Malware Protector 2008 - HJT Log in Security Cleanup http://www.dslreports.com/forum/r20643341 en Wed, 09 Dec 2009 11:49:48 EDT Wed, 09 Dec 2009 11:49:48 EDT Re: Malware Protector 2008 - HJT Log http://www.dslreports.com/forum/remark,20663674 lilhurricane : Veddy nice, Matt, Bruce, CJ & Bill :)

"Y'all" done good ;)]]> http://www.dslreports.com/forum/remark,20663674 Wed, 18 Jun 2008 18:22:41 EDT Re: Malware Protector 2008 - HJT Log http://www.dslreports.com/forum/remark,20663509 bcastner : Thank you for your kind comments.

Your were very fortunate to have CalamityJane, one of the very best in the world at end user support for malware removal to be your guide.

And it goes without saying that choosing to visit BroadBandReports for issues such as yours shows some brilliance on our part as well.

Best wishes,
Bill Castner
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20663509 Wed, 18 Jun 2008 17:51:58 EDT Re: Malware Protector 2008 - HJT Log http://www.dslreports.com/forum/remark,20662464 anon : hi, this is the nephew. i just wanted to express my appreciation for all the help. i find it incredibly amazing that y'all would take the time to help me on this and give such clear and concise instructions on the fix.

its working great and now i'm doing the follow up steps.

thanks so much]]> http://www.dslreports.com/forum/remark,20662464 Wed, 18 Jun 2008 14:10:10 EDT Re: Malware Protector 2008 - HJT Log http://www.dslreports.com/forum/remark,20662435 babacher : It worked! Thank you SO much.

I think he's gonna come back here and post the final logs as you requested, but for now Normal Mode is back and better than before the infection.
--
Help us cure TSC and cancer: Team Discovery]]> http://www.dslreports.com/forum/remark,20662435 Wed, 18 Jun 2008 14:06:39 EDT Re: Malware Protector 2008 - HJT Log http://www.dslreports.com/forum/remark,20661307 babacher : Good article!

I don't know whether he's tried the "last known good" thing. It doesn't actually FAIL to boot... it just tries and tries and tries forever. He let it go for an hour-and-a-half and it still wasn't finished booting - so he shut it down. Every time he looked it showed signs of being further along, but who knows how long it would have taken.

I warned him a few days ago that even if he could get it running again with you-all's (y'all's) help, it may never be the same again. That's one reason he thought about taking it to the fix-it shop for them to fix (probably the nuke and pave approach), but he doesn't want to spend that money if he doesn't have to.

Now that we have a distinct plan of action, we'll cross our fingers and hope for the best - while preparing for the worst.

He bought the machine from Dell with the OS installed (Win XP). He can't find the OS disk, assuming he ever had one. But, at least he has proof of ownership so maybe Dell would send him another disk?
--
Help us cure TSC and cancer: Team Discovery]]> http://www.dslreports.com/forum/remark,20661307 Wed, 18 Jun 2008 10:41:29 EDT Re: Malware Protector 2008 - HJT Log http://www.dslreports.com/forum/remark,20659300 bcastner : Yes, it would work in Safe Mode.
But I would prefer some attempts first to repair Normal boot.

Lets see how it goes after the above instructions.

I warn you that in my opinion a machine that can only boot to Safe Mode, and not Normal mode, after the standard "Last Known Good" and other efforts have been tried, should have a clean reformat of all drives and XP reinstalled.

A while ago CalamityJane wrote about this strong recommendation as to how to proceed. All I can tell you is that at the time I ageed with her, and did the following write-up about this approach and why: »aumha.net/viewtopic.php?f=26&t=28580
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20659300 Tue, 17 Jun 2008 22:24:24 EDT Re: Malware Protector 2008 - HJT Log http://www.dslreports.com/forum/remark,20659078 babacher : My nephew is at work right now, so I'll call him tomorrow to work through this.

