Malware Protector 2008 - HJT Log

Author	All Replies
babacher sleep apnea sucks Premium,MVM join:2001-02-28 Greenwood, IN clubs:	Malware Protector 2008 - HJT Log Please help... my nephew wound up with Malware Protector 2008 on his system and it's well and truly hosed now. When he tries to boot into normal mode, it sits for over an hour and barely gets anywhere. He can boot into Safe Mode, but then his keyboard doesn't work. We found a website that recommended SmitFraudFix for this problem, but it didn't work. Using the Windows on-screen keyboard he was able to download and run Spybot S&D, but it didn't fix the problem either. Ad-Aware wouldn't run, saying "this program has been blocked by the administrator". That was while he was logged into safe mode AS administrator... Windows malicious software removal tool reports no problems. So.... here's the HJT log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 15:39:50, on 6/14/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Safe mode with network support Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Spyware Doctor\pctsAuxs.exe C:\Program Files\Spyware Doctor\pctsSvc.exe C:\Program Files\Spyware Doctor\pctsTray.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\ctfmon.exe C:\My Downloads\windows-kb890830-v1.42.exe c:\feaaee2d5ab2f21dca42aee1305aa7\mrtstub.exe C:\WINDOWS\system32\MRT.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »bfc.myway.com/search/de_srchlft.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = »www.dell.com R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing) O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter O4 - HKLM\..\Run: [lphcl2uj0egbl] C:\WINDOWS\system32\lphcl2uj0egbl.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\RunOnce: [] OSK.exe O4 - HKCU\..\RunOnce: [SpybotDeletingB6606] command /c del "c:\Program Files\Altnet\Download Manager\asmps.dll" O4 - HKCU\..\RunOnce: [SpybotDeletingD3125] cmd /c del "c:\Program Files\Altnet\Download Manager\asmps.dll" O4 - HKCU\..\RunOnce: [SpybotDeletingB2138] command /c del "c:\Program Files\Altnet\Download Manager\asm.exe" O4 - HKCU\..\RunOnce: [SpybotDeletingD1979] cmd /c del "c:\Program Files\Altnet\Download Manager\asm.exe" O4 - HKCU\..\RunOnce: [SpybotDeletingB6627] command /c del "c:\Program Files\Altnet\Download Manager\asmend.exe" O4 - HKCU\..\RunOnce: [SpybotDeletingD6580] cmd /c del "c:\Program Files\Altnet\Download Manager\asmend.exe" O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O4 - Global Startup: VTAgentReboot.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - »www.fileplanet.com/fpdlmgr/cabs/···.108.cab O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - »lads.myspace.com/upload/MySpaceU···1006.cab O16 - DPF: {8E6AA867-94D4-4B4F-8791-1B048F8C122A} (WebInterface Class) - »https://fastsend.com/products/Fsplugin.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - »download.games.yahoo.com/games/p···r_v6.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{A150BA3B-2BAD-4082-A17D-55E52EDC29B4}: NameServer = 167.206.254.1,167.206.254.2 O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: RaySatxsi5_0 Server (RaySatxsi5_0Server) - Unknown owner - C:\Softimage\XSI_5.0\Application\bin\raysatxsi5_0server.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\WINDOWS\system32\spm\spmd.exe O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe -- Help us cure TSC and cancer: Team Discovery
	to forum · permalink · · 2008-06-14 16:06:45 ·
CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL	You skipped an important step! Using Safe mode with networking, go here and follow step 2 for a full system scan with the Eset online AV scan: »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance Post the the scan log when done back here. Then download and run this free tool called ComboFix to produce a log please: Please visit this webpage for download links, and instructions for running the tool: »www.bleepingcomputer.com/combofi···combofix If you do not have the Windows recovery console installed already, do follow the page's instructions for doing that before you run it. When, the tool is finished, it will produce a report for you. Please post that report located at: C:\ComboFix.txt along with a new HijackThis log. -- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2008 Proud Member of ASAP (Alliance of Security Analysis Professionals)
	to forum · permalink · · 2008-06-15 09:42:54 ·
babacher sleep apnea sucks Premium,MVM join:2001-02-28 Greenwood, IN clubs:	reply to babacher I can't get hold of my nephew this evening - he must be working. Thanks for your suggestions - I'll get him to do those things and report back. -- Help us cure TSC and cancer: Team Discovery
	to forum · permalink · · 2008-06-15 22:22:25 ·
