|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
06-02-2007, 09:43 AM
|
#1 (permalink) |
|
I helped the forums.
Join Date: Mar 2005
Location: Long Island, NY
Posts: 21
OS: XP
|
malware help please
Deckard's System Scanner v20070426.43
Run by Kenneth J. Rivalsi on 2007-06-02 at 10:31:11 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 5 Restore Point(s) -- 99: 2007-06-02 15:31:18 UTC - RP1069 - Deckard's System Scanner Restore Point 98: 2007-06-02 01:21:43 UTC - RP1068 - Installed Ad-Aware SE Personal 97: 2007-06-01 23:43:38 UTC - RP1067 - System Checkpoint 96: 2007-05-31 22:50:37 UTC - RP1066 - System Checkpoint 95: 2007-05-30 22:49:22 UTC - RP1065 - System Checkpoint -- First Restore Point -- 1: 2007-03-04 23:23:34 UTC - RP971 - System Checkpoint Backed up registry hives. Performed disk cleanup. -- HijackThis (run as Kenneth J. Rivalsi.exe) ---------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 10:35:23 AM, on 6/2/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16441) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\program files\common files\mcafee\mna\mcnasvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe C:\PROGRA~1\McAfee\MSC\mcpromgr.exe c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\ScanSoft\OmniPageSE\opware32.exe C:\WINDOWS\System32\DSentry.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\Program Files\Microsoft ActiveSync\Wcescomm.exe C:\PROGRA~1\MI3AA1~1\rapimgr.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Digital Line Detect\DLG.exe C:\QUICKENW\QWDLLS.EXE C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe C:\Program Files\Internet Explorer\iexplore.exe C:\tmp\dss\dss.exe C:\Security\HIJACK~1\Kenneth J. Rivalsi.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINDOWS\system32\nnnoljk.dll O2 - BHO: (no name) - {342D42EA-2E1F-4B99-AC19-9A976FC3E5D2} - C:\WINDOWS\system32\jkhhf.dll O2 - BHO: (no name) - {36362D3C-2940-48E5-802D-CD07E93C0F26} - C:\WINDOWS\system32\xjoybswo.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\amoiiqrl.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\pfayutld.dll",realset O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175043024921 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O20 - Winlogon Notify: jkhhf - C:\WINDOWS\system32\jkhhf.dll O20 - Winlogon Notify: nnnoljk - C:\WINDOWS\SYSTEM32\nnnoljk.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing) O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- File Associations ----------------------------------------------------------- .ini - UltraEdit.ini - DefaultIcon - unable to read value .ini - UltraEdit.ini - shell\open\command - "C:\Program Files\UltraEdit\uedit32.exe" "%1" .js - UltraEdit.js - DefaultIcon - unable to read value .js - UltraEdit.js - shell\open\command - "C:\Program Files\UltraEdit\uedit32.exe" "%1" .txt - UltraEdit.txt - DefaultIcon - unable to read value .txt - UltraEdit.txt - shell\open\command - "C:\Program Files\UltraEdit\uedit32.exe" "%1" -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R0 agp440 (Intel AGP Bus Filter) - c:\windows\\systemroot\system32\drivers\agp440.sys (file missing) R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver> R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; Pinnacle Systems GmbH; asapi> S3 CQX (Susteen Virtual Serial Port Driver) - c:\windows\system32\drivers\cqx.sys <Not Verified; Susteen Inc.; Susteen USB Cable> S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing) S3 SUSTUCAM (Susteen USB Cable Modem Driver) - c:\windows\system32\drivers\sustucam.sys <Not Verified; Susteen, Inc.; Susteen USB Cable> -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- All services whitelisted. -- Scheduled Tasks ------------------------------------------------------------- 2007-06-01 06:40:03 378 --a------ C:\WINDOWS\Tasks\McQcTask.job 2007-05-15 01:14:34 376 --a------ C:\WINDOWS\Tasks\McDefragTask.job -- Files created between 2007-05-02 and 2007-06-02 ----------------------------- 2007-06-01 23:05:31 0 d-------- C:\ie-spyad 2007-06-01 22:46:43 0 d-------- C:\Program Files\SpywareBlaster 2007-06-01 20:46:50 0 d-------- C:\WINDOWS\system32\ActiveScan 2007-06-01 20:27:00 0 d-------- C:\Documents and Settings\Kenneth J. Rivalsi\Application Data\Lavasoft 2007-06-01 20:21:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-06-01 20:09:46 2580 --a------ C:\WINDOWS\system32\aythwrvb.exe 2007-06-01 20  38 131124 --a------ C:\WINDOWS\system32\pfayutld.dll2007-06-01 20:03:46 125460 --a------ C:\WINDOWS\system32\xjoybswo.dll 2007-06-01 20:00:49 1594797 ---hs---- C:\WINDOWS\system32\fhhkj.bak2 2007-05-31 20:09:30 50740 --a------ C:\WINDOWS\system32\amoiiqrl.dll 2007-05-31 20:00:39 1541369 ---hs---- C:\WINDOWS\system32\fhhkj.bak1 2007-05-31 20:00:23 263220 ---hs---- C:\WINDOWS\system32\jkhhf.dll 2007-05-31 19:52:07 29206 --a------ C:\WINDOWS\system32\pmnonoo.dll 2007-05-31 19:51:33 0 d-------- C:\WINDOWS\system32\T6 2007-05-31 19:51:33 0 d-------- C:\WINDOWS\system32\T4 2007-05-31 19:51:33 0 d-------- C:\WINDOWS\system32\T3 2007-05-31 19:51:33 0 