One question before we start: this will all work in Safe Mode, right? His machine won't boot in normal mode. Presumably Safe Mode with Networking to allow downloading...
--
Help us cure TSC and cancer: Team Discovery]]> http://www.dslreports.com/forum/remark,20659078 Tue, 17 Jun 2008 21:49:22 EDT Re: Malware Protector 2008 - HJT Log http://www.dslreports.com/forum/remark,20658856 bcastner : ~~~ Likely unneeded Comment from Bill Castner ~~~

I have (due to Google) dealt with a ton of this infection in the last two weeks. So in that time I have developed some little scripts to catch things that might not have been causght by our standard weapons.
I offer this as a conclusion to what CalamityJane See Profile has done.

To save some time, download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here:


• Double-click FixPolicies.exe
• Click the "Install" button on the bottom toolbar of the box that will open.
• The program will create a new Folder called FixPolicies,
• Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
• A black box will briefly appear and then close.

Please delete this File:
C:\WINDOWS\SYSTEM32\blphcl2uj0egbl.scr

TeaTimer is an excellent tool for the prevention of spyware but it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
• Open Spybot Search & Destroy.
• In the Mode menu click "Advanced mode" if not already selected.
• Choose Yes at the Warning prompt.
• Expand the Tools menu.
• Click Resident.
Uncheck the Resident "TeaTimer" (Protection of overall system settings) active. box.
• In the File menu click Exit to exit Spybot Search & Destroy.
• Download and Unzip to your Desktop: »www.techsupportforum.com/sectool···imer.zip
• Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Similarly, disable Spyware Doctor

You can re-enable it after you're clean.
From within Spyware Doctor, click the "OnGuard[" button on the left side.
Uncheck "Activate OnGuard".

1. With all other applications closed (Taskbar empty, open HijackThis again, System Scan only. Checkmark these items (if found):

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKCU\..\RunOnce: [SpybotDeletingB6606] command /c del "c:\Program Files\Altnet\Download Manager\asmps.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3125] cmd /c del "c:\Program Files\Altnet\Download Manager\asmps.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2138] command /c del "c:\Program Files\Altnet\Download Manager\asm.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1979] cmd /c del "c:\Program Files\Altnet\Download Manager\asm.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6627] command /c del "c:\Program Files\Altnet\Download Manager\asmend.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6580] cmd /c del "c:\Program Files\Altnet\Download Manager\asmend.exe"

:!: Click "Fix checked" and when the log panel clears exit HijackThis.

2. Please download to your Desktop OT_MOVEIT:

Please double-click OTMoveIt2.exe to run the utility.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window.
IMPORTANT -- Paste only into the bottom input panel (under the Yellow bar), The top panel will not help you.
Right-click and choose Paste.

Click the red Moveit button.
This will not be quick. I am asking it to scan your entire Drive C twice.
When it has finished, use your mouse and do a Copy/Paste of the large right-hand panel that shows Results.
Save your Clipboard contents in a new Notepad file, as we will want to review these results later.
Close OTMoveIt2 when it has finished.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

3. Please download MalwareBytes Anti-malware (MBAM) from one of the following links:

Once downloaded, close all programs and Windows on your computer (including this one.)

Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.

When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.

MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program.

On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer.

MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.

When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click Show Results. Make sure all entries have a checkmark at their far left. You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine.

When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window. Remember where you saved the log file, as we will want to see it later.

4. Right-click on the header of the Code box below, where on the right side it says: "Copy to clipboard" (or use your moue to Copy/Paste the contents):

Open a new Notepad session - (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

• Disconnect from the Internet.
• Disable your Antivirus. If the Antivirus software you use has any Script Blocking features, be certain to disable these as well.
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any Disclaimers to start the fix.
Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:


When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.
!• A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

5. Download this INF repair file by MS-MVP Miekiemoes:


Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies and choose Install.
Delete the download, the unzipped folder and all contents.