babacher sleep apnea sucks Premium,MVM join:2001-02-28 Greenwood, IN clubs:	reply to babacher Here's the online vscan log: # version=4 # OnlineScanner.ocx=1.0.0.56 # OnlineScannerDLLA.dll=1, 0, 0, 51 # OnlineScannerDLLW.dll=1, 0, 0, 51 # OnlineScannerUninstaller.exe=1, 0, 0, 49 # vers_standard_module=3188 (20080615) # vers_arch_module=1.064 (20080214) # vers_adv_heur_module=1.064 (20070717) # EOSSerial=ab201c828c608f439c28f5f7476ff0ba # end=finished # remove_checked=true # unwanted_checked=true # utc_time=2008-06-16 06:59:50 # local_time=2008-06-16 02:59:50 (-0500, Eastern Daylight Time) # country="United States" # osver=5.1.2600 NT Service Pack 2 # scanned=485077 # found=11 # scan_time=4270 C:\Documents and Settings\mattito\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-4b17516f-655e746f.zip multiple infiltrations (deleted) 00000000000000000000000000000000 C:\Documents and Settings\mattito\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-4b17516f-655e746f.zip »ZIP »BnnnnBaa.class Java/ClassLoader trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000 C:\Documents and Settings\mattito\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-4b17516f-655e746f.zip »ZIP »VaannnaaBaa.class Java/ClassLoader trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000 C:\Documents and Settings\mattito\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-4b17516f-655e746f.zip »ZIP »Dnnny.class Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000 C:\Documents and Settings\mattito\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-4b17516f-655e746f.zip »ZIP »Bnnnnn.class Java/ClassLoader.AS trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000 C:\Documents and Settings\mattito\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-4b17516f-655e746f.zip »ZIP »Den.class Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000 C:\Documents and Settings\mattito\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-4b17516f-655e746f.zip »ZIP »Din.class Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000 C:\Documents and Settings\mattito\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-4b17516f-655e746f.zip »ZIP »Dun.class Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000 C:\Downloads\LSLMCLTSetup-dm[1].exe a variant of Win32/Adware.Trymedia application (unable to clean - deleted) 00000000000000000000000000000000 C:\WINDOWS\SYSTEM32\lphcl2uj0egbl.exe Win32/TrojanDownloader.FakeAlert.DK trojan (unable to clean - deleted) 00000000000000000000000000000000 C:\WINDOWS\SYSTEM32\phcl2uj0egbl.bmp Win32/TrojanDownloader.FakeAlert.DJ trojan (unable to clean - deleted) 00000000000000000000000000000000 -- Help us cure TSC and cancer: Team Discovery
	to forum · permalink · · 2008-06-16 07:48:47 ·
babacher sleep apnea sucks Premium,MVM join:2001-02-28 Greenwood, IN clubs:	reply to babacher Here's the HJT log after the vscan: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 03:14:05, on 6/16/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Safe mode with network support Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Spyware Doctor\pctsAuxs.exe C:\Program Files\Spyware Doctor\pctsSvc.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Spyware Doctor\pctsTray.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\SYSTEM32\OSK.EXE C:\WINDOWS\SYSTEM32\MSSWCHX.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »bfc.myway.com/search/de_srchlft.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = »www.dell.com R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing) O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\RunOnce: [] OSK.exe O4 - HKCU\..\RunOnce: [SpybotDeletingB6606] command /c del "c:\Program Files\Altnet\Download Manager\asmps.dll" O4 - HKCU\..\RunOnce: [SpybotDeletingD3125] cmd /c del "c:\Program Files\Altnet\Download Manager\asmps.dll" O4 - HKCU\..\RunOnce: [SpybotDeletingB2138] command /c del "c:\Program Files\Altnet\Download Manager\asm.exe" O4 - HKCU\..\RunOnce: [SpybotDeletingD1979] cmd /c del "c:\Program Files\Altnet\Download Manager\asm.exe" O4 - HKCU\..\RunOnce: [SpybotDeletingB6627] command /c del "c:\Program Files\Altnet\Download Manager\asmend.exe" O4 - HKCU\..\RunOnce: [SpybotDeletingD6580] cmd /c del "c:\Program Files\Altnet\Download Manager\asmend.exe" O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O4 - Global Startup: VTAgentReboot.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - »www.fileplanet.com/fpdlmgr/cabs/···.108.cab O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - »lads.myspace.com/upload/MySpaceU···1006.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/OnlineScanner.cab O16 - DPF: {8E6AA867-94D4-4B4F-8791-1B048F8C122A} (WebInterface Class) - »https://fastsend.com/products/Fsplugin.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - »download.games.yahoo.com/games/p···r_v6.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{A150BA3B-2BAD-4082-A17D-55E52EDC29B4}: NameServer = 167.206.254.1,167.206.254.2 O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: RaySatxsi5_0 Server (RaySatxsi5_0Server) - Unknown owner - C:\Softimage\XSI_5.0\Application\bin\raysatxsi5_0server.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\WINDOWS\system32\spm\spmd.exe O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe -- Help us cure TSC and cancer: Team Discovery
