Clogged Computer

roblyerd · 06-09-2008, 05:12 PM

Helping a friend whose PC is clogged with malware. He's running XP (SP2) and symptoms are very sluggish, lots of popups, buffer overflow msgs, and attempt to install McAfee recently appeared to work, but program doesn't operate properly.

DSS main.txt is below. Extra.txt and Panda scans are attached. Your help is greatly appreciated.

Dwight

main.txt***************
Deckard's System Scanner v20071014.68
Run by fam on 2008-06-09 18:56:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
108: 2008-06-09 23:56:21 UTC - RP299 - Deckard's System Scanner Restore Point
107: 2008-06-09 21:07:51 UTC - RP298 - System Checkpoint
106: 2008-06-08 20:43:22 UTC - RP297 - System Checkpoint
105: 2008-06-07 20:13:45 UTC - RP296 - System Checkpoint
104: 2008-06-05 17:51:29 UTC - RP295 - System Checkpoint

-- First Restore Point --
1: 2008-05-15 20:16:41 UTC - RP192 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 384 MiB (512 MiB recommended).

-- HijackThis (run as fam.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:16 PM, on 6/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\fam\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\fam.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: {89759dcd-19e4-4779-3184-eec3fa8b2382} - {2832b8af-3cee-4813-9774-4e91dcd95798} - C:\WINDOWS\system32\hmbgeuij.dll
O2 - BHO: (no name) - {4855CC91-9912-46CF-8DCE-270EE2069FF6} - C:\WINDOWS\system32\iiffEXqP.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - C:\WINDOWS\system32\mlJAqnMF.dll
O2 - BHO: DbarBHO - {CC11617C-259E-429c-9063-7D70B8355EBD} - C:\Program Files\dbar\Deskbar.dll (file missing)
O2 - BHO: (no name) - {D7953349-2B19-4654-BE43-26629652213A} - C:\WINDOWS\system32\efcBtUOi.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Tracy.TURBO\Application Data\Deskbar_{EE464417-8E32-47dd-8DF5-0EE50BAA86D3}\starter.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Glen\Local Settings\Temporary Internet Files\Content.IE5\VRDQ5B90\setup_sbd_en[1].exe
O4 - HKLM\..\Run: [BM97b6fe8d] Rundll32.exe "C:\WINDOWS\system32\aowfnnvc.dll",s
O4 - HKLM\..\Run: [9485cd11] rundll32.exe "C:\WINDOWS\system32\svpbtxcb.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: mlJAqnMF - C:\WINDOWS\SYSTEM32\mlJAqnMF.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 7447 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 aecc - c:\windows\system32\drivers\aecc.sys
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S3 mr7910 (Photo Viewer) - c:\windows\system32\drivers\mr7910.sys <Not Verified; Mars Semiconductor Corp.; PhotoViewer>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 aspnet_state (ASP.NET State Service) - c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe (file missing)

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-05-15 16:28:42 348 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-05-15 16:28:41 350 --a------ C:\WINDOWS\Tasks\McQcTask.job

-- Files created between 2008-05-09 and 2008-06-09 -----------------------------

2008-06-09 18:58:39 0 d-------- C:\Program Files\Trend Micro
2008-06-09 18:39:12 0 d-------- C:\ie-spyad_zo
2008-06-09 18:20:40 0 d-------- C:\Program Files\SpywareBlaster
2008-06-09 10:46:36 0 d-------- C:\Program Files\Panda Security
2008-06-09 10:46:34 0 d-------- C:\WINDOWS\LastGood
2008-06-09 10:38:37 111616 --a------ C:\WINDOWS\system32\hmbgeuij.dll
2008-06-09 10:35:30 96256 --a------ C:\WINDOWS\system32\svpbtxcb.dll
2008-06-09 10:33:45 108544 --a------ C:\WINDOWS\system32\aowfnnvc.dll
2008-06-08 22:00:56 113664 --a------ C:\WINDOWS\system32\qfsydpjd.dll
2008-06-08 21:58:46 101376 -----n--- C:\WINDOWS\system32\pxtccvdu.dll
2008-06-08 21:58:15 105472 --a------ C:\WINDOWS\system32\utotswpf.dll
2008-06-08 13:31:54 0 d-------- C:\WINDOWS\pss
2008-06-08 12:50:50 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-08 12:48:35 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-08 12:48:35 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-08 12:48:35 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-08 12:48:35 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-08 12:48:35 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-08 12:48:34 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-08 12:48:34 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-08 12:48:34 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-08 12:48:34 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-08 12:48:34 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-08 12:48:34 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-08 12:48:34 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-08 12:48:34 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-08 12:48:34 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-07 21:59:51 111616 --a------ C:\WINDOWS\system32\xsnrcuwd.dll
2008-06-07 21:59:33 101376 --a------ C:\WINDOWS\system32\gnmxbfpr.dll
2008-06-06 21:58:04 93184 --a------ C:\WINDOWS\system32\avwurjdd.dll
2008-06-06 21:57:53 108544 --a------ C:\WINDOWS\system32\ttbeidvu.dll
2008-06-06 21:57:38 107520 --a------ C:\WINDOWS\system32\jrdcefaw.dll
2008-06-06 21:56:17 107520 --a------ C:\WINDOWS\system32\bcohiwfg.dll
2008-06-05 15:00:36 0 d-------- C:\Documents and Settings\Guest\Application Data\Move Networks
2008-06-04 21:11:15 97280 -----n--- C:\WINDOWS\system32\oqxhdbsp.dll
2008-06-04 21:11:06 104448 --a------ C:\WINDOWS\system32\fcaibryo.dll
2008-06-04 21:10:49 106496 --a------ C:\WINDOWS\system32\mpylqmro.dll
2008-06-03 14:37:01 114688 --a------ C:\WINDOWS\system32\twakmbgs.dll
2008-06-02 13:07:47 114688 --a------ C:\WINDOWS\system32\utbgrkss.dll
2008-06-01 13:03:00 108544 --a------ C:\WINDOWS\system32\ugnexgrj.dll
2008-06-01 12:59:54 104448 --a------ C:\WINDOWS\system32\pnaejahk.dll
2008-05-31 13:01:20 108544 --a------ C:\WINDOWS\system32\xkkwjtul.dll
2008-05-31 12:59:27 95232 -----n--- C:\WINDOWS\system32\mwsjykyc.dll
2008-05-31 12:59:13 104448 --a------ C:\WINDOWS\system32\slxquroj.dll
2008-05-31 12:46:55 0 d-------- C:\Documents and Settings\fam\Application Data\Leadertech
2008-05-30 13