6. Right click a blank area of your Desktop, and choose Properties.
Click Desktop, Customize Desktop, Web (tab).
Clear any entry in the top panel that might exits.
Be sure the checkbox near the bottom is unchhecked for "Lock desktop items".
Click Apply.
If you wish a custom Desktop color or theme or background, please set these now to your choices.
OK your way back to to the Desktop when done.

And, we shoud be finished.
I am sure CalmityJane will have some thoughts.
Here are mine as concluding comments:

Open Acrobat if you have the Full Version installed Click Help and run the Upgrade applet found there. If no update is offered: Use the Preferences, Internet submenu of Acrobat and uncheck to integrate with your Browser. Close Acrobat.
Whether you had the Full Version of Acrobat or not, download and install Adobe Reader 8.1.1 and use this as the integrated PDF Reader insider your browser: »www.adobe.com/products/acrobat/r···ep2.html

Clean-up & Prevention:

• Right click "My Computer", Properties, and then click the System Restore tab. Checkmark the box at the top to stop System Restore on all drives. Click the "Apply" button. Agree to the deletion of old Restore Points. Then uncheck the box at the top and again click the "Apply" button. Finally, click the "OK" button. This will create a new Restore Point reflecting your clean system state.

• Click Start, then click Run.
Enter into the command box that opens: combofix /u and then click OK.
(If we have renamed this file, please use the current name for the program in this instruction.)


• Please download OTMoveIt2 by OldTimer to your Desktop (only):


• Please double-click OTMoveIt.exe to run it.
• Click on the green CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
• After the list has been download you'll be asked if you want to Begin cleanup process? Select "Yes".
• This step removes the files, folders, and shortcuts created by the tools I had you download and run.

• Run ATF Cleaner , and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.

• Use Control Panel, Add or Remove Programs, and Uninstall any entry related to an On-Line scanner we may have used.
If you find any files or folders created during this cleanup operation remaining, please feel free to delete them.

• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.

• If I asked you to Disable something like TeaTimer or another malware blocker, please go ahead an re-enable them if you wish.

Download and Install Windows Defender by Microsoft (free):

Suggestion: Download and install Comodo BOClean (free):

Suggestion: Download, install, and keep updated Spyware Blaster (free):

• Refer to my first set of instructions above, and reconfigure Hidden Files and Folders to your choosing.

Best wishes -- and, please wait for CalamityJane's final thoughts,
Bill Castner

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20658856 Tue, 17 Jun 2008 21:05:25 EDT Re: Malware Protector 2008 - HJT Log http://www.dslreports.com/forum/remark,20655219 babacher : edit:

Never mind, he's ready to move forward with fixes here.]]> http://www.dslreports.com/forum/remark,20655219 Tue, 17 Jun 2008 10:19:23 EDT Re: Malware Protector 2008 - HJT Log http://www.dslreports.com/forum/remark,20651039 babacher : And here's the HJT log AFTER the combofix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:29:06, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\SYSTEM32\OSK.EXE
C:\WINDOWS\SYSTEM32\MSSWCHX.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = »www.dell.com
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [] OSK.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6606] command /c del "c:\Program Files\Altnet\Download Manager\asmps.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3125] cmd /c del "c:\Program Files\Altnet\Download Manager\asmps.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2138] command /c del "c:\Program Files\Altnet\Download Manager\asm.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1979] cmd /c del "c:\Program Files\Altnet\Download Manager\asm.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6627] command /c del "c:\Program Files\Altnet\Download Manager\asmend.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6580] cmd /c del "c:\Program Files\Altnet\Download Manager\asmend.exe"
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: VTAgentReboot.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - »www.fileplanet.com/fpdlmgr/cabs/···.108.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - »lads.myspace.com/upload/MySpaceU···1006.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/OnlineScanner.cab
O16 - DPF: {8E6AA867-94D4-4B4F-8791-1B048F8C122A} (WebInterface Class) - »https://fastsend.com/products/Fsplugin.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - »download.games.yahoo.com/games/p···r_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A150BA3B-2BAD-4082-A17D-55E52EDC29B4}: NameServer = 167.206.254.1,167.206.254.2
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: RaySatxsi5_0 Server (RaySatxsi5_0Server) - Unknown owner - C:\Softimage\XSI_5.0\Application\bin\raysatxsi5_0server.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\WINDOWS\system32\spm\spmd.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 9798 bytes
--
Help us cure TSC and cancer: Team Discovery]]> http://www.dslreports.com/forum/remark,20651039 Mon, 16 Jun 2008 13:31:54 EDT Re: Malware Protector 2008 - HJT Log http://www.dslreports.com/forum/remark,20651025 babacher : OK!! Here we go - here's the combofix log:

ComboFix 08-06-15.4 - Administrator 2008-06-16 4:47:32.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2076 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\mattito\Application Data\macromedia\Flash Player\#SharedObjects\3WDMCC6G\www.broadcaster.com
C:\Documents and Settings\mattito\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\mattito\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\Fonts\acrsec.fon
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\bszip.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-16 01:47 . 2008-06-16 02:59 d-------- C:\Program Files\EsetOnlineScanner
2008-06-14 15:39 . 2008-06-14 15:39 d-------- C:\Program Files\Trend Micro
2008-06-14 11:59 . 2008-06-14 11:59 d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-14 11:59 . 2008-06-14 12:01 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-13 14:43 . 2005-03-31 03:49 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-06-13 14:43 . 2005-03-31 03:43 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-06-13 14:43 . 2008-06-13 14:43 d-------- C:\Documents and Settings\Administrator
2008-06-12 14:33 . 2008-06-16 01:49 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-12 14:33 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-06-12 14:33 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-06-12 14:33 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-06-12 14:33 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-06-12 14:32 . 2008-06-16 01:49 d-------- C:\Program Files\Spyware Doctor
2008-06-12 14:32 . 2008-06-12 14:32 d-------- C:\Documents and Settings\mattito\Application Data\PC Tools
2008-06-12 13:17 . 2008-06-12 13:17 d-------- C:\Program Files\Enigma Software Group
2008-06-12 03:02 . 2008-06-12 03:02 118 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-06-11 04:30 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2008-06-11 04:30 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-10 13:05 . 2008-06-10 13:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-10 13:05 . 2008-06-10 13:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-10 00:51 . 2008-06-14 20:14 3,058 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-06-09 21:43 . 2008-06-09 21:43 d-------- C:\Documents and Settings\mattito\Application Data\shcj2uj0egbl
2008-06-09 21:43 . 2008-06-14 20:29 52,736 --a------ C:\WINDOWS\SYSTEM32\blphcl2uj0egbl.scr
2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts
2008-05-21 18:53 . 2008-05-28 20:35 512 --a------ C:\drmHeader.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 01:32 --------- d-----w C:\Program Files\QuickTime
2008-06-12 01:29 --------- d-----w C:\Program Files\Apple Software Update
2008-06-10 04:39 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-04-29 05:42 --------- d-----w C:\Program Files\eMule
2008-04-24 02:16 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-04-22 07:40 625,664 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-03-31 21:25 831,488 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\WINDOWS\SYSTEM32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\SYSTEM32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\SYSTEM32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\SYSTEM32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2008-03-21 20:30 129,784 ------w C:\WINDOWS\SYSTEM32\pxafs.dll
2008-03-21 20:30 120,056 ------w C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2008-03-21 20:30 118,520 ------w C:\WINDOWS\SYSTEM32\pxinsi64.exe
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\SYSTEM32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\SYSTEM32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\SYSTEM32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\SYSTEM32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="OSK.exe" [2004-08-04 07:00 215552 C:\WINDOWS\SYSTEM32\OSK.EXE]
"SpybotDeletingB6606"="command /c del c:\Program Files\Altnet\Download Manager\asmps.dll" [ ]
"SpybotDeletingD3125"="cmd /c del c:\Program Files\Altnet\Download Manager\asmps.dll" [ ]
"SpybotDeletingB2138"="command /c del c:\Program Files\Altnet\Download Manager\asm.exe" [ ]
"SpybotDeletingD1979"="cmd /c del c:\Program Files\Altnet\Download Manager\asm.exe" [ ]
"SpybotDeletingB6627"="command /c del c:\Program Files\Altnet\Download Manager\asmend.exe" [ ]
"SpybotDeletingD6580"="cmd /c del c:\Program Files\Altnet\Download Manager\asmend.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-03 21:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 17:54 57344]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01 110592]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2005-03-02 19:19 143360]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-03-07 15:05 278528]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2005-03-07 15:07 180224]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 03:05 127035]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2005-03-18 20:28 196608]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-04-05 14:41 950272]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-06-28 14:23 180269]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-31 00:40 57344]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 10:57 133016]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848]

