jimbo8500

Can't Remove Jkkkjgf.dll Associated With Pmnki.dll

25 posts in this topic

Somehow some malware got onto my machine from a webpage.

 

It put files called snapsnet.exe, wavesnet and xpre.exe in my user temp file which I removed.

 

I got rid of pmnki.dll with VundoFix.

 

It appeared to try to connect to 82.98.235.61, (Cyber Technology BV BA/SPRL) which I blocked with my firewall.

 

I have cleaned pmnki.dll and jkkkjgf.dll from my registry, but jkkkjgf.dll keeps being restored!

 

Stopping processes that it might be associated with hasn't helped ... :)

 

Does anyone have any ideas about how to get rid of jkkkjgf.dll?


Hello,

 

* Download Trend Micro HijackThis™

Doubleclick the HJTInstall.exe to start it.

By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.

HijackThis will open after install. Press the Scan button below.

This will start the scan and open a log.

Copy and paste the contents of the log in your next reply.


Here is the HijackThis file. I have added space between the lines to highlight the file I'm talking about.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:34:57 PM, on 7/27/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\mcafee.com\agent\mcdetect.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\WINDOWS\System32\WgaTray.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\pctspk.exe

C:\Program Files\Dell\QuickSet\Quickset.exe

C:\Program Files\EarthLink 5.0\ConMgr.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Printkey.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\System32\taskmgr.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\WINDOWS\System32\cmd.exe

C:\WINDOWS\system32\netstat.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Webbie\Desktop\HiJackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.earthlink.net/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

 

O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll

 

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll

O2 - BHO: (no name) - {5CA51629-E62B-4FF9-857F-9A609F7D6F06} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"

O4 - Startup: Shortcut to Remind_Me.rtf.lnk = C:\Documents and Settings\Jim\Start Menu\Programs\Startup\Remind_Me.rtf

O4 - Global Startup: Printkey.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll

O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\earthlinkim\aim.exe

O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/20be8c8ce5b63d...ip/RdxIE601.cab

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181147560527

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181147516373

O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://64.84.107.59/activex/AMC.cab

O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab

O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} (Yahoo! Photos Print-at-Home Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...printathome.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...769/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7AE25CC8-A709-4296-9B6C-CE6434051298}: NameServer = 207.69.188.172 207.69.188.171

 

O20 - Winlogon Notify: jkkkjgf - C:\WINDOWS\SYSTEM32\jkkkjgf.dll

 

O22 - SharedTaskScheduler: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - C:\WINDOWS\System32\httge.dll (file missing)

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: McAfee AntiSpyware Service - Unknown owner - c:\progra~1\mcafee\mcafee antispyware\massrv.exe (file missing)

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOW\System32\WLTRYSVC.EXE

 

--

End of file - 10787 bytes

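The log above shows the same DLL, jkkkjgf.dll, registered at more than one load point: an O2 Browser Helper Object and an O20 Winlogon Notify package (the ComboFix output later in the thread also lists it under ShellExecuteHooks). A Winlogon Notify DLL is mapped into winlogon.exe at logon, so closing Internet Explorer or killing user processes never unloads it, and it can rewrite its own registry entries. The script below is an added example, not code from the original thread or from Trend Micro: it reads HijackThis lines, groups entries by the file they reference, and flags files hooked into several load points, files loaded into winlogon/explorer, and entries HJT marks "(no file)" or "(file missing)". The sample lines are copied from the log above; the regular expressions, the section classification and the triage rules are my own assumptions about the HJT line format, which differs slightly between versions.

```python
"""Triage a HijackThis (HJT) log by the files its entries load.

Flags the pattern seen in this thread: one DLL registered as a BHO (O2) and
as a Winlogon Notify package (O20), plus orphaned entries whose file is gone.
"""
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll
O2 - BHO: (no name) - {5CA51629-E62B-4FF9-857F-9A609F7D6F06} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O20 - Winlogon Notify: jkkkjgf - C:\WINDOWS\SYSTEM32\jkkkjgf.dll
O22 - SharedTaskScheduler: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - C:\WINDOWS\System32\httge.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "O2 - BHO: ..." / "R0 - HKCU\..." : section code, then the rest of the line.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# A Windows path up to its extension; non-greedy so "Program Files" keeps its space.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|sys|ocx|bat)\b", re.IGNORECASE)
MISSING_MARKERS = ("(no file)", "(file missing)")
# Assumed classification: O20 DLLs load into winlogon.exe, O21/O22 into explorer.exe.
# These survive closing the browser, which is why killing processes did not help here.
HOST_PROCESS_SECTIONS = {"O20", "O21", "O22"}


def parse_hjt(text):
    """Yield (section, body, lower-cased path or None, file_missing) per HJT entry."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        hit = PATH_RE.search(body)
        path = hit.group(0).lower() if hit else None  # case-fold SYSTEM32 vs system32
        missing = any(marker in body for marker in MISSING_MARKERS)
        yield m.group("section"), body, path, missing


def triage(text):
    """Return (findings, orphans).

    findings: {path: {"sections": set, "reasons": [str, ...]}} for files worth a look.
    orphans:  entries marked missing that carry no path at all (e.g. a CLSID-only BHO).
    """
    by_file = defaultdict(lambda: {"sections": set(), "missing": False})
    orphans = []
    for section, body, path, missing in parse_hjt(text):
        if path is None:
            if missing:
                orphans.append(f"{section}: {body}")
            continue
        by_file[path]["sections"].add(section)
        by_file[path]["missing"] |= missing

    findings = {}
    for path, info in by_file.items():
        sections, reasons = info["sections"], []
        if info["missing"]:
            reasons.append("registered file is gone; stale or half-removed entry")
        if len(sections) > 1:
            reasons.append("same file at several load points: " + ", ".join(sorted(sections)))
        if sections & HOST_PROCESS_SECTIONS and not info["missing"]:
            reasons.append("loaded into winlogon/explorer; cannot be unloaded from the browser")
        if reasons:
            findings[path] = {"sections": sections, "reasons": reasons}
    return findings, orphans


if __name__ == "__main__":
    found, orphan_entries = triage(SAMPLE_LOG)
    for file_path, info in found.items():
        print(file_path)
        for reason in info["reasons"]:
            print("   -", reason)
    for entry in orphan_entries:
        print("orphan:", entry)
```

Run it against a full log by reading the file into `triage()`; a clean system produces no finding with more than one section, and a file that shows up under O2 together with O20 or O22 is the first thing to look at, regardless of how innocuous its name is.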

Hi,

 

Do you know this program?

 

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Printkey.exe

 

Please let me know as well.

 

I see you are running AdWatch.

I suggest you disable it because it can interfere with the fixes.

 

To disable AdWatch:

 

Open AdAware SE.

Go to AdWatch User Interface.

Go to Tools and Preferences.

At the bottom of the screen you will see 2 options Active and Automatic.

Active: This will turn Ad-Watch On\Off without closing it

Automatic: Suspicious activity will be blocked automatically

Uncheck both options. You can enable these after resolving your problem

 

Then, * Download Combofix to your desktop.

Doubleclick combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

 

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.

Post the contents of this log in your next reply together with a new hijackthislog.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

 

Btw, no need to highlight anything in your logs, I know what files should be deleted or not :(


First, thank you so much for responding. I am VERY grateful.

 

Printkey is a screen capture utility. You can print all or part of the screen or save it as a file. See:

 

http://www.geocities.com/~gigaman/

 

I will follow your instructions and report back later today.

 

If it helps, in the midst of trying to stop the installation of the malware, I got an error message from something called NSIS installer. I can't find such a program on my machine. I captured an image of the error box using printkey!

 

Thank you again.

 

~Jim~

 

--- you asked ---

 

Do you know this program?

 

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Printkey.exe


I have run ComboFix and HijackThis again.

 

The file jkkkjgf.dll is still there? What did Combofix quarantine?

 

Logs follow:

---------------------------------------------------------------------------------------------------

ComboFix 07-07-28 - "Froggy" 07/28/2007 13:19:40.1 [GMT -4:00] - NTFS

Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.True

* Created a new restore point

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\DOWNLO~1.\Quarantine

 

 

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\LEGACY_IPRIP

 

 

((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-28 )))))))))))))))))))))))))))))))

 

 

2007-07-28 13:17 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-27 19:01 95,511 -ra------ C:\WINDOWS\system32\Vxdif.dll

2007-07-27 19:01 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys

2007-07-27 19:01 22,016 --a------ C:\WINDOWS\system32\drivers\mouclass.sys

2007-07-27 19:01 113,847 -ra------ C:\WINDOWS\system32\drivers\Apfiltr.sys

2007-07-27 19:01 <DIR> d-------- C:\WINDOWS\LastGood.Tmp

2007-07-26 21:37 31,254 --------- C:\WINDOWS\system32\jkkkjgf.dll

2007-07-26 14:19 69,632 --a------ C:\WINDOWS\system32\netos32.dll

2007-07-26 14:19 65,536 --a------ C:\WINDOWS\system32\netsrv32.dll

2007-07-25 11:01 <DIR> d-------- C:\Program Files\Orban

2007-07-15 22:54 <DIR> d-------- C:\DOCUME~1\Webbie\APPLIC~1\vlc

2007-07-15 22:50 <DIR> d-------- C:\Program Files\VideoLAN

2007-07-11 01:12 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys

2007-07-11 01:12 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys

2007-07-11 01:12 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys

2007-07-11 01:12 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys

2007-07-11 01:12 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys

2007-07-09 06:27 <DIR> d-------- C:\DOCUME~1\Webbie\APPLIC~1\McAfee

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-07-27 20:10 --------- d-------- C:\Program Files\Apoint

2007-07-27 08:39 --------- d-------- C:\Program Files\EarthLink 5.0

2007-07-25 10:03 23016 --a------ C:\WINDOWS\system32\nvModes.dat

2007-07-24 19:59 --------- d-------- C:\Program Files\McAfee

2007-07-20 18:56 --------- d-------- C:\Program Files\Microsoft AntiSpyware

2007-07-11 01:12 --------- d-------- C:\Program Files\Common Files\McAfee

2007-06-08 18:41 --------- d-------- C:\Program Files\Celebpics #1

2007-06-08 18:41 --------- d-------- C:\Program Files\CallWave

2007-06-03 16:12 --------- d-------- C:\DOCUME~1\ADMINI~1.HAL\APPLIC~1\Talkback

2007-06-03 02:23 --------- d-------- C:\Program Files\Yahoo!

2007-06-03 00:41 1536 --a------ C:\WINDOWS\system32\TrueSoft.dat

2007-06-01 14:25 --------- d-------- C:\Program Files\DivX

2007-05-31 02:45 524288 --a------ C:\WINDOWS\system32\DivXsm.exe

2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll

2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll

2007-05-31 02:44 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll

2007-05-31 02:44 740442 --a------ C:\WINDOWS\system32\DivX.dll

2007-05-21 17:41 335 --a------ C:\WINDOWS\mozregistry.dat

2007-05-21 14:03 1156 --a------ C:\WINDOWS\mozver.dat

2003-05-02 03:23 2047 --a------ C:\Program Files\uninstal.log

2003-05-01 01:16 13053 --a------ C:\Program Files\uninstaljoy.log

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}]

2007-07-26 21:37 31254 --------- C:\WINDOWS\system32\jkkkjgf.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA51629-E62B-4FF9-857F-9A609F7D6F06}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PCTVOICE"="pctspk.exe" [2003-02-24 16:35 C:\WINDOWS\system32\pctspk.exe]

"nwiz"="nwiz.exe" [2004-10-26 12:01 C:\WINDOWS\system32\nwiz.exe]

"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2003-01-31 12:27]

"ConMgr.exe"="C:\Program Files\EarthLink 5.0\ConMgr.exe" [2002-01-04 00:18]

"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]

"AWMON"="C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2005-05-25 12:12]

 

C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Start Menu\Programs\Startup\

Reminder.lnk - C:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.bat [2004-01-29 12:50:10]

 

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\

Printkey.exe [1998-11-27 19:41:00]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{7be183d2-a42d-4915-bf60-ec86fbf002cf}"= C:\WINDOWS\System32\httge.dll [ ]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{3964D8D6-86D0-493A-B460-A805B5401114}"= C:\WINDOWS\system32\jkkkjgf.dll [2007-07-26 21:37 31254]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkjgf]

jkkkjgf.dll 2007-07-26 21:37 31254 C:\WINDOWS\system32\jkkkjgf.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^EarthLink ToolBar 5.0.lnk]

path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\EarthLink ToolBar 5.0.lnk

backup=C:\WINDOWS\pss\EarthLink ToolBar 5.0.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^KODAK Software Updater.lnk]

path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\KODAK Software Updater.lnk

backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]

"C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrustPPAP]

"C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FastStart]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]

"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster2]

C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"iPodService"=3 (0x3)

"gusvc"=3 (0x3)

"wltrysvc"=2 (0x2)

 

R1 MPFP;MPFP;C:\WINDOWS\System32\Drivers\Mpfp.sys

R1 Tcpip6;Microsoft IPv6 Protocol Driver;C:\WINDOWS\System32\DRIVERS\tcpip6.sys

R2 6to4;IPv6 Helper Service;C:\WINDOWS\System32\svchost.exe -k netsvcs

R2 BASFND;BASFND;\??\C:\WINDOWS\System32\Drivers\BASFND.sys

R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\System32\DRIVERS\dsunidrv.sys

R2 IISADMIN;IIS Admin;C:\WINDOWS\System32\inetsrv\inetinfo.exe

R2 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs

R2 SimpTcp;Simple TCP/IP Services;C:\WINDOWS\System32\tcpsvcs.exe

R3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys

R3 tunmp;Microsoft Tun Miniport Adapter Driver;C:\WINDOWS\System32\DRIVERS\tunmp.sys

S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys

S3 LPDSVC;TCP/IP Print Server;C:\WINDOWS\System32\tcpsvcs.exe

S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe -k p2psvc

S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe -k p2psvc

S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe -k p2psvc

S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe -k p2psvc

S4 MSFtpsvc;FTP Publishing;C:\WINDOWS\System32\inetsrv\inetinfo.exe

S4 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe

S4 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe

S4 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

 

 

Contents of the 'Scheduled Tasks' folder

2007-03-15 05:26:34 C:\WINDOWS\Tasks\McDefragTask.job - C:\WINDOWS\System32\defrag.exe

2006-12-01 06:00:53 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe

 

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-28 13:29:51

Windows 5.1.2600 Service Pack 1 NTFS

 

scanning hidden processes ...

 

scanning hidden registry entries ...

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]

"TracesProcessed"=dword:000001f4

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-07-28 13:35:30 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-07-28 13:35

 

--- E O F ---

 

---------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:56:13 PM, on 7/28/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

c:\program files\mcafee.com\agent\mcdetect.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WgaTray.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\System32\pctspk.exe

C:\Program Files\Dell\QuickSet\Quickset.exe

C:\Program Files\EarthLink 5.0\ConMgr.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Printkey.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Desktop\HiJackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll

O2 - BHO: (no name) - {5CA51629-E62B-4FF9-857F-9A609F7D6F06} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe

O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"

O4 - Startup: Reminder.lnk = C:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.bat

O4 - Global Startup: Printkey.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll

O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\earthlinkim\aim.exe

O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/20be8c8ce5b63d...ip/RdxIE601.cab

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181147560527

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181147516373

O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://64.84.107.59/activex/AMC.cab

O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab

O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} (Yahoo! Photos Print-at-Home Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...printathome.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...769/mcfscan.cab

O20 - Winlogon Notify: jkkkjgf - C:\WINDOWS\SYSTEM32\jkkkjgf.dll

O22 - SharedTaskScheduler: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - C:\WINDOWS\System32\httge.dll (file missing)

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: McAfee AntiSpyware Service - Unknown owner - c:\progra~1\mcafee\mcafee antispyware\massrv.exe (file missing)

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

 

--

End of file - 10872 bytes

 

-----------------------------------------------------------------------------------------------


Hi,

 

In your previous log, this entry was present:

 

O4 - Startup: Shortcut to Remind_Me.rtf.lnk = C:\Documents and Settings\Jim\Start Menu\Programs\Startup\Remind_Me.rtf

 

Now I see that one is gone and now this one is present:

 

O4 - Startup: Reminder.lnk = C:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.bat

 

This is really confusing now, since I don't know what you have been doing in between. So please don't do anything else apart from following my instructions, to prevent confusion; otherwise I have no clue whether some entries were created by you or by malware.

 

Do you know above blastcln.bat?

 

The NSIS installer can be anything. This is because a certain program uses this installer and when you get an error, this means that t

 

Anyway, perform next please...

 

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll

O2 - BHO: (no name) - {5CA51629-E62B-4FF9-857F-9A609F7D6F06} - (no file)

O4 - Startup: Reminder.lnk = C:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.bat <== check this if you don't know it

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/20be8c8ce5b63d...ip/RdxIE601.cab

O20 - Winlogon Notify: jkkkjgf - C:\WINDOWS\SYSTEM32\jkkkjgf.dll

O22 - SharedTaskScheduler: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - C:\WINDOWS\System32\httge.dll (file missing)

 

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

 

Remove these folders if you don't know them: the Celebpics folder certainly looks fishy, and the fact that CallWave was modified at the same time suggests they are related in some way:

 

C:\Program Files\Celebpics #1

C:\Program Files\CallWave

 

Then, * Open notepad - don't use any other texteditor than notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

 

File::

C:\WINDOWS\system32\jkkkjgf.dll

 

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA51629-E62B-4FF9-857F-9A609F7D6F06}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{7be183d2-a42d-4915-bf60-ec86fbf002cf}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{3964D8D6-86D0-493A-B460-A805B5401114}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkjgf]

 

Save this as txtfile CFScript

 

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

 

CFScript.gif

 

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

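The cross-check behind the helper's fix list, written out as an added example (this is not code from the thread, nor from HijackThis or ComboFix): it parses the O2, O20 and O22 lines of a HijackThis log, groups them by the file each load point references, flags a file that is registered under more than one load point (here jkkkjgf.dll as both a BHO and a Winlogon Notify package), lists dangling entries whose file is already gone, and drafts a CFScript in the same File::/Registry:: layout the helper posted. The registry paths mirror the helper's script, the sample log lines are constructed from the log quoted above, and the file should be saved as CFScript.txt.

```python
"""Cross-check HijackThis load points for one DLL and draft a ComboFix CFScript.

Added example, not code from the thread or from HijackThis/ComboFix. Parses the
O2 (BHO), O20 (Winlogon Notify) and O22 (SharedTaskScheduler) lines of a
HijackThis log, groups them by the file they load, flags files registered under
more than one load point, and writes a CFScript in the File::/Registry:: layout
the helper used. Registry paths mirror the thread's script; SAMPLE_LOG is
constructed from the log lines quoted above.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

CLSID = r"\{[0-9A-Fa-f-]{36}\}"

# One pattern per HijackThis line class this example understands.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<target>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$"),
    "O22": re.compile(r"^O22 - SharedTaskScheduler: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<target>.*)$"),
}

# Constructed sample: the relevant lines from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll
O2 - BHO: (no name) - {5CA51629-E62B-4FF9-857F-9A609F7D6F06} - (no file)
O20 - Winlogon Notify: jkkkjgf - C:\WINDOWS\SYSTEM32\jkkkjgf.dll
O22 - SharedTaskScheduler: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - C:\WINDOWS\System32\httge.dll (file missing)
"""


class Entry(NamedTuple):
    section: str           # "O2", "O20" or "O22"
    name: str              # BHO display name, Notify subkey name, or STS name
    clsid: Optional[str]   # None for O20, which is keyed by subkey name
    path: Optional[str]    # file the load point references, None for "(no file)"
    missing: bool          # HijackThis reported the file as absent


def _split_target(target: str):
    """Turn the trailing HijackThis field into (path, missing)."""
    target = target.strip()
    if target == "(no file)":
        return None, True
    suffix = " (file missing)"
    if target.endswith(suffix):
        return target[: -len(suffix)], True
    return target, False


def parse_hjt(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for section, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                path, missing = _split_target(m.group("target"))
                entries.append(Entry(section, m.group("name"),
                                     m.groupdict().get("clsid"), path, missing))
                break
    return entries


def load_points_by_file(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Group load points by the file they reference (Windows paths: case-insensitive)."""
    by_file = defaultdict(list)
    for e in entries:
        if e.path is not None:
            by_file[e.path.lower()].append(e)
    return dict(by_file)


def persistent_files(entries: List[Entry]) -> Dict[str, List[str]]:
    """Files registered under more than one load point. A Winlogon Notify DLL is
    mapped into winlogon.exe at logon and a BHO into every Explorer/IE process, so
    the file is held open while they run: deleting it from a normal session fails,
    and the code running there can re-create the registry entries that were removed."""
    return {path: sorted(e.section for e in es)
            for path, es in load_points_by_file(entries).items() if len(es) > 1}


def dangling(entries: List[Entry]) -> List[Entry]:
    """Load points whose file is gone: harmless, but they hide the real entries."""
    return [e for e in entries if e.missing]


def build_cfscript(entries: List[Entry], path: str) -> str:
    """Emit a ComboFix script for every load point that references `path`.
    Save it as CFScript.txt: the helper asked for a .txt file, and the run that
    logged a bare 'CFScript' switch left the DLL in place."""
    reg = []
    for e in load_points_by_file(entries).get(path.lower(), []):
        if e.section == "O2":
            reg.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{e.clsid}]")
            # The thread's script also cleared this CLSID from ShellExecuteHooks,
            # where the ComboFix log listed it; "=-" deletes the value if present.
            reg.append("[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks]")
            reg.append(f'"{e.clsid}"=-')
        elif e.section == "O20":
            reg.append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\" + e.name + "]")
        elif e.section == "O22":
            reg.append("[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler]")
            reg.append(f'"{e.clsid}"=-')
    return "\n".join(["File::", path, "", "Registry::"] + reg) + "\n"


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print("multiple load points:", persistent_files(found))
    print("dangling:", [(e.section, e.name) for e in dangling(found)])
    print(build_cfscript(found, r"C:\WINDOWS\system32\jkkkjgf.dll"))
```

Run it against a full log by reading the file into parse_hjt instead of SAMPLE_LOG. Grouping by file rather than by line is the point: one DLL showing up as O2 and O20 at once tells you every load point has to go in the same pass, and that a second pass is needed if a later log still lists it.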

Instructions were followed EXACTLY.

 

"Remind_Me.rtf" is a To Do List. "blastcln.bat" is a batch file that runs the Microsoft Blaster Worm Removal Tool. I move things in and out of my "Startup" folder. Sorry.

 

In your previous log, this entry was present:

O4 - Startup: Shortcut to Remind_Me.rtf.lnk = C:\Documents and Settings\Jim\Start Menu\Programs\Startup\Remind_Me.rtf

Now I see that one is gone and now this one is present:

O4 - Startup: Reminder.lnk = C:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.bat

 

Sorry, I will not change anything else.

 

This is really confusing now, since I don't know what you have been doing in between. So please don't do anything else apart from following my instructions, to prevent confusion; otherwise I have no clue whether some entries were created by you or by malware.

 

Do you know above blastcln.bat? <---<<< Microsoft Blaster Worm Removal Tool batch file

 

Did exactly below:

 

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank <---<<<< WAS MISSING <<<<<<<

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll

O2 - BHO: (no name) - {5CA51629-E62B-4FF9-857F-9A609F7D6F06} - (no file)

O4 - Startup: Reminder.lnk = C:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.bat <== check this if you don't know it

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/20be8c8ce5b63d...ip/RdxIE601.cab

O20 - Winlogon Notify: jkkkjgf - C:\WINDOWS\SYSTEM32\jkkkjgf.dll

O22 - SharedTaskScheduler: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - C:\WINDOWS\System32\httge.dll (file missing)

 

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

 

Remove these folders if you don't know them: the Celebpics folder certainly looks fishy, and the fact that CallWave was modified at the same time suggests they are related in some way:

 

C:\Program Files\Celebpics #1 <---<<< Uninstalled and folder deleted - is a screensaver

C:\Program Files\CallWave <---<<< deleted

 

Did exactly below:

 

Then, * Open notepad - don't use any other texteditor than notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

Save this as txtfile CFScript

 

Then drag the CFScript into ComboFix.exe as you see in the screenshot below. <---<<< CFScript disappeared after Combofix ran

 

CFScript.gif

 

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

 

After Combofix finished, ran Hijackthis scan. Combofix did NOT reboot.

 

------------------------------------------------------------------------------------------

ComboFix 07-07-28 - "Froggy" 2007-07-28 22:06:48.2 [GMT -4:00] - NTFS

Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.True

Command switches used :: C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Desktop\ComboFix\CFScript

* Created a new restore point

 

 

((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-29 )))))))))))))))))))))))))))))))

 

 

2007-07-28 19:01 <DIR> d-------- C:\WINDOWS\LastGood

2007-07-28 13:17 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-27 19:01 95,511 -ra------ C:\WINDOWS\system32\Vxdif.dll

2007-07-27 19:01 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys

2007-07-27 19:01 22,016 --a------ C:\WINDOWS\system32\drivers\mouclass.sys

2007-07-27 19:01 113,847 -ra------ C:\WINDOWS\system32\drivers\Apfiltr.sys

2007-07-27 19:01 <DIR> d-------- C:\WINDOWS\LastGood.Tmp

2007-07-26 21:37 31,254 --------- C:\WINDOWS\system32\jkkkjgf.dll

2007-07-26 14:19 69,632 --a------ C:\WINDOWS\system32\netos32.dll

2007-07-26 14:19 65,536 --a------ C:\WINDOWS\system32\netsrv32.dll

2007-07-25 11:01 <DIR> d-------- C:\Program Files\Orban

2007-07-15 22:54 <DIR> d-------- C:\DOCUME~1\Webbie\APPLIC~1\vlc

2007-07-15 22:50 <DIR> d-------- C:\Program Files\VideoLAN

2007-07-11 01:12 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys

2007-07-11 01:12 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys

2007-07-11 01:12 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys

2007-07-11 01:12 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys

2007-07-11 01:12 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys

2007-07-09 06:27 <DIR> d-------- C:\DOCUME~1\Webbie\APPLIC~1\McAfee

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-07-27 20:10 --------- d-------- C:\Program Files\Apoint

2007-07-27 08:39 --------- d-------- C:\Program Files\EarthLink 5.0

2007-07-25 10:03 23016 --a------ C:\WINDOWS\system32\nvModes.dat

2007-07-24 19:59 --------- d-------- C:\Program Files\McAfee

2007-07-20 18:56 --------- d-------- C:\Program Files\Microsoft AntiSpyware

2007-07-11 01:12 --------- d-------- C:\Program Files\Common Files\McAfee

2007-06-03 16:12 --------- d-------- C:\DOCUME~1\ADMINI~1.HAL\APPLIC~1\Talkback

2007-06-03 02:23 --------- d-------- C:\Program Files\Yahoo!

2007-06-03 00:41 1536 --a------ C:\WINDOWS\system32\TrueSoft.dat

2007-06-01 14:25 --------- d-------- C:\Program Files\DivX

2007-05-31 02:45 524288 --a------ C:\WINDOWS\system32\DivXsm.exe

2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll

2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll

2007-05-31 02:44 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll

2007-05-31 02:44 740442 --a------ C:\WINDOWS\system32\DivX.dll

2007-05-21 17:41 335 --a------ C:\WINDOWS\mozregistry.dat

2007-05-21 14:03 1156 --a------ C:\WINDOWS\mozver.dat

2003-05-02 03:23 2047 --a------ C:\Program Files\uninstal.log

2003-05-01 01:16 13053 --a------ C:\Program Files\uninstaljoy.log

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}]

2007-07-26 21:37 31254 --------- C:\WINDOWS\system32\jkkkjgf.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PCTVOICE"="pctspk.exe" [2003-02-24 16:35 C:\WINDOWS\system32\pctspk.exe]

"nwiz"="nwiz.exe" [2004-10-26 12:01 C:\WINDOWS\system32\nwiz.exe]

"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2003-01-31 12:27]

"ConMgr.exe"="C:\Program Files\EarthLink 5.0\ConMgr.exe" [2002-01-04 00:18]

"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]

"AWMON"="C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2005-05-25 12:12]

 

C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Start Menu\Programs\Startup\

Reminder.lnk - C:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.bat [2004-01-29 12:50:10]

 

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\

Printkey.exe [1998-11-27 19:41:00]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{3964D8D6-86D0-493A-B460-A805B5401114}"= C:\WINDOWS\system32\jkkkjgf.dll [2007-07-26 21:37 31254]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkjgf]

jkkkjgf.dll 2007-07-26 21:37 31254 C:\WINDOWS\system32\jkkkjgf.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^EarthLink ToolBar 5.0.lnk]

path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\EarthLink ToolBar 5.0.lnk

backup=C:\WINDOWS\pss\EarthLink ToolBar 5.0.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^KODAK Software Updater.lnk]

path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\KODAK Software Updater.lnk

backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]

"C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrustPPAP]

"C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FastStart]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]

"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster2]

C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"iPodService"=3 (0x3)

"gusvc"=3 (0x3)

"wltrysvc"=2 (0x2)

 

R1 MPFP;MPFP;C:\WINDOWS\System32\Drivers\Mpfp.sys

R1 Tcpip6;Microsoft IPv6 Protocol Driver;C:\WINDOWS\System32\DRIVERS\tcpip6.sys

R2 6to4;IPv6 Helper Service;C:\WINDOWS\System32\svchost.exe -k netsvcs

R2 BASFND;BASFND;\??\C:\WINDOWS\System32\Drivers\BASFND.sys

R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\System32\DRIVERS\dsunidrv.sys

R2 IISADMIN;IIS Admin;C:\WINDOWS\System32\inetsrv\inetinfo.exe

R2 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs

R2 SimpTcp;Simple TCP/IP Services;C:\WINDOWS\System32\tcpsvcs.exe

R3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys

R3 tunmp;Microsoft Tun Miniport Adapter Driver;C:\WINDOWS\System32\DRIVERS\tunmp.sys

S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys

S3 LPDSVC;TCP/IP Print Server;C:\WINDOWS\System32\tcpsvcs.exe

S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe -k p2psvc

S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe -k p2psvc

S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe -k p2psvc

S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe -k p2psvc

S4 MSFtpsvc;FTP Publishing;C:\WINDOWS\System32\inetsrv\inetinfo.exe

S4 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe

S4 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe

S4 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

 

 

Contents of the 'Scheduled Tasks' folder

2007-03-15 05:26:34 C:\WINDOWS\Tasks\McDefragTask.job - C:\WINDOWS\System32\defrag.exe

2006-12-01 06:00:53 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe

 

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-28 22:18:18

Windows 5.1.2600 Service Pack 1 NTFS

 

scanning hidden processes ...

 

scanning hidden registry entries ...

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]

"TracesProcessed"=dword:00000508

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-07-28 22:21:42

C:\ComboFix-quarantined-files.txt ... 2007-07-28 22:21

C:\ComboFix2.txt ... 2007-07-28 13:35

 

--- E O F ---

 

------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:29:23 PM, on 7/28/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

c:\program files\mcafee.com\agent\mcdetect.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

C:\WINDOWS\System32\nvsvc32.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\System32\pctspk.exe

C:\Program Files\Dell\QuickSet\Quickset.exe

C:\Program Files\EarthLink 5.0\ConMgr.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Printkey.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\System32\WgaTray.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Desktop\HiJackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe

O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"

O4 - Startup: Reminder.lnk = C:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.bat

O4 - Global Startup: Printkey.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll

O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\earthlinkim\aim.exe

O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181147560527

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181147516373

O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://64.84.107.59/activex/AMC.cab

O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab

O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} (Yahoo! Photos Print-at-Home Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...printathome.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...769/mcfscan.cab

O20 - Winlogon Notify: jkkkjgf - C:\WINDOWS\SYSTEM32\jkkkjgf.dll

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: McAfee AntiSpyware Service - Unknown owner - c:\progra~1\mcafee\mcafee antispyware\massrv.exe (file missing)

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

 

--

End of file - 10242 bytes

 

------------------------------------------------------------------------------------------

The offending file remains. I followed your instructions VERY carefully. Thank you for spending this time to help me.


Hi,

 

"Remind_Me.rtf" is a To Do List. "blastcln.bat" is a batch file that runs the Microsoft Blaster Worm Removal Tool. I move things in and out of my "Startup" folder. Sorry.
This is not needed since you're not dealing with Blaster, so please remove this from your startup folder.

 

You'll have to run CFScript again, because I don't see that the file you created was a txt file. The CFScript should be a txt file, as displayed in the screenshot, but from the switch I see a CFScript without an extension:

 

C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Desktop\ComboFix\CFScript

 

So please try again... Most probably you have extensions shown, so in your case it should be CFScript.txt you have to create.


Hi,

 

I removed the blaster batch file.

 

This is not needed since you're not dealing with Blaster, so please remove this from your startup folder. <--<<< DONE

 

I created a new script file and named it "CFScript.txt"

 

You'll have to run CFScript again, because I don't see it was a txt file you created. The CFScript should be a txt file as it displayed in the screenshot, but as I see from the switch, I see a CFScript without an extension:

C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Desktop\ComboFix\CFScript

 

So please try again... Most probably you have extensions shown, so in your case it should be CFScript.txt you have to create.

 

I ran Hijackthis and "fixed" the items listed in your previous post. The items below did NOT appear in the scan list before fixing:

 

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/20be8c8ce5b63d...ip/RdxIE601.cab

O22 - SharedTaskScheduler: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - C:\WINDOWS\System32\httge.dll (file missing)

 

Next, I ran Combofix by pasting "CFScript.txt" into Combofix as shown in your previous post. Combofix ran OK and did NOT reboot my system. I got alerts from McAfee, which I accepted.

 

Next, I ran Hijackthis and saved the log. Logs follow:

 

-----------------------------------------------------------------------------

ComboFix 07-07-28 - "Froggy" 2007-07-29 10:07:28.3 [GMT -4:00] - NTFS

Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.True

Command switches used :: C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Desktop\ComboFix\CFScript.txt

* Created a new restore point

 

 

((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-29 )))))))))))))))))))))))))))))))

 

 

2007-07-28 19:01 <DIR> d-------- C:\WINDOWS\LastGood

2007-07-28 13:17 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-27 19:01 95,511 -ra------ C:\WINDOWS\system32\Vxdif.dll

2007-07-27 19:01 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys

2007-07-27 19:01 22,016 --a------ C:\WINDOWS\system32\drivers\mouclass.sys

2007-07-27 19:01 113,847 -ra------ C:\WINDOWS\system32\drivers\Apfiltr.sys

2007-07-27 19:01 <DIR> d-------- C:\WINDOWS\LastGood.Tmp

2007-07-26 21:37 31,254 --------- C:\WINDOWS\system32\jkkkjgf.dll

2007-07-26 14:19 69,632 --a------ C:\WINDOWS\system32\netos32.dll

2007-07-26 14:19 65,536 --a------ C:\WINDOWS\system32\netsrv32.dll

2007-07-25 11:01 <DIR> d-------- C:\Program Files\Orban

2007-07-15 22:54 <DIR> d-------- C:\DOCUME~1\Webbie\APPLIC~1\vlc

2007-07-15 22:50 <DIR> d-------- C:\Program Files\VideoLAN

2007-07-11 01:12 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys

2007-07-11 01:12 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys

2007-07-11 01:12 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys

2007-07-11 01:12 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys

2007-07-11 01:12 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys

2007-07-09 06:27 <DIR> d-------- C:\DOCUME~1\Webbie\APPLIC~1\McAfee

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-07-29 08:21 --------- d-------- C:\Program Files\EarthLink 5.0

2007-07-27 20:10 --------- d-------- C:\Program Files\Apoint

2007-07-25 10:03 23016 --a------ C:\WINDOWS\system32\nvModes.dat

2007-07-24 19:59 --------- d-------- C:\Program Files\McAfee

2007-07-20 18:56 --------- d-------- C:\Program Files\Microsoft AntiSpyware

2007-07-11 01:12 --------- d-------- C:\Program Files\Common Files\McAfee

2007-06-03 16:12 --------- d-------- C:\DOCUME~1\ADMINI~1.HAL\APPLIC~1\Talkback

2007-06-03 02:23 --------- d-------- C:\Program Files\Yahoo!

2007-06-03 00:41 1536 --a------ C:\WINDOWS\system32\TrueSoft.dat

2007-06-01 14:25 --------- d-------- C:\Program Files\DivX

2007-05-31 02:45 524288 --a------ C:\WINDOWS\system32\DivXsm.exe

2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll

2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll

2007-05-31 02:44 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll

2007-05-31 02:44 740442 --a------ C:\WINDOWS\system32\DivX.dll

2007-05-21 17:41 335 --a------ C:\WINDOWS\mozregistry.dat

2007-05-21 14:03 1156 --a------ C:\WINDOWS\mozver.dat

2003-05-02 03:23 2047 --a------ C:\Program Files\uninstal.log

2003-05-01 01:16 13053 --a------ C:\Program Files\uninstaljoy.log

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}]

2007-07-26 21:37 31254 --------- C:\WINDOWS\system32\jkkkjgf.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PCTVOICE"="pctspk.exe" [2003-02-24 16:35 C:\WINDOWS\system32\pctspk.exe]

"nwiz"="nwiz.exe" [2004-10-26 12:01 C:\WINDOWS\system32\nwiz.exe]

"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2003-01-31 12:27]

"ConMgr.exe"="C:\Program Files\EarthLink 5.0\ConMgr.exe" [2002-01-04 00:18]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]

"AWMON"="C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2005-05-25 12:12]

 

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\

Printkey.exe [1998-11-27 19:41:00]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{3964D8D6-86D0-493A-B460-A805B5401114}"= C:\WINDOWS\system32\jkkkjgf.dll [2007-07-26 21:37 31254]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkjgf]

jkkkjgf.dll 2007-07-26 21:37 31254 C:\WINDOWS\system32\jkkkjgf.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^EarthLink ToolBar 5.0.lnk]

path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\EarthLink ToolBar 5.0.lnk

backup=C:\WINDOWS\pss\EarthLink ToolBar 5.0.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^KODAK Software Updater.lnk]

path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\KODAK Software Updater.lnk

backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]

"C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrustPPAP]

"C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FastStart]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]

"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster2]

C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"iPodService"=3 (0x3)

"gusvc"=3 (0x3)

"wltrysvc"=2 (0x2)

 

R1 MPFP;MPFP;C:\WINDOWS\System32\Drivers\Mpfp.sys

R1 Tcpip6;Microsoft IPv6 Protocol Driver;C:\WINDOWS\System32\DRIVERS\tcpip6.sys

R2 6to4;IPv6 Helper Service;C:\WINDOWS\System32\svchost.exe -k netsvcs

R2 BASFND;BASFND;\??\C:\WINDOWS\System32\Drivers\BASFND.sys

R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\System32\DRIVERS\dsunidrv.sys

R2 IISADMIN;IIS Admin;C:\WINDOWS\System32\inetsrv\inetinfo.exe

R2 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs

R2 SimpTcp;Simple TCP/IP Services;C:\WINDOWS\System32\tcpsvcs.exe

R3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys

R3 tunmp;Microsoft Tun Miniport Adapter Driver;C:\WINDOWS\System32\DRIVERS\tunmp.sys

S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys

S3 LPDSVC;TCP/IP Print Server;C:\WINDOWS\System32\tcpsvcs.exe

S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe -k p2psvc

S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe -k p2psvc

S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe -k p2psvc

S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe -k p2psvc

S4 MSFtpsvc;FTP Publishing;C:\WINDOWS\System32\inetsrv\inetinfo.exe

S4 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe

S4 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe

S4 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

 

 

Contents of the 'Scheduled Tasks' folder

2007-03-15 05:26:34 C:\WINDOWS\Tasks\McDefragTask.job - C:\WINDOWS\System32\defrag.exe

2006-12-01 06:00:53 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe

 

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-29 10:18:30

Windows 5.1.2600 Service Pack 1 NTFS

 

scanning hidden processes ...

 

scanning hidden registry entries ...

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]

"TracesProcessed"=dword:0000058b

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-07-29 10:21:48

C:\ComboFix-quarantined-files.txt ... 2007-07-29 10:21

C:\ComboFix2.txt ... 2007-07-28 22:21

C:\ComboFix3.txt ... 2007-07-28 13:35

 

--- E O F ---

 

-----------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:27:36 AM, on 7/29/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

c:\program files\mcafee.com\agent\mcdetect.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WgaTray.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\System32\pctspk.exe

C:\Program Files\Dell\QuickSet\Quickset.exe

C:\Program Files\EarthLink 5.0\ConMgr.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Printkey.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Desktop\HiJackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe

O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"

O4 - Global Startup: Printkey.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll

O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\earthlinkim\aim.exe

O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181147560527

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181147516373

O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://64.84.107.59/activex/AMC.cab

O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab

O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} (Yahoo! Photos Print-at-Home Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...printathome.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...769/mcfscan.cab

O20 - Winlogon Notify: jkkkjgf - C:\WINDOWS\SYSTEM32\jkkkjgf.dll

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: McAfee AntiSpyware Service - Unknown owner - c:\progra~1\mcafee\mcafee antispyware\massrv.exe (file missing)

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

 

--

End of file - 10093 bytes

 

-----------------------------------------------------------------------------

The offending file, jkkkjgf.dll, remains. I have followed your instructions exactly. Thank you for your patience. I think the Malware is altering my mouse driver. AdWatch pops-up changes to "Appoint". I also get Adwatch alerts for "NvCpl.dll". I attach recent events from my Adwatch log:

 

7/29/2007 10:34:47 AM> Registry modification detected

7/29/2007 10:34:47 AM>

7/29/2007 10:34:47 AM> Root:HKEY_LOCAL_MACHINE

7/29/2007 10:34:47 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run

7/29/2007 10:34:47 AM> Value:Apoint

7/29/2007 10:34:47 AM> Data:C:\Program Files\Apoint\Apoint.exe

7/29/2007 10:34:47 AM> New Data:

7/29/2007 10:34:47 AM>

7/29/2007 10:34:58 AM> Registry modification detected

7/29/2007 10:34:58 AM>

7/29/2007 10:34:58 AM> Root:HKEY_LOCAL_MACHINE

7/29/2007 10:34:58 AM> Key:Software\Microsoft\Internet Explorer\Main

7/29/2007 10:34:58 AM> Value:Start Page

7/29/2007 10:34:58 AM> Data:http://my.earthlink.net

7/29/2007 10:34:58 AM> New Data:about:blank

7/29/2007 10:34:58 AM>

7/29/2007 10:39:07 AM> Registry modification detected

7/29/2007 10:39:07 AM>

7/29/2007 10:39:07 AM> Root:HKEY_LOCAL_MACHINE

7/29/2007 10:39:07 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run

7/29/2007 10:39:07 AM> Value:Apoint

7/29/2007 10:39:07 AM> Data:

7/29/2007 10:39:07 AM> New Data:

7/29/2007 10:39:07 AM>

7/29/2007 10:39:33 AM> Registry modification detected

7/29/2007 10:39:33 AM>

7/29/2007 10:39:33 AM> Root:HKEY_LOCAL_MACHINE

7/29/2007 10:39:33 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run

7/29/2007 10:39:33 AM> Value:NvCplDaemon

7/29/2007 10:39:33 AM> Data:RUNDLL32.EXE C:\WINDOWS1\System32\NvCpl.dll,NvStartup

7/29/2007 10:39:33 AM> New Data:

7/29/2007 10:39:33 AM>

7/29/2007 10:46:31 AM> Registry modification detected

7/29/2007 10:46:31 AM>

7/29/2007 10:46:31 AM> Root:HKEY_LOCAL_MACHINE

7/29/2007 10:46:31 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run

7/29/2007 10:46:31 AM> Value:NvCplDaemon

7/29/2007 10:46:31 AM> Data:

7/29/2007 10:46:31 AM> New Data:RUNDLL32.EXE C:\WINDOWS1\System32\NvCpl.dll,NvStartup

7/29/2007 10:46:31 AM>

 

I really do not know what "NvCpl.dll" is doing!

 

Thank you again. I very much appreciate your patience and tolerance of my lesser skills.

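The entries posted above show one file, jkkkjgf.dll, registered at several load points at once: a Browser Helper Object (O2), a ShellExecuteHook (in the ComboFix "Reg Loading Points" section) and a Winlogon Notify package (O20). A DLL loaded through Winlogon Notify stays mapped into winlogon.exe for the whole session, so removing its registry entries while it is resident is routinely undone, and the same file appearing at several load points is the signal to look for. The following Python script is an added example, not a tool from this thread or from Lavasoft: it groups every local file named in HijackThis and ComboFix log lines by the kind of load point and reports files registered at two or more distinct kinds. The sample log text is constructed from the lines quoted in the thread, and the line formats the parser assumes are inferred from those lines rather than from either tool's documentation.

```python
"""Cross-reference autostart load points from HijackThis and ComboFix logs.

Added example, not a tool from this thread. The line formats below are
inferred from the log lines posted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample: HijackThis lines as posted in the thread above.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O20 - Winlogon Notify: jkkkjgf - C:\WINDOWS\SYSTEM32\jkkkjgf.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Constructed sample: ComboFix "Reg Loading Points" sections as posted above.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}]
2007-07-26 21:37 31254 --------- C:\WINDOWS\system32\jkkkjgf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2003-01-31 12:27]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3964D8D6-86D0-493A-B460-A805B5401114}"= C:\WINDOWS\system32\jkkkjgf.dll [2007-07-26 21:37 31254]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkjgf]
jkkkjgf.dll 2007-07-26 21:37 31254 C:\WINDOWS\system32\jkkkjgf.dll
"""

HJT_LINE = re.compile(r"^(O\d+|R\d) - ([^:]+):")      # "O20 - Winlogon Notify: ..."
REG_HEADER = re.compile(r"^\[(HKEY_[^\]]+)\]$")       # "[HKEY_LOCAL_MACHINE\...]"
# A local file path: drive letter, then anything up to the first .dll/.exe/.sys.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\[\]\n]*?\.(?:dll|exe|sys)\b', re.IGNORECASE)

# Both tools report the same registry keys under different labels; map them
# onto one vocabulary so a key seen by both tools counts as one load point.
HJT_KINDS = {"BHO": "bho", "Winlogon Notify": "winlogon_notify", "Service": "service"}
COMBOFIX_KINDS = [
    ("browser helper objects", "bho"),
    ("shellexecutehooks", "shellexecutehooks"),
    ("winlogon\\notify", "winlogon_notify"),
    ("currentversion\\run", "run"),
]


def hjt_kind(section_label):
    """Normalise a HijackThis section label ('BHO', 'HKLM\\..\\Run', ...)."""
    if section_label in HJT_KINDS:
        return HJT_KINDS[section_label]
    if section_label.endswith("\\Run"):          # O4 - HKLM\..\Run, HKCU\..\Run
        return "run"
    return None                                   # toolbars, DPF, etc.: not tracked


def combofix_kind(reg_key):
    """Normalise a ComboFix [HKEY_...] header; disabled msconfig items map to None."""
    key = reg_key.lower()
    for needle, kind in COMBOFIX_KINDS:
        if needle in key:
            return kind
    return None


def parse_hijackthis(text):
    """Yield (kind, path) for every HijackThis line that names a local file."""
    for line in text.splitlines():
        m, p = HJT_LINE.match(line), WIN_PATH.search(line)
        if not (m and p):
            continue
        kind = hjt_kind(m.group(2).strip())
        if kind:
            yield kind, p.group(0).lower()        # case-fold: SYSTEM32 == system32


def parse_combofix(text):
    """Yield (kind, path) for file entries under each [HKEY_...] header."""
    key = None
    for line in text.splitlines():
        h = REG_HEADER.match(line.strip())
        if h:
            key = h.group(1)
            continue
        p = WIN_PATH.search(line)
        kind = combofix_kind(key) if key else None
        if kind and p:
            yield kind, p.group(0).lower()


def load_point_report(hjt_text=SAMPLE_HJT, combofix_text=SAMPLE_COMBOFIX):
    """Return {path: sorted kinds} for files registered at 2+ distinct load points."""
    by_file = defaultdict(set)
    for kind, path in list(parse_hijackthis(hjt_text)) + list(parse_combofix(combofix_text)):
        by_file[path].add(kind)
    return {path: sorted(kinds) for path, kinds in by_file.items() if len(kinds) >= 2}


if __name__ == "__main__":
    for path, kinds in load_point_report().items():
        print(f"{path}: registered at {len(kinds)} load points -> {', '.join(kinds)}")
```

On the sample text the only file flagged is jkkkjgf.dll, at the bho, shellexecutehooks and winlogon_notify load points; Quickset.exe is seen by both tools but only under the Run key, so the normalisation keeps it out of the report. Short (8.3) and long path forms are not unified here, so a file referenced as both C:\PROGRA~1\... and C:\Program Files\... would be counted twice.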

NvCpl.dll is related to your NVIDIA Display Properties Extension, nothing to worry about. Also Appoint is ok.

 

I think your adwatch is also interfering with the CFScript since it also modifies some startup entries.

 

I already asked you previously to disable adwatch during cleanup, but it seems like it is still running and displaying alerts and interfering, so I recommend you uninstall Adaware in the meantime. You can reinstall it again afterwards when we are done here.

 

Then recreate the CFScript once again and drag it into combofix.

 

Then post the logs afterwards. If that didn't work, we still have some other methods to try.


I did an "End Process" in Windows Task Manager for the Adwatch process, BEFORE I ran Hijackthis and ComboFix. I didn't see any activity from Adwatch while running Combofix or Hijackthis. The "Appoint" change(s) change the display I see when I go to "Mouse" in Control Panel. It gets changed from my laptop touchpad to a regular mouse.

 

Can I just "turn off" Ad-watch and Ad-Aware using the System Configuration Utility (MSCONFIG)? I have a dial-up connection, so downloading the software again is a PITA!

 

--- you wrote ---

 

NvCpl.dll is related to your NVIDIA Display Properties Extension, nothing to worry about. Also Appoint is ok.

 

I think your adwatch is also interfering with the CFScript since it also modifies some startup entries.

 

I already asked you previously to disable adwatch during cleanup, but it seems like it is still running and displaying alerts and interfering, so I recommend you uninstall Adaware in the meantime. You can reinstall it again afterwards when we are done here.

 

Then recreate the CFScript once again and drag it into combofix.

 

Then post the logs afterwards. If that didn't work, we still have some other methods to try.


If I am not mistaken, even if you disable Adwatch via msconfig, it will be reloaded after Windows logon anyway. You can give it a try though.


Hi,

 

I ran Combofix and Hijackthis again with McAfee disabled and Adwatch not loaded. I unchecked "Load on Windows startup" in Adwatch Tools/Options and unchecked it in MSCONFIG/Startup. After the reboot, I checked "Task Manager" to assure Adwatch and McAfee were not loaded. Both were not shown in running processes. Combofix ran but did not reboot. When I scanned with Hijackthis, only two items remained from your previous "fix list", as below:

 

O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll

O20 - Winlogon Notify: jkkkjgf - C:\WINDOWS\SYSTEM32\jkkkjgf.dll

 

After I had run Combofix and Hijackthis, I again checked Taskmanager/Processes and neither McAfee nor Adwatch were running. I got no McAfee alerts during the process and no Adwatch alerts when I rebooted. Previously, Adwatch had popped-up asking for approval of what Combofix/Hijackthis changed.

 

If I am not mistaken, even if you disable Adwatch via msconfig, it will be reloaded after Windows logon anyway. You can give it a try though.
<---<<< It will be reloaded unless you uncheck it at Adwatch Tools/Options.

 

Logs follow:

 

--------------------------------------------------------------------------------------------

ComboFix 07-07-28 - "Froggy" 2007-07-29 13:57:55.4 [GMT -4:00] - NTFS

Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.True

Command switches used :: C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Desktop\ComboFix\CFScript.txt

* Created a new restore point

 

 

((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-29 )))))))))))))))))))))))))))))))

 

 

2007-07-29 10:39 95,511 -ra------ C:\WINDOWS\system32\Vxdif.dll

2007-07-29 10:39 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys

2007-07-29 10:39 22,016 --a------ C:\WINDOWS\system32\drivers\mouclass.sys

2007-07-29 10:39 113,847 -ra------ C:\WINDOWS\system32\drivers\Apfiltr.sys

2007-07-28 19:01 <DIR> d-------- C:\WINDOWS\LastGood

2007-07-28 13:17 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-27 19:01 <DIR> d-------- C:\WINDOWS\LastGood.Tmp

2007-07-26 21:37 31,254 --------- C:\WINDOWS\system32\jkkkjgf.dll

2007-07-26 14:19 69,632 --a------ C:\WINDOWS\system32\netos32.dll

2007-07-26 14:19 65,536 --a------ C:\WINDOWS\system32\netsrv32.dll

2007-07-25 11:01 <DIR> d-------- C:\Program Files\Orban

2007-07-15 22:54 <DIR> d-------- C:\DOCUME~1\Webbie\APPLIC~1\vlc

2007-07-15 22:50 <DIR> d-------- C:\Program Files\VideoLAN

2007-07-11 01:12 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys

2007-07-11 01:12 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys

2007-07-11 01:12 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys

2007-07-11 01:12 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys

2007-07-11 01:12 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys

2007-07-09 06:27 <DIR> d-------- C:\DOCUME~1\Webbie\APPLIC~1\McAfee

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-07-29 10:39 --------- d-------- C:\Program Files\Apoint

2007-07-29 08:21 --------- d-------- C:\Program Files\EarthLink 5.0

2007-07-25 10:03 23016 --a------ C:\WINDOWS\system32\nvModes.dat

2007-07-24 19:59 --------- d-------- C:\Program Files\McAfee

2007-07-20 18:56 --------- d-------- C:\Program Files\Microsoft AntiSpyware

2007-07-11 01:12 --------- d-------- C:\Program Files\Common Files\McAfee

2007-06-03 16:12 --------- d-------- C:\DOCUME~1\ADMINI~1.HAL\APPLIC~1\Talkback

2007-06-03 02:23 --------- d-------- C:\Program Files\Yahoo!

2007-06-03 00:41 1536 --a------ C:\WINDOWS\system32\TrueSoft.dat

2007-06-01 14:25 --------- d-------- C:\Program Files\DivX

2007-05-31 02:45 524288 --a------ C:\WINDOWS\system32\DivXsm.exe

2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll

2007-05-31 02:44 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll

2007-05-31 02:44 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll

2007-05-31 02:44 740442 --a------ C:\WINDOWS\system32\DivX.dll

2007-05-21 17:41 335 --a------ C:\WINDOWS\mozregistry.dat

2007-05-21 14:03 1156 --a------ C:\WINDOWS\mozver.dat

2003-05-02 03:23 2047 --a------ C:\Program Files\uninstal.log

2003-05-01 01:16 13053 --a------ C:\Program Files\uninstaljoy.log

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}]

2007-07-26 21:37 31254 --------- C:\WINDOWS\system32\jkkkjgf.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PCTVOICE"="pctspk.exe" [2003-02-24 16:35 C:\WINDOWS\system32\pctspk.exe]

"nwiz"="nwiz.exe" [2004-10-26 12:01 C:\WINDOWS\system32\nwiz.exe]

"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2003-01-31 12:27]

"ConMgr.exe"="C:\Program Files\EarthLink 5.0\ConMgr.exe" [2002-01-04 00:18]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]

 

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\

Printkey.exe [1998-11-27 19:41:00]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{3964D8D6-86D0-493A-B460-A805B5401114}"= C:\WINDOWS\system32\jkkkjgf.dll [2007-07-26 21:37 31254]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkkjgf]

jkkkjgf.dll 2007-07-26 21:37 31254 C:\WINDOWS\system32\jkkkjgf.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^EarthLink ToolBar 5.0.lnk]

path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\EarthLink ToolBar 5.0.lnk

backup=C:\WINDOWS\pss\EarthLink ToolBar 5.0.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^KODAK Software Updater.lnk]

path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\KODAK Software Updater.lnk

backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AWMON]

"C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]

"C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrustPPAP]

"C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FastStart]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]

"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster2]

C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"iPodService"=3 (0x3)

"gusvc"=3 (0x3)

"wltrysvc"=2 (0x2)

"MpfService"=2 (0x2)

"McSysmon"=2 (0x2)

"McShield"=2 (0x2)

"McRedirector"=2 (0x2)

"mcpromgr"=2 (0x2)

"McODS"=2 (0x2)

"McNASvc"=2 (0x2)

"mcmscsvc"=2 (0x2)

"mcmispupdmgr"=3 (0x3)

"McDetect.exe"=2 (0x2)

"McAfee HackerWatch Service"=2 (0x2)

"McAfee AntiSpyware Service"=2 (0x2)

"Emproxy"=3 (0x3)

 

R1 MPFP;MPFP;C:\WINDOWS\System32\Drivers\Mpfp.sys

R1 Tcpip6;Microsoft IPv6 Protocol Driver;C:\WINDOWS\System32\DRIVERS\tcpip6.sys

R2 6to4;IPv6 Helper Service;C:\WINDOWS\System32\svchost.exe -k netsvcs

R2 BASFND;BASFND;\??\C:\WINDOWS\System32\Drivers\BASFND.sys

R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\System32\DRIVERS\dsunidrv.sys

R2 IISADMIN;IIS Admin;C:\WINDOWS\System32\inetsrv\inetinfo.exe

R2 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs

R2 SimpTcp;Simple TCP/IP Services;C:\WINDOWS\System32\tcpsvcs.exe

R3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys

R3 tunmp;Microsoft Tun Miniport Adapter Driver;C:\WINDOWS\System32\DRIVERS\tunmp.sys

S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys

S3 LPDSVC;TCP/IP Print Server;C:\WINDOWS\System32\tcpsvcs.exe

S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe -k p2psvc

S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe -k p2psvc

S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe -k p2psvc

S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe -k p2psvc

S4 MSFtpsvc;FTP Publishing;C:\WINDOWS\System32\inetsrv\inetinfo.exe

S4 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe

S4 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe

S4 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

 

 

Contents of the 'Scheduled Tasks' folder

2007-03-15 05:26:34 C:\WINDOWS\Tasks\McDefragTask.job - C:\WINDOWS\System32\defrag.exe

2006-12-01 06:00:53 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe

 

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-29 14:09:05

Windows 5.1.2600 Service Pack 1 NTFS

 

scanning hidden processes ...

 

scanning hidden registry entries ...

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]

"TracesProcessed"=dword:0000050d

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-07-29 14:11:53

C:\ComboFix-quarantined-files.txt ... 2007-07-29 14:11

C:\ComboFix2.txt ... 2007-07-29 10:21

C:\ComboFix3.txt ... 2007-07-28 22:21

 

--- E O F ---

 

--------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:23:27 PM, on 7/29/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WgaTray.exe

C:\WINDOWS\System32\pctspk.exe

C:\Program Files\Dell\QuickSet\Quickset.exe

C:\Program Files\EarthLink 5.0\ConMgr.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Desktop\HiJackThis\HijackThis.exe

C:\WINDOWS\System32\taskmgr.exe

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Utilities\Printkey.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe

O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - Global Startup: Printkey.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll

O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\earthlinkim\aim.exe

O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181147560527

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181147516373

O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://64.84.107.59/activex/AMC.cab

O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab

O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} (Yahoo! Photos Print-at-Home Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...printathome.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...769/mcfscan.cab

O20 - Winlogon Notify: jkkkjgf - C:\WINDOWS\SYSTEM32\jkkkjgf.dll

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

 

--

End of file - 8108 bytes

 

--------------------------------------------------------------------------------------------

 

The file, jkkkjgf.dll, remains. Whatever this thing is, it tries to dial out using the "Windows Explorer" process. I keep wondering if it can collect passwords, etc.?

 

I Googled for "jkkkjgf.dll" and found hits, but they are all in languages I can't read!

 

This thing is attached to "Winlogon.exe" and "explorer.exe", both of which are required to function.

 

Do you think running Combofix and/or Hijackthis in safe mode would work? Somehow, a fix has to get in ahead of "Winlogon" and/or "explorer.exe", I think.

 

This seems to be a stubborn little bug!

 

Thanks, again, for your patience and tolerance. I hope there is a more potent Malware killer in your arsenal.

 

~Jim~


.. Yes, I know what this file is .. It is one of these Vundo/Virtumundo/Conhook variants and I know what it does.

Normally Combofix can deal with it without any problems, so not sure here if it's a third party interfering here with Combofix or anything else.

 

Anyway, don't bother about Combofix for now, but do next instead..

 

* Please download VundoFix.exe to your C:\.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • In case it says that nothing was found, Right click the list box (white box) in the main VundoFix window.
  • Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.
  • In the Window: copy and paste next in the first field: C:\WINDOWS\SYSTEM32\jkkkjgf.dll
  • Click the “Add Files” button.
  • Click the "Close Window" button.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.

Note: It is possible that VundoFix encountered a file it could not remove.

In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

 

After reboot,

 

Post a new HijackThis log and the contents of C:\vundofix.txt in your next reply.


Hi,

 

Can you please tell me if "Vundo/Virtumundo/Conhook" can capture and transmit personal information and/or passwords? I am trying to assess my exposure as I work through this.

 

.. Yes, I know what this file is .. It is one of these Vundo/Virtumundo/Conhook variants and I know what it does.

 

I need a break, so I will run Vundofix and post my logs in a while.

 

Thank you again for your help and patience.

 

~Jim~

Can you please tell me if "Vundo/Virtumundo/Conhook" can capture and transmit personal information and/or passwords
No, it won't capture passwords etc...read here for more info:

http://www.symantec.com/security_response/...-112111-3912-99

http://research.sunbelt-software.com/threa...?threatid=45786

 

It's mainly adware, displaying popups/advertisements.


Well ... at last it seems to be gone. If only I had known about the "Add More Files" function of VundoFix! If I had, it would have been fixed last Thursday night ... alas!

 

I'm glad to know Vundo isn't a serious threat ... thanks.

 

No, it won't capture passwords etc...read here for more info:

http://www.symantec.com/security_response/...-112111-3912-99

http://research.sunbelt-software.com/threa...?threatid=45786

It's mainly adware, displaying popups/advertisements.

 

I followed your instructions for VundoFix and "jkkkjgf.dll" is gone from "...\system32" folder! Logs follow:

 

--------------------------------------------------------------------------------------------

 

VundoFix V6.5.6

 

Checking Java version...

 

Java version is 1.4.2.4

Old versions of java are exploitable and should be removed.

 

Java version is 1.5.0.10

 

Java version is 1.5.0.11

 

Scan started at 5:26:16 PM 7/29/2007

 

Listing files found while scanning....

 

No infected files were found.

 

 

Beginning removal...

 

Beginning removal...

 

VundoFix V6.5.6

 

Checking Java version...

 

Java version is 1.4.2.4

Old versions of java are exploitable and should be removed.

 

Java version is 1.5.0.10

 

Java version is 1.5.0.11

 

Scan started at 5:30:52 PM 7/29/2007

 

Listing files found while scanning....

 

No infected files were found.

 

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\SYSTEM32\jkkkjgf.dll

C:\WINDOWS\SYSTEM32\jkkkjgf.dll Could not be deleted.

 

Performing Repairs to the registry.

Done!

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\SYSTEM32\jkkkjgf.dll

C:\WINDOWS\SYSTEM32\jkkkjgf.dll Has been deleted!

 

Performing Repairs to the registry.

Done!

 

--------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:55:54 PM, on 7/29/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

c:\program files\mcafee.com\agent\mcdetect.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\System32\pctspk.exe

C:\Program Files\Dell\QuickSet\Quickset.exe

C:\Program Files\EarthLink 5.0\ConMgr.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Printkey.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\System32\WgaTray.exe

C:\WINDOWS\Explorer.EXE

c:\program files\mcafee\msc\mcuimgr.exe

C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Desktop\HiJackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll (file missing)

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe

O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSCONFIG.EXE /auto

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - Global Startup: Printkey.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll

O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\earthlinkim\aim.exe

O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181147560527

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181147516373

O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://64.84.107.59/activex/AMC.cab

O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab

O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} (Yahoo! Photos Print-at-Home Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...printathome.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...769/mcfscan.cab

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: McAfee AntiSpyware Service - Unknown owner - c:\progra~1\mcafee\mcafee antispyware\massrv.exe (file missing)

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

 

--

End of file - 10061 bytes

 

--------------------------------------------------------------------------------------------

 

After I finished, I edited out the last registry entry, just to be sure!

 

My machine labors a bit after connecting to my ISP. Is there any lint that can be cleaned up?

 

My "mouse" software finally settled down. The Malware must have been tinkering with it.

 

You must have assumed I knew more about VundoFix than I really did!

 

I do, very much, appreciate your time and patience ... THANKS !!!

 

~Jim~


Hi,

 

Check and fix next leftover in HijackThis:

 

O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll (file missing)

 

Delete next folders:

 

C:\Vundofix backups

C:\Qoobox

 

Glad I could help. ;)

 

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

 

Happy Surfing again!

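The leftover the helper points at above ("(no name)" BHO whose file is missing) and the earlier jkkkjgf.dll entries (a BHO that was also registered as a Winlogon Notify DLL) are the kind of thing a reviewer scans a HijackThis log for. As an added example for this thread, not code from HijackThis, ComboFix or VundoFix, the script below parses the O2, O4, O20 and O23 line formats as they appear in the logs posted here and reports those patterns. The sample lines are copied from the logs above; the rule names and the helper functions are my own.

```python
"""Triage HijackThis log lines for the persistence entries seen in this thread.

Added example for this thread; it is not code from HijackThis, ComboFix or
VundoFix. It parses the O2 (BHO), O4 (Run key), O20 (Winlogon Notify) and
O23 (service) line formats as they appear in the logs above and reports the
patterns the helper acted on. Rule names are my own labels.
"""
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis logs posted in this thread.
# The O4 line is included to show that an ordinary Run-key entry yields nothing.
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll",
    r"O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe",
    r"O20 - Winlogon Notify: jkkkjgf - C:\WINDOWS\SYSTEM32\jkkkjgf.dll",
    r"O23 - Service: McAfee AntiSpyware Service - Unknown owner - c:\progra~1\mcafee\mcafee antispyware\massrv.exe (file missing)",
]

MISSING = "(file missing)"   # HijackThis appends this when the referenced file is gone

# One regex per HJT section prefix; the named groups feed the Entry fields.
LINE_PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<name>.*?): (?P<path>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$"),
}


@dataclass(frozen=True)
class Entry:
    kind: str          # HJT section prefix: O2, O4, O20 or O23
    name: str
    path: str
    clsid: str = ""    # only O2 lines carry a CLSID


def parse_line(line):
    """Return an Entry for a recognised HJT line, or None for any other line."""
    line = line.strip()
    for kind, pattern in LINE_PATTERNS.items():
        m = pattern.match(line)
        if m:
            g = m.groupdict()
            return Entry(kind, g["name"], g["path"], g.get("clsid", ""))
    return None


def parse_log(lines):
    """Parse an iterable of log lines, silently skipping unrecognised ones."""
    return [e for e in (parse_line(ln) for ln in lines) if e is not None]


def dll_basename(path):
    """Lower-cased file name of a path, with the '(file missing)' marker removed."""
    cleaned = path.replace(MISSING, "").strip().strip('"')
    return re.split(r"[\\/]", cleaned)[-1].lower()


def triage(entries):
    """Return (rule, detail) pairs for entries a reviewer should look at.

    Rules: a BHO with no name; any Winlogon Notify DLL (loaded by winlogon.exe,
    which is where the thread's jkkkjgf.dll was also registered); a DLL that is
    both a BHO and a Winlogon Notify DLL; and a registry entry whose file is gone.
    """
    findings = []
    bho_by_dll = {}
    for e in entries:                       # first pass: index BHOs by DLL name
        if e.kind == "O2":
            bho_by_dll.setdefault(dll_basename(e.path), []).append(e)
    for e in entries:                       # second pass: apply the rules
        if e.kind == "O2" and e.name == "(no name)":
            findings.append(("bho_no_name", f"{e.clsid} -> {e.path}"))
        if e.kind == "O20":
            findings.append(("winlogon_notify", f"{e.name} -> {e.path}"))
            for bho in bho_by_dll.get(dll_basename(e.path), []):
                findings.append(("bho_and_winlogon_same_dll",
                                 f"{dll_basename(e.path)} ({bho.clsid})"))
        if e.path.endswith(MISSING):
            findings.append(("file_missing", f"{e.kind} {e.name}: {e.path}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{rule:26} {detail}")
```

Run against the sample it reports the nameless BHO, the Winlogon Notify entry, the fact that both point at the same DLL, and the orphaned McAfee service entry, while the Adobe BHO and the Run-key line produce nothing. A "file_missing" finding on its own is a cleanup item (the helper's "Check and fix" step), not evidence of an active infection.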

Hi,

 

--- miekiemoes wrote ---

 

Hi,

Check and fix next leftover in HijackThis:

O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\jkkkjgf.dll (file missing)

Delete next folders:

C:\Vundofix backups

C:\Qoobox

 

Hi,

 

I performed the clean-up as above. I uninstalled old versions of "Java" as listed in the ComboFix log.

 

I am still having some problems. My "etc\HOSTS" file keeps getting deleted. McAfee does not alert when the HOSTS file is moved, even though all alerts are turned on. McAfee's MVT reports no problems! Adaware runs but hangs at "C:\WUTemp", which is empty! When I open a folder and create or rename a file, I have to "refresh", sometimes, to see the name in the list. IE is crashing, but restarts without a reboot. Sometimes if I search for a file while IE is open the machine locks up and I have to wait a while and then kill processes with Task Manager. Trend Micro's "Housecall" reports no malware, beyond one tracking cookie.

 

Some new files have appeared:

 

vfind.exe <--- no version data created 7/28/07

swxcacls.exe <--- SteelwerX Freeware created 7/28/07

swsc.exe <--- SteelwerX Freeware created 7/28/07

swreg.exe <--- SteelwerX Freeware created 7/28/07

mcrh.tmp <--- no version data created 7/28/07

 

I don't find any files or folders named, explicitly, "SteelwerX".

 

Could these files have been left behind by VundoFix or Combofix?

 

I wonder if I should boot-F8 and do a "Last Good"? Should I copy the explorer's executables from backups and paste them over their current directory?

 

My connection seems slower than the usual, slow 56k!

 

HJT log attached:

 

______________________________________________________________________________________

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:46:33 PM, on 7/31/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

c:\program files\mcafee.com\agent\mcdetect.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WgaTray.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\pctspk.exe

C:\Program Files\Dell\QuickSet\Quickset.exe

C:\Program Files\EarthLink 5.0\ConMgr.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Printkey.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Apoint\HidFind.exe

C:\Documents and Settings\Administrator.HAL-NP2FSH6XLD6\Desktop\HiJackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe

O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"

O4 - Global Startup: Printkey.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll

O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\earthlinkim\aim.exe

O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181147560527

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181147516373

O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://64.84.107.59/activex/AMC.cab

O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab

O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} (Yahoo! Photos Print-at-Home Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...printathome.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...769/mcfscan.cab

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: McAfee AntiSpyware Service - Unknown owner - c:\progra~1\mcafee\mcafee antispyware\massrv.exe (file missing)

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

 

--

End of file - 10161 bytes

______________________________________________________________________________________

 

Glad I could help. :huh:

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

 

Thanks for all your help and thanks for your great links. You have a great looking dog!

 

~Jim~

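The log above is in the HijackThis v2 format: every entry line starts with a section code (R1, O2, O4, O23 ...) and its fields are separated by " - ". When reviewing such a log, the entries worth a second look are the ones that point at files that no longer exist ("(no file)", "(file missing)"), autostart commands given as a bare filename, autostart images living under a user-writable path such as Temp, and services with an unknown owner. The following script is an added example written for this thread, not a tool from the forum or from Trend Micro; the sample log it parses is constructed from the entry types seen here, and the snapsnet.exe Run entry is made up to show the user-temp case (snapsnet.exe is the name of one of the files the poster found in his temp folder).

```python
import re
from collections import Counter

# Constructed sample in the HijackThis v2 log format, modelled on the entry
# types in this thread (it is not the poster's full log). The snapsnet.exe
# Run entry is made up to show a user-temp path, which is where the thread's
# dropped files were found.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [snapsnet] C:\Documents and Settings\jim\Local Settings\Temp\snapsnet.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O23 - Service: McAfee AntiSpyware Service - Unknown owner - c:\progra~1\mcafee\mcafee antispyware\massrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
RUN_RE = re.compile(r"\[[^\]]*\]\s*(?P<cmd>.*)")
EXE_RE = re.compile(r"^(\S.*?\.(?:exe|dll|com|bat|cmd|scr))(?:\s|$)", re.IGNORECASE)
DANGLING = ("(no file)", "(file missing)")
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\")


def parse_hjt(text):
    """Return one dict per HijackThis entry line (R*, F*, N*, O* sections).
    Header lines and the 'Running processes' block carry no section code
    and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        # Fields are separated by ' - '; the last one is the file, CLSID
        # target or URL the entry points at.
        parts = [p.strip() for p in body.split(" - ")]
        entries.append({"code": code, "body": body, "target": parts[-1]})
    return entries


def run_command_image(body):
    """For an O4 (autostart) entry, return the executable part of the command."""
    m = RUN_RE.search(body)
    cmd = (m.group("cmd") if m else body).strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd


def review(entries):
    """Apply triage heuristics and return (code, reason, detail) tuples.
    They are prompts for a human reviewer, not verdicts."""
    findings = []
    for e in entries:
        code, target = e["code"], e["target"]
        if any(tag in target.lower() for tag in DANGLING):
            findings.append((code, "dangling", target))
            continue
        if code == "O4":
            image = run_command_image(e["body"])
            if "\\" not in image:
                # A bare filename is resolved through the search path at
                # logon; confirm which file on disk actually runs.
                findings.append((code, "bare filename", image))
            elif any(marker in image.lower() for marker in USER_WRITABLE):
                findings.append((code, "user-writable path", image))
        elif code == "O23" and "unknown owner" in e["body"].lower():
            findings.append((code, "unknown owner", target))
    return findings


def section_counts(entries):
    """Count entries per section code, e.g. {'O4': 3, 'O23': 2}."""
    return Counter(e["code"] for e in entries)


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(dict(section_counts(parsed)))
    for code, reason, detail in review(parsed):
        print(f"{code:4} {reason:20} {detail}")
```

Run against the sample it reports four findings: the two dangling entries (Windows Messenger and the missing McAfee AntiSpyware service), the bare `pctspk.exe` autostart, and the made-up Temp-folder Run entry. Dangling entries such as the "(no file)" Windows Messenger button in the poster's log are usually harmless leftovers, which is why the heuristics only list them for a human to decide.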

Hi,

 

The C:\WUTemp is needed for downloading Windows Updates. Just exclude that folder from your Adaware scans.

 

Are you sure your Hosts file is getting deleted?

 

Anyway, all your other freezing issues and slow internet issues are most probably caused by McAfee. This is a known issue with McAfee, and the forums are full of similar problems.

 

I wonder if I should boot-F8 and do a "Last Good"? Should I copy Explorer's executables from backups and paste them over their current directory?
Why would you do that? That doesn't make sense. That won't resolve anything, on the contrary, you may rather corrupt your system.

 

Some new files have appeared:

 

vfind.exe <--- no version data created 7/28/07

swxcacls.exe <--- SteelwerX Freeware created 7/28/07

swsc.exe <--- SteelwerX Freeware created 7/28/07

swreg.exe <--- SteelwerX Freeware created 7/28/07

mcrh.tmp <--- no version data created 7/28/07

 

I don't find any files or folders named, explicitly, "SteelwerX".

 

Could these files have been left behind by VundoFix or Combofix?

Yes, they were dropped by Combofix. Don't worry about them, they are just command line tools.

 

For your Hosts file, do next:

 

* Download: HostsXpert

Unzip Hoster to its own folder, e.g. C:\HostsXpert

Start HostsExpert.exe, click 'Restore MS Hosts file' and click OK.

This will restore the original MS Hosts file. Please make sure NO scanner is interfering here, because if you modify your hosts file (even restoring it to the default), a scanner may see this as a "Hijack" attempt as well and delete/restore it again to how it was before.

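Before restoring the hosts file it is worth checking what is actually in it, since the two things a hijacked hosts file usually does are the mirror image of each other: it pins update and security-vendor names to loopback so scans and updates silently fail, or it maps ordinary sites to an outside address. The script below is an added example for this thread, not part of HostsXpert or the forum's own tools. The stock Windows content (one `127.0.0.1 localhost` entry under the comment header) is as Windows ships it; the watch list of vendor domains, the sample tampered file and the address 203.0.113.10 (a documentation address, not a real host) are constructed for the example. The file path used in the main block is the standard Windows location.

```python
import ipaddress
import os

# What Windows ships in %SystemRoot%\system32\drivers\etc\hosts once the
# comment header is stripped: a single loopback entry for localhost.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Constructed watch list of the update/AV vendors named in this thread;
# extend it for the products actually installed on the machine.
WATCH_DOMAINS = ("lavasoft.com", "mcafee.com", "trendmicro.com",
                 "windowsupdate.com", "update.microsoft.com")

# Constructed sample of a tampered hosts file: two vendors pinned to loopback
# and one popular site sent to an external address (203.0.113.10 is a
# documentation-range address, not a real host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.lavasoft.com
127.0.0.1       update.mcafee.com  # pinned by the infection
203.0.113.10    www.google.com
"""


def load_hosts(path):
    """Return the file text, or None when the file is missing (a finding in
    itself: Windows expects this file to exist)."""
    if not os.path.isfile(path):
        return None
    with open(path, encoding="ascii", errors="replace") as fh:
        return fh.read()


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and bad addresses."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield ip, host.lower()


def on_watch_list(host):
    """True when host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCH_DOMAINS)


def audit_hosts(text):
    """Return (hostname, ip, reason) findings: a watched vendor mapped to
    loopback/unspecified means it is blocked; anything mapped to another
    address means it is redirected."""
    findings = []
    for ip, host in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            if on_watch_list(host):
                findings.append((host, str(ip), "security vendor blocked"))
        else:
            findings.append((host, str(ip), "redirected to external address"))
    return findings


def is_default(text):
    """True when the active entries equal the stock Microsoft file."""
    return set(parse_hosts(text)) == set(parse_hosts(DEFAULT_HOSTS))


def restore_default(path):
    """Overwrite the file with the stock content. As the reply above notes,
    pause real-time scanners first: some treat a rewrite of this file as a
    hijack attempt and put the previous version back."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write(DEFAULT_HOSTS)


if __name__ == "__main__":
    for host, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{reason:32} {host} -> {ip}")
    real = r"C:\WINDOWS\system32\drivers\etc\hosts"
    text = load_hosts(real)
    if text is None:
        print("hosts file is missing:", real)
    else:
        print("hosts file is stock:", is_default(text))
```

On the sample it reports the two blocked vendors and the redirected site; on a machine where the file has been deleted, `load_hosts` returning None is the confirmation the poster was looking for, after which `restore_default` (with scanners paused) puts the stock file back.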

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.


Reopened.

 

Please let me know with what malware related issues you are still dealing with :D


Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
