Tech Support Forum - View Single Post

ronwin · 01-22-2008, 04:32 PM

SDFix completed and Google Hijack corrected.
ComboFix failed to complete after 1/2 hour and all stages but had total blue screen with only an arrow on it so rebooted.

svchost needed for system restore was replaced by sfc /scannow but restore service can not find it. It is in C:\Windows|System32 where it should be. Help Please.

Here are reports requested.
Please advise any additional action required.

SDFix: Version 1.129

Run by Roz on Tue 01/22/2008 at 01:28 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Driver
msupdate

Path:
\??\C:\WINDOWS\system32\kernelw.sys
c:\windows\system32\..\svchost.exe

Driver - Deleted
msupdate - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\ACROIE~1.XML - Deleted
C:\WINDOWS\SYSTEM32\G1464.tmp.exe - Deleted
C:\WINDOWS\SYSTEM32\G2AF8.tmp.exe - Deleted
C:\WINDOWS\SYSTEM32\G5138.tmp.exe - Deleted
C:\WINDOWS\SYSTEM32\G52DE.tmp.exe - Deleted
C:\WINDOWS\SYSTEM32\G5A8E.tmp.exe - Deleted
C:\WINDOWS\SYSTEM32\G79AA.tmp.exe - Deleted
C:\WINDOWS\SYSTEM32\G910F.tmp.exe - Deleted
C:\WINDOWS\SYSTEM32\G963D.tmp.exe - Deleted
C:\WINDOWS\SYSTEM32\GBD5.tmp.exe - Deleted
C:\WINDOWS\SYSTEM32\GEBD8.tmp.exe - Deleted
C:\WINDOWS\Free Online Dating.ico - Deleted
C:\WINDOWS\monhop.exe - Deleted
C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\svchost.exe - Deleted

Folder C:\WINDOWS\system32\msdrives - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 13:37:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe:*:Disabled:backWeb-7288971"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 16 Nov 2004 848 A.SH. --- "C:\WINDOWS\SYSTEM32\KGyGaAvL.sys"
Mon 19 Jun 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 10 Jan 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Thu 10 Jan 2008 211 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Mon 11 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 14 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Tue 22 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT7.tmp"
Tue 6 Mar 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch10\lock.tmp"
Tue 6 Mar 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch11\lock.tmp"
Tue 6 Mar 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Tue 6 Mar 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch6\lock.tmp"
Tue 6 Mar 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch7\lock.tmp"
Tue 6 Mar 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch8\lock.tmp"
Tue 6 Mar 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch9\lock.tmp"

Finished!

ComboFix 08-01-23.1 - Roz 2008-01-22 15:21:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.72 [GMT -5:00]
Running from: C:\Documents and Settings\Roz\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:27, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.verizon.net/central/vzc.portal
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: AcroIEHelper - {F3CFA533-7680-4943-A863-B8216390E847} - C:\WINDOWS\SYSTEM32\AcroIEHelper.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [mmtask] "c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P7 /q C:\DOCUME~1\Roz\LOCALS~1\TEMPOR~1\Content.IE5\62OUHEVV\186_1_~1.SH! C:\DOCUME~1\Roz\LOCALS~1\TEMPOR~1\Content.IE5\FF2DE2IB\218097~1.SH! C:\DOCUME~1\Roz\LOCALS~1\TEMPOR~1\Content.IE5\K0WM2K4L\62854_~1.SH! C:\DOCUME~1\Roz\LOCALS~1\TEMPOR~1\Content.IE5\Y9BCCSI1\PIC002~1.SH! C:\DOCUME~1\Roz\LOCALS~1\TEMPOR~1\Content.IE5\Y9BCCSI1\PIC017~1.SH! C:\DOCUME~1\Roz\LOCALS~1\TEMPOR~1\Content.IE5\BDTWBVVZ\SEE_MO~1.SH! C:\DOCUME~1\Roz\LOCALS~1\TEMPOR~1\Content.IE5\K0WM2K4L\THUMB2~3.SH!
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O21 - SSODL: gaonic - {f31aee4a-1530-4fef-8537-79c6973bff9a} - (no file)
O21 - SSODL: detachments - {01d8d081-0f76-4ab5-b5e4-9b23a709670e} - (no file)
O22 - SharedTaskScheduler: gaonic - {f31aee4a-1530-4fef-8537-79c6973bff9a} - (no file)
O22 - SharedTaskScheduler: curdler - {bd0fc212-0a36-4232-83cc-2063fb9282e0} - (no file)
O22 - SharedTaskScheduler: carolus - {} - (no file)
O22 - SharedTaskScheduler: curing - {3aea41ad-3ce4-48d9-acab-be40ad329e40} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0095091200654302) (0095091200654302mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\009509~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7270 bytes

.

Thanks for all your assistance.