C:\Documents and Settings\mattito\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-07 02:45:44 113664]
MEMonitor.lnk.lnk - C:\Program Files\Sprint music manager\MEMonitor.exe [2007-12-10 15:57:58 929792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-31 00:40:36 57344]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 13:59:36 806912]
VTAgentReboot.exe [2001-10-08 08:11:30 143360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.hdyc"= C:\PROGRA~1\BLACKM~1\BLACKM~2\BMDCOD~1.DLL
"vidc.v210"= C:\PROGRA~1\BLACKM~1\BLACKM~2\BMDCOD~1.DLL
"vidc.r210"= C:\PROGRA~1\BLACKM~1\BLACKM~2\BMDCOD~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\Valve\\Steam\\Steam.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\mharvill\\day of defeat source\\hl2.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\mharvill\\counter-strike source\\hl2.exe"=
"C:\\Softimage\\XSI_5.0\\Application\\bin\\XSI.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\mharvill\\lostcoast\\hl2.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

S2 EarthLinkMonitor;EarthLink Monitor Service;"C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe" [2005-01-26 11:47]
S2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
S3 BCM42U;USB HPNA 10 Mbps Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\BCM42U.SYS [2001-08-17 13:11]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys [2004-11-01 14:16]
S3 cem56;Xircom CreditCard 10/100 + Modem 56 Network;C:\WINDOWS\system32\DRIVERS\CEM56n5.sys [2001-08-17 12:13]
S3 pc22nd5;Toshiba PCX2200 USB Cable Modem networking driver (NDIS);C:\WINDOWS\system32\DRIVERS\pc22nd5.sys [2001-11-08 15:58]
S3 pc22unic;Toshiba PCX2200 USB Cable Modem WDM driver;C:\WINDOWS\system32\DRIVERS\pc22unic.sys [2001-11-08 18:14]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\baldur.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-12 01:29:42 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-06 22:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (ELISSA2-mattito).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-06-14 17:28:27 C:\WINDOWS\Tasks\McAfee.com Update Check (D64V0671-Owner).job"
- c:\PROGRA~1\mcafee.com\agent\mcupdate.ex
- c:\PROGRA~1\mcafee.com\agent
"2008-06-15 00:29:52 C:\WINDOWS\Tasks\McAfee.com Update Check (ELISSA-mattito).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.ex
- C:\PROGRA~1\mcafee.com\agent
"2008-06-14 17:28:27 C:\WINDOWS\Tasks\McAfee.com Update Check (ELISSA2-christine).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.ex
- C:\PROGRA~1\mcafee.com\agen
"2008-06-15 00:33:17 C:\WINDOWS\Tasks\McAfee.com Update Check (ELISSA2-mattito).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.ex
- C:\PROGRA~1\mcafee.com\agent
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-06-16 04:56:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-16 4:59:25
ComboFix-quarantined-files.txt 2008-06-16 08:59:23

Pre-Run: 49,191,612,416 bytes free
Post-Run: 49,354,342,400 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