39 104448 --a------ C:\WINDOWS\system32\yhtjapgi.dll
2008-05-30 12:58:31 109568 --a------ C:\WINDOWS\system32\mxlkyirm.dll
2008-05-29 22:33:01 0 d-------- C:\Documents and Settings\fam\Application Data\Yahoo!
2008-05-29 22:33:01 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-05-29 11:58:56 101376 -----n--- C:\WINDOWS\system32\igtutjtt.dll
2008-05-29 11:58:48 111616 --a------ C:\WINDOWS\system32\qdkqpskn.dll
2008-05-29 11:58:33 106496 --a------ C:\WINDOWS\system32\sujvscyg.dll
2008-05-29 11:57:50 106496 --a------ C:\WINDOWS\system32\klkevmfd.dll
2008-05-28 10:50:43 97280 -----n--- C:\WINDOWS\system32\vgfyhbui.dll
2008-05-28 10:50:28 104448 --a------ C:\WINDOWS\system32\wnaaimsu.dll
2008-05-26 02:20:29 94208 -----n--- C:\WINDOWS\system32\qxgxrkeq.dll
2008-05-26 02:16:15 117760 --a------ C:\WINDOWS\system32\ukjesyso.dll
2008-05-26 02:14:26 109056 --a------ C:\WINDOWS\system32\pgtkyrfv.dll
2008-05-24 23:35:13 117760 --a------ C:\WINDOWS\system32\dsmasgyr.dll
2008-05-24 23:30:43 108544 --a------ C:\WINDOWS\system32\iennvokw.dll
2008-05-23 22:45:51 118272 --a------ C:\WINDOWS\system32\ntgmnjuq.dll
2008-05-23 22:39:52 110080 --a------ C:\WINDOWS\system32\ypqidihb.dll
2008-05-22 22:44:09 93184 --a------ C:\WINDOWS\system32\twnkoujp.dll
2008-05-22 22:40:42 117760 --a------ C:\WINDOWS\system32\hykswuei.dll
2008-05-22 22:38:50 109568 --a------ C:\WINDOWS\system32\vfjhucyu.dll
2008-05-22 12:03:44 0 d-------- C:\Documents and Settings\fam\Application Data\MSNInstaller
2008-05-21 22:56:08 117760 --a------ C:\WINDOWS\system32\uomkmmru.dll
2008-05-21 20:58:06 109056 --a------ C:\WINDOWS\system32\glijdlhy.dll
2008-05-21 12:51:26 93696 -----n--- C:\WINDOWS\system32\sraxkwar.dll
2008-05-20 21:00:06 118272 --a------ C:\WINDOWS\system32\fyoylbyk.dll
2008-05-20 20:57:03 109056 --a------ C:\WINDOWS\system32\nlhdbrnc.dll
2008-05-19 21:04:00 117760 --a------ C:\WINDOWS\system32\qkadwfvb.dll
2008-05-19 21:01:05 94208 --a------ C:\WINDOWS\system32\canxkbrb.dll
2008-05-19 20:55:01 109056 --a------ C:\WINDOWS\system32\tmmhfael.dll
2008-05-19 13:08:43 0 d-------- C:\Documents and Settings\fam\Application Data\Macromedia
2008-05-19 13:07:45 0 d-------- C:\Documents and Settings\fam\Application Data\Adobe
2008-05-19 13:07:09 0 d-------- C:\Documents and Settings\fam\Application Data\SiteAdvisor
2008-05-19 13

