System Integrity Threats, Winantivirus Pop-ups


  • This topic is locked
10 replies to this topic

#1 lechau (Newbie, Members, 5 posts)

Posted 26 July 2007 - 09:00 PM

Hello, well since last Saturday my computer has been acting up, and I've been trying to remove the viruses through Ad-Aware, Windows Defender, and McAfee Anti-Virus. A lot of Trojans have been removed, but my computer's still getting pop-ups stating my computer is corrupted and to download certain files. On my taskbar there's an icon that's constantly appearing saying that there are system integrity threats. Another problem I seem to be having is that every time I start up my computer, I get messages saying that certain DLLs could not be found. I'm a little new to all of this, so I'm sorry if I couldn't be more helpful. My HijackThis log is underneath.

Thank you,
Sidney

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:25:34 PM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\SYSTEM32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\AOL\1135718319\ee\AOLSoftware.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system32\rundll32.exe
C:\Program Files\USoft\usoft32.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\windows\system32\ctfmon.exe
C:\windows\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\wuauclt.exe
C:\windows\explorer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJackThis\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.deviantart.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\windows\ktqbebyf.dll
O2 - BHO: (no name) - {5768FB7D-841C-494B-8FA5-75597FA1ACAB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8F69F76B-00D0-4ACE-A9DD-9329558AC184} - C:\windows\system32\jkkjh.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\windows\system32\pbysmknq.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135718319\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\windows\retadpu2000352.exe 61A847B5BBF72810329B385577FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\windows\system32\drvkid.dll,startup
O4 - HKLM\..\Run: [lkdopwtu] rundll32.exe "C:\Program Files\lkdopwtu\tevkzyzo.dll",Init
O4 - HKLM\..\Run: [SC2] C:\Program Files\USoft\usoft32.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\windows\system32\aqinvwnd.dll",forkonce
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sen] "C:\windows\ICROSO~1.NET\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [gf1.0.0.2] C:\windows\fezydups.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: ddayy - C:\windows\system32\ddayy.dll (file missing)
O20 - Winlogon Notify: jkkjh - C:\windows\system32\jkkjh.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\windows\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\windows\system32\browseui.dll
O22 - SharedTaskScheduler: za - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\windows\ktqbebyf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: dlbt_device - Unknown owner - C:\WINDOWS\system32\dlbtcoms.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
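
The log above is triaged by eye in this thread; as an added example (not code from the thread, from HijackThis or from ComboFix), here is a small Python script that applies the same checks mechanically: BHOs registered without a name, Winlogon Notify and SharedTaskScheduler entries outside the XP defaults, rundll32 loaders in the Run keys, long opaque hex arguments, binaries dropped directly into the Windows directory or into a non-standard subfolder of it, and the same DLL hooked from more than one load point. The sample lines are copied from the HijackThis log in this post (plus three benign lines from the same log as controls); the allowlists of XP defaults, the known-subfolder list, the 32-hex-character threshold and the severity scale are this example's own assumptions.

```python
"""Triage a HijackThis log: flag persistence entries that need a closer look.
Added example; allowlists and severity scale are assumptions, not HJT output."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Lines copied from the HijackThis log above; the Adobe, igfxhkcmd and
# Browseui lines are benign controls that the rules must leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\windows\ktqbebyf.dll
O2 - BHO: (no name) - {5768FB7D-841C-494B-8FA5-75597FA1ACAB} - (no file)
O2 - BHO: (no name) - {8F69F76B-00D0-4ACE-A9DD-9329558AC184} - C:\windows\system32\jkkjh.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [runner1] C:\windows\retadpu2000352.exe 61A847B5BBF72810329B385577FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\windows\system32\drvkid.dll,startup
O4 - HKLM\..\Run: [lkdopwtu] rundll32.exe "C:\Program Files\lkdopwtu\tevkzyzo.dll",Init
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\windows\system32\aqinvwnd.dll",forkonce
O4 - HKCU\..\Run: [Sen] "C:\windows\ICROSO~1.NET\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [gf1.0.0.2] C:\windows\fezydups.exe
O20 - Winlogon Notify: ddayy - C:\windows\system32\ddayy.dll (file missing)
O20 - Winlogon Notify: jkkjh - C:\windows\system32\jkkjh.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\windows\system32\browseui.dll
O22 - SharedTaskScheduler: za - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\windows\ktqbebyf.dll
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:dll|exe|sys)\b", re.IGNORECASE)
O4_CMD_RE = re.compile(r"\]\s*(.*)$")                      # text after "[name]"
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?,(?P<export>\S+)', re.IGNORECASE)
HEX_TOKEN_RE = re.compile(r"\b[0-9A-Fa-f]{32,}\b")
# Files directly under %windir% or in one of its first-level subfolders (deeper paths are not examined).
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\(?:(?P<sub>[^\\]+)\\)?[^\\]+$")

# Assumed allowlists (Windows XP SP2 defaults); extend them with your own baseline.
DEFAULT_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                           "sclgntfy", "senslogn", "termsrv", "wlballoon"}
DEFAULT_SHARED_TASKS = {"browseui preloader", "component categories cache daemon"}
WINDIR_KNOWN_SUBDIRS = {"system32", "system", "syswow64", "ime", "microsoft.net",
                        "installer", "fonts", "help", "temp"}
SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    section: str
    name: str
    path: str                      # lower-cased path, "" if the entry names no file
    severity: str = "info"
    reasons: list[str] = field(default_factory=list)


def note(f: Finding, sev: str, reason: str) -> None:
    """Record a reason and raise the finding's severity to at least `sev`."""
    f.reasons.append(f"{sev}: {reason}")
    if SEVERITY[sev] > SEVERITY[f.severity]:
        f.severity = sev


def display_name(section: str, body: str) -> str:
    if section == "O4":                          # O4 - HKLM\..\Run: [name] command
        m = re.search(r"\[([^\]]*)\]", body)
        return m.group(1) if m else ""
    # O2/O20/O22 bodies read "<kind>: <name> - {clsid} - <file>"
    return body.split(": ", 1)[-1].split(" - ", 1)[0].strip()


def triage(log_text: str) -> list[Finding]:
    entries: list[Finding] = []
    by_path: dict[str, list[Finding]] = defaultdict(list)
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m or m.group("section") not in {"O2", "O4", "O20", "O22"}:
            continue
        section, body = m.group("section"), m.group("body")
        pm = PATH_RE.search(body)
        f = Finding(section, display_name(section, body), pm.group(0).lower() if pm else "")
        entries.append(f)
        if "(no file)" in body or "(file missing)" in body:
            note(f, "low", "points at a file that is gone; stale entry to clean up")
        if section == "O2" and f.name == "(no name)" and f.path:
            note(f, "high", "BHO registered without a name")
        if section == "O4":
            cm = O4_CMD_RE.search(body)
            cmd = cm.group(1) if cm else body
            rm = RUNDLL_RE.match(cmd)
            if rm:
                note(f, "medium", f"rundll32 calls export '{rm['export']}' of {rm['dll']} at logon")
            if HEX_TOKEN_RE.search(cmd):
                note(f, "high", "command line carries a long opaque hex token")
        if section == "O20" and f.name.lower() not in DEFAULT_WINLOGON_NOTIFY:
            note(f, "high", "Winlogon Notify package outside the XP default set")
        if section == "O22" and f.name.lower() not in DEFAULT_SHARED_TASKS:
            note(f, "high", "SharedTaskScheduler entry outside the XP default set")
        wm = WINDIR_RE.match(f.path)
        if wm and wm["sub"] is None:
            note(f, "high", "binary sits directly in the Windows directory")
        elif wm and wm["sub"] not in WINDIR_KNOWN_SUBDIRS:
            note(f, "medium", f"runs from non-standard Windows subfolder '{wm['sub']}'")
        if f.path:
            by_path[f.path].append(f)
    # Cross-reference: one file hooked from several load points is a strong signal.
    for group in by_path.values():
        sections = sorted({g.section for g in group})
        if len(sections) > 1:
            for g in group:
                note(g, "high", f"same file registered in {len(sections)} persistence points ({'/'.join(sections)})")
    findings = [e for e in entries if e.reasons]
    findings.sort(key=lambda e: (-SEVERITY[e.severity], e.section, e.name))
    return findings


if __name__ == "__main__":
    for fnd in triage(SAMPLE_LOG):
        print(f"[{fnd.severity:>6}] {fnd.section:<4} {fnd.name} -> {fnd.path or '(no file)'}")
        print("\n".join(f"         - {r}" for r in fnd.reasons))
```

Run against the sample, the cross-reference rule is what separates the two DLLs that matter most here: ktqbebyf.dll is hooked both as a BHO (O2) and a SharedTaskScheduler entry (O22), and jkkjh.dll both as a BHO and a Winlogon Notify package (O20), so each is loaded into Explorer and Winlogon independently and survives removing just one registration. The script is a triage aid only; confirm each flagged file (hash, signer, creation time) before deleting anything, since a rule like "binary in the Windows root" will also fire on benign oddities.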

#2 miekiemoes (Malware Killer Dog, Volunteer Security Advisor, 4092 posts)

Posted 26 July 2007 - 10:08 PM

Hello,

* Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - so if you need help, post your problem in the forum.
DO NOT POST your problem or log in someone else's thread, even though you are having the same problems. This is to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't get you help any faster, since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

#3 lechau (Newbie, Members, 5 posts)

Posted 26 July 2007 - 11:05 PM

Ah ok, here's the log from ComboFix and HijackThis. Um, when I ran ComboFix and it rebooted, a blue screen appeared and said that Windows was forced to shut down. Was that supposed to happen?

ComboFix 07-07-27 - "Sarah Tran" 2007-07-26 18:14:47.1 [GMT -4:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\windows\system32\pbysmknq.dll
C:\windows\system32\ssqroom.dll
C:\windows\system32\pbysmknq.dll
C:\windows\system32\ssqroom.dll
C:\WINDOWS\SYSTEM32\hjkkj.bak1
C:\WINDOWS\SYSTEM32\hjkkj.bak2
C:\WINDOWS\SYSTEM32\hjkkj.ini
C:\WINDOWS\SYSTEM32\hjkkj.tmp
C:\windows\system32\jkkjh.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ProductCode
C:\DOCUME~1\SARAHT~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\M2DNA85Q\www.broadcaster.com
C:\DOCUME~1\SARAHT~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\M2DNA85Q\www.broadcaster.com\played_list.sol
C:\DOCUME~1\SARAHT~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\M2DNA85Q\www.broadcaster.com\video_queue.sol
C:\DOCUME~1\SARAHT~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\SARAHT~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\companion wizard\CompWiz.xml
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\windows\icroso~1.net
C:\windows\system32\bszip.dll
C:\windows\system32\lhpmemff.exe
C:\windows\wr.txt


((((((((((((((((((((((((( Files Created from 2007-06-26 to 2007-07-26 )))))))))))))))))))))))))))))))


2007-07-26 18:11 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-26 15:41 126,016 --a------ C:\WINDOWS\SYSTEM32\aqinvwnd.dll
2007-07-24 02:50 6,471 --ahs---- C:\WINDOWS\SYSTEM32\jlnmp.bak1
2007-07-24 00:39 6,471 --ahs---- C:\WINDOWS\SYSTEM32\jjllm.bak1
2007-07-22 20:20 6,489 --ahs---- C:\WINDOWS\SYSTEM32\dgjlm.bak1
2007-07-22 20:07 <DIR> d-------- C:\Program Files\Windows Defender
2007-07-22 19:48 <DIR> d-------- C:\QUARANTINE
2007-07-22 19:43 72,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2007-07-22 19:43 64,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeapfk.sys
2007-07-22 19:43 52,136 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfetdik.sys
2007-07-22 19:43 34,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2007-07-22 19:43 170,408 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2007-07-22 19:43 1,495,552 --a------ C:\WINDOWS\SYSTEM32\epoPGPsdk.dll
2007-07-22 19:43 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2007-07-22 19:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-07-22 19:42 <DIR> d-------- C:\Program Files\McAfee
2007-07-22 19:42 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-07-22 19:41 <DIR> d-------- C:\VirusScan85_Installer
2007-07-22 19:24 <DIR> d-------- C:\DOCUME~1\SARAHT~1\WINDOWS
2007-07-22 16:57 68,608 --a------ C:\WINDOWS\ktqbebyf.dll
2007-07-22 16:56 1,803,710 ---hs---- C:\WINDOWS\SYSTEM32\yyadd.bak2
2007-07-22 00:24 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2007-07-21 23:55 6,489 ---hs---- C:\WINDOWS\SYSTEM32\yyadd.bak1
2007-07-21 23:51 68,608 --a------ C:\WINDOWS\vuzgjkrg.dll
2007-07-21 23:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\mfwsikcn
2007-07-21 23:51 <DIR> d-------- C:\Program Files\USoft
2007-07-21 23:51 <DIR> d-------- C:\Program Files\lkdopwtu
2007-07-18 18:28 <DIR> d-------- C:\Program Files\iTunes
2007-07-10 23:51 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-10 23:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-10 23:50 <DIR> d--hs---- C:\WINDOWS\Installer


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-26 18:21 17277 --a------ C:\windows\system32\tablet.dat
2007-07-24 00:36 --------- d-------- C:\DOCUME~1\SARAHT~1\APPLIC~1\WeatherBug
2007-07-22 18:32 4 --a------ C:\windows\RM_RESULT.DAT
2007-07-22 01:45 --------- d-------- C:\Program Files\Digital Line Detect
2007-07-22 01:45 --------- d-------- C:\Program Files\Dell Photo AIO Printer 922
2007-07-22 01:42 --------- d-------- C:\Program Files\BitComet
2007-07-22 00:45 69689 --a------ C:\windows\UNZIP.DLL
2007-07-22 00:45 208896 --a------ C:\windows\PATCH.EXE
2007-07-22 00:45 1142784 --a------ C:\windows\TMUPDATE.DLL
2007-07-22 00:24 0 --a------ C:\windows\system32\drivers\is-MLJT7.tmp
2007-07-18 19:19 --------- d-------- C:\Program Files\Windows Journal Viewer
2007-07-18 19:17 --------- d-------- C:\Program Files\MSN Messenger
2007-07-18 19:14 --------- d-------- C:\Program Files\Microsoft Plus! Photo Story 2 LE
2007-07-18 18:28 --------- d-------- C:\Program Files\iPod
2007-07-18 18:27 --------- d-------- C:\Program Files\QuickTime
2007-07-18 18:25 --------- d-------- C:\Program Files\Apple Software Update
2007-06-12 18:49 1163344 --a------ C:\windows\vsapi32.dll
2007-06-10 00:25 58880 --a------ C:\windows\system32\ATL.DLL
2007-06-09 23:53 --------- d-------- C:\Program Files\Your Company Name
2007-06-09 23:53 --------- d-------- C:\Program Files\Yahoo!
2007-06-09 23:52 --------- d-------- C:\Program Files\WordPerfect Office 12
2007-06-09 23:50 --------- d--h----- C:\Program Files\WindowsUpdate
2007-06-09 23:50 --------- d-------- C:\Program Files\Windows NT
2007-06-09 23:50 --------- d-------- C:\Program Files\Western Digital Technologies
2007-06-09 23:50 --------- d-------- C:\Program Files\Western Digital
2007-06-09 23:50 --------- d-------- C:\Program Files\Viewpoint
2007-06-09 23:50 --------- d-------- C:\Program Files\Tablet
2007-06-09 23:50 --------- d-------- C:\Program Files\Sonic
2007-06-09 23:48 --------- d-------- C:\Program Files\Real
2007-06-09 23:47 --------- d-------- C:\Program Files\portalgraphics
2007-06-09 23:47 --------- d-------- C:\Program Files\Photo Watermark Professional
2007-06-09 23:47 --------- d-------- C:\Program Files\Online Services
2007-06-09 23:46 --------- d-------- C:\Program Files\Nikon
2007-06-09 23:46 --------- d-------- C:\Program Files\NetZeroInstallers
2007-06-09 23:46 --------- d-------- C:\Program Files\Network Associates
2007-06-09 23:46 --------- d-------- C:\Program Files\NetWaiting
2007-06-09 23:46 --------- d-------- C:\Program Files\MyWebSearchWB
2007-06-09 23:45 --------- d-------- C:\Program Files\MUSICMATCH
2007-06-09 23:45 --------- d-------- C:\Program Files\MSXML 4.0
2007-06-09 23:45 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-06-09 23:45 --------- d-------- C:\Program Files\Movie Maker
2007-06-09 23:45 --------- d-------- C:\Program Files\Modem Helper
2007-06-09 23:44 --------- d-------- C:\Program Files\Microsoft Plus! Digital Media Edition
2007-06-09 23:43 --------- d-------- C:\Program Files\Microsoft Money 2006
2007-06-09 23:42 --------- d-------- C:\Program Files\microsoft frontpage
2007-06-09 23:42 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-06-09 23:42 --------- d-------- C:\Program Files\Messenger
2007-06-09 23:40 --------- d-------- C:\Program Files\LimeWire
2007-06-09 23:39 --------- d-------- C:\Program Files\Learn2.com
2007-06-09 23:39 --------- d-------- C:\Program Files\Lavasoft
2007-06-09 23:39 --------- d-------- C:\Program Files\K-Lite Codec Pack
2007-06-09 23:39 --------- d-------- C:\Program Files\JSLMC
2007-06-09 23:29 --------- d-------- C:\Program Files\Jasc Software Inc
2007-06-09 23:20 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-09 23:20 --------- d-------- C:\Program Files\Intuit
2007-06-09 23:20 --------- d-------- C:\Program Files\Intel
2007-06-09 23:19 --------- d-------- C:\Program Files\Incomplete
2007-06-09 23:18 --------- d-------- C:\Program Files\ImTOO
2007-06-09 23:18 --------- d-------- C:\Program Files\H&R Block Tax Offer
2007-06-09 23:18 --------- d-------- C:\Program Files\Google
2007-06-09 23:07 --------- d-------- C:\Program Files\GalaNet
2007-06-09 23:07 --------- d-------- C:\Program Files\Filzip
2007-06-09 23:07 --------- d-------- C:\Program Files\EphPod
2007-06-09 23:07 --------- d-------- C:\Program Files\EclipseCrossword
2007-06-09 23:06 --------- d-------- C:\Program Files\EarthLink Setup
2007-06-09 22:57 --------- d-------- C:\Program Files\EA GAMES
2007-06-09 21:47 --------- d-------- C:\Program Files\e frontier
2007-06-09 21:47 --------- d-------- C:\Program Files\DVD Shrink
2007-06-09 21:47 --------- d-------- C:\Program Files\DiscWizard for Windows
2007-06-09 21:47 --------- d-------- C:\Program Files\directx
2007-06-09 21:47 --------- d-------- C:\Program Files\Dell Support
2007-06-09 21:47 --------- d-------- C:\Program Files\Dell Inc
2007-06-09 21:47 --------- d-------- C:\Program Files\Dell
2007-06-09 21:45 --------- d-------- C:\Program Files\D-Link
2007-06-09 21:45 --------- d-------- C:\Program Files\CyberLink
2007-06-09 21:42 --------- d-------- C:\Program Files\Corel
2007-06-09 21:42 --------- d-------- C:\Program Files\CONEXANT
2007-06-09 21:42 --------- d-------- C:\Program Files\Common Files\Viewpoint
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\SWF Studio
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\SpeechEngines
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Sonic Shared
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Sonic
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Scanner
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Real
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Panda Software
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\ODBC
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Nullsoft
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Nikon
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Network Associates
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\MSSoap
2007-06-09 21:40 --------- d-------- C:\Program Files\Common Files\Macromedia Shared
2007-06-09 21:40 --------- d-------- C:\Program Files\Common Files\Jasc Software Inc
2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\Intuit
2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\cuatoabu
2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\Corel
2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\Canon
2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\Borland Shared
2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\aolshare
2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\AOL
2006-11-02 20:25:09 952 --sha-w C:\windows\SYSTEM32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]
2007-07-22 16:57 68608 --a------ C:\windows\ktqbebyf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5768FB7D-841C-494B-8FA5-75597FA1ACAB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 16:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 17:54]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 02:01]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 20:36]
"QOELOADER"="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe" [2005-04-26 13:27]
"D-Link AirPlus XtremeG"="C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2004-09-22 13:08]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-08-16 16:45]
"HostManager"="C:\Program Files\Common Files\AOL\1135718319\ee\AOLSoftware.exe" [2006-05-09 20:24]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"lkdopwtu"="C:\Program Files\lkdopwtu\tevkzyzo.dll" [2007-07-21 23:51]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"UserFaultCheck"="C:\windows\system32\dumprep 0 -u" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2006-04-07 15:02]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 06:00]
"Sen"="C:\windows\ICROSO~1.NET\javaw.exe" []
"gf1.0.0.2"="C:\windows\fezydups.exe" []

C:\Documents and Settings\Sarah Tran\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-06 23:45:14]
DESKTOP.INI [2004-08-10 14:04:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-06 23:45:14]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
DESKTOP.INI [2004-08-10 14:04:12]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-04-04 13:00:33]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
NkVwMon.exe.lnk - C:\Program Files\Nikon\NkView4\NkVwMon.exe [2006-04-24 22:42:48]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36]
TabUserW.exe.lnk - C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe [2005-07-06 18:00:17]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-04-09 18:58:35]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{53B5F2B1-94DD-43E5-8187-EB4E31F00701}"= C:\windows\ktqbebyf.dll [2007-07-22 16:57 68608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddayy]
C:\windows\system32\ddayy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

R0 agpCPQ;Compaq AGP Bus Filter;C:\windows\system32\DRIVERS\agpCPQ.sys
R0 PenClass;Pen Class;C:\windows\system32\drivers\PenClass.sys
R0 Vax347b;Vax347b;C:\windows\system32\DRIVERS\Vax347b.sys
R0 Vax347s;Vax347s;C:\windows\system32\Drivers\Vax347s.sys
R1 mfetdik;McAfee Inc.;C:\windows\system32\drivers\mfetdik.sys
R1 sscdbhk5;sscdbhk5;C:\windows\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\windows\system32\drivers\ssrtln.sys
R2 ANIO;ANIO Service;\??\C:\WINDOWS\system32\ANIO.SYS
R2 drvnddm;drvnddm;C:\windows\system32\drivers\drvnddm.sys
R2 ithsgt;ithsgt;C:\windows\system32\DRIVERS\ithsgt.sys
R2 lilsgt;lilsgt;C:\windows\system32\DRIVERS\lilsgt.sys
R2 tfsnboio;tfsnboio;C:\windows\system32\dla\tfsnboio.sys
R2 tfsncofs;tfsncofs;C:\windows\system32\dla\tfsncofs.sys
R2 tfsndrct;tfsndrct;C:\windows\system32\dla\tfsndrct.sys
R2 tfsndres;tfsndres;C:\windows\system32\dla\tfsndres.sys
R2 tfsnifs;tfsnifs;C:\windows\system32\dla\tfsnifs.sys
R2 tfsnopio;tfsnopio;C:\windows\system32\dla\tfsnopio.sys
R2 tfsnpool;tfsnpool;C:\windows\system32\dla\tfsnpool.sys
R2 tfsnudf;tfsnudf;C:\windows\system32\dla\tfsnudf.sys
R2 tfsnudfa;tfsnudfa;C:\windows\system32\dla\tfsnudfa.sys
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\windows\system32\DRIVERS\A3AB.sys
R3 E100B;Intel® PRO Adapter Driver;C:\windows\system32\DRIVERS\e100b325.sys
R3 mfeapfk;McAfee Inc.;C:\windows\system32\drivers\mfeapfk.sys
R3 senfilt;senfilt;C:\windows\system32\drivers\senfilt.sys
R3 Tetris;Tetris driver;C:\windows\system32\Drivers\Tetris.sys
S3 AvFlt;Antivirus Filter Driver;C:\windows\system32\drivers\av5flt.sys
S3 Tearock;Tearock;C:\WINDOWS\system32\drivers\P3.SYS
S3 wanatw;WAN Miniport (ATW);C:\windows\system32\DRIVERS\wanatw4.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{664e760c-f02f-11d9-abb2-001320014ca3}]
AutoRun\command- E:\Intro.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b15444a9-fd3d-11d9-abd2-001320014ca3}]
AutoRun\command- E:\Setup.exe -auto


Contents of the 'Scheduled Tasks' folder
2007-07-18 22:25:20 C:\windows\tasks\AppleSoftwareUpdate.job
2007-07-20 22:30:00 C:\windows\tasks\McAfee.com Scan for Viruses - My Computer (SARAH-Bach Tran).job
2007-07-26 19:40:53 C:\windows\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-26 18:22:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000169

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-26 18:25:10 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-26 18:24

--- E O F ---



Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:31:04 PM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\SYSTEM32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\windows\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\windows\Explorer.EXE
C:\windows\system32\wuauclt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\windows\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Common Files\AOL\1135718319\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system32\rundll32.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJackThis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.deviantart.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\windows\ktqbebyf.dll
O2 - BHO: (no name) - {5768FB7D-841C-494B-8FA5-75597FA1ACAB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135718319\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lkdopwtu] rundll32.exe "C:\Program Files\lkdopwtu\tevkzyzo.dll",Init
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sen] "C:\windows\ICROSO~1.NET\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [gf1.0.0.2] C:\windows\fezydups.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: ddayy - C:\windows\system32\ddayy.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\windows\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\windows\system32\browseui.dll
O22 - SharedTaskScheduler: za - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\windows\ktqbebyf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: dlbt_device - Unknown owner - C:\WINDOWS\system32\dlbtcoms.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

#4 miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • 4092 posts

Posted 27 July 2007 - 07:54 AM

Hi,

Um, when I ran ComboFix and it rebooted, a blue screen appeared and said that Windows was forced to shut down. Was that supposed to happen?

This depends. On terribly infected systems such as yours, it is normal that this happens, because, after all, malware makes a system very unstable.

Please do the following.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\windows\ktqbebyf.dll
C:\WINDOWS\SYSTEM32\aqinvwnd.dll
C:\WINDOWS\SYSTEM32\jlnmp.bak1
C:\WINDOWS\SYSTEM32\jjllm.bak1
C:\WINDOWS\SYSTEM32\dgjlm.bak1
C:\WINDOWS\ktqbebyf.dll
C:\WINDOWS\SYSTEM32\yyadd.bak2
C:\WINDOWS\SYSTEM32\yyadd.bak1
C:\WINDOWS\vuzgjkrg.dll

Folder::
C:\Program Files\lkdopwtu
C:\Program Files\MyWebSearchWB
C:\WINDOWS\SYSTEM32\mfwsikcn

DirLook::
C:\DOCUME~1\SARAHT~1\WINDOWS

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5768FB7D-841C-494B-8FA5-75597FA1ACAB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lkdopwtu"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sen"=-
"gf1.0.0.2"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddayy]


Save this as a text file named CFScript.

Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Also do the following, because the fact that all the folders in your Program Files were modified recently is suspicious and you may be dealing with a file infector as well...

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say "Ready"; click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply as well.
Antispyware Scanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - so if you need help, post your problem in the forum.
DO NOT POST your problem or log in someone else's thread, even though you are having the same problems. This is to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help you receive help faster, since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.
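
The CFScript above uses a small, fixed format: File:: and Folder:: sections list paths to delete, and in Registry:: a `[-key]` line deletes a whole key, a `[key]` line selects a key, and a `"name"=-` line deletes one value under it. The Python below is an added example, not code from this thread or from ComboFix: it parses a script in that format and reports which HijackThis entries (O2, O4, O20) each action covers, so a helper can see at a glance that every malicious entry in the log is handled. The script text, the log lines and the function names are constructed for this example and mirror the shapes used in the post.

```python
"""Added example (not from the thread or from ComboFix): parse a CFScript and
report which HijackThis entries its actions cover."""
import re
from collections import defaultdict

# Constructed CFScript in the format used in the post above.
CFSCRIPT = r"""
File::
C:\windows\ktqbebyf.dll
C:\WINDOWS\vuzgjkrg.dll

Folder::
C:\Program Files\lkdopwtu

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lkdopwtu"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sen"=-
"gf1.0.0.2"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddayy]
"""

# Constructed HijackThis lines in the same formats as the thread's log.
HJT_LINES = [
    r"O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\windows\ktqbebyf.dll",
    r'O4 - HKLM\..\Run: [lkdopwtu] rundll32.exe "C:\Program Files\lkdopwtu\tevkzyzo.dll",Init',
    r"O4 - HKCU\..\Run: [gf1.0.0.2] C:\windows\fezydups.exe",
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    r"O20 - Winlogon Notify: ddayy - C:\windows\system32\ddayy.dll (file missing)",
]

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def parse_cfscript(text):
    """Split a CFScript into sections.  In Registry:: a '[-key]' line deletes a
    whole key, '[key]' selects a key, and '"name"=-' deletes one value under it.
    Everything is lower-cased: Windows paths and key names are case-insensitive."""
    script = {"files": [], "folders": [], "del_keys": [], "del_values": defaultdict(set)}
    section, current_key = None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):                       # File::, Folder::, Registry:: ...
            section, current_key = line[:-2].lower(), None
        elif section == "file":
            script["files"].append(line.lower())
        elif section == "folder":
            script["folders"].append(line.lower())
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):
                script["del_keys"].append(line[2:-1].lower())
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1].lower()
            elif current_key and (m := re.fullmatch(r'"([^"]+)"=-', line)):
                script["del_values"][current_key].add(m.group(1).lower())
    return script


def extract_path(hjt_line):
    """First drive-letter path in a HijackThis entry, without surrounding quotes,
    rundll32 arguments or the trailing '(file missing)' marker."""
    m = re.search(r'[A-Za-z]:\\[^",]+', hjt_line)
    if not m:
        return None
    return re.sub(r"\s*\(file missing\)$", "", m.group(0)).strip().lower()


def coverage(script, hjt_line):
    """Set of CFScript actions that remove this HijackThis entry (empty = untouched)."""
    hits = set()
    path = extract_path(hjt_line)
    if path and path in script["files"]:
        hits.add("file")
    if path and any(path.startswith(f + "\\") for f in script["folders"]):
        hits.add("folder")
    # O4 - HKLM\..\Run: [name] ...  -> '"name"=-' under the mapped Run key
    m = re.match(r"O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\]", hjt_line)
    if m:
        run_key = (HIVES[m.group(1)] + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run").lower()
        if m.group(2).lower() in script["del_values"].get(run_key, set()):
            hits.add("run-value")
    # O2 - BHO: ... {CLSID} ...  -> a deleted key ending in that CLSID
    m = re.match(r"O2 - BHO: .*?(\{[0-9A-Fa-f-]{36}\})", hjt_line)
    if m and any(k.endswith("\\" + m.group(1).lower()) for k in script["del_keys"]):
        hits.add("bho-key")
    # O20 - Winlogon Notify: name  -> a deleted ...\winlogon\notify\name key
    m = re.match(r"O20 - Winlogon Notify: (\S+)", hjt_line)
    if m and any(k.endswith("\\notify\\" + m.group(1).lower()) for k in script["del_keys"]):
        hits.add("notify-key")
    return hits


def report(script_text, hjt_lines):
    """Map every HijackThis line to the set of actions that cover it."""
    script = parse_cfscript(script_text)
    return {line: coverage(script, line) for line in hjt_lines}


if __name__ == "__main__":
    for line, hits in report(CFSCRIPT, HJT_LINES).items():
        label = ", ".join(sorted(hits)) or "untouched"
        print(f"{label:<22} {line[:60]}")
```

An entry reported as covered only by "run-value" (the fezydups.exe line here) has its autostart removed but its file left on disk, which is the kind of gap a second pass or the quarantine log should confirm.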

#5 lechau

    Newbie

  • Members
  • 5 posts

Posted 29 July 2007 - 06:14 AM

ComboFix text:

ComboFix 07-07-27 - "Sarah Tran" 2007-07-27 18:06:45.2 [GMT -4:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\Sarah Tran\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\lkdopwtu
C:\Program Files\lkdopwtu\tevkzyzo.dll
C:\Program Files\MyWebSearchWB
C:\Program Files\MyWebSearchWB\bar\History\search
C:\windows\ktqbebyf.dll
C:\WINDOWS\SYSTEM32\aqinvwnd.dll
C:\WINDOWS\SYSTEM32\dgjlm.bak1
C:\WINDOWS\SYSTEM32\jjllm.bak1
C:\WINDOWS\SYSTEM32\jlnmp.bak1
C:\WINDOWS\SYSTEM32\mfwsikcn
C:\WINDOWS\SYSTEM32\mfwsikcn\bg1.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\bgtop.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\bottom1.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\essentials.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\icon1.ico
C:\WINDOWS\SYSTEM32\mfwsikcn\install1.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\left1.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\li.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\logo.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\main.htm
C:\WINDOWS\SYSTEM32\mfwsikcn\mainframe.htm
C:\WINDOWS\SYSTEM32\mfwsikcn\mfwsikcn1.exe
C:\WINDOWS\SYSTEM32\mfwsikcn\mfwsikcn2.exe
C:\WINDOWS\SYSTEM32\mfwsikcn\mfwsikcn3.exe
C:\WINDOWS\SYSTEM32\mfwsikcn\reinstall1.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\right1.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\s1.htm
C:\WINDOWS\SYSTEM32\mfwsikcn\s2.htm
C:\WINDOWS\SYSTEM32\mfwsikcn\s3.htm
C:\WINDOWS\SYSTEM32\mfwsikcn\SMTop1.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\SMTop2.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\SMTop3.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\SMTop4.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\soft1_off.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\soft1_off_ext.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\soft1_on.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\soft1_on_ext.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\soft2_off.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\soft2_off_ext.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\soft2_on.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\soft2_on_ext.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\soft3_off.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\soft3_off_ext.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\soft3_on.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\soft3_on_ext.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\softbottom_off.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\softbottom_on.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\softleft_off.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\softleft_on.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\top1.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\top2.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\turnoff1.gif
C:\WINDOWS\SYSTEM32\mfwsikcn\turnon1.gif
C:\WINDOWS\SYSTEM32\yyadd.bak1
C:\WINDOWS\SYSTEM32\yyadd.bak2
C:\WINDOWS\vuzgjkrg.dll


((((((((((((((((((((((((( Files Created from 2007-06-27 to 2007-07-27 )))))))))))))))))))))))))))))))


2007-07-26 18:11 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-22 20:07 <DIR> d-------- C:\Program Files\Windows Defender
2007-07-22 19:48 <DIR> d-------- C:\QUARANTINE
2007-07-22 19:43 72,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2007-07-22 19:43 64,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeapfk.sys
2007-07-22 19:43 52,136 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfetdik.sys
2007-07-22 19:43 34,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2007-07-22 19:43 170,408 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2007-07-22 19:43 1,495,552 --a------ C:\WINDOWS\SYSTEM32\epoPGPsdk.dll
2007-07-22 19:43 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2007-07-22 19:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-07-22 19:42 <DIR> d-------- C:\Program Files\McAfee
2007-07-22 19:42 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-07-22 19:41 <DIR> d-------- C:\VirusScan85_Installer
2007-07-22 19:24 <DIR> d-------- C:\DOCUME~1\SARAHT~1\WINDOWS
2007-07-22 00:24 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2007-07-21 23:51 <DIR> d-------- C:\Program Files\USoft
2007-07-18 18:28 <DIR> d-------- C:\Program Files\iTunes
2007-07-10 23:51 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-10 23:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-10 23:50 <DIR> d--hs---- C:\WINDOWS\Installer


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-27 17:56 17277 --a------ C:\windows\system32\tablet.dat
2007-07-24 00:36 --------- d-------- C:\DOCUME~1\SARAHT~1\APPLIC~1\WeatherBug
2007-07-22 18:32 4 --a------ C:\windows\RM_RESULT.DAT
2007-07-22 01:45 --------- d-------- C:\Program Files\Digital Line Detect
2007-07-22 01:45 --------- d-------- C:\Program Files\Dell Photo AIO Printer 922
2007-07-22 01:42 --------- d-------- C:\Program Files\BitComet
2007-07-22 00:45 69689 --a------ C:\windows\UNZIP.DLL
2007-07-22 00:45 208896 --a------ C:\windows\PATCH.EXE
2007-07-22 00:45 1142784 --a------ C:\windows\TMUPDATE.DLL
2007-07-22 00:24 0 --a------ C:\windows\system32\drivers\is-MLJT7.tmp
2007-07-18 19:19 --------- d-------- C:\Program Files\Windows Journal Viewer
2007-07-18 19:17 --------- d-------- C:\Program Files\MSN Messenger
2007-07-18 19:14 --------- d-------- C:\Program Files\Microsoft Plus! Photo Story 2 LE
2007-07-18 18:28 --------- d-------- C:\Program Files\iPod
2007-07-18 18:27 --------- d-------- C:\Program Files\QuickTime
2007-07-18 18:25 --------- d-------- C:\Program Files\Apple Software Update
2007-06-12 18:49 1163344 --a------ C:\windows\vsapi32.dll
2007-06-10 00:25 58880 --a------ C:\windows\system32\ATL.DLL
2007-06-09 23:53 --------- d-------- C:\Program Files\Your Company Name
2007-06-09 23:53 --------- d-------- C:\Program Files\Yahoo!
2007-06-09 23:52 --------- d-------- C:\Program Files\WordPerfect Office 12
2007-06-09 23:50 --------- d--h----- C:\Program Files\WindowsUpdate
2007-06-09 23:50 --------- d-------- C:\Program Files\Windows NT
2007-06-09 23:50 --------- d-------- C:\Program Files\Western Digital Technologies
2007-06-09 23:50 --------- d-------- C:\Program Files\Western Digital
2007-06-09 23:50 --------- d-------- C:\Program Files\Viewpoint
2007-06-09 23:50 --------- d-------- C:\Program Files\Tablet
2007-06-09 23:50 --------- d-------- C:\Program Files\Sonic
2007-06-09 23:48 --------- d-------- C:\Program Files\Real
2007-06-09 23:47 --------- d-------- C:\Program Files\portalgraphics
2007-06-09 23:47 --------- d-------- C:\Program Files\Photo Watermark Professional
2007-06-09 23:47 --------- d-------- C:\Program Files\Online Services
2007-06-09 23:46 --------- d-------- C:\Program Files\Nikon
2007-06-09 23:46 --------- d-------- C:\Program Files\NetZeroInstallers
2007-06-09 23:46 --------- d-------- C:\Program Files\Network Associates
2007-06-09 23:46 --------- d-------- C:\Program Files\NetWaiting
2007-06-09 23:45 --------- d-------- C:\Program Files\MUSICMATCH
2007-06-09 23:45 --------- d-------- C:\Program Files\MSXML 4.0
2007-06-09 23:45 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-06-09 23:45 --------- d-------- C:\Program Files\Movie Maker
2007-06-09 23:45 --------- d-------- C:\Program Files\Modem Helper
2007-06-09 23:44 --------- d-------- C:\Program Files\Microsoft Plus! Digital Media Edition
2007-06-09 23:43 --------- d-------- C:\Program Files\Microsoft Money 2006
2007-06-09 23:42 --------- d-------- C:\Program Files\microsoft frontpage
2007-06-09 23:42 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-06-09 23:42 --------- d-------- C:\Program Files\Messenger
2007-06-09 23:40 --------- d-------- C:\Program Files\LimeWire
2007-06-09 23:39 --------- d-------- C:\Program Files\Learn2.com
2007-06-09 23:39 --------- d-------- C:\Program Files\Lavasoft
2007-06-09 23:39 --------- d-------- C:\Program Files\K-Lite Codec Pack
2007-06-09 23:39 --------- d-------- C:\Program Files\JSLMC
2007-06-09 23:29 --------- d-------- C:\Program Files\Jasc Software Inc
2007-06-09 23:20 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-09 23:20 --------- d-------- C:\Program Files\Intuit
2007-06-09 23:20 --------- d-------- C:\Program Files\Intel
2007-06-09 23:19 --------- d-------- C:\Program Files\Incomplete
2007-06-09 23:18 --------- d-------- C:\Program Files\ImTOO
2007-06-09 23:18 --------- d-------- C:\Program Files\H&R Block Tax Offer
2007-06-09 23:18 --------- d-------- C:\Program Files\Google
2007-06-09 23:07 --------- d-------- C:\Program Files\GalaNet
2007-06-09 23:07 --------- d-------- C:\Program Files\Filzip
2007-06-09 23:07 --------- d-------- C:\Program Files\EphPod
2007-06-09 23:07 --------- d-------- C:\Program Files\EclipseCrossword
2007-06-09 23:06 --------- d-------- C:\Program Files\EarthLink Setup
2007-06-09 22:57 --------- d-------- C:\Program Files\EA GAMES
2007-06-09 21:47 --------- d-------- C:\Program Files\e frontier
2007-06-09 21:47 --------- d-------- C:\Program Files\DVD Shrink
2007-06-09 21:47 --------- d-------- C:\Program Files\DiscWizard for Windows
2007-06-09 21:47 --------- d-------- C:\Program Files\directx
2007-06-09 21:47 --------- d-------- C:\Program Files\Dell Support
2007-06-09 21:47 --------- d-------- C:\Program Files\Dell Inc
2007-06-09 21:47 --------- d-------- C:\Program Files\Dell
2007-06-09 21:45 --------- d-------- C:\Program Files\D-Link
2007-06-09 21:45 --------- d-------- C:\Program Files\CyberLink
2007-06-09 21:42 --------- d-------- C:\Program Files\Corel
2007-06-09 21:42 --------- d-------- C:\Program Files\CONEXANT
2007-06-09 21:42 --------- d-------- C:\Program Files\Common Files\Viewpoint
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\SWF Studio
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\SpeechEngines
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Sonic Shared
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Sonic
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Scanner
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Real
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Panda Software
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\ODBC
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Nullsoft
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Nikon
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\Network Associates
2007-06-09 21:41 --------- d-------- C:\Program Files\Common Files\MSSoap
2007-06-09 21:40 --------- d-------- C:\Program Files\Common Files\Macromedia Shared
2007-06-09 21:40 --------- d-------- C:\Program Files\Common Files\Jasc Software Inc
2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\Intuit
2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\cuatoabu
2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\Corel
2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\Canon
2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\Borland Shared
2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\aolshare
2007-06-09 21:39 --------- d-------- C:\Program Files\Common Files\AOL
2007-06-09 21:38 --------- d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2006-11-02 20:25:09 952 --sha-w C:\windows\SYSTEM32\KGyGaAvL.sys


(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


---- Directory of C:\DOCUME~1\SARAHT~1\WINDOWS ----

2007-07-22 19:24 587 --a------ C:\DOCUME~1\SARAHT~1\WINDOWS\win.ini


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 16:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 17:54]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 02:01]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 20:36]
"QOELOADER"="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe" [2005-04-26 13:27]
"D-Link AirPlus XtremeG"="C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2004-09-22 13:08]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-08-16 16:45]
"HostManager"="C:\Program Files\Common Files\AOL\1135718319\ee\AOLSoftware.exe" [2006-05-09 20:24]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2006-04-07 15:02]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 06:00]

C:\Documents and Settings\Sarah Tran\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-06 23:45:14]
DESKTOP.INI [2004-08-10 14:04:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-06 23:45:14]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
DESKTOP.INI [2004-08-10 14:04:12]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-04-04 13:00:33]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
NkVwMon.exe.lnk - C:\Program Files\Nikon\NkView4\NkVwMon.exe [2006-04-24 22:42:48]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36]
TabUserW.exe.lnk - C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe [2005-07-06 18:00:17]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-04-09 18:58:35]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

R0 agpCPQ;Compaq AGP Bus Filter;C:\windows\system32\DRIVERS\agpCPQ.sys
R0 PenClass;Pen Class;C:\windows\system32\drivers\PenClass.sys
R0 Vax347b;Vax347b;C:\windows\system32\DRIVERS\Vax347b.sys
R0 Vax347s;Vax347s;C:\windows\system32\Drivers\Vax347s.sys
R1 mfetdik;McAfee Inc.;C:\windows\system32\drivers\mfetdik.sys
R1 sscdbhk5;sscdbhk5;C:\windows\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\windows\system32\drivers\ssrtln.sys
R2 ANIO;ANIO Service;\??\C:\WINDOWS\system32\ANIO.SYS
R2 drvnddm;drvnddm;C:\windows\system32\drivers\drvnddm.sys
R2 ithsgt;ithsgt;C:\windows\system32\DRIVERS\ithsgt.sys
R2 lilsgt;lilsgt;C:\windows\system32\DRIVERS\lilsgt.sys
R2 tfsnboio;tfsnboio;C:\windows\system32\dla\tfsnboio.sys
R2 tfsncofs;tfsncofs;C:\windows\system32\dla\tfsncofs.sys
R2 tfsndrct;tfsndrct;C:\windows\system32\dla\tfsndrct.sys
R2 tfsndres;tfsndres;C:\windows\system32\dla\tfsndres.sys
R2 tfsnifs;tfsnifs;C:\windows\system32\dla\tfsnifs.sys
R2 tfsnopio;tfsnopio;C:\windows\system32\dla\tfsnopio.sys
R2 tfsnpool;tfsnpool;C:\windows\system32\dla\tfsnpool.sys
R2 tfsnudf;tfsnudf;C:\windows\system32\dla\tfsnudf.sys
R2 tfsnudfa;tfsnudfa;C:\windows\system32\dla\tfsnudfa.sys
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\windows\system32\DRIVERS\A3AB.sys
R3 E100B;Intel® PRO Adapter Driver;C:\windows\system32\DRIVERS\e100b325.sys
R3 mfeapfk;McAfee Inc.;C:\windows\system32\drivers\mfeapfk.sys
R3 senfilt;senfilt;C:\windows\system32\drivers\senfilt.sys
R3 Tetris;Tetris driver;C:\windows\system32\Drivers\Tetris.sys
S3 AvFlt;Antivirus Filter Driver;C:\windows\system32\drivers\av5flt.sys
S3 Tearock;Tearock;C:\WINDOWS\system32\drivers\P3.SYS
S3 wanatw;WAN Miniport (ATW);C:\windows\system32\DRIVERS\wanatw4.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{664e760c-f02f-11d9-abb2-001320014ca3}]
AutoRun\command- E:\Intro.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b15444a9-fd3d-11d9-abd2-001320014ca3}]
AutoRun\command- E:\Setup.exe -auto


Contents of the 'Scheduled Tasks' folder
2007-07-18 22:25:20 C:\windows\tasks\AppleSoftwareUpdate.job
2007-07-20 22:30:00 C:\windows\tasks\McAfee.com Scan for Viruses - My Computer (SARAH-Bach Tran).job
2007-07-27 21:59:43 C:\windows\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-27 18:10:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120"

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-27 18:11:39
C:\ComboFix-quarantined-files.txt ... 2007-07-27 18:11
C:\ComboFix2.txt ... 2007-07-26 18:25

--- E O F ---


Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:18:04 PM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\SYSTEM32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\windows\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\windows\System32\svchost.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\AOL\1135718319\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\wuauclt.exe
C:\windows\EXPLORER.EXE
C:\windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJackThis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.deviantart.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135718319\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: dlbt_device - Unknown owner - C:\WINDOWS\system32\dlbtcoms.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

Kaspersky Scan Log:

KASPERSKY ONLINE SCANNER REPORT
Sunday, July 29, 2007 1:27:59 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 29/07/2007
Kaspersky Anti-Virus database records: 369040
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 343275
Number of viruses found: 8
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 07:23:06

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_SARAH.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_SARAH.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-07222007-200825.log Object is locked skipped
C:\Documents and Settings\Bach Tran\Local Settings\Temporary Internet Files\Content.IE5\DM2609Z3\adfcook[1] Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\Bach Tran\Local Settings\Temporary Internet Files\Content.IE5\H3QOUPRC\kcehc_eicooc20070702[1] Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\Bach Tran\Local Settings\Temporary Internet Files\Content.IE5\H3QOUPRC\masiyxanidi[1] Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Sarah Tran\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Sarah Tran\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Sarah Tran\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped
C:\Documents and Settings\Sarah Tran\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Sarah Tran\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Sarah Tran\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{0B01DC60-F17D-4C7C-9DDC-EC7F7EA1C934} Object is locked skipped
C:\Documents and Settings\Sarah Tran\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Sarah Tran\Local Settings\History\History.IE5\MSHist012007072820070729\index.dat Object is locked skipped
C:\Documents and Settings\Sarah Tran\Local Settings\Temp\NAILogs\UpdaterUI_SARAH.log Object is locked skipped
C:\Documents and Settings\Sarah Tran\Local Settings\Temp\~DFAD62.tmp Object is locked skipped
C:\Documents and Settings\Sarah Tran\Local Settings\Temp\~DFAD74.tmp Object is locked skipped
C:\Documents and Settings\Sarah Tran\Local Settings\Temp\~DFCEA5.tmp Object is locked skipped
C:\Documents and Settings\Sarah Tran\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Sarah Tran\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sarah Tran\ntuser.dat Object is locked skipped
C:\Documents and Settings\Sarah Tran\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2007-07-28.17-54-05.log Object is locked skipped
C:\Program Files\Mozilla Firefox\plugins\NPMySrWB.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\QooBox\Quarantine\C\Program Files\lkdopwtu\tevkzyzo.dll.vir Infected: Trojan.Win32.Agent.atq skipped
C:\QooBox\Quarantine\C\WINDOWS\ktqbebyf.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cw skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lhpmemff.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mfwsikcn\mfwsikcn1.exe.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mfwsikcn\mfwsikcn2.exe.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mfwsikcn\mfwsikcn3.exe.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ssqroom.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\vuzgjkrg.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cw skipped
C:\sysreset\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP854\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6C8B2B7A-4C4E-4D9F-8D0F-21CBCE773736}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\Program Files\Mozilla Firefox\plugins\NPMySrWB.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
F:\sysreset\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

#6 miekiemoes

miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • 4092 posts

Posted 29 July 2007 - 08:15 AM

Hi,

Delete the following file and folder:

C:\Program Files\Mozilla Firefox\plugins\NPMySrWB.dll <== file
C:\Qoobox <== folder

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 2.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 2".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.
Let me know in your next reply how things are now...
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored, so if you need help, post your problem in the forum.
DO NOT POST your problem or log in someone else's thread, even though you are having the same problems. This is to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help you receive help any faster, since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

#7 lechau

lechau

    Newbie

  • Members
  • 5 posts

Posted 29 July 2007 - 11:53 PM

Everything is running smoothly now. My only question is that at start-up I've been getting a notice saying that qbupdate.exe failed to start because MFC71.DLL was not found, but I don't know what this was for.

#8 miekiemoes

miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • 4092 posts

Posted 30 July 2007 - 09:51 AM

Hi,

The error you receive is related to this:

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

Either check and fix that entry in HijackThis, or reinstall QuickBooks.

Glad I could help. ;)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!
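Added example, not part of the thread: a small Python triage script for the two log formats posted above. It keeps only the Kaspersky "Infected:" lines and separates the ones already sitting in ComboFix's quarantine (C:\QooBox) from the ones still live on disk, which is the sorting behind the delete list in post #6; and it parses HijackThis O4/O9/O23 lines like the QuickBooks entry in post #8, pulling out the launched executable and flagging entries that HijackThis itself reports as missing. The regexes are my own reading of the log formats, not code from Kaspersky, HijackThis or ComboFix; the sample lines are copied from the logs posted above.

```python
"""Triage helpers for Kaspersky Online Scanner reports and HijackThis v2 logs.
Added example; the parsing rules are my own reading of the formats."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples: lines copied from the logs posted in this thread.
KASPERSKY_SAMPLE = r"""
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Program Files\Mozilla Firefox\plugins\NPMySrWB.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ssqroom.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\Program Files\lkdopwtu\tevkzyzo.dll.vir Infected: Trojan.Win32.Agent.atq skipped
C:\sysreset\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
"""
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: dlbt_device - Unknown owner - C:\WINDOWS\system32\dlbtcoms.exe (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
"""
QUARANTINE_PREFIX = r"C:\QooBox\Quarantine"  # ComboFix's quarantine folder, as seen in the log

@dataclass
class Detection:
    path: str
    verdict: str        # e.g. Trojan.Win32.Agent.atq
    quarantined: bool   # already in ComboFix's quarantine, i.e. not live on disk

# "Object is locked skipped" lines are in-use system files, not detections; only
# lines carrying "Infected:" are kept.
KAV_RE = re.compile(r'^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\S+)$')

def parse_kaspersky(text: str) -> List[Detection]:
    out = []
    for line in text.splitlines():
        m = KAV_RE.match(line.strip())
        if m:
            quarantined = m["path"].lower().startswith(QUARANTINE_PREFIX.lower())
            out.append(Detection(m["path"], m["verdict"], quarantined))
    return out

def live_detections(dets: List[Detection]) -> List[Detection]:
    """Detections outside the quarantine folder: the ones that still need acting on."""
    return [d for d in dets if not d.quarantined]

@dataclass
class AutostartEntry:
    section: str            # O4, O9, O23 ...
    location: str           # HKLM\..\Run, Global Startup, Service ...
    name: str
    target: Optional[str]   # executable the entry launches, if it could be parsed
    args: str
    missing: bool           # HijackThis itself reports the target as absent

RUN_RE = re.compile(r'^O4 - (?P<loc>HK[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$')
DASHED_RE = re.compile(r'^(?P<sec>O\d+) - (?P<loc>[^:]+): (?P<rest>.*)$')
# Executable path (quoted or not) followed by whatever arguments trail it.
PATH_RE = re.compile(r'^"?(?P<path>(?:[A-Za-z]:|%[^%]+%)\\.*?\.(?:exe|dll|scr|com|bat|cmd|cpl))"?(?P<args>.*)$', re.I)

def _entry(section: str, location: str, name: str, cmd: str) -> AutostartEntry:
    cmd = cmd.strip()
    missing = cmd in ("?", "(no file)") or cmd.endswith("(file missing)")
    m = PATH_RE.match(cmd)
    target = m["path"] if m else None
    args = m["args"].replace("(file missing)", "").strip() if m else ""
    return AutostartEntry(section, location, name, target, args, missing)

def parse_hjt(text: str) -> List[AutostartEntry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            entries.append(_entry("O4", m["loc"], m["name"], m["cmd"]))
            continue
        m = DASHED_RE.match(line)
        if m and m["sec"] in ("O2", "O3", "O9", "O23"):
            parts = [p.strip() for p in m["rest"].split(" - ")]  # name - vendor/CLSID - path
            entries.append(_entry(m["sec"], m["loc"], parts[0], parts[-1]))
    return entries

def missing_targets(entries: List[AutostartEntry]) -> List[AutostartEntry]:
    return [e for e in entries if e.missing]

if __name__ == "__main__":
    for d in live_detections(parse_kaspersky(KASPERSKY_SAMPLE)):
        print(f"live detection: {d.path}  [{d.verdict}]")
    for e in parse_hjt(HJT_SAMPLE):
        flag = "MISSING" if e.missing else "ok"
        print(f"{e.section:<4}{e.location:<16}{e.name:<32}{flag:<8}{e.target or '-'} {e.args}")
```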

#9 lechau

lechau

    Newbie

  • Members
  • 5 posts

Posted 30 July 2007 - 07:24 PM

Ah, thank you very much! You've been such a great help; you're the best.

#10 miekiemoes

miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • 4092 posts

Posted 31 July 2007 - 12:11 AM

You're most welcome :angry:

#11 miekiemoes

miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • 4092 posts

Posted 04 August 2007 - 09:54 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



