Tech Support Forum - View Single Post - Ried (or anyone who can help). I believe I have the malware mljgd.dll???

TKoester39 · 12-02-2007, 02:11 PM

OK Ried, here is my combofix Log

ComboFix 07-12-02.5 - Todd K 2007-12-02 14:56:06.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.237 [GMT -6:00]
Running from: C:\Documents and Settings\Todd K\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Todd K\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\SYSTEM32\aycdd.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\aycdd.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
.

2007-12-02 00:20 . 2007-12-02 00:20 <DIR> d-------- C:\WINDOWS\SDFIX
2007-12-01 15:42 . 2007-12-01 15:42 <DIR> d-------- C:\Deckard
2007-12-01 12:19 . 2007-12-01 12:24 <DIR> d-------- C:\Program Files\Spruce
2007-11-18 17:10 . 2007-11-18 17:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-18 17:10 . 2007-11-18 17:10 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-11 19:12 . 2001-08-17 13:53 7,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\changer.sys
2007-11-11 19:12 . 2001-08-17 13:53 7,296 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\changer.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-02 06:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-02 06:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-02 03:12 81,712 ----a-w C:\Documents and Settings\Todd K\Application Data\GDIPFONTCACHEV1.DAT
2007-12-01 20:35 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-11-28 02:39 --------- d-----w C:\Documents and Settings\Todd K\Application Data\SiteAdvisor
2007-11-22 00:40 --------- d-----w C:\Program Files\McAfee
2007-11-08 05:52 --------- d-----w C:\Program Files\Common Files\McAfee
2007-10-28 17:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-28 04:21 --------- d-----w C:\Program Files\Trend Micro
2007-10-27 21:56 --------- d-----w C:\Program Files\QuickTime
2007-10-27 20:53 --------- d-----w C:\Program Files\Google
2007-10-27 20:36 --------- d-----w C:\Program Files\DellSupport
2007-10-27 03:53 --------- d-----w C:\Documents and Settings\Todd K\Application Data\SUPERAntiSpyware.com
2007-10-27 03:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-27 03:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-26 21:57 --------- d-----w C:\Documents and Settings\Amy Rauls\Application Data\SiteAdvisor
2007-10-26 21:09 --------- d--h--w C:\Documents and Settings\Todd K\Application Data\Gtek
2007-10-26 18:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-10-26 04:26 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Webroot
2007-10-16 15:56 --------- d-----w C:\Program Files\Dell
2003-07-09 00:36 811 -c--a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2007-12-01_21.52.47.67 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-01 00:37:48 163,328 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\ERDNT.EXE
+ 2007-12-02 06:21:13 4,534,272 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-12-02 06:21:13 12,288 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-01 00:37:48 163,328 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-12-02 06:21:02 4,534,272 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2007-12-02 06:21:03 12,288 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2002-08-29 10:00:00 50,620 ----a-w C:\WINDOWS\SYSTEM32\COMMAND.COM
+ 2001-08-18 19:00:00 50,620 ----a-w C:\WINDOWS\SYSTEM32\COMMAND.COM
- 2007-12-02 00:11:37 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2007-12-02 17:09:36 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2007-12-02 00:11:37 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2007-12-02 17:09:36 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2007-12-02 00:11:37 49,152 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2007-12-02 17:09:36 49,152 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 14:08]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 21:55]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 19:34]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 13:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-03 23:03]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 14:02]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-11-17 16:14]
"SBC Yahoo! Connection Manager"="C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe" [2003-07-14 13:55]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-02-08 20:39]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 15:27]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 19:34]

C:\Documents and Settings\Todd K\Start Menu\Programs\Startup\
Spruce - Auto Update.lnk - C:\Program Files\Spruce\Spruce.exe [2007-12-01 12:19:27]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-01-03 16:30:52]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 11:28 684032 --a------ C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\Dell Support\DSAgnt.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2002-08-14 17:22 28672 -ra------ C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2002-11-03 13:56 188416 --a------ C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightLAN 02]
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe -l