27 0 d-------- C:\Documents and Settings\fam\Application Data\Identities
2008-05-19 13:05:58 0 d--h----- C:\Documents and Settings\fam\Templates
2008-05-19 13:05:58 0 dr------- C:\Documents and Settings\fam\Start Menu
2008-05-19 13:05:58 0 dr-h----- C:\Documents and Settings\fam\SendTo
2008-05-19 13:05:58 0 dr-h----- C:\Documents and Settings\fam\Recent
2008-05-19 13:05:58 0 d--h----- C:\Documents and Settings\fam\PrintHood
2008-05-19 13:05:58 0 d--h----- C:\Documents and Settings\fam\NetHood
2008-05-19 13:05:58 0 dr------- C:\Documents and Settings\fam\My Documents
2008-05-19 13:05:58 0 d--h----- C:\Documents and Settings\fam\Local Settings
2008-05-19 13:05:58 0 dr------- C:\Documents and Settings\fam\Favorites
2008-05-19 13:05:58 0 d-------- C:\Documents and Settings\fam\Desktop
2008-05-19 13:05:58 0 d--hs---- C:\Documents and Settings\fam\Cookies
2008-05-19 13:05:58 0 dr-h----- C:\Documents and Settings\fam\Application Data
2008-05-19 13:05:57 3670016 --ah----- C:\Documents and Settings\fam\NTUSER.DAT
2008-05-18 21:21:50 0 d-------- C:\Documents and Settings\Guest\Application Data\SiteAdvisor
2008-05-18 20:59:02 95232 --a------ C:\WINDOWS\system32\narytiqq.dll
2008-05-18 20:53:00 737556 --ahs---- C:\WINDOWS\system32\iOUtBcfe.ini2
2008-05-18 20:52:54 375808 --a------ C:\WINDOWS\system32\efcBtUOi.dll
2008-05-17 15:20:59 109568 --a------ C:\WINDOWS\system32\idmixyju.dll
2008-05-17 10:34:39 83664 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-05-17 10:24:25 95232 --a------ C:\WINDOWS\system32\slwhbhfy.dll
2008-05-16 16:22:39 0 d-------- C:\Program Files\Svconr
2008-05-16 16:22:38 0 d-------- C:\Program Files\Temporary
2008-05-16 15:29:16 93696 -----n--- C:\WINDOWS\system32\udnlixhq.dll
2008-05-16 15:20:15 108544 --a------ C:\WINDOWS\system32\ifmgfjmk.dll
2008-05-16 14:30:34 93696 --a------ C:\WINDOWS\system32\yaxgkmlg.dll
2008-05-16 14:28:53 108544 --a------ C:\WINDOWS\system32\shwbhrlq.dll
2008-05-16 14:27:32 1342214 --ahs---- C:\WINDOWS\system32\gQYGOXbc.ini2
2008-05-16 12:44:15 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-05-15 21:45:45 0 d-------- C:\Program Files\AntiSpywareMaster
2008-05-15 17:25:39 0 d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY\Desktop
2008-05-15 17:25:39 0 d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\SiteAdvisor
2008-05-15 16:32:21 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Desktop
2008-05-15 16:32:21 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\SiteAdvisor
2008-05-15 16:32:05 0 d-------- C:\Program Files\SiteAdvisor
2008-05-15 16:32:04 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SiteAdvisor
2008-05-15 16:27:58 0 d-------- C:\Program Files\McAfee.com
2008-05-15 16:27:34 0 d-------- C:\Program Files\Common Files\McAfee
2008-05-15 16:27:22 0 d-------- C:\Program Files\McAfee
2008-05-15 16:22:03 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee
2008-05-15 15:22:31 116224 --a------ C:\WINDOWS\system32\prhykopg.dll
2008-05-15 15:19:19 0 d-------- C:\Temp
2008-05-15 15:18:56 0 d-------- C:\Program Files\dbar
2008-05-15 15:17:50 108544 --a------ C:\WINDOWS\system32\jlpjqfst.dll
2008-05-15 14:04:29 0 d-------- C:\Program Files\Common Files\Scanner
2008-05-15 14:04:28 0 d-------- C:\Program Files\PCPitstop
2008-05-15 14:02:31 0 dr------- C:\Documents and Settings\LocalService.NT AUTHORITY\Favorites
2008-05-14 16:46:33 1345106 --ahs---- C:\WINDOWS\system32\PqXEffii.ini2
2008-05-14 16:45:07 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-05-14 16:42:25 861 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-14 16:41:48 298311 --a------ C:\WINDOWS\system32\gside.exe
2008-05-14 16:41:41 0 d--hs---- C:\WINDOWS\Z2xlbiBydXRoZXJmb3Jk
2008-05-14 16:41:39 49159 --a------ C:\WINDOWS\system32\rwwnw64d.exe <Not Verified; ; Browser Driver>
2008-05-14 16:41:30 86144 -----n--- C:\WINDOWS\system32\drivers\aecc.sys
2008-05-14 16:41:29 0 d-------- C:\Program Files\winvi
2008-05-14 16:41:26 0 d-------- C:\WINDOWS\system32\polX
2008-05-14 16:41:26 0 d-------- C:\WINDOWS\system32\GUI2
2008-05-14 16:41:26 0 d-------- C:\WINDOWS\system32\binR
2008-05-14 16:41:26 0 d-------- C:\WINDOWS\system32\3036a
2008-05-14 16:41:22 0 d-------- C:\WINDOWS\system32\dFrnx18
2008-05-14 16:41:16 28672 -----n--- C:\WINDOWS\system32\mlJAqnMF.dll
2008-05-14 15:15:45 0 d-------- C:\Program Files\Microsoft Works
2008-05-14 15:07:58 0 d-------- C:\WINDOWS\SHELLNEW
2008-05-13 15:01:40 0 d-------- C:\Program Files\Microsoft Small Business
2008-05-13 14:57:45 0 d-------- C:\Program Files\Microsoft.NET
2008-05-13 14:55:00 0 d-------- C:\Program Files\Microsoft SQL Server
2008-05-12 08:43:38 68096 --a------ C:\WINDOWS\b155.exe

-- Find3M Report ---------------------------------------------------------------

2008-05-29 22:28:33 0 d-------- C:\Program Files\Yahoo!
2008-05-22 12:02:41 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-22 12:00:15 0 d-------- C:\Program Files\Common Files
2008-05-18 01:13:18 0 d-------- C:\Program Files\Hunting Unlimited
2008-05-15 15:21:45 0 d-------- C:\Program Files\LimeWire
2008-05-15 15:21:30 0 d-------- C:\Program Files\Google

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2832b8af-3cee-4813-9774-4e91dcd95798}]
06/09/2008 10:38 AM 111616 --a------ C:\WINDOWS\system32\hmbgeuij.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4855CC91-9912-46CF-8DCE-270EE2069FF6}]
C:\WINDOWS\system32\iiffEXqP.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}]
05/14/2008 04:41 PM 28672 --------- C:\WINDOWS\system32\mlJAqnMF.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC11617C-259E-429c-9063-7D70B8355EBD}]
C:\Program Files\dbar\Deskbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7953349-2B19-4654-BE43-26629652213A}]
05/18/2008 08:52 PM 375808 --a------ C:\WINDOWS\system32\efcBtUOi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [02/04/2002 10:32 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 11:09 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" []
"dbar_starter"="C:\Documents and Settings\Tracy.TURBO\Application Data\Deskbar_{EE464417-8E32-47dd-8DF5-0EE50BAA86D3}\starter.exe" []
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [06/21/2007 03:06 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"SBI"="C:\Documents and Settings\Glen\Local Settings\Temporary Internet Files\Content.IE5\VRDQ5B90\setup_sbd_en[1].exe" [05/15/2008 11:29 PM]
"BM97b6fe8d"="C:\WINDOWS\system32\aowfnnvc.dll" [06/09/2008 10:33 AM]
"9485cd11"="C:\WINDOWS\system32\svpbtxcb.dll" [06/09/2008 10:35 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}"= C:\WINDOWS\system32\mlJAqnMF.dll [05/14/2008 04:41 PM 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJAqnMF]
mlJAqnMF.dll 05/14/2008 04:41 PM 28672 C:\WINDOWS\system32\mlJAqnMF.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\efcBtUOi