	to forum · permalink · · 2008-06-16 07:49:47 ·
CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL	reply to babacher Ok, so I'll be looking next for the second part (is he working on getting this step completed?): Then download and run this free tool called ComboFix to produce a log please: Please visit this webpage for download links, and instructions for running the tool: »www.bleepingcomputer.com/combofi···combofix If you do not have the Windows recovery console installed already, do follow the page's instructions for doing that before you run it. When, the tool is finished, it will produce a report for you. Please post that report located at: C:\ComboFix.txt along with a new HijackThis log. -- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2008 Proud Member of ASAP (Alliance of Security Analysis Professionals)
	to forum · permalink · · 2008-06-16 09:34:53 ·
babacher sleep apnea sucks Premium,MVM join:2001-02-28 Greenwood, IN clubs:	reply to babacher OK!! Here we go - here's the combofix log: ComboFix 08-06-15.4 - Administrator 2008-06-16 4:47:32.1 - NTFSx86 NETWORK Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2076 [GMT -4:00] Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\mattito\Application Data\macromedia\Flash Player\#SharedObjects\3WDMCC6G\www.broadcaster.com C:\Documents and Settings\mattito\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com C:\Documents and Settings\mattito\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol C:\WINDOWS\Fonts\acrsec.fon C:\WINDOWS\Fonts\acrsecB.fon C:\WINDOWS\Fonts\acrsecI.fon C:\WINDOWS\smdat32m.sys C:\WINDOWS\system32\bszip.dll . ((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 ))))))))))))))))))))))))))))))) . 2008-06-16 01:47 . 2008-06-16 02:59 d-------- C:\Program Files\EsetOnlineScanner 2008-06-14 15:39 . 2008-06-14 15:39 d-------- C:\Program Files\Trend Micro 2008-06-14 11:59 . 2008-06-14 11:59 d-------- C:\Program Files\Spybot - Search & Destroy 2008-06-14 11:59 . 2008-06-14 12:01 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-06-13 14:43 . 2005-03-31 03:49 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic 2008-06-13 14:43 . 2005-03-31 03:43 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc 2008-06-13 14:43 . 2008-06-13 14:43 d-------- C:\Documents and Settings\Administrator 2008-06-12 14:33 . 2008-06-16 01:49 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-06-12 14:33 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys 2008-06-12 14:33 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys 2008-06-12 14:33 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys 2008-06-12 14:33 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys 2008-06-12 14:32 . 2008-06-16 01:49 d-------- C:\Program Files\Spyware Doctor 2008-06-12 14:32 . 2008-06-12 14:32 d-------- C:\Documents and Settings\mattito\Application Data\PC Tools 2008-06-12 13:17 . 2008-06-12 13:17 d-------- C:\Program Files\Enigma Software Group 2008-06-12 03:02 . 2008-06-12 03:02 118 --a------ C:\WINDOWS\SYSTEM32\MRT.INI 2008-06-11 04:30 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys 2008-06-11 04:30 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys 2008-06-10 13:05 . 2008-06-10 13:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-06-10 13:05 . 2008-06-10 13:05 1,409 --a------ C:\WINDOWS\QTFont.for 2008-06-10 00:51 . 2008-06-14 20:14 3,058 --a------ C:\WINDOWS\SYSTEM32\tmp.reg 2008-06-09 21:43 . 2008-06-09 21:43 d-------- C:\Documents and Settings\mattito\Application Data\shcj2uj0egbl 2008-06-09 21:43 . 2008-06-14 20:29 52,736 --a------ C:\WINDOWS\SYSTEM32\blphcl2uj0egbl.scr 2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx 2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts 2008-05-21 18:53 . 2008-05-28 20:35 512 --a------ C:\drmHeader.bin . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-12 01:32 --------- d-----w C:\Program Files\QuickTime 2008-06-12 01:29 --------- d-----w C:\Program Files\Apple Software Update 2008-06-10 04:39 --------- d-----w C:\Program Files\Windows Media Connect 2 2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys 2008-05-08 12:28 202,752 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys 2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll 2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll 2008-04-29 05:42 --------- d-----w C:\Program Files\eMule 2008-04-24 02:16 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll 2008-04-22 07:40 625,664 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe 2008-04-22 07:39 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe 2008-04-22 07:39 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe 2008-04-20 05:07 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll 2008-03-31 21:25 831,488 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0a.dll 2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0c.dll 2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx07.dll 2008-03-31 21:25 802,816 ----a-w C:\WINDOWS\SYSTEM32\divx_xx11.dll 2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\SYSTEM32\DivX.dll 2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe 2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll 2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll 2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\SYSTEM32\DivXsm.exe 2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\SYSTEM32\qt-dx331.dll 2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll 2008-03-21 20:30 129,784 ------w C:\WINDOWS\SYSTEM32\pxafs.dll 2008-03-21 20:30 120,056 ------w C:\WINDOWS\SYSTEM32\pxcpyi64.exe 2008-03-21 20:30 118,520 ------w C:\WINDOWS\SYSTEM32\pxinsi64.exe 2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll 2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\SYSTEM32\dpl100.dll 2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI11.dll 2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\SYSTEM32\dpv11.dll 2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI10.dll 2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\SYSTEM32\dpus11.dll 2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu11.dll 2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu10.dll 2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\SYSTEM32\dtu100.dll 2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll 2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys 2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] "@"="OSK.exe" [2004-08-04 07:00 215552 C:\WINDOWS\SYSTEM32\OSK.EXE] "SpybotDeletingB6606"="command /c del c:\Program Files\Altnet\Download Manager\asmps.dll" [ ] "SpybotDeletingD3125"="cmd /c del c:\Program Files\Altnet\Download Manager\asmps.dll" [ ] "SpybotDeletingB2138"="command /c del c:\Program Files\Altnet\Download Manager\asm.exe" [ ] "SpybotDeletingD1979"="cmd /c del c:\Program Files\Altnet\Download Manager\asm.exe" [ ] "SpybotDeletingB6627"="command /c del c:\Program Files\Altnet\Download Manager\asmend.exe" [ ] "SpybotDeletingD6580"="cmd /c del c:\Program Files\Altnet\Download Manager\asmend.exe" [ ] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-03 21:05 344064] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 17:54 57344] "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01 110592] "VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2005-03-02 19:19 143360] "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-03-07 15:05 278528] "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2005-03-07 15:07 180224] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 03:05 127035] "VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2005-03-18 20:28 196608] "MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-04-05 14:41 950272] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-06-28 14:23 180269] "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-31 00:40 57344] "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 10:57 133016] "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048] "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696] "ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848] C:\Documents and Settings\mattito\Start Menu\Programs\Startup\ Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-07 02:45:44 113664] MEMonitor.lnk.lnk - C:\Program Files\Sprint music manager\MEMonitor.exe [2007-12-10 15:57:58 929792] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-31 00:40:36 57344] QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 13:59:36 806912] VTAgentReboot.exe [2001-10-08 08:11:30 143360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.hdyc"= C:\PROGRA~1\BLACKM~1\BLACKM~2\BMDCOD~1.DLL "vidc.v210"= C:\PROGRA~1\BLACKM~1\BLACKM~2\BMDCOD~1.DLL "vidc.r210"= C:\PROGRA~1\BLACKM~1\BLACKM~2\BMDCOD~1.DLL [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\eMule\\emule.exe"= "C:\\Program Files\\Valve\\Steam\\Steam.exe"= "C:\\Program Files\\Valve\\Steam\\SteamApps\\mharvill\\day of defeat source\\hl2.exe"= "C:\\Program Files\\Valve\\Steam\\SteamApps\\mharvill\\counter-strike source\\hl2.exe"= "C:\\Softimage\\XSI_5.0\\Application\\bin\\XSI.exe"= "C:\\Program Files\\Valve\\Steam\\SteamApps\\mharvill\\lostcoast\\hl2.exe"= "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"= "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"= "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"= "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"= "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\uTorrent\\uTorrent.