d-------- C:\WINDOWS\system32\pog 2007-05-31 19:51:28 40183 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe 2007-05-31 19:51:27 0 d-------- C:\WINDOWS\system32\T1QaSQ 2007-05-31 19:51:26 0 d-------- C:\Temp 2007-05-31 19:51:25 29206 --a------ C:\WINDOWS\system32\nnnoljk.dll 2007-05-09 19:04:30 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2 -- Find3M Report --------------------------------------------------------------- 2007-06-01 23:29:49 288 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat 2007-06-01 23:29:49 288 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat 2007-06-01 21:38:11 0 d-------- C:\Program Files\Microsoft ActiveSync 2007-06-01 21:38:08 0 d-------- C:\Program Files\Messenger 2007-06-01 21:35:18 0 d-------- C:\Program Files\iTunes 2007-06-01 21:34:32 0 d-------- C:\Program Files\Google 2007-06-01 21:34:28 0 d-------- C:\Program Files\Digital Line Detect 2007-06-01 20:21:49 0 d-------- C:\Program Files\Lavasoft 2007-05-31 19:51:36 0 d-------- C:\Program Files\MSN Gaming Zone 2007-05-30 22:11:20 0 d-------- C:\Documents and Settings\Kenneth J. Rivalsi\Application Data\AdobeUM 2007-05-26 10:16:01 0 d-------- C:\Program Files\McAfee 2007-05-13 20:35:35 0 d-------- C:\Documents and Settings\Kenneth J. Rivalsi\Application Data\Canon 2007-04-27 19:07:12 108 --a------ C:\WINDOWS\Winsus1.dat 2007-04-27 18:43:10 0 d--h----- C:\Program Files\InstallShield Installation Information 2007-04-27 18:31:45 0 d-------- C:\Program Files\Susteen 2007-04-19 19:45:09 0 d-------- C:\Program Files\Windows Media Connect 2 2007-04-15 14:15:21 0 d-------- C:\Program Files\Windows CE Tools 2007-03-28 20:23:36 2528 --a------ C:\Documents and Settings\Kenneth J. Rivalsi\Application Data\$_hpcst$.hpc -- Registry Dump --------------------------------------------------------------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll {2432F099-F8E2-43C9-B765-3AF002FFC6A7} C:\WINDOWS\system32\nnnoljk.dll {342D42EA-2E1F-4B99-AC19-9A976FC3E5D2} C:\WINDOWS\system32\jkhhf.dll {36362D3C-2940-48E5-802D-CD07E93C0F26} C:\WINDOWS\system32\xjoybswo.dll {53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll {5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\system32\dla\tfswshx.dll {7DB2D5A0-7241-4E79-B68D-6309F01C5231} c:\program files\mcafee\virusscan\scriptcl.dll {AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar4.dll {AE7CD045-E861-484f-8273-0445EE161910} C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll {CD3447D4-CA39-4377-8084-30E86331D74C} C:\WINDOWS\system32\amoiiqrl.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r" "PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg" "PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\"" "Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe" "DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe" "dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe" "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe" "ATIModeChange"="Ati2mdxx.exe" "CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe" "CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE" "CTHelper"="CTHELPER.EXE" "AsioReg"="REGSVR32.EXE /S CTASIO.DLL" "UpdReg"="C:\\WINDOWS\\UpdReg.EXE" "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "Genuine"="rundll32.exe \"C:\\WINDOWS\\system32\\pfayutld.dll\",realset" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "SB Audigy 2 Startup Menu"=" /L:ENG" "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe" "H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\Wcescomm.exe\"" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{2432F099-F8E2-43C9-B765-3AF002FFC6A7}"="" HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhhf HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnoljk HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 -- End of Deckard's System Scanner: finished at 2007-06-02 at 10:36:39 --------- |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
06-06-2007, 04:03 PM
|
#4 (permalink) |
|
Analyst, Security Team
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04
|
Re: malware help please
Hi islavir
I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help. ================================== Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER. =============================================== We will be cleaning out the Temp folders so before proceeding any further, please move Deckard's System Scanner (DSS) to your Desktop =============================================== Additional Downloads ================= 1. Download this file - Here * IMPORTANT !!! Place combofix.exe on your Desktop Double click on combofix.exe & follow the prompts. When finished, it shall produce a log for you. Post the ComboFix.txt in your next reply. Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall ================= In your next post, please include fresh logs from:
|
|
|
|
|
06-06-2007, 06:56 PM
|
#5 (permalink) |
|
I helped the forums.
Join Date: Mar 2005
Location: Long Island, NY
Posts: 21
OS: XP
|
Re: malware help please
Here are the results of combofix and a new DSS scan.