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

*Newly Created Service* - RKPAVPROC

-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8382 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2008-06-09 19:01:15 ------------

roblyerd · 06-12-2008, 06:32 PM

BUMP, please.

tetonbob · 06-12-2008, 07:39 PM

If your system seems sluggish, it could be due to low RAM, as well as the infections present.

Quote:

Total Physical Memory: 384 MiB (512 MiB recommended).

Please read the following article after the cleaning is complete: http://www.techsupportforum.com/secu...ning-slow.html

Please visit Crucial where you can either input your model number or download a small application that will tell you exactly the type of RAM you need.

Address this as needed after the cleaning is complete.

===================================

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

If you have any questions along the way, STOP and ask them before proceeding.

roblyerd · 06-13-2008, 09:34 AM

3 logs attached: 2x combofix and 1x hijackthis. Had trouble finding how to turn off all resident parts of McAfee, but thought we'd finally done it. Also, the recovery console install did not appear to work as expected. First combofix log (combofix_1.txt) identified both problems: AV still running and recoveryconsole not installed. So uninstalled McAfee. Recovery console install worked 2nd time. Second combofix log (combofix_2.txt) went much more quickly. Finally, ran hijackthis--log pasted below.

Roger the RAM problem. Have some DIMMs that should work.

Thanks for your time and expertise.

Dwight

ComboFix 08-06-11.7 - fam 2008-06-13 11:11:19.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.170 [GMT -5:00]
Running from: C:\Documents and Settings\fam\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\fam\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Glen\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Glen\Start Menu\Programs\Startup\DW_Start.lnk
C:\temp\tn3
C:\WINDOWS\b155.exe
C:\WINDOWS\system32\drivers\aecc.sys
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(4).dsk
C:\WINDOWS\system32\drivers\core.cache.dsk

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AECC
-------\Service_aecc

((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.

2008-06-11 01:34 . 2008-06-11 01:35 <DIR> d-------- C:\Documents and Settings\fam\Application Data\Move Networks
2008-06-09 18:58 . 2008-06-09 18:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-09 18:55 . 2008-06-09 18:55 <DIR> d-------- C:\Deckard
2008-06-09 18:39 . 2008-06-09 18:42 <DIR> d-------- C:\ie-spyad_zo
2008-06-09 18:20 . 2008-06-09 18:20 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-09 10:46 . 2008-06-09 10:50 <DIR> d-------- C:\Program Files\Panda Security
2008-06-08 12:48 . 2008-06-08 12:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-05 15:00 . 2008-06-05 15:05 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Move Networks
2008-05-31 12:46 . 2008-05-31 12:46 <DIR> d-------- C:\Documents and Settings\fam\Application Data\Leadertech
2008-05-29 22:33 . 2008-05-29 22:33 <DIR> d-------- C:\Documents and Settings\fam\Application Data\Yahoo!
2008-05-22 12:03 . 2008-05-22 12:03 <DIR> d-------- C:\Documents and Settings\fam\Application Data\MSNInstaller
2008-05-19 13:05 . 2008-06-08 12:40 <DIR> d-------- C:\Documents and Settings\fam
2008-05-17 10:34 . 2008-05-17 10:34 83,664 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-05-16 15:57 . 2008-06-02 15:01 637 --a------ C:\WINDOWS\wininit.ini
2008-05-16 12:44 . 2008-05-16 12:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-16 12:44 . 2008-05-16 19:24 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-05-15 16:32 . 2008-06-13 11:07 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SiteAdvisor
2008-05-15 16:22 . 2008-06-13 11:09 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee
2008-05-15 15:19 . 2008-06-13 11:14 <DIR> d-------- C:\Temp
2008-05-15 14:04 . 2008-05-15 14:04 <DIR> d-------- C:\Program Files\PCPitstop
2008-05-15 14:04 . 2008-05-15 15:14 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-05-14 16:45 . 2008-05-14 16:45 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-05-14 16:41 . 2008-05-15 17:24 <DIR> d--hs---- C:\WINDOWS\Z2xlbiBydXRoZXJmb3Jk
2008-05-14 16:41 . 2008-05-14 16:41 <DIR> d-------- C:\WINDOWS\system32\polX
2008-05-14 16:41 . 2008-06-09 18:08 <DIR> d-------- C:\WINDOWS\system32\GUI2
2008-05-14 16:41 . 2008-05-15 17:19 <DIR> d-------- C:\WINDOWS\system32\dFrnx18
2008-05-14 16:41 . 2008-05-14 16:41 <DIR> d-------- C:\WINDOWS\system32\binR
2008-05-14 16:41 . 2008-05-14 16:41 <DIR> d-------- C:\WINDOWS\system32\3036a
2008-05-14 15:15 . 2008-05-14 15:15 <DIR> d-------- C:\Program Files\Microsoft Works
2008-05-14 15:07 . 2008-05-14 15:21 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-13 15:18 . 2008-05-13 15:18 422 --a------ C:\WINDOWS\system32\mapisvc.inf
2008-05-13 15:01 . 2008-05-22 11:57 <DIR> d-------- C:\Program Files\Microsoft Small Business
2008-05-13 14:57 . 2008-05-22 11:58 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-13 14:55 . 2008-05-13 15:00 <DIR> d-------- C:\Program Files\Microsoft SQL Server

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 15:51 --------- d-----w C:\Program Files\Yahoo!
2008-06-13 15:35 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-05-22 17:06 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-05-22 17:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-18 06:13 --------- d-----w C:\Program Files\Hunting Unlimited
2008-05-15 22:19 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!
2008-05-15 20:21 --------- d-----w C:\Program Files\LimeWire
2008-05-15 20:21 --------- d-----w C:\Program Files\Google
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2005-08-02 21:58 293,888 --sha-r C:\WINDOWS\Z2xlbiBydXRoZXJmb3Jk\command.exe
2005-07-29 21:24 472 --sha-r C:\WINDOWS\Z2xlbiBydXRoZXJmb3Jk\tZU5v21VxrlCtrLAvaL4.vbs
.

