08-05-2008, 03:28 PM   #14
clearwaterbeach
Registered User
 
Join Date: Aug 2008
Posts: 28
OS: XP


Re: Possible Malware - Frequent Pop-Ups - winlogon.exe

Here is the log. New HJT log will be posted momentarily. Thanks.

ComboFix 08-08-04.07 - Alex 2008-08-05 16:26:45.1 - NTFSx86
Running from: C:\Documents and Settings\Alex\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Alex\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Alex\Application Data\macromedia\Flash Player\#SharedObjects\YBDG5BB4\interclick.com
C:\Documents and Settings\Alex\Application Data\macromedia\Flash Player\#SharedObjects\YBDG5BB4\interclick.com\ud.sol
C:\Documents and Settings\Alex\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Alex\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Hannah\Application Data\macromedia\Flash Player\#SharedObjects\4AGVSDZ8\interclick.com
C:\Documents and Settings\Hannah\Application Data\macromedia\Flash Player\#SharedObjects\4AGVSDZ8\interclick.com\ud.sol
C:\Documents and Settings\Hannah\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Hannah\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Temp\gbRve12
C:\WINDOWS\BMa3b56f89.txt
C:\WINDOWS\BMa3b56f89.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\BacbdMoq.ini
C:\WINDOWS\SYSTEM32\BacbdMoq.ini2
C:\WINDOWS\SYSTEM32\cigcjtbm.ini
C:\WINDOWS\SYSTEM32\cwyijejm.ini
C:\WINDOWS\SYSTEM32\frefsmhc.ini
C:\WINDOWS\SYSTEM32\jmllm.ini
C:\WINDOWS\SYSTEM32\jmllm.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mmcobgmf.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\SYSTEM32\pvaqtqmi.ini
C:\WINDOWS\system32\qoMdbcaB.dll
C:\WINDOWS\system32\yioojsmo.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 16:20 . 2008-08-05 16:20 91,648 --a------ C:\WINDOWS\SYSTEM32\efihcwoi.dll
2008-08-04 16:38 . 2008-08-04 16:38 105,472 --a------ C:\WINDOWS\SYSTEM32\ysyjfc.dll
2008-08-04 16:38 . 2008-08-04 16:38 105,472 --a------ C:\WINDOWS\SYSTEM32\nxteedks.dll
2008-08-04 16:36 . 2008-08-04 16:36 2,048 --a------ C:\WINDOWS\SYSTEM32\csxkvkhg.exe
2008-08-04 16:26 . 2008-08-04 16:26 2,048 --a------ C:\WINDOWS\SYSTEM32\dcsxkvkh.exe
2008-08-04 16:20 . 2008-08-04 16:20 105,472 --a------ C:\WINDOWS\SYSTEM32\zqotbb.dll
2008-08-04 16:20 . 2008-08-04 16:20 105,472 --a------ C:\WINDOWS\SYSTEM32\tsrxxeqw.dll
2008-08-04 16:20 . 2008-08-04 16:20 91,648 --a------ C:\WINDOWS\SYSTEM32\ceihtsrx.dll
2008-08-04 16:20 . 2008-08-04 16:20 83,456 --a------ C:\WINDOWS\SYSTEM32\fmgbocmm.dll
2008-08-04 16:18 . 2008-08-04 16:18 91,648 --a------ C:\WINDOWS\SYSTEM32\hbhqygce.dll
2008-08-03 16:20 . 2008-08-03 16:20 83,456 --a------ C:\WINDOWS\SYSTEM32\omsjooiy.dll
2008-08-03 16:18 . 2008-08-03 16:18 114,176 --a------ C:\WINDOWS\SYSTEM32\qnvsjaoe.dll
2008-08-03 16:17 . 2008-08-03 16:17 91,648 --a------ C:\WINDOWS\SYSTEM32\axsayfrq.dll
2008-08-02 21:13 . 2008-08-02 21:13 <DIR> d-------- C:\Deckard
2008-08-02 16:23 . 2008-08-02 16:23 114,176 --a------ C:\WINDOWS\SYSTEM32\jtkelgmj.dll
2008-08-02 16:17 . 2008-08-02 16:17 91,648 --a------ C:\WINDOWS\SYSTEM32\mrkfilju.dll
2008-08-02 10:13 . 2008-08-02 12:32 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-01 22:28 . 2008-08-01 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-01 16:18 . 2008-08-01 16:18 114,176 --a------ C:\WINDOWS\SYSTEM32\mtrfnt.dll
2008-08-01 16:18 . 2008-08-01 16:18 114,176 --a------ C:\WINDOWS\SYSTEM32\dgwdcycd.dll
2008-08-01 16:18 . 2008-08-01 16:18 83,456 --a------ C:\WINDOWS\SYSTEM32\imqtqavp.dll
2008-07-31 11:42 . 2008-07-31 11:42 105,472 --a------ C:\WINDOWS\SYSTEM32\wvirpw.dll
2008-07-31 11:42 . 2008-07-31 11:42 105,472 --a------ C:\WINDOWS\SYSTEM32\mkxpgiki.dll
2008-07-31 11:42 . 2008-07-31 11:42 91,648 --a------ C:\WINDOWS\SYSTEM32\ifcanguk.dll
2008-07-31 11:37 . 2008-07-31 11:37 <DIR> d-------- C:\VundoFix Backups
2008-07-30 11:43 . 2008-07-30 11:43 105,472 --a------ C:\WINDOWS\SYSTEM32\warvqdls.dll
2008-07-30 11:43 . 2008-07-30 11:43 105,472 --a------ C:\WINDOWS\SYSTEM32\dggqyb.dll
2008-07-30 11:42 . 2008-07-30 11:42 83,456 --a------ C:\WINDOWS\SYSTEM32\mjejiywc.dll
2008-07-30 11:29 . 2008-07-30 11:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\kBin19