209 --- E O F --- 2008-06-12 07:03:33
--
Help us cure TSC and cancer: Team Discovery]]> http://www.dslreports.com/forum/remark,20651025 Mon, 16 Jun 2008 13:29:15 EDT Re: Malware Protector 2008 - HJT Log http://www.dslreports.com/forum/remark,20649910 CalamityJane : Ok, so I'll be looking next for the second part (is he working on getting this step completed?):

Then download and run this free tool called ComboFix to produce a log please:
Please visit this webpage for download links, and instructions for running the tool: »www.bleepingcomputer.com/combofi···combofix

If you do not have the Windows recovery console installed already, do follow the page's instructions for doing that before you run it.

When, the tool is finished, it will produce a report for you.
Please post that report located at: C:\ComboFix.txt along with a new HijackThis log.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2008
Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,20649910 Mon, 16 Jun 2008 09:34:53 EDT Re: Malware Protector 2008 - HJT Log http://www.dslreports.com/forum/remark,20649603 babacher : Here's the HJT log after the vscan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:14:05, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\OSK.EXE
C:\WINDOWS\SYSTEM32\MSSWCHX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »bfc.myway.com/search/de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = »www.dell.com
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [] OSK.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6606] command /c del "c:\Program Files\Altnet\Download Manager\asmps.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3125] cmd /c del "c:\Program Files\Altnet\Download Manager\asmps.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2138] command /c del "c:\Program Files\Altnet\Download Manager\asm.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1979] cmd /c del "c:\Program Files\Altnet\Download Manager\asm.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6627] command /c del "c:\Program Files\Altnet\Download Manager\asmend.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6580] cmd /c del "c:\Program Files\Altnet\Download Manager\asmend.exe"
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: VTAgentReboot.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - »www.fileplanet.com/fpdlmgr/cabs/···.108.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - »lads.myspace.com/upload/MySpaceU···1006.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/OnlineScanner.cab
O16 - DPF: {8E6AA867-94D4-4B4F-8791-1B048F8C122A} (WebInterface Class) - »https://fastsend.com/products/Fsplugin.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - »download.games.yahoo.com/games/p···r_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A150BA3B-2BAD-4082-A17D-55E52EDC29B4}: NameServer = 167.206.254.1,167.206.254.2
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: RaySatxsi5_0 Server (RaySatxsi5_0Server) - Unknown owner - C:\Softimage\XSI_5.0\Application\bin\raysatxsi5_0server.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\WINDOWS\system32\spm\spmd.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
--
Help us cure TSC and cancer: Team Discovery]]> http://www.dslreports.com/forum/remark,20649603 Mon, 16 Jun 2008 07:49:47 EDT Re: Malware Protector 2008 - HJT Log http://www.dslreports.com/forum/remark,20649602 babacher : Here's the online vscan log:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3188 (20080615)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=ab201c828c608f439c28f5f7476ff0ba
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-06-16 06:59:50
# local_time=2008-06-16 02:59:50 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=485077
# found=11
# scan_time=4270
C:\Documents and Settings\mattito\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-4b17516f-655e746f.zip multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Documents and Settings\mattito\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-4b17516f-655e746f.zip »ZIP »BnnnnBaa.class Java/ClassLoader trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\mattito\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-4b17516f-655e746f.zip »ZIP »VaannnaaBaa.class Java/ClassLoader trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\mattito\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-4b17516f-655e746f.zip »ZIP »Dnnny.class Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\mattito\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-4b17516f-655e746f.zip »ZIP »Bnnnnn.class Java/ClassLoader.AS trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\mattito\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-4b17516f-655e746f.zip »ZIP »Den.class Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\mattito\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-4b17516f-655e746f.zip »ZIP »Din.class Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\mattito\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-4b17516f-655e746f.zip »ZIP »Dun.class Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Downloads\LSLMCLTSetup-dm[1].exe a variant of Win32/Adware.Trymedia application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\SYSTEM32\lphcl2uj0egbl.exe Win32/TrojanDownloader.FakeAlert.DK trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\SYSTEM32\phcl2uj0egbl.bmp Win32/TrojanDownloader.FakeAlert.DJ trojan (unable to clean - deleted) 00000000000000000000000000000000
--
Help us cure TSC and cancer: Team Discovery]]> http://www.dslreports.com/forum/remark,20649602 Mon, 16 Jun 2008 07:48:47 EDT Re: Malware Protector 2008 - HJT Log http://www.dslreports.com/forum/remark,20648490 babacher : I can't get hold of my nephew this evening - he must be working.