Just after the first post, I had also run VundoFix.exe and Look2Me-Destroyer.exe. "Kenneth J. Rivalsi" - 2007-06-06 19:14:17 Service Pack 2 NTFS ComboFix 07-06-06 - Running from: "" (((((((((((((((((((((((((((((((((((((((((((( V Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\xjoybswo.dll * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe C:\Temp\0b9 C:\Temp\0b9\tmpTF.log C:\WINDOWS\system32\pog C:\WINDOWS\system32\T3 C:\WINDOWS\system32\T4 ((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 ))))))))))))))))))))))))))))))) 2007-06-06 19:13 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-06-05 06:41 <DIR> d-------- C:\VundoFix Backups 2007-06-04 20:15 <DIR> d--hs---- C:\WINDOWS\CSC 2007-06-04 20:05 2,580 --a------ C:\WINDOWS\SYSTEM32\lseurfgd.exe 2007-06-03 20:07 2,580 --a------ C:\WINDOWS\SYSTEM32\ohhsoocb.exe 2007-06-02 20:08 2,580 --a------ C:\WINDOWS\SYSTEM32\olchebdq.exe 2007-06-02 10:30 <DIR> d-------- C:\Deckard 2007-06-01 23:05 <DIR> d-------- C:\ie-spyad 2007-06-01 22:46 <DIR> d-------- C:\Program Files\SpywareBlaster 2007-06-01 20:46 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan 2007-06-01 20:27 <DIR> d-------- C:\DOCUME~1\KENNET~1.RIV\APPLIC~1\Lavasoft 2007-06-01 20:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-06-01 20:09 2,580 --a------ C:\WINDOWS\SYSTEM32\aythwrvb.exe 2007-05-31 19:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\T6 2007-05-31 19:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\T1QaSQ 2007-05-31 19:51 <DIR> d-------- C:\Temp\x2b 2007-05-31 19:51 <DIR> d-------- C:\Temp 2007-05-09 19:04 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-07 00:19:35 288 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat 2007-06-07 00:19:35 288 ----a-w C:\WINDOWS\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat 2007-06-07 00:02:29 -------- d-----w C:\DOCUME~1\KENNET~1.RIV\APPLIC~1\Canon 2007-06-02 02:38:11 -------- d-----w C:\Program Files\Microsoft ActiveSync 2007-06-02 02:38:08 -------- d-----w C:\Program Files\Messenger 2007-06-02 02:35:18 -------- d-----w C:\Program Files\iTunes 2007-06-02 02:34:32 -------- d-----w C:\Program Files\Google 2007-06-02 02:34:28 -------- d-----w C:\Program Files\Digital Line Detect 2007-06-02 01:21:49 -------- d-----w C:\Program Files\Lavasoft 2007-06-01 00:51:36 -------- d-----w C:\Program Files\MSN Gaming Zone 2007-05-31 03:11:20 -------- d-----w C:\DOCUME~1\KENNET~1.RIV\APPLIC~1\AdobeUM 2007-05-26 15:16:01 -------- d-----w C:\Program Files\McAfee 2007-04-28 00:07:12 108 ----a-w C:\WINDOWS\Winsus1.dat 2007-04-27 23:43:10 -------- d--h--w C:\Program Files\InstallShield Installation Information 2007-04-27 23:31:45 -------- d-----w C:\Program Files\Susteen 2007-04-20 00:45:09 -------- d-----w C:\Program Files\Windows Media Connect 2 2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll 2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll 2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll 2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll 2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll 2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll 2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll 2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe 2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll 2007-04-17 03:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll 2007-04-17 03:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll 2007-04-15 19:15:21 -------- d-----w C:\Program Files\Windows CE Tools 2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll 2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll 2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll 2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll 2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-11-03 17:17] {41A09F2C-7931-4861-A562-23ED0F74ADF9}=C:\WINDOWS\system32\jkhhf.dll [] {53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2004-05-12 01:03] {5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2003-08-06 01:04] {7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\program files\mcafee\virusscan\scriptcl.dll [2006-12-22 16:02] {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-19 23:55] {AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 00:03] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01] "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 19:47] "Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 10:38] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-24 21:10] "ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe] "CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 08:18] "CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 00:00] "CTHelper"="CTHELPER.EXE" [2003-02-20 17:45 C:\WINDOWS\SYSTEM32\CTHELPER.EXE] "AsioReg"="REGSVR32.exe" [2004-08-04 02:56 C:\WINDOWS\SYSTEM32\regsvr32.exe] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SB Audigy 2 Startup Menu"=" /L:ENG" [] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-24 07:40] "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnoljk] nnnoljk.dll HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs* Contents of the 'Scheduled Tasks' folder 2007-05-15 06:14:34 C:\WINDOWS\tasks\McDefragTask.job 2007-06-01 11:40:03 C:\WINDOWS\tasks\McQcTask.job ************************************************************************** catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-06 19:20:24 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-06-06 19:22:12 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-06-06 19:22 --- E O F --- ****************** Deckard's System Scanner v20070426.43 Run by Kenneth J. Rivalsi on 2007-06-06 at 19:30:44 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- HijackThis (run as Kenneth J. Rivalsi.exe) ---------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 7:31:17 PM, on 6/6/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16441) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\program files\common files\mcafee\mna\mcnasvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\ScanSoft\OmniPageSE\opware32.exe C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\McAfee\MSC\mcpromgr.exe c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\Program Files\Microsoft ActiveSync\Wcescomm.