01-22-2008, 04:32 PM	#3 (permalink)
ronwin Registered User Join Date: Jan 2008 Posts: 8 OS: XP SP2	Re: Google hijack fix did not work SDFix completed and Google Hijack corrected. ComboFix failed to complete after 1/2 hour and all stages but had total blue screen with only an arrow on it so rebooted. svchost needed for system restore was replaced by sfc /scannow but restore service can not find it. It is in C:\Windows\|System32 where it should be. Help Please. Here are reports requested. Please advise any additional action required. SDFix: Version 1.129 Run by Roz on Tue 01/22/2008 at 01:28 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Safe Mode: Checking Services: Name: Driver msupdate Path: \??\C:\WINDOWS\system32\kernelw.sys c:\windows\system32\..\svchost.exe Driver - Deleted msupdate - Deleted Restoring Windows Registry Values Restoring Windows Default Hosts File Restoring Default HomePage Value Restoring Default Desktop Components Value Rebooting... Normal Mode: Checking Files: Trojan Files Found: C:\WINDOWS\SYSTEM32\ACROIE~1.XML - Deleted C:\WINDOWS\SYSTEM32\G1464.tmp.exe - Deleted C:\WINDOWS\SYSTEM32\G2AF8.tmp.exe - Deleted C:\WINDOWS\SYSTEM32\G5138.tmp.exe - Deleted C:\WINDOWS\SYSTEM32\G52DE.tmp.exe - Deleted C:\WINDOWS\SYSTEM32\G5A8E.tmp.exe - Deleted C:\WINDOWS\SYSTEM32\G79AA.tmp.exe - Deleted C:\WINDOWS\SYSTEM32\G910F.tmp.exe - Deleted C:\WINDOWS\SYSTEM32\G963D.tmp.exe - Deleted C:\WINDOWS\SYSTEM32\GBD5.tmp.exe - Deleted C:\WINDOWS\SYSTEM32\GEBD8.tmp.exe - Deleted C:\WINDOWS\Free Online Dating.ico - Deleted C:\WINDOWS\monhop.exe - Deleted C:\WINDOWS\search_res.txt - Deleted C:\WINDOWS\svchost.exe - Deleted Folder C:\WINDOWS\system32\msdrives - Removed Removing Temp Files... ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe No streams found. C:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-22 13:37:33 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe::Enabled:Kodak Software Updater" "C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe::Disabled:backWeb-7288971" "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe::Enabled:America Online 9.0" "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe::Enabled:EasyShare" "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe::Enabled:RealPlayer" "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE::Disabled:Internet Explorer" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe::Enabled:McAfee Network Agent" "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe::Enabled:Windows Messenger" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe::Enabled:America Online 9.0" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" Remaining Files: --------------- File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes: Tue 16 Nov 2004 848 A.SH. --- "C:\WINDOWS\SYSTEM32\KGyGaAvL.sys" Mon 19 Jun 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak" Thu 10 Jan 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak" Thu 10 Jan 2008 211 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak" Mon 11 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp" Tue 14 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp" Tue 22 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT7.tmp" Tue 6 Mar 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch10\lock.tmp" Tue 6 Mar 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch11\lock.tmp" Tue 6 Mar 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp" Tue 6 Mar 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch6\lock.tmp" Tue 6 Mar 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch7\lock.tmp" Tue 6 Mar 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch8\lock.tmp" Tue 6 Mar 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch9\lock.tmp" Finished! ComboFix 08-01-23.1 - Roz 2008-01-22 15:21:25.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.72 [GMT -5:00] Running from: C:\Documents and Settings\Roz\Desktop\ComboFix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!* . Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 16:27, on 2008-01-23 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe C:\Program Files\SiteAdvisor\6253\SiteAdv.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\Program Files\Dell Support\DSAgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe c:\program files\common files\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\Program Files\SiteAdvisor\6253\SAService.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Webroot\Spy Sweeper\SSU.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.verizon.net/central/vzc.portal R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll O2 - BHO: AcroIEHelper - {F3CFA533-7680-4943-A863-B8216390E847} - C:\WINDOWS\SYSTEM32\AcroIEHelper.dll O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll O4 - HKLM\..\Run: [mmtask] "c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe" O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe" O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P7 /q C:\DOCUME~1\Roz\LOCALS~1\TEMPOR~1\Content.IE5\62OUHEVV\186_1_~1.SH! C:\DOCUME~1\Roz\LOCALS~1\TEMPOR~1\Content.IE5\FF2DE2IB\218097~1.SH! C:\DOCUME~1\Roz\LOCALS~1\TEMPOR~1\Content.IE5\K0WM2K4L\62854_~1.SH! C:\DOCUME~1\Roz\LOCALS~1\TEMPOR~1\Content.IE5\Y9BCCSI1\PIC002~1.SH! C:\DOCUME~1\Roz\LOCALS~1\TEMPOR~1\Content.IE5\Y9BCCSI1\PIC017~1.SH! C:\DOCUME~1\Roz\LOCALS~1\TEMPOR~1\Content.IE5\BDTWBVVZ\SEE_MO~1.SH! C:\DOCUME~1\Roz\LOCALS~1\TEMPOR~1\Content.IE5\K0WM2K4L\THUMB2~3.SH! O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab O21 - SSODL: gaonic - {f31aee4a-1530-4fef-8537-79c6973bff9a} - (no file) O21 - SSODL: detachments - {01d8d081-0f76-4ab5-b5e4-9b23a709670e} - (no file) O22 - SharedTaskScheduler: gaonic - {f31aee4a-1530-4fef-8537-79c6973bff9a} - (no file) O22 - SharedTaskScheduler: curdler - {bd0fc212-0a36-4232-83cc-2063fb9282e0} - (no file) O22 - SharedTaskScheduler: carolus - {} - (no file) O22 - SharedTaskScheduler: curing - {3aea41ad-3ce4-48d9-acab-be40ad329e40} - (no file) O23 - Service: McAfee Application Installer Cleanup (0095091200654302) (0095091200654302mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\009509~1.EXE (file missing) O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- End of file - 7270 bytes . Thanks for all your assistance.