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "8097:TCP"= 8097:TCP:EarthLink UHP Modem Support S2 EarthLinkMonitor;EarthLink Monitor Service;"C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe" [2005-01-26 11:47] S2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23] S3 BCM42U;USB HPNA 10 Mbps Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\BCM42U.SYS [2001-08-17 13:11] S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys [2004-11-01 14:16] S3 cem56;Xircom CreditCard 10/100 + Modem 56 Network;C:\WINDOWS\system32\DRIVERS\CEM56n5.sys [2001-08-17 12:13] S3 pc22nd5;Toshiba PCX2200 USB Cable Modem networking driver (NDIS);C:\WINDOWS\system32\DRIVERS\pc22nd5.sys [2001-11-08 15:58] S3 pc22unic;Toshiba PCX2200 USB Cable Modem WDM driver;C:\WINDOWS\system32\DRIVERS\pc22unic.sys [2001-11-08 18:14] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] \Shell\AutoRun\command - D:\baldur.exe Newly Created Service - CATCHME . Contents of the 'Scheduled Tasks' folder "2008-06-12 01:29:42 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-06-06 22:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (ELISSA2-mattito).job" - c:\program files\mcafee.com\vso\mcmnhdlr.exe "2008-06-14 17:28:27 C:\WINDOWS\Tasks\McAfee.com Update Check (D64V0671-Owner).job" - c:\PROGRA~1\mcafee.com\agent\mcupdate.ex - c:\PROGRA~1\mcafee.com\agent "2008-06-15 00:29:52 C:\WINDOWS\Tasks\McAfee.com Update Check (ELISSA-mattito).job" - C:\PROGRA~1\mcafee.com\agent\mcupdate.ex - C:\PROGRA~1\mcafee.com\agent "2008-06-14 17:28:27 C:\WINDOWS\Tasks\McAfee.com Update Check (ELISSA2-christine).job" - C:\PROGRA~1\mcafee.com\agent\mcupdate.ex - C:\PROGRA~1\mcafee.com\agen "2008-06-15 00:33:17 C:\WINDOWS\Tasks\McAfee.com Update Check (ELISSA2-mattito).job" - C:\PROGRA~1\mcafee.com\agent\mcupdate.ex - C:\PROGRA~1\mcafee.com\agent . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net Rootkit scan 2008-06-16 04:56:52 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . Completion time: 2008-06-16 4:59:25 ComboFix-quarantined-files.txt 2008-06-16 08:59:23 Pre-Run: 49,191,612,416 bytes free Post-Run: 49,354,342,400 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons 209 --- E O F --- 2008-06-12 07:03:33 -- Help us cure TSC and cancer: Team Discovery**
	to forum · permalink · · 2008-06-16 13:29:15 ·
babacher sleep apnea sucks Premium,MVM join:2001-02-28 Greenwood, IN clubs:	reply to babacher And here's the HJT log AFTER the combofix: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13:29:06, on 6/16/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Safe mode with network support Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Spyware Doctor\pctsAuxs.exe C:\Program Files\Spyware Doctor\pctsSvc.exe C:\Program Files\Spyware Doctor\pctsTray.exe C:\WINDOWS\SYSTEM32\OSK.EXE C:\WINDOWS\SYSTEM32\MSSWCHX.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = »www.dell.com R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file) O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file) O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\RunOnce: [] OSK.exe O4 - HKCU\..\RunOnce: [SpybotDeletingB6606] command /c del "c:\Program Files\Altnet\Download Manager\asmps.dll" O4 - HKCU\..\RunOnce: [SpybotDeletingD3125] cmd /c del "c:\Program Files\Altnet\Download Manager\asmps.dll" O4 - HKCU\..\RunOnce: [SpybotDeletingB2138] command /c del "c:\Program Files\Altnet\Download Manager\asm.exe" O4 - HKCU\..\RunOnce: [SpybotDeletingD1979] cmd /c del "c:\Program Files\Altnet\Download Manager\asm.exe" O4 - HKCU\..\RunOnce: [SpybotDeletingB6627] command /c del "c:\Program Files\Altnet\Download Manager\asmend.exe" O4 - HKCU\..\RunOnce: [SpybotDeletingD6580] cmd /c del "c:\Program Files\Altnet\Download Manager\asmend.exe" O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O4 - Global Startup: VTAgentReboot.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - »www.fileplanet.com/fpdlmgr/cabs/···.108.cab O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - »lads.myspace.com/upload/MySpaceU···1006.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/OnlineScanner.cab O16 - DPF: {8E6AA867-94D4-4B4F-8791-1B048F8C122A} (WebInterface Class) - »https://fastsend.com/products/Fsplugin.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - »download.games.yahoo.com/games/p···r_v6.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{A150BA3B-2BAD-4082-A17D-55E52EDC29B4}: NameServer = 167.206.254.1,167.206.254.2 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: RaySatxsi5_0 Server (RaySatxsi5_0Server) - Unknown owner - C:\Softimage\XSI_5.0\Application\bin\raysatxsi5_0server.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\WINDOWS\system32\spm\spmd.exe O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe -- End of file - 9798 bytes -- Help us cure TSC and cancer: Team Discovery
	to forum · permalink · · 2008-06-16 13:31:54 ·
babacher sleep apnea sucks Premium,MVM join:2001-02-28 Greenwood, IN clubs: 1 edit	reply to babacher edit: Never mind, he's ready to move forward with fixes here.