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Digital Line Detect\DLG.exe C:\QUICKENW\QWDLLS.EXE C:\PROGRA~1\MI3AA1~1\rapimgr.exe C:\Program Files\iPod\bin\iPodService.exe C:\tmp\dss\dss.exe C:\Security\HIJACK~1\KENNET~1.EXE R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {41A09F2C-7931-4861-A562-23ED0F74ADF9} - C:\WINDOWS\system32\jkhhf.dll (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175043024921 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O20 - Winlogon Notify: nnnoljk - nnnoljk.dll (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing) O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- Files created between 2007-05-06 and 2007-06-06 ----------------------------- 2007-06-05 06:41:05 0 d-------- C:\VundoFix Backups 2007-06-04 20:15:21 0 d--hs---- C:\WINDOWS\CSC 2007-06-04 20:05:03 2580 --a------ C:\WINDOWS\system32\lseurfgd.exe 2007-06-03 20:07:02 2580 --a------ C:\WINDOWS\system32\ohhsoocb.exe 2007-06-02 20:08:13 2580 --a------ C:\WINDOWS\system32\olchebdq.exe 2007-06-01 23:05:31 0 d-------- C:\ie-spyad 2007-06-01 22:46:43 0 d-------- C:\Program Files\SpywareBlaster 2007-06-01 20:46:50 0 d-------- C:\WINDOWS\system32\ActiveScan 2007-06-01 20:27:00 0 d-------- C:\Documents and Settings\Kenneth J. Rivalsi\Application Data\Lavasoft 2007-06-01 20:21:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-06-01 20:09:46 2580 --a------ C:\WINDOWS\system32\aythwrvb.exe 2007-05-31 19:51:33 0 d-------- C:\WINDOWS\system32\T6 2007-05-31 19:51:27 0 d-------- C:\WINDOWS\system32\T1QaSQ 2007-05-31 19:51:26 0 d-------- C:\Temp 2007-05-09 19:04:30 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2 -- Find3M Report --------------------------------------------------------------- 2007-06-06 19:19:35 288 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat 2007-06-06 19:19:35 288 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat 2007-06-06 19:02:29 0 d-------- C:\Documents and Settings\Kenneth J. Rivalsi\Application Data\Canon 2007-06-01 21:38:11 0 d-------- C:\Program Files\Microsoft ActiveSync 2007-06-01 21:38:08 0 d-------- C:\Program Files\Messenger 2007-06-01 21:35:18 0 d-------- C:\Program Files\iTunes 2007-06-01 21:34:32 0 d-------- C:\Program Files\Google 2007-06-01 21:34:28 0 d-------- C:\Program Files\Digital Line Detect 2007-06-01 20:21:49 0 d-------- C:\Program Files\Lavasoft 2007-05-31 19:51:36 0 d-------- C:\Program Files\MSN Gaming Zone 2007-05-30 22:11:20 0 d-------- C:\Documents and Settings\Kenneth J. Rivalsi\Application Data\AdobeUM 2007-05-26 10:16:01 0 d-------- C:\Program Files\McAfee 2007-04-27 19:07:12 108 --a------ C:\WINDOWS\Winsus1.dat 2007-04-27 18:43:10 0 d--h----- C:\Program Files\InstallShield Installation Information 2007-04-27 18:31:45 0 d-------- C:\Program Files\Susteen 2007-04-19 19:45:09 0 d-------- C:\Program Files\Windows Media Connect 2 2007-04-15 14:15:21 0 d-------- C:\Program Files\Windows CE Tools 2007-03-28 20:23:36 2528 --a------ C:\Documents and Settings\Kenneth J. Rivalsi\Application Data\$_hpcst$.hpc -- Registry Dump --------------------------------------------------------------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll {41A09F2C-7931-4861-A562-23ED0F74ADF9} C:\WINDOWS\system32\jkhhf.dll [x] {53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll {5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\system32\dla\tfswshx.dll {7DB2D5A0-7241-4E79-B68D-6309F01C5231} c:\program files\mcafee\virusscan\scriptcl.dll {AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar4.dll {AE7CD045-E861-484f-8273-0445EE161910} C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r" "PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\"" "Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe" "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe" "ATIModeChange"="Ati2mdxx.exe" "CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe" "CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE" "CTHelper"="CTHELPER.EXE" "AsioReg"="REGSVR32.EXE /S CTASIO.DLL" "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "SB Audigy 2 Startup Menu"=" /L:ENG" "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe" "H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\Wcescomm.exe\"" HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnoljk HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 -- End of Deckard's System Scanner: finished at 2007-06-06 at 19:31:41 --------- |
|
|
|
|
06-07-2007, 02:48 AM
|
#6 (permalink) |
|
Analyst, Security Team
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04
|
Re: malware help please
Hi islavir
Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER. =============================================== Additional Downloads Please download these additional files/programs. Do not run them until instructed to do so. Unless otherwise stated, they should be stored in same directory as the HiJackThis program. ================= Please download the OTMoveIt by OldTimer. Save it to your desktop. Double-click OTMoveIt.exe to run it.
=================================== Run a scan with HiJackThis & select/tick the following & click "Fix checked" : O2 - BHO: (no name) - {41A09F2C-7931-4861-A562-23ED0F74ADF9} - C:\WINDOWS\system32\jkhhf.dll (file missing) O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O20 - Winlogon Notify: nnnoljk - nnnoljk.dll (file missing) Please remember to close all other windows, including browsers then click Fix checked. =============================================== Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%. ================= Please Run a scan with Deckards System Scanner (DSS) and save the log =============================================== Please post the following logs in your next reply, in the following order:
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now. |
|
|
|
|
06-07-2007, 07:28 PM
|
#7 (permalink) |
|
I helped the forums.