((((((((((((((((((((((((((((( snapshot@2008-06-13_10.55.44.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-23 04:56:21 554,008 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\dao360.dll
+ 2007-12-10 12:41:11 518,944 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexch40.dll
+ 2007-12-10 12:41:11 326,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexcl40.dll
+ 2007-12-10 12:41:11 1,516,568 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjet40.dll
+ 2007-12-10 12:41:11 355,112 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjetol1.dll
+ 2008-03-27 07:39:13 151,583 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjint40.dll
+ 2007-12-10 12:41:12 60,192 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjter40.dll
+ 2007-12-10 12:41:12 248,608 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjtes40.dll
+ 2007-12-10 12:41:12 219,936 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msltus40.dll
+ 2007-12-10 12:41:12 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mspbde40.dll
+ 2007-12-10 12:41:13 432,928 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd2x40.dll
+ 2007-12-10 12:41:13 322,336 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd3x40.dll
+ 2007-12-10 12:41:13 559,904 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrepl40.dll
+ 2007-12-10 12:41:13 264,992 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mstext40.dll
+ 2007-12-10 12:41:13 838,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswdat10.dll
+ 2007-12-10 12:41:14 621,344 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswstr10.dll
+ 2007-12-10 12:41:14 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msxbde40.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\updspapi.dll
- 2008-06-13 15:52:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-13 16:15:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-13 16:13:51 2,046 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{DF1E336C-AFD1-455D-9051-B66A5BE80B41}.bin
- 2004-08-04 10:00:00 561,179 -c--a-w C:\WINDOWS\system32\dllcache\dao360.dll
+ 2008-03-25 04:50:25 554,008 -c--a-w C:\WINDOWS\system32\dllcache\dao360.dll
- 2004-08-04 10:00:00 512,029 -c--a-w C:\WINDOWS\system32\dllcache\msexch40.dll
+ 2008-03-25 04:50:28 518,944 -c--a-w C:\WINDOWS\system32\dllcache\msexch40.dll
- 2004-08-04 10:00:00 319,517 -c--a-w C:\WINDOWS\system32\dllcache\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 -c--a-w C:\WINDOWS\system32\dllcache\msexcl40.dll
- 2004-08-04 10:00:00 1,507,356 -c--a-w C:\WINDOWS\system32\dllcache\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 -c--a-w C:\WINDOWS\system32\dllcache\msjet40.dll
- 2004-08-04 10:00:00 358,976 -c--a-w C:\WINDOWS\system32\dllcache\msjetol1.dll
+ 2008-03-25 04:50:40 355,112 -c--a-w C:\WINDOWS\system32\dllcache\msjetol1.dll
- 2004-08-04 10:00:00 151,583 -c--a-w C:\WINDOWS\system32\dllcache\msjint40.dll
+ 2008-03-27 08:12:54 151,583 -c--a-w C:\WINDOWS\system32\dllcache\msjint40.dll
- 2004-08-04 10:00:00 53,279 -c--a-w C:\WINDOWS\system32\dllcache\msjter40.dll
+ 2008-03-25 04:50:42 60,192 -c--a-w C:\WINDOWS\system32\dllcache\msjter40.dll
- 2004-08-04 10:00:00 241,693 -c--a-w C:\WINDOWS\system32\dllcache\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 -c--a-w C:\WINDOWS\system32\dllcache\msjtes40.dll
- 2004-08-04 10:00:00 213,023 -c--a-w C:\WINDOWS\system32\dllcache\msltus40.dll
+ 2008-03-25 04:50:44 219,936 -c--a-w C:\WINDOWS\system32\dllcache\msltus40.dll
- 2004-08-04 10:00:00 348,189 -c--a-w C:\WINDOWS\system32\dllcache\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 -c--a-w C:\WINDOWS\system32\dllcache\mspbde40.dll
- 2004-08-04 10:00:00 421,919 -c--a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 -c--a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll
- 2004-08-04 10:00:00 315,423 -c--a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 -c--a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll
- 2004-08-04 10:00:00 552,989 -c--a-w C:\WINDOWS\system32\dllcache\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 -c--a-w C:\WINDOWS\system32\dllcache\msrepl40.dll
- 2004-08-04 10:00:00 258,077 -c--a-w C:\WINDOWS\system32\dllcache\mstext40.dll
+ 2008-03-25 04:50:55 264,992 -c--a-w C:\WINDOWS\system32\dllcache\mstext40.dll
- 2004-08-04 10:00:00 831,519 -c--a-w C:\WINDOWS\system32\dllcache\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 -c--a-w C:\WINDOWS\system32\dllcache\mswdat10.dll
- 2004-08-04 10:00:00 614,429 -c--a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 -c--a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
- 2004-08-04 10:00:00 348,189 -c--a-w C:\WINDOWS\system32\dllcache\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 -c--a-w C:\WINDOWS\system32\dllcache\msxbde40.dll
- 2004-08-04 10:00:00 512,029 ----a-w C:\WINDOWS\system32\msexch40.dll
+ 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\system32\msexch40.dll
- 2004-08-04 10:00:00 319,517 ----a-w C:\WINDOWS\system32\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\system32\msexcl40.dll
- 2004-08-04 10:00:00 1,507,356 ----a-w C:\WINDOWS\system32\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\system32\msjet40.dll
- 2004-08-04 10:00:00 358,976 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
+ 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
- 2004-08-04 10:00:00 53,279 ----a-w C:\WINDOWS\system32\msjter40.dll
+ 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\system32\msjter40.dll
- 2004-08-04 10:00:00 241,693 ----a-w C:\WINDOWS\system32\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\system32\msjtes40.dll
- 2004-08-04 10:00:00 213,023 ----a-w C:\WINDOWS\system32\msltus40.dll
+ 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
- 2004-08-04 10:00:00 348,189 ----a-w C:\WINDOWS\system32\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 ----a-w C:\WINDOWS\system32\mspbde40.dll
- 2004-08-04 10:00:00 421,919 ----a-w C:\WINDOWS\system32\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 ----a-w C:\WINDOWS\system32\msrd2x40.dll
- 2004-08-04 10:00:00 315,423 ----a-w C:\WINDOWS\system32\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 ----a-w C:\WINDOWS\system32\msrd3x40.dll
- 2004-08-04 10:00:00 552,989 ----a-w C:\WINDOWS\system32\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\system32\msrepl40.dll
- 2004-08-04 10:00:00 258,077 ----a-w C:\WINDOWS\system32\mstext40.dll
+ 2008-03-25 04:50:55 264,992 ----a-w C:\WINDOWS\system32\mstext40.dll
- 2004-08-04 10:00:00 831,519 ----a-w C:\WINDOWS\system32\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 ----a-w C:\WINDOWS\system32\mswdat10.dll
- 2004-08-04 10:00:00 614,429 ----a-w C:\WINDOWS\system32\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
- 2004-08-04 10:00:00 348,189 ----a-w C:\WINDOWS\system32\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\system32\msxbde40.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13AC25C6-947A-4CF0-8EC3-8285EC3B5EE3}]
C:\WINDOWS\system32\efcBtUOi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4855CC91-9912-46CF-8DCE-270EE2069FF6}]
C:\WINDOWS\system32\iiffEXqP.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}]
C:\WINDOWS\system32\mlJAqnMF.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC11617C-259E-429c-9063-7D70B8355EBD}]
C:\Program Files\dbar\Deskbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}"= C:\WINDOWS\system32\mlJAqnMF.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJAqnMF]
mlJAqnMF.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 17:29]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 11:16:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2008-06-13 11:18:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-13 16:18:48
ComboFix2.txt 2008-06-13 15:56:47