	to forum · permalink · · 2008-06-17 10:19:23 ·
bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: ·Verizon Online DSL 2 edits	~~~ Likely unneeded Comment from Bill Castner ~~~ I have (due to Google) dealt with a ton of this infection in the last two weeks. So in that time I have developed some little scripts to catch things that might not have been causght by our standard weapons. I offer this as a conclusion to what CalamityJane has done. To save some time, download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here: http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe • Double-click FixPolicies.exe • Click the "Install" button on the bottom toolbar of the box that will open. • The program will create a new Folder called FixPolicies, • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd. • A black box will briefly appear and then close. Please delete this File: C:\WINDOWS\SYSTEM32\blphcl2uj0egbl.scr TeaTimer is an excellent tool for the prevention of spyware but it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean. • Open Spybot Search & Destroy. • In the Mode menu click "Advanced mode" if not already selected. • Choose Yes at the Warning prompt. • Expand the Tools menu. • Click Resident. • Uncheck the Resident "TeaTimer" (Protection of overall system settings) active. box. • In the File menu click Exit to exit Spybot Search & Destroy. • Download and Unzip to your Desktop: »www.techsupportforum.com/sectool···imer.zip • Double click ResetTeaTimer.bat to remove all entries set by TeaTimer. Similarly, disable Spyware Doctor You can re-enable it after you're clean. From within Spyware Doctor, click the "OnGuard[" button on the left side. Uncheck "Activate OnGuard". 1. With all other applications closed (Taskbar empty, open HijackThis again, System Scan only. Checkmark these items (if found): O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file) O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file) O4 - HKCU\..\RunOnce: [SpybotDeletingB6606] command /c del "c:\Program Files\Altnet\Download Manager\asmps.dll" O4 - HKCU\..\RunOnce: [SpybotDeletingD3125] cmd /c del "c:\Program Files\Altnet\Download Manager\asmps.dll" O4 - HKCU\..\RunOnce: [SpybotDeletingB2138] command /c del "c:\Program Files\Altnet\Download Manager\asm.exe" O4 - HKCU\..\RunOnce: [SpybotDeletingD1979] cmd /c del "c:\Program Files\Altnet\Download Manager\asm.exe" O4 - HKCU\..\RunOnce: [SpybotDeletingB6627] command /c del "c:\Program Files\Altnet\Download Manager\asmend.exe" O4 - HKCU\..\RunOnce: [SpybotDeletingD6580] cmd /c del "c:\Program Files\Altnet\Download Manager\asmend.exe" :!: Click "Fix checked" and when the log panel clears exit HijackThis. 2. Please download to your Desktop OT_MOVEIT: http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe Please double-click OTMoveIt2.exe to run the utility. Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): %Temp%\.tt.tmp c:\Program Files\shclkrj0etfg C:\Program Files\shcl25j0enft C:\Program Files\shcau0j0ejna C:\Program Files\shccq9j0etde C:\Program Files\shcrq0j0el6t C:\Program Files\shcev9j0e1b1 %UserProfile%\Application Data\shclkrj0etfg %UserProfile%\Application Data\shcl25j0enft %UserProfile%\Application Data\shcau0j0ejna %UserProfile%\Application Data\shccq9j0etde %UserProfile%\Application Data\shcrq0j0el6t %UserProfile%\Application Data\shcev9j0e1b1 c:\Documents and Settings\All Users\Desktop\Malware Protector 2008.lnk c:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008 c:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008.lnk %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Protector 2008.lnk HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shclkrj0etfg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SMshclkrj0etfg C:\WINDOWS\system32\.scr HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\NoDispBackgroundPage HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\NoDispScrSavPage C:\WINDOWS\system32\lphccu0j0ejna.* C:\WINDOWS\system32\blp. C:\WINDOWS\system32\lph. C:\WINDOWS\System32\blphcl2uj0egbl.scr C:\WINDOWS\System32\blph. Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window. *IMPORTANT --* Paste only into the bottom input panel (under the Yellow bar), The top panel will not help you. Right-click and choose Paste. Click the red Moveit button. This will not be quick. I am asking it to scan your entire Drive C twice. When it has finished, use your mouse and do a Copy/Paste of the large right-hand panel that shows Results. Save your Clipboard contents in a new Notepad file, as we will want to review these results later. Close OTMoveIt2 when it has finished. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. 3. Please download MalwareBytes Anti-malware (MBAM) from one of the following links: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html http://www.besttechie.net/tools/mbam-setup.exe Once downloaded, close all programs and Windows on your computer (including this one.) Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program. On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click Show Results. Make sure all entries have a checkmark at their far left. You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window. Remember where you saved the log file, as we will want to see it later. 