2008-07-30 11:29 . 2008-07-30 11:29 <DIR> d-------- C:\temp\epr1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 19:51 --------- d-----w C:\Documents and Settings\Alex\Application Data\SiteAdvisor
2008-08-05 18:20 --------- d-----w C:\Program Files\McAfee
2008-07-20 17:40 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2008-06-26 23:24 --------- d-----w C:\Documents and Settings\Jeff\Application Data\McAfee
2008-06-23 16:17 --------- d-----w C:\Documents and Settings\Alex\Application Data\AdobeUM
2008-06-22 15:16 --------- d-----w C:\Documents and Settings\Jeff\Application Data\SiteAdvisor
2008-06-20 21:57 --------- d-----w C:\Documents and Settings\Jeff\Application Data\Auslogics
2008-06-20 21:46 --------- d-----w C:\Program Files\Advanced System Optimizer
2008-06-20 21:44 --------- d-----w C:\Documents and Settings\Jeff\Application Data\Systweak
2008-06-20 20:46 --------- d-----w C:\Documents and Settings\Jeff\Application Data\Uniblue
2008-06-20 18:36 --------- d-----w C:\Documents and Settings\Jeff\Application Data\AdobeUM
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 18:30 --------- d-----w C:\Documents and Settings\Hannah\Application Data\SiteAdvisor
2008-06-14 16:02 --------- d-----w C:\Documents and Settings\Hannah\Application Data\AdobeUM
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 04:05 --------- d-----w C:\Program Files\Apple Software Update
2008-06-13 03:57 --------- d-----w C:\Program Files\iTunes
2008-06-13 03:57 --------- d-----w C:\Program Files\iPod
2008-06-13 03:54 --------- d-----w C:\Program Files\QuickTime
2008-04-23 00:40 20,019 ----a-w C:\Program Files\unfreez.zip
2007-04-15 21:48 891,281 -c--a-w C:\Documents and Settings\Jeff\CIC.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{475ab01a-b7f8-4762-8174-ea3c24a6e3e5}]
2008-08-05 16:23 105472 --a------ C:\WINDOWS\system32\lfjsee.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 13:00 200704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59 224248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48 32881]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 12:43 53248]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12 221184]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15 290816]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 02:04 122933]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01 110592]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 16:49 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-03 19:20 185784]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-30 11:42 36904]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 14:59 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 12:22 20480]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59 224248]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"BMa3b56f89"="C:\WINDOWS\system32\efihcwoi.dll" [2008-08-05 16:20 91648]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"C:\\Program Files\\Cat Daddy Games\\Renegade Paintball\\PaintballGame.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ce62342-4c1d-11db-b594-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2008-06-13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2006-10-07 C:\WINDOWS\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AOLDialer - C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
HKLM-Run-a0865c15 - C:\WINDOWS\system32\mbtjcgic.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://home.bellsouth.net/
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://media66.fastclick.net/w/safepop.cgi?mid=37618&sid=15231&id=102196&len=0&c=44&nfcp=1&fp=2
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O8 -: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 -: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
O15 -: Trusted Zone: *.amaena.com
O15 -: Trusted Zone: *.onerateld.com


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 16:42:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
.
**************************************************************************
.
Completion time: 2008-08-05 16:56:32 - machine was rebooted [Alex]
ComboFix-quarantined-files.txt 2008-08-05 20:56:27

Pre-Run: 41,825,669,120 bytes free
Post-Run: 42,049,691,648 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

206 --- E O F --- 2008-08-05 20:51:17