Pre-Run: 139,409,104,896 bytes free
Post-Run: 139,319,607,296 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

233 --- E O F --- 2008-06-13 16:12:51

HIJACKTHIS Log***************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:38 AM, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {13AC25C6-947A-4CF0-8EC3-8285EC3B5EE3} - C:\WINDOWS\system32\efcBtUOi.dll (file missing)
O2 - BHO: (no name) - {4855CC91-9912-46CF-8DCE-270EE2069FF6} - C:\WINDOWS\system32\iiffEXqP.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - C:\WINDOWS\system32\mlJAqnMF.dll (file missing)
O2 - BHO: DbarBHO - {CC11617C-259E-429c-9063-7D70B8355EBD} - C:\Program Files\dbar\Deskbar.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: mlJAqnMF - mlJAqnMF.dll (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)

--
End of file - 4536 bytes

tetonbob · 06-13-2008, 10:51 AM

Wow, uninstalling McAfee seems drastic. Now there's no protection on the machine. Perhaps you'd like to take this opportunity to install something else? I can give you links an excellent freeware AntiVirus. Let me know in this next reply, or reinstall McAfee after running ComboFix, but before the new HijackThis log.

======================================

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Disconnect from the internet....pull the plug!
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

File::
C:\WINDOWS\system32\vbzip10.dll
Folder::
C:\WINDOWS\Z2xlbiBydXRoZXJmb3Jk
C:\WINDOWS\system32\polX
C:\WINDOWS\system32\GUI2
C:\WINDOWS\system32\dFrnx18
C:\WINDOWS\system32\binR
C:\WINDOWS\system32\3036a
C:\WINDOWS\Z2xlbiBydXRoZXJmb3Jk

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13AC25C6-947A-4CF0-8EC3-8285EC3B5EE3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4855CC91-9912-46CF-8DCE-270EE2069FF6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC11617C-259E-429c-9063-7D70B8355EBD}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJAqnMF]

Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
Re-establish an internet connection.
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

roblyerd · 06-13-2008, 07:31 PM

Ran script you provided.

ComboFix log is attached.

Reinstalled McAfee. My friend has a year subscription so will install freeware before that runs out. Which one do you recommend?

HijackThis log is pasted below.

There are also weird symbols on the boot screen when first starting the computer. Any ideas about that? Was already planning to check for BIOS updates once the viruses were gone. And add the RAM.

Greatly appreciate your help with all of this.

Dwight

***************

ComboFix 08-06-11.7 - fam 2008-06-13 21:03:09.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.194 [GMT -5:00]
Running from: C:\Documents and Settings\fam\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\fam\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\vbzip10.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\3036a
C:\WINDOWS\system32\3036a\dBparsdll.exe
C:\WINDOWS\system32\binR
C:\WINDOWS\system32\binR\Wvram13.exe
C:\WINDOWS\system32\dFrnx18
C:\WINDOWS\system32\GUI2
C:\WINDOWS\system32\polX
C:\WINDOWS\system32\polX\roEbdll2.exe
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\Z2xlbiBydXRoZXJmb3Jk
C:\WINDOWS\Z2xlbiBydXRoZXJmb3Jk\command.exe
C:\WINDOWS\Z2xlbiBydXRoZXJmb3Jk\tZU5v21VxrlCtrLAvaL4.vbs