4. Right-click on the header of the Code box below, where on the right side it says: "Copy to clipboard" (or use your moue to Copy/Paste the contents): Driver:: sysrest Registry:: [HKEY_CURRENT_USER\Control Panel\Colors] "Background"="0 78 152" [HKEY_CURRENT_USER\Control Panel\Desktop] "WallpaperStyle"="0" [HKEY_CURRENT_USER\Control Panel\Desktop] "TileWallpaper"="0" [HKEY_CURRENT_USER\Control Panel\Desktop] "Wallpaper"=" " [HKEY_CURRENT_USER\Control Panel\Desktop] "OriginalWallpaper"="" [HKEY_CURRENT_USER\Control Panel\Desktop] "ConvertedWallpaper"=- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "ctfmona"=- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srservice] "Start"=dword:00000002 [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sr] "Start"=dword:00000000 [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sr] "ImagePath"="system32\DRIVERS\sr.sys" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore] "DisableSR"=dword:00000000 [HKEY_CURRENT_USER\Control Panel\Desktop] "SCRNSAVE.EXE"=- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop] "NoChangingWallPaper"=dword:00000000 "{450D8FBA-AD25-11D0-98A8-0800361B1103}"=dword:00000000 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop] "NoChangingWallPaper"=dword:00000000 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] "NoDispBackgroundPage"=dword:00000000 "NoDispAppearancePage"=dword:00000000 "Wallpaper"=- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "ClassicShell"=dword:00000000 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "NoDispBackgroundPage"=dword:00000000 "NoDispAppearancePage"=dword:00000000 "Wallpaper"=- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "ClassicShell"=dword:00000000 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableTaskMgr"=dword:00000000 "NoDispAppearancePage"=dword:00000000 "NoColorChoice"=dword:00000000 "NoSizeChoice"=dword:00000000 "NoDispScrSavPage"=dword:00000000 "NoDispCPL"=dword:00000000 "NoVisualStyleChoice"=dword:00000000 "NoDispSettingsPage"=dword:00000000 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoActiveDesktopChanges"=dword:00000000 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoActiveDesktop"=dword:00000000 "NoSaveSettings"=dword:00000000 "NoThemesTab"=dword:00000000 "ForceActiveDesktopOn"=dword:00000000 Open a new Notepad session - (Do *not* use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click \| Paste the Code box contents from above into Notepad. Click File, *Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt"* . • Disconnect from the Internet. • Disable your Antivirus. If the Antivirus software you use has any Script Blocking features, be certain to disable these as well. Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser. • A window will open with a warning. Accept any Disclaimers to start the fix. Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture: When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes. •!• A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. 5. Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies and choose Install. Delete the download, the unzipped folder and all contents. 6. Right click a blank area of your Desktop, and choose Properties. Click Desktop, Customize Desktop, Web (tab). Clear any entry in the top panel that might exits. Be sure the checkbox near the bottom is unchhecked for "Lock desktop items". Click Apply. If you wish a custom Desktop color or theme or background, please set these now to your choices. OK your way back to to the Desktop when done. And, we shoud be finished. I am sure CalmityJane will have some thoughts. Here are mine as concluding comments: Open Acrobat if you have the Full Version installed Click Help and run the Upgrade applet found there. If no update is offered: Use the Preferences, Internet submenu of Acrobat and uncheck to integrate with your Browser. Close Acrobat. Whether you had the Full Version of Acrobat or not, download and install Adobe Reader 8.1.1 and use this as the integrated PDF Reader insider your browser: »www.adobe.com/products/acrobat/r···ep2.html Clean-up & Prevention: • Right click "My Computer", Properties, and then click the System Restore tab. Checkmark the box at the top to stop System Restore on all drives. Click the "Apply" button. Agree to the deletion of old Restore Points. Then uncheck the box at the top and again click the "Apply" button. Finally, click the "OK" button. This will create a new Restore Point reflecting your clean system state. • Click Start, then click Run. Enter into the command box that opens: combofix /u and then click OK. (If we have renamed this file, please use the current name for the program in this instruction.) • Please download OTMoveIt2 by OldTimer to your Desktop (only): http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe • Please double-click OTMoveIt.exe to run it. • Click on the green CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so. • After the list has been download you'll be asked if you want to Begin cleanup process? Select "Yes". • This step removes the files, folders, and