Thanks for your suggestions - I'll get him to do those things and report back.
--
Help us cure TSC and cancer: Team Discovery]]> http://www.dslreports.com/forum/remark,20648490 Sun, 15 Jun 2008 22:22:25 EDT Re: Malware Protector 2008 - HJT Log http://www.dslreports.com/forum/remark,20645719 CalamityJane : You skipped an important step!

Using Safe mode with networking, go here and follow step 2 for a full system scan with the Eset online AV scan:
»Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance

Post the the scan log when done back here.

Then download and run this free tool called ComboFix to produce a log please:
Please visit this webpage for download links, and instructions for running the tool: »www.bleepingcomputer.com/combofi···combofix

If you do not have the Windows recovery console installed already, do follow the page's instructions for doing that before you run it.

When, the tool is finished, it will produce a report for you.
Please post that report located at: C:\ComboFix.txt along with a new HijackThis log.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2008
Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,20645719 Sun, 15 Jun 2008 09:42:54 EDT Malware Protector 2008 - HJT Log http://www.dslreports.com/forum/remark,20643341 babacher : Please help... my nephew wound up with Malware Protector 2008 on his system and it's well and truly hosed now. When he tries to boot into normal mode, it sits for over an hour and barely gets anywhere. He can boot into Safe Mode, but then his keyboard doesn't work.

We found a website that recommended SmitFraudFix for this problem, but it didn't work.

Using the Windows on-screen keyboard he was able to download and run Spybot S&D, but it didn't fix the problem either.

Ad-Aware wouldn't run, saying "this program has been blocked by the administrator". That was while he was logged into safe mode AS administrator...

Windows malicious software removal tool reports no problems.

So.... here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:39:50, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\My Downloads\windows-kb890830-v1.42.exe
c:\feaaee2d5ab2f21dca42aee1305aa7\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »bfc.myway.com/search/de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = »www.dell.com
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [lphcl2uj0egbl] C:\WINDOWS\system32\lphcl2uj0egbl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [] OSK.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6606] command /c del "c:\Program Files\Altnet\Download Manager\asmps.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3125] cmd /c del "c:\Program Files\Altnet\Download Manager\asmps.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2138] command /c del "c:\Program Files\Altnet\Download Manager\asm.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1979] cmd /c del "c:\Program Files\Altnet\Download Manager\asm.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6627] command /c del "c:\Program Files\Altnet\Download Manager\asmend.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6580] cmd /c del "c:\Program Files\Altnet\Download Manager\asmend.exe"
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: VTAgentReboot.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - »www.fileplanet.com/fpdlmgr/cabs/···.108.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - »lads.myspace.com/upload/MySpaceU···1006.cab
O16 - DPF: {8E6AA867-94D4-4B4F-8791-1B048F8C122A} (WebInterface Class) - »https://fastsend.com/products/Fsplugin.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - »download.games.yahoo.com/games/p···r_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A150BA3B-2BAD-4082-A17D-55E52EDC29B4}: NameServer = 167.206.254.1,167.206.254.2
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: RaySatxsi5_0 Server (RaySatxsi5_0Server) - Unknown owner - C:\Softimage\XSI_5.0\Application\bin\raysatxsi5_0server.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\WINDOWS\system32\spm\spmd.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
--
Help us cure TSC and cancer: Team Discovery]]> http://www.dslreports.com/forum/remark,20643341 Sat, 14 Jun 2008 16:06:45 EDT