Join Date: Mar 2005
Location: Long Island, NY
Posts: 21
OS: XP
|
Re: malware help please
***** OTMoveIt Log ******
C:\WINDOWS\SYSTEM32\lseurfgd.exe moved successfully. C:\WINDOWS\SYSTEM32\ohhsoocb.exe moved successfully. C:\WINDOWS\SYSTEM32\olchebdq.exe moved successfully. C:\WINDOWS\SYSTEM32\aythwrvb.exe moved successfully. Created on 06/07/2007 05:43:15 ****** Kaspersky Extended Scan Log ****** ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Thursday, June 07, 2007 7:59:09 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.93.0 Kaspersky Anti-Virus database last update: 7/06/2007 Kaspersky Anti-Virus database records: 341449 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ G:\ H:\ I:\ J:\ Scan Statistics: Total number of scanned objects: 167212 Number of viruses found: 7 Number of infected objects: 15 Number of suspicious objects: 19 Duration of the scan process: 02:44:43 Infected Object Name / Virus Name / Last Action C:\backup\even\dad.zip/outlook/outlook_backup.pst/Personal Folders/Deleted Items/20 Sep 2002 18:10 from jkassel:Please try again.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped C:\backup\even\dad.zip/outlook/outlook_backup.pst/Personal Folders/Deleted Items/23 Sep 2002 18:32 from steve200:Darling.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped C:\backup\even\dad.zip/outlook/outlook_backup.pst/Personal Folders/Deleted Items/26 Sep 2002 17:46 from eeniemini:Hello,the Garden of Eden.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped C:\backup\even\dad.zip/outlook/outlook_backup.pst/Personal Folders/Deleted Items/07 Oct 2002 15:00 from Debra:Re: USA exam.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped C:\backup\even\dad.zip/outlook/outlook_backup.pst Suspicious: Exploit.HTML.Iframe.FileDownload skipped C:\backup\even\dad.zip ZIP: suspicious - 5 skipped C:\backup\odd\dad.zip/outlook/outlook_backup.pst/Personal Folders/Deleted Items/20 Sep 2002 18:10 from jkassel:Please try again.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped C:\backup\odd\dad.zip/outlook/outlook_backup.pst/Personal Folders/Deleted Items/23 Sep 2002 18:32 from steve200:Darling.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped C:\backup\odd\dad.zip/outlook/outlook_backup.pst/Personal Folders/Deleted Items/26 Sep 2002 17:46 from eeniemini:Hello,the Garden of Eden.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped C:\backup\odd\dad.zip/outlook/outlook_backup.pst/Personal Folders/Deleted Items/07 Oct 2002 15:00 from Debra:Re: USA exam.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped C:\backup\odd\dad.zip/outlook/outlook_backup.pst Suspicious: Exploit.HTML.Iframe.FileDownload skipped C:\backup\odd\dad.zip ZIP: suspicious - 5 skipped C:\Deckard\System Scanner\20070605165340\backup\DOCUME~1\KENNET~1.RIV\LOCALS~1\Temp\NI.UWAS6_0001_N68M2301\setup.exe Infected: not-a-virus:FraudTool.Win32.WinAnti skipped C:\Deckard\System Scanner\20070605165340\backup\DOCUME~1\KENNET~1.RIV\LOCALS~1\Temp\WinAntiSpyware2006Setup.exe/Stream/data0003 Infected: not-a-virus:FraudTool.Win32.WinAnti skipped C:\Deckard\System Scanner\20070605165340\backup\DOCUME~1\KENNET~1.RIV\LOCALS~1\Temp\WinAntiSpyware2006Setup.exe/Stream Infected: not-a-virus:FraudTool.Win32.WinAnti skipped C:\Deckard\System Scanner\20070605165340\backup\DOCUME~1\KENNET~1.RIV\LOCALS~1\Temp\WinAntiSpyware2006Setup.exe Inno: infected - 2 skipped C:\Deckard\System Scanner\20070605165340\backup\DOCUME~1\KENNET~1.RIV\LOCALS~1\Temp\yazzlesnet.exe Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{408E44E6-0773-48B4-8032-520198C89AAE}.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{FF85258B-6CF5-4758-BD69-BD131F598B66}.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR4.tmp Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped C:\Documents and Settings\Kenneth J. Rivalsi\Application Data\$_hpcst$.hpc Object is locked skipped C:\Documents and Settings\Kenneth J. Rivalsi\Cookies\INDEX.DAT Object is locked skipped C:\Documents and Settings\Kenneth J. Rivalsi\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Kenneth J. Rivalsi\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Kenneth J. Rivalsi\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped C:\Documents and Settings\Kenneth J. Rivalsi\Local Settings\Temp\WCESLog.log Object is locked skipped C:\Documents and Settings\Kenneth J. Rivalsi\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Kenneth J. Rivalsi\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Kenneth J. Rivalsi\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_788.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\My Documents\dad\outlook\outlook_backup.pst/Personal Folders/Deleted Items/20 Sep 2002 18:10 from jkassel:Please try again.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped C:\My Documents\dad\outlook\outlook_backup.pst/Personal Folders/Deleted Items/23 Sep 2002 18:32 from steve200:Darling.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped C:\My Documents\dad\outlook\outlook_backup.pst/Personal Folders/Deleted Items/26 Sep 2002 17:46 from eeniemini:Hello,the Garden of Eden.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped C:\My Documents\dad\outlook\outlook_backup.pst/Personal Folders/Deleted Items/07 Oct 2002 15:00 from Debra:Re: USA exam.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped C:\My Documents\dad\outlook\outlook_backup.pst Mail MS Mail: suspicious - 4 skipped C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_59.trc Object is locked skipped C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xjoybswo.dll.vir Suspicious: Packed.Win32.Morphine.a skipped C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1066\A0091318.