shortcuts created by the tools I had you download and run. • Run ATF Cleaner , and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish. • Use Control Panel, Add or Remove Programs, and Uninstall any entry related to an On-Line scanner we may have used. If you find any files or folders created during this cleanup operation remaining, please feel free to delete them. • Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on. • If I asked you to Disable something like TeaTimer or another malware blocker, please go ahead an re-enable them if you wish. • Download and Install Windows Defender by Microsoft (free): http://www.microsoft.com/downloads/details.aspx?FamilyId=435BFCE7-DA2B-4A6A-AFA4-F7F14E605A0D • Suggestion: Download and install Comodo BOClean (free): http://www.comodo.com/boclean/CBO_download.html • Suggestion: Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html • Refer to my first set of instructions above, and reconfigure Hidden Files and Folders to your choosing. Best wishes -- and, please wait for CalamityJane's final thoughts, Bill Castner -- ============ MS-MVP 2004 - -2008, ASAP Member *Users Helping Users*
	to forum · permalink · · 2008-06-17 21:05:25 ·
babacher sleep apnea sucks Premium,MVM join:2001-02-28 Greenwood, IN clubs:	reply to babacher My nephew is at work right now, so I'll call him tomorrow to work through this. One question before we start: this will all work in Safe Mode, right? His machine won't boot in normal mode. Presumably Safe Mode with Networking to allow downloading... -- Help us cure TSC and cancer: Team Discovery
	to forum · permalink · · 2008-06-17 21:49:22 ·
bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: ·Verizon Online DSL	Yes, it would work in Safe Mode. But I would prefer some attempts first to repair Normal boot. Lets see how it goes after the above instructions. I warn you that in my opinion a machine that can only boot to Safe Mode, and not Normal mode, after the standard "Last Known Good" and other efforts have been tried, should have a clean reformat of all drives and XP reinstalled. A while ago CalamityJane wrote about this strong recommendation as to how to proceed. All I can tell you is that at the time I ageed with her, and did the following write-up about this approach and why: »aumha.net/viewtopic.php?f=26&t=28580 -- ============ MS-MVP 2004 - -2008, ASAP Member *Users Helping Users*
	to forum · permalink · · 2008-06-17 22:24:24 ·
babacher sleep apnea sucks Premium,MVM join:2001-02-28 Greenwood, IN clubs:	reply to babacher Good article! I don't know whether he's tried the "last known good" thing. It doesn't actually FAIL to boot... it just tries and tries and tries forever. He let it go for an hour-and-a-half and it still wasn't finished booting - so he shut it down. Every time he looked it showed signs of being further along, but who knows how long it would have taken. I warned him a few days ago that even if he could get it running again with you-all's (y'all's) help, it may never be the same again. That's one reason he thought about taking it to the fix-it shop for them to fix (probably the nuke and pave approach), but he doesn't want to spend that money if he doesn't have to. Now that we have a distinct plan of action, we'll cross our fingers and hope for the best - while preparing for the worst. He bought the machine from Dell with the OS installed (Win XP). He can't find the OS disk, assuming he ever had one. But, at least he has proof of ownership so maybe Dell would send him another disk? -- Help us cure TSC and cancer: Team Discovery
	to forum · permalink · · 2008-06-18 10:41:29 ·
babacher sleep apnea sucks Premium,MVM join:2001-02-28 Greenwood, IN clubs:	reply to babacher It worked! Thank you SO much. I think he's gonna come back here and post the final logs as you requested, but for now Normal Mode is back and better than before the infection. -- Help us cure TSC and cancer: Team Discovery
	to forum · permalink · · 2008-06-18 14:06:39 ·
mattito @optonline.net from: babacher	reply to babacher hi, this is the nephew. i just wanted to express my appreciation for all the help. i find it incredibly amazing that y'all would take the time to help me on this and give such clear and concise instructions on the fix. its working great and now i'm doing the follow up steps. thanks so much
	to forum · permalink · 2008-06-18 14:10:10 ·
bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: ·Verizon Online DSL 1 edit	Thank you for your kind comments. Your were very fortunate to have CalamityJane, one of the very best in the world at end user support for malware removal to be your guide. And it goes without saying that choosing to visit BroadBandReports for issues such as yours shows some brilliance on our part as well. Best wishes, Bill Castner -- ============ MS-MVP 2004 - -2008, ASAP Member *Users Helping Users*
	to forum · permalink · · 2008-06-18 17:51:58 ·
lilhurricane Mallomars Premium,Mod join:2003-01-11 Purple Zone clubs:	Veddy nice, Matt, Bruce, CJ & Bill "Y'all" done good
	to forum · permalink · · 2008-06-18 18:22:41 ·


Sunday, 08-Nov 18:32:14	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. page compression OFF