSN Gaming Zone

2007-06-09 23:45 --------- d-------- C:\Program Files\Movie Maker

2007-06-09 23:45 --------- d-------- C:\Program Files\Modem Helper

2007-06-09 23:44 --------- d-------- C:\Program Files\Microsoft Plus! Digital Media Edition

2007-06-09 23:43 --------- d-------- C:\Program Files\Microsoft Money 2006

2007-06-09 23:42 --------- d-------- C:\Program Files\microsoft frontpage

2007-06-09 23:42 --------- d-------- C:\Program Files\Microsoft ActiveSync

2007-06-09 23:42 --------- d-------- C:\Program Files\Messenger

2007-06-09 23:40 --------- d-------- C:\Program Files\LimeWire

2007-06-09 23:39 --------- d-------- C:\Program Files\Learn2.com

2007-06-09 23:39 --------- d-------- C:\Program Files\Lavasoft

2007-06-09 23:39 --------- d-------- C:\Program Files\K-Lite Codec Pack

2007-06-09 23:39 --------- d-------- C:\Program Files\JSLMC

2007-06-09 23:29 --------- d-------- C:\Program Files\Jasc Software Inc

2007-06-09 23:20 --------- d--h----- C:\Program Files\InstallShield Installation Information

2007-06-09 23:20 --------- d-------- C:\Program Files\Intuit

2007-06-09 23:20 --------- d-------- C:\Program Files\Intel

2007-06-09 23:19 --------- d-------- C:\Program Files\Incomplete

2007-06-09 23:18 --------- d-------- C:\Program Files\ImTOO

2007-06-09 23:18 --------- d-------- C:\Program Files\H&R Block Tax Offer

2007-06-09 23:18 --------- d-------- C:\Program Files\Google

2007-06-09 23:07 --------- d-------- C:\Program Files\GalaNet

2007-06-09 23:07 --------- d-------- C:\Program Files\Filzip

2007-06-09 23:07 --------- d-------- C:\Program Files\EphPod

2007-06-09 23:07 --------- d-------- C:\Program Files\EclipseCrossword

2007-06-09 23:06 --------- d-------- C:\Program Files\EarthLink Setup

2007-06-09 22:57 --------- d-------- C:\Program Files\EA GAMES

2007-06-09 21:47 --------- d-------- C:\Program Files\e frontier

2007-06-09 21:47 --------- d-------- C:\Program Files\DVD Shrink

2007-06-09 21:47 --------- d-------- C:\Program Files\DiscWizard for Windows

2007-06-09 21:47 --------- d-------- C:\Program Files\directx

2007-06-09 21:47 --------- d-------- C:\Program Files\Dell Support

2007-06-09 21:47 --------- d-------- C:\Program Files\Dell Inc

2007-06-09 21:47 --------- d-------- C:\Program Files\Dell

2007-06-09 21:45 --------- d-------- C:\Program Files\D-Link

2007-06-09 21:45 --------- d-------- C:\Program Files\CyberLink

2007-06-09 21:42 --------- d-------- C:\Program Files\Corel

2007-06-09 21:42 --------- d-------- C:\Program Files\CONEXANT

2007-06-09 21:42 --------- d-------- C:\Program Files\Common Files\Viewpoint

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\SWF Studio

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\SpeechEngines

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Sonic Shared

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Sonic

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Scanner

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Real

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Panda Software

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\ODBC

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Nullsoft

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Nikon

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Network Associates

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\MSSoap

2007-06-09 21:40 --------- d-------- C:\Program Files\Common Files\Macromedia Shared

2007-06-09 21:40 --------- d-------- C:\Program Files\Common Files\Jasc Software Inc

2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\Intuit

2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\InstallShield

2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\cuatoabu

2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\Corel

2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\Canon

2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\Borland Shared

2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\aolshare

2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\AOL

2006-11-02 20:25:09 952 --sha-w C:\windows\SYSTEM32\KGyGaAvL.sys

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]

2007-07-22 16:57 68608 --a------ C:\windows\ktqbebyf.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5768FB7D-841C-494B-8FA5-75597FA1ACAB}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 16:42]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07]

"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]

"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 17:54]

"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 02:01]

"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 20:36]

"QOELOADER"="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe" [2005-04-26 13:27]

"D-Link AirPlus XtremeG"="C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2004-09-22 13:08]

"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-08-16 16:45]

"HostManager"="C:\Program Files\Common Files\AOL\1135718319\ee\AOLSoftware.exe" [2006-05-09 20:24]

"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]

"lkdopwtu"="C:\Program Files\lkdopwtu\tevkzyzo.dll" [2007-07-21 23:51]

"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50]

"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

"UserFaultCheck"="C:\windows\system32\dumprep 0 -u" []

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Aim6"="" []

"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2006-04-07 15:02]

"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 06:00]

"Sen"="C:\windows\ICROSO~1.NET\javaw.exe" []

"gf1.0.0.2"="C:\windows\fezydups.exe" []

 

C:\Documents and Settings\Sarah Tran\Start Menu\Programs\Startup\

Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-06 23:45:14]

DESKTOP.INI [2004-08-10 14:04:12]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-06 23:45:14]

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

DESKTOP.INI [2004-08-10 14:04:12]

Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-04-04 13:00:33]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

NkVwMon.exe.lnk - C:\Program Files\Nikon\NkView4\NkVwMon.exe [2006-04-24 22:42:48]

QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36]

TabUserW.exe.lnk - C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe [2005-07-06 18:00:17]

WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-04-09 18:58:35]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{53B5F2B1-94DD-43E5-8187-EB4E31F00701}"= C:\windows\ktqbebyf.dll [2007-07-22 16:57 68608]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddayy]

C:\windows\system32\ddayy.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

 

R0 agpCPQ;Compaq AGP Bus Filter;C:\windows\system32\DRIVERS\agpCPQ.sys

R0 PenClass;Pen Class;C:\windows\system32\drivers\PenClass.sys

R0 Vax347b;Vax347b;C:\windows\system32\DRIVERS\Vax347b.sys

R0 Vax347s;Vax347s;C:\windows\system32\Drivers\Vax347s.sys

R1 mfetdik;McAfee Inc.;C:\windows\system32\drivers\mfetdik.sys

R1 sscdbhk5;sscdbhk5;C:\windows\system32\drivers\sscdbhk5.sys

R1 ssrtln;ssrtln;C:\windows\system32\drivers\ssrtln.sys

R2 ANIO;ANIO Service;\??\C:\WINDOWS\system32\ANIO.SYS

R2 drvnddm;drvnddm;C:\windows\system32\drivers\drvnddm.sys

R2 ithsgt;ithsgt;C:\windows\system32\DRIVERS\ithsgt.sys

R2 lilsgt;lilsgt;C:\windows\system32\DRIVERS\lilsgt.sys

R2 tfsnboio;tfsnboio;C:\windows\system32\dla\tfsnboio.sys

R2 tfsncofs;tfsncofs;C:\windows\system32\dla\tfsncofs.sys

R2 tfsndrct;tfsndrct;C:\windows\system32\dla\tfsndrct.sys

R2 tfsndres;tfsndres;C:\windows\system32\dla\tfsndres.sys

R2 tfsnifs;tfsnifs;C:\windows\system32\dla\tfsnifs.sys

R2 tfsnopio;tfsnopio;C:\windows\system32\dla\tfsnopio.sys

R2 tfsnpool;tfsnpool;C:\windows\system32\dla\tfsnpool.sys

R2 tfsnudf;tfsnudf;C:\windows\system32\dla\tfsnudf.sys

R2 tfsnudfa;tfsnudfa;C:\windows\system32\dla\tfsnudfa.sys

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\windows\system32\DRIVERS\A3AB.sys

R3 E100B;Intel® PRO Adapter Driver;C:\windows\system32\DRIVERS\e100b325.sys

R3 mfeapfk;McAfee Inc.;C:\windows\system32\drivers\mfeapfk.sys

R3 senfilt;senfilt;C:\windows\system32\drivers\senfilt.sys

R3 Tetris;Tetris driver;C:\windows\system32\Drivers\Tetris.sys

S3 AvFlt;Antivirus Filter Driver;C:\windows\system32\drivers\av5flt.sys

S3 Tearock;Tearock;C:\WINDOWS\system32\drivers\P3.SYS

S3 wanatw;WAN Miniport (ATW);C:\windows\system32\DRIVERS\wanatw4.sys

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{664e760c-f02f-11d9-abb2-001320014ca3}]

AutoRun\command- E:\Intro.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b15444a9-fd3d-11d9-abd2-001320014ca3}]

AutoRun\command- E:\Setup.exe -auto

 

 

Contents of the 'Scheduled Tasks' folder

2007-07-18 22:25:20 C:\windows\tasks\AppleSoftwareUpdate.job

2007-07-20 22:30:00 C:\windows\tasks\McAfee.com Scan for Viruses - My Computer (SARAH-Bach Tran).job

2007-07-26 19:40:53 C:\windows\tasks\MP Scheduled Scan.job

 

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-26 18:22:38

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden registry entries ...

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]

"DisplayName"="Alcohol 120"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]

"TracesProcessed"=dword:00000169

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-07-26 18:25:10 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-07-26 18:24

 

--- E O F ---

 

 

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 6:31:04 PM, on 7/26/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\windows\System32\smss.exe

C:\windows\SYSTEM32\winlogon.exe

C:\windows\system32\services.exe

C:\windows\system32\lsass.exe

C:\windows\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\windows\System32\svchost.exe

C:\windows\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\windows\system32\svchost.exe

C:\WINDOWS\system32\Tablet.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\windows\Explorer.EXE

C:\windows\system32\wuauclt.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\windows\System32\svchost.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe

C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe

C:\Program Files\Common Files\AOL\1135718319\ee\AOLSoftware.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\windows\system32\rundll32.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\windows\system32\ctfmon.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Nikon\NkView4\NkVwMon.exe

C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\windows\system32\NOTEPAD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\HiJackThis\HiJackThis_v2.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.deviantart.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\windows\ktqbebyf.dll

O2 - BHO: (no name) - {5768FB7D-841C-494B-8FA5-75597FA1ACAB} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"

O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"

O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135718319\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [iPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [lkdopwtu] rundll32.exe "C:\Program Files\lkdopwtu\tevkzyzo.dll",Init

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe

O4 - HKCU\..\Run: [sen] "C:\windows\ICROSO~1.NET\javaw.exe" -vt yazb

O4 - HKCU\..\Run: [gf1.0.0.2] C:\windows\fezydups.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - Winlogon Notify: ddayy - C:\windows\system32\ddayy.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\windows\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\windows\system32\browseui.dll

O22 - SharedTaskScheduler: za - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\windows\ktqbebyf.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: dlbt_device - Unknown owner - C:\WINDOWS\system32\dlbtcoms.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe


Hi,

 

Um, when I ran Combofix and it rebooted, a blue screen appeared and said that Windows was forced to shut down. Was that supposed to happen?

This depends. On terribly infected systems such as yours, it is normal that this happens, because, after all, malware makes a system very unstable.

 

Do next please..

 

* Open notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

 

File::

C:\windows\ktqbebyf.dll

C:\WINDOWS\SYSTEM32\aqinvwnd.dll

C:\WINDOWS\SYSTEM32\jlnmp.bak1

C:\WINDOWS\SYSTEM32\jjllm.bak1

C:\WINDOWS\SYSTEM32\dgjlm.bak1

C:\WINDOWS\ktqbebyf.dll

C:\WINDOWS\SYSTEM32\yyadd.bak2

C:\WINDOWS\SYSTEM32\yyadd.bak1

C:\WINDOWS\vuzgjkrg.dll

 

Folder::

C:\Program Files\lkdopwtu

C:\Program Files\MyWebSearchWB

C:\WINDOWS\SYSTEM32\mfwsikcn

 

DirLook::

C:\DOCUME~1\SARAHT~1\WINDOWS

 

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5768FB7D-841C-494B-8FA5-75597FA1ACAB}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"lkdopwtu"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sen"=-

"gf1.0.0.2"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddayy]

 

Save this as a text file, CFScript

 

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

 

CFScript.gif

 

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply, together with a new HijackThis log.

 

Also do the following, because the fact that all the folders in your Program Files were modified recently is suspicious, and you may be dealing with a file infector as well...

 

Please perform this online scan: Kaspersky Webscan

1. Read the Requirements and Privacy statement, then select "Accept"

2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab

3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.

4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"

5. When the download is complete it will say ready, click "Next"

6. Select a target to scan: Click on "My Computer"

7. When the scan is complete choose to save the results as "Save as Text"

8. Post the Kaspersky scan results in your next reply as well.

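What the helper did by hand above, reading the HijackThis entries and turning the suspect ones into the File::, Folder:: and Registry:: sections of a CFScript, as an added Python example (not code from ComboFix, HijackThis or the helper). The flagging rules, the `~` registry shorthand and the sample lines are taken from this thread; the rules are assumptions that need an analyst's review before anything is deleted.

```python
"""Triage HijackThis lines and draft the matching ComboFix CFScript.
Added example, not ComboFix's, HijackThis's or the helper's code; the flagging
rules are assumptions modelled on this thread and need analyst review."""
import re

# Constructed input: HijackThis lines copied from the logs posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\windows\ktqbebyf.dll
O2 - BHO: (no name) - {5768FB7D-841C-494B-8FA5-75597FA1ACAB} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lkdopwtu] rundll32.exe "C:\Program Files\lkdopwtu\tevkzyzo.dll",Init
O4 - HKCU\..\Run: [gf1.0.0.2] C:\windows\fezydups.exe
O20 - Winlogon Notify: ddayy - C:\windows\system32\ddayy.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\windows\system32\browseui.dll
O22 - SharedTaskScheduler: za - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\windows\ktqbebyf.dll
"""

ENTRY = re.compile(r"^(O\d+) - (.+)$")
GUID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
PATH = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll|sys)\b', re.I)
# Eight lowercase letters: the naming pattern of every dropped file in this
# thread (ktqbebyf, lkdopwtu, tevkzyzo, fezydups). Crude, so only used for O4.
RANDOM_NAME = re.compile(r"^[a-z]{8}$")
# The two stock SharedTaskScheduler entries (browseui.dll) seen in the log.
STOCK_STS = {"{438755C2-A8BA-11D1-B96B-00A0C90312E1}",
             "{8C7461EF-2B13-11D2-BE35-3078302C2030}"}
RUN_KEYS = {"HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}
STS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

def file_on_disk(rest):
    return "(no file)" not in rest and "(file missing)" not in rest

def looks_random(path):
    parts = path.split("\\")
    return bool(RANDOM_NAME.match(parts[-1].rsplit(".", 1)[0]) or RANDOM_NAME.match(parts[-2]))

def triage(log_text):
    """Return flagged lines plus the File::/Folder::/Registry:: items they imply."""
    out = {"flagged": [], "files": [], "folders": [], "registry": {}}
    for line in log_text.strip().splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        kind, rest = m.groups()
        guid = GUID.search(rest)
        found = PATH.search(rest)
        path = found.group(0) if found else None
        reason = None
        if kind == "O2" and guid and "(no name)" in rest:
            reason = "BHO registered without a name"
            # [-key] is .reg syntax for "delete this key"; the ~ shorthand for
            # ...\CurrentVersion\Explorer is the one the helper's script uses.
            out["registry"].setdefault("-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + guid.group(0), [])
        elif kind == "O4" and rest[:4] in RUN_KEYS and path and looks_random(path):
            reason = "Run entry launching a random-named binary"
            name = re.search(r"\[(.+?)\]", rest).group(1)
            # "name"=- is .reg syntax for "delete this value".
            out["registry"].setdefault(RUN_KEYS[rest[:4]], []).append('"%s"=-' % name)
        elif kind == "O20" and not file_on_disk(rest):
            reason = "Winlogon Notify handler whose DLL is missing"
            name = rest.split(": ", 1)[-1].split(" - ")[0]
            out["registry"].setdefault("-" + NOTIFY_KEY + "\\" + name, [])
        elif kind == "O22" and guid and guid.group(0).upper() not in STOCK_STS:
            reason = "SharedTaskScheduler entry that is not a stock one"
            # Delete only the rogue value so the stock browseui entries survive.
            out["registry"].setdefault(STS_KEY, []).append('"%s"=-' % guid.group(0))
        if reason is None:
            continue
        out["flagged"].append((line.strip(), reason))
        if path and file_on_disk(rest):
            parent = path.rsplit("\\", 1)[0]
            # A whole random-named folder goes to Folder::, a lone file to File::.
            if RANDOM_NAME.match(parent.rsplit("\\", 1)[-1]):
                bucket, target = "folders", parent
            else:
                bucket, target = "files", path
            if target not in out[bucket]:
                out[bucket].append(target)
    return out

def build_cfscript(findings):
    """Render findings in the section layout of the helper's CFScript."""
    lines = []
    for header, items in (("File::", findings["files"]), ("Folder::", findings["folders"])):
        if items:
            lines += [header] + items + [""]
    if findings["registry"]:
        lines.append("Registry::")
        for key, values in findings["registry"].items():
            lines.append("[%s]" % key)
            lines.extend(values)
    return "\n".join(lines)
```

`print(build_cfscript(triage(SAMPLE_LOG)))` prints a draft whose File::, Folder:: and Registry:: entries match the ones the helper wrote for these lines, with the flagged lines and the reason for each in `triage(...)["flagged"]`.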

Combofix text:

 

ComboFix 07-07-27 - "Sarah Tran" 2007-07-27 18:06:45.2 [GMT -4:00] - NTFS

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True

Command switches used :: C:\Documents and Settings\Sarah Tran\Desktop\CFScript.txt

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\Program Files\lkdopwtu

C:\Program Files\lkdopwtu\tevkzyzo.dll

C:\Program Files\MyWebSearchWB

C:\Program Files\MyWebSearchWB\bar\History\search

C:\windows\ktqbebyf.dll

C:\WINDOWS\SYSTEM32\aqinvwnd.dll

C:\WINDOWS\SYSTEM32\dgjlm.bak1

C:\WINDOWS\SYSTEM32\jjllm.bak1

C:\WINDOWS\SYSTEM32\jlnmp.bak1

C:\WINDOWS\SYSTEM32\mfwsikcn

C:\WINDOWS\SYSTEM32\mfwsikcn\bg1.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\bgtop.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\bottom1.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\essentials.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\icon1.ico

C:\WINDOWS\SYSTEM32\mfwsikcn\install1.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\left1.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\li.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\logo.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\main.htm

C:\WINDOWS\SYSTEM32\mfwsikcn\mainframe.htm

C:\WINDOWS\SYSTEM32\mfwsikcn\mfwsikcn1.exe

C:\WINDOWS\SYSTEM32\mfwsikcn\mfwsikcn2.exe

C:\WINDOWS\SYSTEM32\mfwsikcn\mfwsikcn3.exe

C:\WINDOWS\SYSTEM32\mfwsikcn\reinstall1.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\right1.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\s1.htm

C:\WINDOWS\SYSTEM32\mfwsikcn\s2.htm

C:\WINDOWS\SYSTEM32\mfwsikcn\s3.htm

C:\WINDOWS\SYSTEM32\mfwsikcn\SMTop1.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\SMTop2.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\SMTop3.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\SMTop4.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\soft1_off.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\soft1_off_ext.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\soft1_on.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\soft1_on_ext.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\soft2_off.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\soft2_off_ext.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\soft2_on.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\soft2_on_ext.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\soft3_off.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\soft3_off_ext.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\soft3_on.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\soft3_on_ext.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\softbottom_off.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\softbottom_on.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\softleft_off.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\softleft_on.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\top1.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\top2.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\turnoff1.gif

C:\WINDOWS\SYSTEM32\mfwsikcn\turnon1.gif

C:\WINDOWS\SYSTEM32\yyadd.bak1

C:\WINDOWS\SYSTEM32\yyadd.bak2

C:\WINDOWS\vuzgjkrg.dll

 

 

((((((((((((((((((((((((( Files Created from 2007-06-27 to 2007-07-27 )))))))))))))))))))))))))))))))

 

 

2007-07-26 18:11 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-22 20:07 <DIR> d-------- C:\Program Files\Windows Defender

2007-07-22 19:48 <DIR> d-------- C:\QUARANTINE

2007-07-22 19:43 72,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys

2007-07-22 19:43 64,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeapfk.sys

2007-07-22 19:43 52,136 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfetdik.sys

2007-07-22 19:43 34,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys

2007-07-22 19:43 170,408 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys

2007-07-22 19:43 1,495,552 --a------ C:\WINDOWS\SYSTEM32\epoPGPsdk.dll

2007-07-22 19:43 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems

2007-07-22 19:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee

2007-07-22 19:42 <DIR> d-------- C:\Program Files\McAfee

2007-07-22 19:42 <DIR> d-------- C:\Program Files\Common Files\McAfee

2007-07-22 19:41 <DIR> d-------- C:\VirusScan85_Installer

2007-07-22 19:24 <DIR> d-------- C:\DOCUME~1\SARAHT~1\WINDOWS

2007-07-22 00:24 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll

2007-07-21 23:51 <DIR> d-------- C:\Program Files\USoft

2007-07-18 18:28 <DIR> d-------- C:\Program Files\iTunes

2007-07-10 23:51 <DIR> d-------- C:\Program Files\Common Files\Apple

2007-07-10 23:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple

2007-07-10 23:50 <DIR> d--hs---- C:\WINDOWS\Installer

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-07-27 17:56 17277 --a------ C:\windows\system32\tablet.dat

2007-07-24 00:36 --------- d-------- C:\DOCUME~1\SARAHT~1\APPLIC~1\WeatherBug

2007-07-22 18:32 4 --a------ C:\windows\RM_RESULT.DAT

2007-07-22 01:45 --------- d-------- C:\Program Files\Digital Line Detect

2007-07-22 01:45 --------- d-------- C:\Program Files\Dell Photo AIO Printer 922

2007-07-22 01:42 --------- d-------- C:\Program Files\BitComet

2007-07-22 00:45 69689 --a------ C:\windows\UNZIP.DLL

2007-07-22 00:45 208896 --a------ C:\windows\PATCH.EXE

2007-07-22 00:45 1142784 --a------ C:\windows\TMUPDATE.DLL

2007-07-22 00:24 0 --a------ C:\windows\system32\drivers\is-MLJT7.tmp

2007-07-18 19:19 --------- d-------- C:\Program Files\Windows Journal Viewer

2007-07-18 19:17 --------- d-------- C:\Program Files\MSN Messenger

2007-07-18 19:14 --------- d-------- C:\Program Files\Microsoft Plus! Photo Story 2 LE

2007-07-18 18:28 --------- d-------- C:\Program Files\iPod

2007-07-18 18:27 --------- d-------- C:\Program Files\QuickTime

2007-07-18 18:25 --------- d-------- C:\Program Files\Apple Software Update

2007-06-12 18:49 1163344 --a------ C:\windows\vsapi32.dll

2007-06-10 00:25 58880 --a------ C:\windows\system32\ATL.DLL

2007-06-09 23:53 --------- d-------- C:\Program Files\Your Company Name

2007-06-09 23:53 --------- d-------- C:\Program Files\Yahoo!

2007-06-09 23:52 --------- d-------- C:\Program Files\WordPerfect Office 12

2007-06-09 23:50 --------- d--h----- C:\Program Files\WindowsUpdate

2007-06-09 23:50 --------- d-------- C:\Program Files\Windows NT

2007-06-09 23:50 --------- d-------- C:\Program Files\Western Digital Technologies

2007-06-09 23:50 --------- d-------- C:\Program Files\Western Digital

2007-06-09 23:50 --------- d-------- C:\Program Files\Viewpoint

2007-06-09 23:50 --------- d-------- C:\Program Files\Tablet

2007-06-09 23:50 --------- d-------- C:\Program Files\Sonic

2007-06-09 23:48 --------- d-------- C:\Program Files\Real

2007-06-09 23:47 --------- d-------- C:\Program Files\portalgraphics

2007-06-09 23:47 --------- d-------- C:\Program Files\Photo Watermark Professional

2007-06-09 23:47 --------- d-------- C:\Program Files\Online Services

2007-06-09 23:46 --------- d-------- C:\Program Files\Nikon

2007-06-09 23:46 --------- d-------- C:\Program Files\NetZeroInstallers

2007-06-09 23:46 --------- d-------- C:\Program Files\Network Associates

2007-06-09 23:46 --------- d-------- C:\Program Files\NetWaiting

2007-06-09 23:45 --------- d-------- C:\Program Files\MUSICMATCH

2007-06-09 23:45 --------- d-------- C:\Program Files\MSXML 4.0

2007-06-09 23:45 --------- d-------- C:\Program Files\MSN Gaming Zone

2007-06-09 23:45 --------- d-------- C:\Program Files\Movie Maker

2007-06-09 23:45 --------- d-------- C:\Program Files\Modem Helper

2007-06-09 23:44 --------- d-------- C:\Program Files\Microsoft Plus! Digital Media Edition

2007-06-09 23:43 --------- d-------- C:\Program Files\Microsoft Money 2006

2007-06-09 23:42 --------- d-------- C:\Program Files\microsoft frontpage

2007-06-09 23:42 --------- d-------- C:\Program Files\Microsoft ActiveSync

2007-06-09 23:42 --------- d-------- C:\Program Files\Messenger

2007-06-09 23:40 --------- d-------- C:\Program Files\LimeWire

2007-06-09 23:39 --------- d-------- C:\Program Files\Learn2.com

2007-06-09 23:39 --------- d-------- C:\Program Files\Lavasoft

2007-06-09 23:39 --------- d-------- C:\Program Files\K-Lite Codec Pack

2007-06-09 23:39 --------- d-------- C:\Program Files\JSLMC

2007-06-09 23:29 --------- d-------- C:\Program Files\Jasc Software Inc

2007-06-09 23:20 --------- d--h----- C:\Program Files\InstallShield Installation Information

2007-06-09 23:20 --------- d-------- C:\Program Files\Intuit

2007-06-09 23:20 --------- d-------- C:\Program Files\Intel

2007-06-09 23:19 --------- d-------- C:\Program Files\Incomplete

2007-06-09 23:18 --------- d-------- C:\Program Files\ImTOO

2007-06-09 23:18 --------- d-------- C:\Program Files\H&R Block Tax Offer

2007-06-09 23:18 --------- d-------- C:\Program Files\Google

2007-06-09 23:07 --------- d-------- C:\Program Files\GalaNet

2007-06-09 23:07 --------- d-------- C:\Program Files\Filzip

2007-06-09 23:07 --------- d-------- C:\Program Files\EphPod

2007-06-09 23:07 --------- d-------- C:\Program Files\EclipseCrossword

2007-06-09 23:06 --------- d-------- C:\Program Files\EarthLink Setup

2007-06-09 22:57 --------- d-------- C:\Program Files\EA GAMES

2007-06-09 21:47 --------- d-------- C:\Program Files\e frontier

2007-06-09 21:47 --------- d-------- C:\Program Files\DVD Shrink

2007-06-09 21:47 --------- d-------- C:\Program Files\DiscWizard for Windows

2007-06-09 21:47 --------- d-------- C:\Program Files\directx

2007-06-09 21:47 --------- d-------- C:\Program Files\Dell Support

2007-06-09 21:47 --------- d-------- C:\Program Files\Dell Inc

2007-06-09 21:47 --------- d-------- C:\Program Files\Dell

2007-06-09 21:45 --------- d-------- C:\Program Files\D-Link

2007-06-09 21:45 --------- d-------- C:\Program Files\CyberLink

2007-06-09 21:42 --------- d-------- C:\Program Files\Corel

2007-06-09 21:42 --------- d-------- C:\Program Files\CONEXANT

2007-06-09 21:42 --------- d-------- C:\Program Files\Common Files\Viewpoint

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\SWF Studio

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\SpeechEngines

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Sonic Shared

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Sonic

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Scanner

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Real

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Panda Software

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\ODBC

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Nullsoft

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Nikon

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Network Associates

2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\MSSoap

2007-06-09 21:40 --------- d-------- C:\Program Files\Common Files\Macromedia Shared

2007-06-09 21:40 --------- d-------- C:\Program Files\Common Files\Jasc Software Inc

2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\Intuit

2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\InstallShield

2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\cuatoabu

2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\Corel

2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\Canon

2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\Borland Shared

2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\aolshare

2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\AOL

2007-06-09 21:38 --------- d-------- C:\Program Files\Common Files\AnswerWorks 4.0

2006-11-02 20:25:09 952 --sha-w C:\windows\SYSTEM32\KGyGaAvL.sys

 

 

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

---- Directory of C:\DOCUME~1\SARAHT~1\WINDOWS ----

 

2007-07-22 19:24 587 --a------ C:\DOCUME~1\SARAHT~1\WINDOWS\win.ini

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 16:42]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07]

"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]

"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 17:54]

"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 02:01]

"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 20:36]

"QOELOADER"="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe" [2005-04-26 13:27]

"D-Link AirPlus XtremeG"="C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2004-09-22 13:08]

"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-08-16 16:45]

"HostManager"="C:\Program Files\Common Files\AOL\1135718319\ee\AOLSoftware.exe" [2006-05-09 20:24]

"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]

"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50]

"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Aim6"="" []

"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2006-04-07 15:02]

"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 06:00]

 

C:\Documents and Settings\Sarah Tran\Start Menu\Programs\Startup\

Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-06 23:45:14]

DESKTOP.INI [2004-08-10 14:04:12]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-06 23:45:14]

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

DESKTOP.INI [2004-08-10 14:04:12]

Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-04-04 13:00:33]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

NkVwMon.exe.lnk - C:\Program Files\Nikon\NkView4\NkVwMon.exe [2006-04-24 22:42:48]

QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36]

TabUserW.exe.lnk - C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe [2005-07-06 18:00:17]

WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-04-09 18:58:35]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

 

R0 agpCPQ;Compaq AGP Bus Filter;C:\windows\system32\DRIVERS\agpCPQ.sys

R0 PenClass;Pen Class;C:\windows\system32\drivers\PenClass.sys

R0 Vax347b;Vax347b;C:\windows\system32\DRIVERS\Vax347b.sys

R0 Vax347s;Vax347s;C:\windows\system32\Drivers\Vax347s.sys

R1 mfetdik;McAfee Inc.;C:\windows\system32\drivers\mfetdik.sys

R1 sscdbhk5;sscdbhk5;C:\windows\system32\drivers\sscdbhk5.sys

R1 ssrtln;ssrtln;C:\windows\system32\drivers\ssrtln.sys

R2 ANIO;ANIO Service;\??\C:\WINDOWS\system32\ANIO.SYS

R2 drvnddm;drvnddm;C:\windows\system32\drivers\drvnddm.sys

R2 ithsgt;ithsgt;C:\windows\system32\DRIVERS\ithsgt.sys

R2 lilsgt;lilsgt;C:\windows\system32\DRIVERS\lilsgt.sys

R2 tfsnboio;tfsnboio;C:\windows\system32\dla\tfsnboio.sys

R2 tfsncofs;tfsncofs;C:\windows\system32\dla\tfsncofs.sys

R2 tfsndrct;tfsndrct;C:\windows\system32\dla\tfsndrct.sys

R2 tfsndres;tfsndres;C:\windows\system32\dla\tfsndres.sys

R2 tfsnifs;tfsnifs;C:\windows\system32\dla\tfsnifs.sys

R2 tfsnopio;tfsnopio;C:\windows\system32\dla\tfsnopio.sys

R2 tfsnpool;tfsnpool;C:\windows\system32\dla\tfsnpool.sys

R2 tfsnudf;tfsnudf;C:\windows\system32\dla\tfsnudf.sys

R2 tfsnudfa;tfsnudfa;C:\windows\system32\dla\tfsnudfa.sys

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\windows\system32\DRIVERS\A3AB.sys

R3 E100B;Intel® PRO Adapter Driver;C:\windows\system32\DRIVERS\e100b325.sys

R3 mfeapfk;McAfee Inc.;C:\windows\system32\drivers\mfeapfk.sys

R3 senfilt;senfilt;C:\windows\system32\drivers\senfilt.sys

R3 Tetris;Tetris driver;C:\windows\system32\Drivers\Tetris.sys

S3 AvFlt;Antivirus Filter Driver;C:\windows\system32\drivers\av5flt.sys

S3 Tearock;Tearock;C:\WINDOWS\system32\drivers\P3.SYS

S3 wanatw;WAN Miniport (ATW);C:\windows\system32\DRIVERS\wanatw4.sys

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{664e760c-f02f-11d9-abb2-001320014ca3}]

AutoRun\command- E:\Intro.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b15444a9-fd3d-11d9-abd2-001320014ca3}]

AutoRun\command- E:\Setup.exe -auto

 

 

Contents of the 'Scheduled Tasks' folder

2007-07-18 22:25:20 C:\windows\tasks\AppleSoftwareUpdate.job

2007-07-20 22:30:00 C:\windows\tasks\McAfee.com Scan for Viruses - My Computer (SARAH-Bach Tran).job

2007-07-27 21:59:43 C:\windows\tasks\MP Scheduled Scan.job

 

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-27 18:10:32

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden registry entries ...

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]

"DisplayName"="Alcohol 120"

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-07-27 18:11:39

C:\ComboFix-quarantined-files.txt ... 2007-07-27 18:11

C:\ComboFix2.txt ... 2007-07-26 18:25

 

--- E O F ---

 

 

Hijackthis log:

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 6:18:04 PM, on 7/27/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\windows\System32\smss.exe

C:\windows\SYSTEM32\winlogon.exe

C:\windows\system32\services.exe

C:\windows\system32\lsass.exe

C:\windows\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\windows\System32\svchost.exe

C:\windows\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\windows\system32\svchost.exe

C:\WINDOWS\system32\Tablet.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\windows\System32\svchost.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe

C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe

C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

C:\Program Files\Common Files\AOL\1135718319\ee\AOLSoftware.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\windows\system32\ctfmon.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Nikon\NkView4\NkVwMon.exe

C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\windows\system32\wuauclt.exe

C:\windows\EXPLORER.EXE

C:\windows\system32\NOTEPAD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\HiJackThis\HiJackThis_v2.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.deviantart.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"

O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"

O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe

O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135718319\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [iPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: dlbt_device - Unknown owner - C:\WINDOWS\system32\dlbtcoms.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

 

Kaspersky Scan Log:

 

KASPERSKY ONLINE SCANNER REPORT

Sunday, July 29, 2007 1:27:59 AM

Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.93.0

Kaspersky Anti-Virus database last update: 29/07/2007

Kaspersky Anti-Virus database records: 369040

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

C:\

D:\

E:\

F:\

G:\

 

Scan Statistics:

Total number of scanned objects: 343275

Number of viruses found: 8

Number of infected objects: 15

Number of suspicious objects: 0

Duration of the scan process: 07:23:06

 

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_SARAH.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_SARAH.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-07222007-200825.log Object is locked skipped

C:\Documents and Settings\Bach Tran\Local Settings\Temporary Internet Files\Content.IE5\DM2609Z3\adfcook[1] Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\Bach Tran\Local Settings\Temporary Internet Files\Content.IE5\H3QOUPRC\kcehc_eicooc20070702[1] Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\Bach Tran\Local Settings\Temporary Internet Files\Content.IE5\H3QOUPRC\masiyxanidi[1] Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Sarah Tran\Cookies\INDEX.DAT Object is locked skipped

C:\Documents and Settings\Sarah Tran\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped

C:\Documents and Settings\Sarah Tran\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped

C:\Documents and Settings\Sarah Tran\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Sarah Tran\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Sarah Tran\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{0B01DC60-F17D-4C7C-9DDC-EC7F7EA1C934} Object is locked skipped

C:\Documents and Settings\Sarah Tran\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\Sarah Tran\Local Settings\History\History.IE5\MSHist012007072820070729\index.dat Object is locked skipped

C:\Documents and Settings\Sarah Tran\Local Settings\Temp\NAILogs\UpdaterUI_SARAH.log Object is locked skipped

C:\Documents and Settings\Sarah Tran\Local Settings\Temp\~DFAD62.tmp Object is locked skipped

C:\Documents and Settings\Sarah Tran\Local Settings\Temp\~DFAD74.tmp Object is locked skipped

C:\Documents and Settings\Sarah Tran\Local Settings\Temp\~DFCEA5.tmp Object is locked skipped

C:\Documents and Settings\Sarah Tran\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Sarah Tran\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Sarah Tran\ntuser.dat Object is locked skipped

C:\Documents and Settings\Sarah Tran\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2007-07-28.17-54-05.log Object is locked skipped

C:\Program Files\Mozilla Firefox\plugins\NPMySrWB.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped

C:\QooBox\Quarantine\C\Program Files\lkdopwtu\tevkzyzo.dll.vir Infected: Trojan.Win32.Agent.atq skipped

C:\QooBox\Quarantine\C\WINDOWS\ktqbebyf.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cw skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lhpmemff.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mfwsikcn\mfwsikcn1.exe.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mfwsikcn\mfwsikcn2.exe.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mfwsikcn\mfwsikcn3.exe.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ssqroom.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped

C:\QooBox\Quarantine\C\WINDOWS\vuzgjkrg.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cw skipped

C:\sysreset\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP854\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{6C8B2B7A-4C4E-4D9F-8D0F-21CBCE773736}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WIADEBUG.LOG Object is locked skipped

C:\WINDOWS\WIASERVC.LOG Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

F:\Program Files\Mozilla Firefox\plugins\NPMySrWB.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped

F:\sysreset\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped

F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped


Hi,

 

Delete next file and folder:

 

C:\Program Files\Mozilla Firefox\plugins\NPMySrWB.dll <== file

C:\Qoobox <== folder

 

* Clean your Cache and Cookies in IE:

  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window.

* Clean other Temporary files + Recycle bin

  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 2.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 2".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Let me know in your next reply how things are now...


Everything is running smoothly now. My only question is that at start-up I've been getting a notice saying that qbupdate.exe failed to start because MFC71.DLL was not found, but I don't know what this was for.


Hi,

 

The error you receive is related to this:

 

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

 

Either check and fix that entry in HijackThis, or reinstall QuickBooks.

 

Glad I could help. ;)

 

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

 

Happy Surfing again!


You're most welcome :angry:


Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuation of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