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 02]
2003-06-11 00:52 122880 --a------ C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
1996-11-11 11:42 51216 --a------ C:\OPLIMIT\ocraware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
2007-08-18 03:12 394576 --a------ C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2004-07-01 12:15 53248 --a------ C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2004-07-01 12:15 131072 --a------ C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2003-12-10 03:52 380928 --a------ C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2004-09-28 20:26 32881 --a------ C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 00:00 90112 --------- C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
2004-11-10 22:15 111816 --a------ C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2002-07-23 10:58 12288 --a------ C:\Program Files\Winamp3\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
2003-12-09 14:02 57344 --a------ C:\Program Files\Yahoo!\browser\ybrwicon.exe

R2 PPCLASS;PPCLASS;C:\WINDOWS\System32\drivers\PPCLASS.sys
S2 PPSCAN;PPSCAN;C:\WINDOWS\System32\drivers\PPSCAN.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-15 07:30:04 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-12-01 07:00:31 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 15:05:27
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-02 15:08:43 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-02 12:35
C:\ComboFix3.txt ... 2007-12-01 23:50
.
--- E O F ---

I have noticed that when I open a new site, I still get notice the site is opened through (at bottom of page) http://servedby.advertising or adyield.mgr.

Is that ok???

Todd

12-02-2007, 02:11 PM	#10 (permalink)
TKoester39 Registered User Join Date: Oct 2007 Location: MO Posts: 22 OS: XP	Re: Ried (or anyone who can help). I believe I have the malware mljgd.dll??? OK Ried, here is my combofix Log ComboFix 07-12-02.5 - Todd K 2007-12-02 14:56:06.8 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.237 [GMT -6:00] Running from: C:\Documents and Settings\Todd K\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Todd K\Desktop\CFScript.txt * Created a new restore point FILE C:\WINDOWS\SYSTEM32\aycdd.ini . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\SYSTEM32\aycdd.ini . ((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 ))))))))))))))))))))))))))))))) . 2007-12-02 00:20 . 2007-12-02 00:20 <DIR> d-------- C:\WINDOWS\SDFIX 2007-12-01 15:42 . 2007-12-01 15:42 <DIR> d-------- C:\Deckard 2007-12-01 12:19 . 2007-12-01 12:24 <DIR> d-------- C:\Program Files\Spruce 2007-11-18 17:10 . 2007-11-18 17:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2007-11-18 17:10 . 2007-11-18 17:10 1,409 --a------ C:\WINDOWS\QTFont.for 2007-11-11 19:12 . 2001-08-17 13:53 7,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\changer.sys 2007-11-11 19:12 . 2001-08-17 13:53 7,296 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\changer.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-02 06:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater 2007-12-02 06:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor 2007-12-02 03:12 81,712 ----a-w C:\Documents and Settings\Todd K\Application Data\GDIPFONTCACHEV1.DAT 2007-12-01 20:35 --------- d-----w C:\Program Files\SUPERAntiSpyware 2007-11-28 02:39 --------- d-----w C:\Documents and Settings\Todd K\Application Data\SiteAdvisor 2007-11-22 00:40 --------- d-----w C:\Program Files\McAfee 2007-11-08 05:52 --------- d-----w C:\Program Files\Common Files\McAfee 2007-10-28 17:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2007-10-28 04:21 --------- d-----w C:\Program Files\Trend Micro 2007-10-27 21:56 --------- d-----w C:\Program Files\QuickTime 2007-10-27 20:53 --------- d-----w C:\Program Files\Google 2007-10-27 20:36 --------- d-----w C:\Program Files\DellSupport 2007-10-27 03:53 --------- d-----w C:\Documents and Settings\Todd K\Application Data\SUPERAntiSpyware.com 2007-10-27 03:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2007-10-27 03:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2007-10-26 21:57 --------- d-----w C:\Documents and Settings\Amy Rauls\Application Data\SiteAdvisor 2007-10-26 21:09 --------- d--h--w C:\Documents and Settings\Todd K\Application Data\Gtek 2007-10-26 18:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7 2007-10-26 04:26 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Webroot 2007-10-16 15:56 --------- d-----w C:\Program Files\Dell 2003-07-09 00:36 811 -c--a-w C:\Program Files\INSTALL.LOG . ((((((((((((((((((((((((((((( snapshot@2007-12-01_21.52.47.67 ))))))))))))))))))))))))))))))))))))))))) . + 2007-12-01 00:37:48 163,328 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\ERDNT.EXE + 2007-12-02 06:21:13 4,534,272 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000001\ntuser.dat + 2007-12-02 06:21:13 12,288 