.
((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-13 20:44 . 2008-06-13 20:44 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-13 12:43 . 2008-06-13 12:43 <DIR> d--h----- C:\BJPrinter
2008-06-13 12:43 . 2002-09-05 14:00 87,552 --a------ C:\WINDOWS\system32\CNMLM3m.DLL
2008-06-13 12:43 . 2002-07-30 02:59 73,728 --a------ C:\WINDOWS\system32\CNMCP3m.exe
2008-06-13 12:43 . 2002-09-05 14:00 5,632 --a------ C:\WINDOWS\system32\CNMVS3m.DLL
2008-06-11 01:34 . 2008-06-11 01:35 <DIR> d-------- C:\Documents and Settings\fam\Application Data\Move Networks
2008-06-09 18:58 . 2008-06-09 18:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-09 18:55 . 2008-06-09 18:55 <DIR> d-------- C:\Deckard
2008-06-09 18:39 . 2008-06-09 18:42 <DIR> d-------- C:\ie-spyad_zo
2008-06-09 18:20 . 2008-06-09 18:20 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-09 10:46 . 2008-06-09 10:50 <DIR> d-------- C:\Program Files\Panda Security
2008-06-08 12:48 . 2008-06-08 12:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-05 15:00 . 2008-06-05 15:05 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Move Networks
2008-05-31 12:46 . 2008-05-31 12:46 <DIR> d-------- C:\Documents and Settings\fam\Application Data\Leadertech
2008-05-29 22:33 . 2008-05-29 22:33 <DIR> d-------- C:\Documents and Settings\fam\Application Data\Yahoo!
2008-05-22 12:03 . 2008-05-22 12:03 <DIR> d-------- C:\Documents and Settings\fam\Application Data\MSNInstaller
2008-05-19 13:05 . 2008-06-08 12:40 <DIR> d-------- C:\Documents and Settings\fam
2008-05-17 10:34 . 2008-05-17 10:34 83,664 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-05-16 15:57 . 2008-06-02 15:01 637 --a------ C:\WINDOWS\wininit.ini
2008-05-16 12:44 . 2008-05-16 12:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-16 12:44 . 2008-05-16 19:24 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-05-15 16:32 . 2008-06-13 11:07 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SiteAdvisor
2008-05-15 16:22 . 2008-06-13 11:09 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee
2008-05-15 15:19 . 2008-06-13 11:14 <DIR> d-------- C:\Temp
2008-05-15 14:04 . 2008-05-15 14:04 <DIR> d-------- C:\Program Files\PCPitstop
2008-05-15 14:04 . 2008-05-15 15:14 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-05-14 15:15 . 2008-05-14 15:15 <DIR> d-------- C:\Program Files\Microsoft Works
2008-05-14 15:07 . 2008-05-14 15:21 <DIR> d-------- C:\WINDOWS\SHELLNEW

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 16:43 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-06-13 15:51 --------- d-----w C:\Program Files\Yahoo!
2008-05-22 17:06 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-05-22 17:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-22 16:58 --------- d-----w C:\Program Files\Microsoft.NET
2008-05-22 16:57 --------- d-----w C:\Program Files\Microsoft Small Business
2008-05-18 06:13 --------- d-----w C:\Program Files\Hunting Unlimited
2008-05-15 22:19 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!
2008-05-15 20:21 --------- d-----w C:\Program Files\LimeWire
2008-05-15 20:21 --------- d-----w C:\Program Files\Google
2008-05-13 20:00 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((( snapshot_2008-06-13_11.18.29.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-13 16:15:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-14 01:42:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2004-08-04 10:00:00 2,804,224 ----a-w C:\WINDOWS\system32\dllcache\msi.dll
+ 2005-05-04 19:45:32 2,890,240 -c--a-w C:\WINDOWS\system32\dllcache\msi.dll
- 2004-08-04 10:00:00 77,312 ----a-w C:\WINDOWS\system32\dllcache\msiexec.exe
+ 2005-05-04 19:45:36 78,848 -c--a-w C:\WINDOWS\system32\dllcache\msiexec.exe
- 2004-08-04 10:00:00 331,264 ----a-w C:\WINDOWS\system32\dllcache\msihnd.dll
+ 2005-05-04 19:45:36 271,360 -c--a-w C:\WINDOWS\system32\dllcache\msihnd.dll
- 2004-08-04 10:00:00 884,736 ----a-w C:\WINDOWS\system32\dllcache\msimsg.dll
+ 2005-05-04 19:45:36 884,736 -c--a-w C:\WINDOWS\system32\dllcache\msimsg.dll
- 2004-08-04 10:00:00 44,032 ----a-w C:\WINDOWS\system32\dllcache\msisip.dll
+ 2005-05-04 19:45:36 15,360 -c--a-w C:\WINDOWS\system32\dllcache\msisip.dll
- 2004-08-04 10:00:00 2,804,224 ----a-w C:\WINDOWS\system32\msi.dll
+ 2005-05-04 19:45:32 2,890,240 ----a-w C:\WINDOWS\system32\msi.dll
- 2004-08-04 10:00:00 77,312 ----a-w C:\WINDOWS\system32\msiexec.exe
+ 2005-05-04 19:45:36 78,848 ----a-w C:\WINDOWS\system32\msiexec.exe
- 2004-08-04 10:00:00 331,264 ----a-w C:\WINDOWS\system32\msihnd.dll
+ 2005-05-04 19:45:36 271,360 ----a-w C:\WINDOWS\system32\msihnd.dll
- 2004-08-04 10:00:00 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
+ 2005-05-04 19:45:36 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
- 2004-08-04 10:00:00 44,032 ----a-w C:\WINDOWS\system32\msisip.dll
+ 2005-05-04 19:45:36 15,360 ----a-w C:\WINDOWS\system32\msisip.dll
+ 2002-09-05 19:00:00 51,200 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNBMC130.DLL
+ 2002-09-05 19:00:00 50,176 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMCP3m.DLL
+ 2002-09-05 19:00:00 208,384 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMD43m.DLL
+ 2002-09-05 19:00:00 400,384 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMDR3m.DLL
+ 2002-09-05 19:00:00 17,920 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMFU3m.DLL
+ 2002-09-05 19:00:00 13,312 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMOP3m.DLL
+ 2002-09-05 19:00:00 23,280 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP03m.DAT
+ 2002-09-05 19:00:00 27,140 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP13m.DAT
+ 2002-09-05 19:00:00 30,320 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP23m.DAT
+ 2002-09-05 19:00:00 6,144 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMPI3m.DLL
+ 2002-09-05 19:00:00 57,856 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMPV3m.EXE
+ 2002-09-05 19:00:00 876,544 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSB3m.DLL
+ 2002-09-05 19:00:00 9,216 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSD3m.EXE
+ 2002-09-05 19:00:00 109,568 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSM3m.EXE
+ 2002-09-05 19:00:00 6,144 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSQ3m.EXE
+ 2002-09-05 19:00:00 47,104 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSR3m.DLL
+ 2002-09-05 19:00:00 110,080 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUB3m.DLL
+ 2002-09-05 19:00:00 1,406,976 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUI3m.DLL
+ 2002-09-05 19:00:00 146,944 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUR3m.DLL
+ 2002-09-05 19:00:00 13,824 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD3m.DLL
+ 2002-09-05 19:00:00 46,080 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP3m.DLL
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 17:29]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 21:05:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-13 21