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1072\A0092293.dll Infected: Trojan.Win32.BHO.bd skipped C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1072\A0092296.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1072\A0092297.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kg skipped C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1073\A0092375.dll Suspicious: Packed.Win32.Morphine.a skipped C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1074\change.log Object is locked skipped C:\VundoFix Backups\amoiiqrl.dll.bad Infected: Trojan.Win32.BHO.bd skipped C:\VundoFix Backups\jkhhf.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped C:\VundoFix Backups\pfayutld.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kg skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\Temp\mcmsc_CcaQyXbNJlLmbBd Object is locked skipped C:\WINDOWS\Temp\mcmsc_ccLU7HSVUD4XCCa Object is locked skipped C:\WINDOWS\Temp\mcmsc_FJK4L7FiW4TbpQn Object is locked skipped C:\WINDOWS\Temp\mcmsc_qCXVyuTdi44pSHh Object is locked skipped C:\WINDOWS\Temp\mcmsc_s3t505Q1hyYwWIQ Object is locked skipped C:\WINDOWS\WIADEBUG.LOG Object is locked skipped C:\WINDOWS\WIASERVC.LOG Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped C:\WINDOWS\{00000002-00000000-00000002-00001102-00000004-10031102}.CDF Object is locked skipped C:\_OTMoveIt\MovedFiles\WINDOWS\SYSTEM32\aythwrvb.exe Infected: Trojan.Win32.Agent.anr skipped C:\_OTMoveIt\MovedFiles\WINDOWS\SYSTEM32\lseurfgd.exe Infected: Trojan.Win32.Agent.anr skipped C:\_OTMoveIt\MovedFiles\WINDOWS\SYSTEM32\ohhsoocb.exe Infected: Trojan.Win32.Agent.anr skipped C:\_OTMoveIt\MovedFiles\WINDOWS\SYSTEM32\olchebdq.exe Infected: Trojan.Win32.Agent.anr skipped D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped Scan process completed. ********** main.txt ******** Deckard's System Scanner v20070426.43 Run by Kenneth J. Rivalsi on 2007-06-07 at 20:18:07 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- HijackThis (run as Kenneth J. Rivalsi.exe) ---------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 8:18:39 PM, on 6/7/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16441) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\ScanSoft\OmniPageSE\opware32.exe C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\Program Files\Microsoft ActiveSync\Wcescomm.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\PROGRA~1\MI3AA1~1\rapimgr.exe C:\Program Files\Digital Line Detect\DLG.exe C:\QUICKENW\QWDLLS.EXE C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\program files\common files\mcafee\mna\mcnasvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe C:\PROGRA~1\McAfee\MSC\mcpromgr.exe c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe C:\Program Files\Internet Explorer\iexplore.exe C:\tmp\dss\dss.exe C:\tmp\HIJACK~1\HIJACK~1\Kenneth J. Rivalsi.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175043024921 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing) O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- Files created between 2007-05-07 and 2007-06-07 ----------------------------- 2007-06-07 16:49:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2007-06-07 16:49:43 0 d-------- C:\WINDOWS\system32\Kaspersky Lab 2007-06-07 16:49:41 0 d-------- C:\WINDOWS\LastGood 2007-06-05 06:41:05 0 d-------- C:\VundoFix Backups 2007-06-04 20:15:21 0 d--hs---- C:\WINDOWS\CSC 2007-06-01 23:05:31 0 d-------- C:\ie-spyad 2007-06-01 22:46:43 0 d-------- C:\Program Files\SpywareBlaster 2007-06-01 20:46:50 0 d-------- C:\WINDOWS\system32\ActiveScan 2007-06-01 20:27:00 0 d-------- C:\Documents and Settings\Kenneth J. Rivalsi\Application Data\Lavasoft 2007-06-01 20:21:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-05-31 19:51:33 0 d-------- C:\WINDOWS\system32\T6 2007-05-31 19:51:27 0 d-------- C:\WINDOWS\system32\T1QaSQ 2007-05-31 19:51:26 0 d-------- C:\Temp 2007-05-09 19:04:30 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2 -- Find3M Report --------------------------------------------------------------- 2007-06-07 06:10:57 288 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat 2007-06-07 06:10:57 288 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat 2007-06-06 19:02:29 0 d-------- C:\Documents and Settings\Kenneth J. Rivalsi\Application Data\Canon 2007-06-01 21:38:11 0 d-------- C:\Program Files\Microsoft ActiveSync 2007-06-01 21:38:08 0 d-------- C:\Program Files\Messenger 2007-06-01 21:35:18 0 d-------- C:\Program Files\iTunes 2007-06-01 21:34:32 0 d-------- C:\Program Files\Google 2007-06-01 21:34:28 0 d-------- C:\Program Files\Digital Line Detect 2007-06-01 20:21:49 0 d-------- C:\Program Files\Lavasoft 2007-05-31 19:51:36 0 d-------- C:\Program Files\MSN Gaming Zone 2007-05-30 22:11:20 0 d-------- C:\Documents and Settings\Kenneth J. Rivalsi\Application Data\AdobeUM 2007-05-26 10:16:01 0 d-------- C:\Program Files\McAfee 2007-04-27 19:07:12 108 --a------ C:\WINDOWS\Winsus1.dat 2007-04-27 18:43:10 0 d--h----- C:\Program Files\InstallShield Installation Information 2007-04-27 18:31:45 0 d-------- C:\Program Files\Susteen 2007-04-19 19:45:09 0 d-------- C:\Program Files\Windows Media Connect 2 2007-04-15 14:15:21 0 d-------- C:\Program Files\Windows CE Tools 2007-03-28 20:23:36 2528 --a------ C:\Documents and Settings\Kenneth J. Rivalsi\Application Data\$_hpcst$.hpc -- Registry Dump --------------------------------------------------------------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll {53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll {5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\system32\dla\tfswshx.dll {7DB2D5A0-7241-4E79-B68D-6309F01C5231} c:\program files\mcafee\virusscan\scriptcl.dll {AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar4.dll {AE7CD045-E861-484f-8273-0445EE161910} C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r" "PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\"" "Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe" "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe" "ATIModeChange"="Ati2mdxx.exe" "CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe" "CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE" "CTHelper"="CTHELPER.EXE" "AsioReg"="REGSVR32.EXE /S CTASIO.DLL" "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "SB Audigy 2 Startup Menu"=" /L:ENG" "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe" "H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\Wcescomm.exe\"" HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 -- End of Deckard's System Scanner: finished at 2007-06-07 at 20:19:04 --------- |
|
|
|
|
06-07-2007, 11:24 PM
|
#8 (permalink) |
|
Analyst, Security Team
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04
|
Re: malware help please
Hi islavir
Locate and delete the following folders and files:
You can make a fresh backup of outlook now ComboFix, Deckards System Scanner and OTMoveIt can all be deleted C:\System Volume Information\_restore the infected files here will be dealt with in a minute Your log are clean. If there aren't any more problems, please continue with these final instructions.  Enable Windows Auto Update *Go to Start>Run - type wuaucpl.cpl *Tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Create a new System Restore point Click Start >> Run - type SYSDM.CPL & press Enter * Select the System Restore Tab * Tick on the checkbox - "Turn off System Restore on all drives" Click Apply * Then untick the same checkbox & click OK This will prevent any reinfection from previous restore points. To help protect your computer in the future I recommend that you get the following free programs if you do not already have them: Download the McAfee Site Advisor--free. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or or Bad. SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Spyware Guard to catch and block spyware before it can execute. IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released. In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles: PC Safety and Security--What Do I Need? HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER Understanding and Using Firewalls **Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. Follow this list and your potential for infections will reduce dramatically.  Please respond to this thread one more time so we can mark this thread as resolved. Last edited by alba; 06-07-2007 at 11:30 PM. |
|
|
|
|
06-08-2007, 06:41 PM
|
#9 (permalink) |
|
I helped the forums.
Join Date: Mar 2005
Location: Long Island, NY
Posts: 21
OS: XP
|
Re: malware help please
Things seem to be much better now, thanks very much.
No more pop-ups or redirected IE. Below is a new main.txt log. I hope it is clean. ******************* Deckard's System Scanner v20070603.47 Run by Kenneth J. Rivalsi on 2007-06-08 at 19:37:02 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 2 Restore Point(s) -- 2: 2007-06-09 00:37:08 UTC - RP1077 - Deckard's System Scanner Restore Point 1: 2007-06-08 12:21:19 UTC - RP1076 - System Checkpoint Performed disk cleanup. -- HijackThis (run as Kenneth J. Rivalsi.exe) ---------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 7:37:48 PM, on 6/8/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16441) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\ScanSoft\OmniPageSE\opware32.exe C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\SiteAdvisor\6066\SiteAdv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\program files\common files\mcafee\mna\mcnasvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe C:\PROGRA~1\McAfee\MSC\mcpromgr.exe c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\Program Files\SiteAdvisor\6066\SAService.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Microsoft ActiveSync\Wcescomm.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\PROGRA~1\MI3AA1~1\rapimgr.exe C:\Program Files\Digital Line Detect\DLG.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\QUICKENW\QWDLLS.EXE C:\Program Files\SpywareGuard\sgmain.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe C:\tmp\dss\dss.exe C:\tmp\HIJACK~1\HIJACK~1\KENNET~1.EXE R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175043024921 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing) O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- HijackThis Fixed Entries (C:\tmp\HIJACK~1\HIJACK~1\backups\) ---------------- backup-20070607-060452-635 O2 - BHO: (no name) - {41A09F2C-7931-4861-A562-23ED0F74ADF9} - C:\WINDOWS\system32\jkhhf.dll (file missing) backup-20070607-060452-706 O20 - Winlogon Notify: nnnoljk - nnnoljk.dll (file missing) backup-20070607-060452-926 O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) -- File Associations ----------------------------------------------------------- .ini - UltraEdit.ini - DefaultIcon - unable to read value .ini - UltraEdit.ini - shell\open\command - "C:\Program Files\UltraEdit\uedit32.exe" "%1" .js - UltraEdit.js - DefaultIcon - unable to read value .js - UltraEdit.js - shell\open\command - "C:\Program Files\UltraEdit\uedit32.exe" "%1" .txt - UltraEdit.txt - DefaultIcon - unable to read value .txt - UltraEdit.txt - shell\open\command - "C:\Program Files\UltraEdit\uedit32.exe" "%1" -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R0 agp440 (Intel AGP Bus Filter) - c:\windows\\systemroot\system32\drivers\agp440.sys (file missing) R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver> R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; Pinnacle Systems GmbH; asapi> S3 CQX (Susteen Virtual Serial Port Driver) - c:\windows\system32\drivers\cqx.sys <Not Verified; Susteen Inc.; Susteen USB Cable> S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing) S3 SUSTUCAM (Susteen USB Cable Modem Driver) - c:\windows\system32\drivers\sustucam.sys <Not Verified; Susteen, Inc.; Susteen USB Cable> -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- All services whitelisted. -- Scheduled Tasks ------------------------------------------------------------- 2007-06-01 06:40:03 378 --a------ C:\WINDOWS\Tasks\McQcTask.job 2007-05-15 01:14:34 376 --a------ C:\WINDOWS\Tasks\McDefragTask.job -- Files created between 2007-05-08 and 2007-06-08 ----------------------------- 2007-06-08 19:24:06 0 d-------- C:\Program Files\SpywareGuard 2007-06-08 19:22:45 0 d-------- C:\Documents and Settings\NetworkService\Desktop 2007-06-08 19:22:45 0 d-------- C:\Documents and Settings\NetworkService\Application Data\SiteAdvisor 2007-06-08 19:22:36 0 d-------- C:\Program Files\SiteAdvisor 2007-06-08 19:22:14 0 d-------- C:\Documents and Settings\Kenneth J. Rivalsi\Application Data\SiteAdvisor 2007-06-08 19:22:14 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor 2007-06-07 16:49:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2007-06-07 16:49:43 0 d-------- C:\WINDOWS\system32\Kaspersky Lab 2007-06-04 20:15:21 0 d--hs---- C:\WINDOWS\CSC 2007-06-01 23:05:31 0 d-------- C:\ie-spyad 2007-06-01 22:46:43 0 d-------- C:\Program Files\SpywareBlaster 2007-06-01 20:46:50 0 d-------- C:\WINDOWS\system32\ActiveScan 2007-06-01 20:27:00 0 d-------- C:\Documents and Settings\Kenneth J. Rivalsi\Application Data\Lavasoft 2007-06-01 20:21:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-05-31 19:51:33 0 d-------- C:\WINDOWS\system32\T6 2007-05-31 19:51:27 0 d-------- C:\WINDOWS\system32\T1QaSQ 2007-05-31 19:51:26 0 d-------- C:\Temp 2007-05-09 19:04:30 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2 -- Find3M Report --------------------------------------------------------------- 2007-06-08 19:25:37 288 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat 2007-06-08 19:25:37 288 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat 2007-06-06 19:02:29 0 d-------- C:\Documents and Settings\Kenneth J. Rivalsi\Application Data\Canon 2007-06-01 21:38:11 0 d-------- C:\Program Files\Microsoft ActiveSync 2007-06-01 21:38:08 0 d-------- C:\Program Files\Messenger 2007-06-01 21:35:18 0 d-------- C:\Program Files\iTunes 2007-06-01 21:34:32 0 d-------- C:\Program Files\Google 2007-06-01 21:34:28 0 d-------- C:\Program Files\Digital Line Detect 2007-06-01 20:21:49 0 d-------- C:\Program Files\Lavasoft 2007-05-31 19:51:36 0 d-------- C:\Program Files\MSN Gaming Zone 2007-05-30 22:11:20 0 d-------- C:\Documents and Settings\Kenneth J. Rivalsi\Application Data\AdobeUM 2007-05-26 10:16:01 0 d-------- C:\Program Files\McAfee 2007-04-27 19:07:12 108 --a------ C:\WINDOWS\Winsus1.dat 2007-04-27 18:43:10 0 d--h----- C:\Program Files\InstallShield Installation Information 2007-04-27 18:31:45 0 d-------- C:\Program Files\Susteen 2007-04-19 19:45:09 0 d-------- C:\Program Files\Windows Media Connect 2 2007-04-15 14:15:21 0 d-------- C:\Program Files\Windows CE Tools 2007-03-28 20:23:36 2528 --a------ C:\Documents and Settings\Kenneth J. Rivalsi\Application Data\$_hpcst$.hpc -- Registry Dump --------------------------------------------------------------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll {089FD14D-132B-48FC-8861-0048AE113215} C:\Program Files\SiteAdvisor\6066\SiteAdv.dll {4A368E80-174F-4872-96B5-0B27DDD11DB2} C:\Program Files\SpywareGuard\dlprotect.dll {53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll {5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\system32\dla\tfswshx.dll {7DB2D5A0-7241-4E79-B68D-6309F01C5231} c:\program files\mcafee\virusscan\scriptcl.dll {AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar4.dll {AE7CD045-E861-484f-8273-0445EE161910} C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r" "PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\"" "Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe" "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe" "ATIModeChange"="Ati2mdxx.exe" "CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe" "CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE" "CTHelper"="CTHELPER.EXE" "AsioReg"="REGSVR32.EXE /S CTASIO.DLL" "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\6066\\SiteAdv.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "SB Audigy 2 Startup Menu"=" /L:ENG" "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe" "H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\Wcescomm.exe\"" HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 -- End of Deckard's System Scanner: finished at 2007-06-08 at 19:38:23 --------- |
|
|
|
|
06-09-2007, 05:58 AM
|
#10 (permalink) |
|
Analyst, Security Team
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04
|
Re: malware help please
Hi islavir
Yep your logs are all clean, you are good to go. If you follow my recommendations in the previous Post it should help to protect you in the future Have a nice weekend  alba |
|
|
|
| Thread Tools | |
|
|