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX\Users\00000002\UsrClass.dat + 2007-12-01 00:37:48 163,328 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX_First_Run\ERDNT.EXE + 2007-12-02 06:21:02 4,534,272 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat + 2007-12-02 06:21:03 12,288 ----a-w C:\WINDOWS\SDFIX\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat - 2002-08-29 10:00:00 50,620 ----a-w C:\WINDOWS\SYSTEM32\COMMAND.COM + 2001-08-18 19:00:00 50,620 ----a-w C:\WINDOWS\SYSTEM32\COMMAND.COM - 2007-12-02 00:11:37 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT + 2007-12-02 17:09:36 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT - 2007-12-02 00:11:37 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT + 2007-12-02 17:09:36 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT - 2007-12-02 00:11:37 49,152 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT + 2007-12-02 17:09:36 49,152 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 14:08] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 21:55] "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 19:34] "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 13:06] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-03 23:03] "YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 14:02] "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-11-17 16:14] "SBC Yahoo! Connection Manager"="C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe" [2003-07-14 13:55] "SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-02-08 20:39] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 15:27] "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 19:34] C:\Documents and Settings\Todd K\Start Menu\Programs\Startup\ Spruce - Auto Update.lnk - C:\Program Files\Spruce\Spruce.exe [2007-12-01 12:19:27] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-01-03 16:30:52] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD] 2002-12-17 11:28 684032 --a------ C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG] BCMSMMSG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport] C:\Program Files\Dell Support\DSAgnt.exe /startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent] C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry] 2002-08-14 17:22 28672 -ra------ C:\WINDOWS\System32\DSentry.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility] 2002-11-03 13:56 188416 --a------ C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightLAN 02] C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe -l [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 02] 2003-06-11 00:52 122880 --a------ C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load] 1996-11-11 11:42 51216 --a------ C:\OPLIMIT\ocraware.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe] 2007-08-18 03:12 394576 --a------ C:\PROGRA~1\mcafee.com\agent\mcupdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask] 2004-07-01 12:15 53248 --a------ C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray] 2004-07-01 12:15 131072 --a------ C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge] 2003-12-10 03:52 380928 --a------ C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask.exe -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /startintray [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2004-09-28 20:26 32881 --a------ C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg] 2000-05-11 00:00 90112 --------- C:\WINDOWS\UpdReg.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr] 2004-11-10 22:15 111816 --a------ C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask] C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe /checktask [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] 2002-07-23 10:58 12288 --a------ C:\Program Files\Winamp3\winampa.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager] 1 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser] 2003-12-09 14:02 57344 --a------ C:\Program Files\Yahoo!\browser\ybrwicon.exe R2 PPCLASS;PPCLASS;C:\WINDOWS\System32\drivers\PPCLASS.sys S2 PPSCAN;PPSCAN;C:\WINDOWS\System32\drivers\PPSCAN.sys . Contents of the 'Scheduled Tasks' folder "2007-11-15 07:30:04 C:\WINDOWS\Tasks\McDefragTask.job" - c:\program files\mcafee\mqc\QcConsol.exe' "2007-12-01 07:00:31 C:\WINDOWS\Tasks\McQcTask.job" - c:\program files\mcafee\mqc\QcConsol.exe . ************************************************************************ catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-02 15:05:27 Windows 5.1.2600 Service Pack 1 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... ************************************************************************ . Completion time: 2007-12-02 15:08:43 - machine was rebooted C:\ComboFix2.txt ... 2007-12-02 12:35 C:\ComboFix3.txt ... 2007-12-01 23:50 . --- E O F --- I have noticed that when I open a new site, I still get notice the site is opened through (at bottom of page) http://servedby.advertising or adyield.mgr. Is that ok??? Todd