31
ComboFix-quarantined-files.txt 2008-06-14 02

28
ComboFix2.txt 2008-06-13 16:18:53
ComboFix3.txt 2008-06-13 15:56:47

Pre-Run: 139,098,345,472 bytes free
Post-Run: 139,164,205,056 bytes free

159 --- E O F --- 2008-06-13 22:54:43

\Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:37 PM, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-1006.bak\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-1006.bak\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-1006.bak\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-1006.bak\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-1006.bak\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User '?')
O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-1007.bak\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-501\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Guest')
O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-501\..\Run: [9485cd11] rundll32.exe "C:\WINDOWS\system32\avwurjdd.dll",b (User 'Guest')
O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-501\..\Run: [BM97b6fe8d] Rundll32.exe "C:\WINDOWS\system32\jrdcefaw.dll",s (User 'Guest')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O23 - Service: McAfee Application Installer Cleanup (0154771213409802) (0154771213409802mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\fam\LOCALS~1\Temp\015477~1.EXE
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 7117 bytes

tetonbob · 06-13-2008, 07:45 PM

Hi Dwight -

Quote:

There are also weird symbols on the boot screen when first starting the computer.

Does the logon screen look something like this?

http://i195.photobucket.com/albums/z...screenshot.jpg

roblyerd · 06-14-2008, 08:39 AM

No, sir. Logon screen looks fine. It is the Dell boot screen, white text on black background, that has the problem. There is a horizontal line or two about 2" from the top of the screen that have odd ASCI symbols scattered across them. That was why I was thinking BIOS might have something to do with it. I know you are the security guys, so this question very well might belong in another forum. It was just that I saw this the first time I rebooted by friends machine and wondered if there might be a connection to some of the malware. However, now that the machine is about clean, that problem has not disappeared....

Thanx,
Dwight

tetonbob · 06-14-2008, 09:24 AM

Hmm, I had something if it had been what I thought...

It might be something in a BIOS setup, in which case, yes, somewhere else on the forum would be a better place to ask. Hardware forum, perhaps, in the BIOS section.

Let's finish the cleanup...

Open HijackThis and click on 'Do a System Scan Only'. Place a check next to the following entries if they exist (make sure you do not miss any) and click Fix Checked

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-501\..\Run: [9485cd11] rundll32.exe "C:\WINDOWS\system32\avwurjdd.dll",b (User 'Guest')
O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-501\..\Run: [BM97b6fe8d] Rundll32.exe "C:\WINDOWS\system32\jrdcefaw.dll",s (User 'Guest')

Close HijackThis now.

---------------------------------------------------------------------------------------------

Please run a new online scan with Panda ActiveScan, and post the log. Also post a new HijackThis log.

roblyerd · 06-16-2008, 10:30 AM

Sorry for the delay in responding.

Ran the Hijackthis and found none of the items you told us to look for.

Ran a new Panda scan. See attached.

Ran a second Hijackthis. Log is pasted below.

All the "infections" flagged by Panda caused some concern here, although we're hoping that all are not the type to worry about. If there are new infections, we'll want your advice on training the kids that use this machine in better safe surfing practices and also anti-malware protection that is better than McAfee!

Thanx,
Dwight

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:26 PM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ndows-i586.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 6804 bytes

tetonbob · 06-16-2008, 10:38 AM

Most of those items are cookies, or in quarantine folder, or in System Restore points. We'll address them all before we're done. I see no new active infections.

I'd be glad to offer you alternatives, there are a few excellent free AntiVirus and Firewall applications, or other paid applications.

Cookies are nothing to be worried about. They get installed on your computer everytime you visit any webpage. Now some of those are good cookies that get installed for ease of use for next time you visit the same page, but some cookies are spyware used for tracking users surfing habits.

Most of those cookies are third party cookies that can be blocked:

In Firefox go to Tools > Options > Privacy > Cookies

Click Exceptions, identify the site you want to block, and click on Block.

In IE go to Tools > Internet Options > Privacy and click on Advanced in the Privacy tab

Now put a check next to "Override automatic cookie handling"

Set first party cookies to Accept and third party cookies to Block

Also put a check to "Always allow session cookies" OK your way out.

This won't prevent all bad cookies from being installed, but will reduce the amount.

Also there is another program you can use.

Spywareblaster Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially unwanted sites in Internet Explorer.

You can read more about cookies at the Cookie Concept

You can tidy up with this tool:

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------

Open NOTEPAD.exe and copy/paste the text in the codebox below into it:

Code:

@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\Deckard\System Scanner\backup\DOCUME~1\fam\LOCALS~1\Temp\ProductPath\sysrep.exe"
"C:\Documents and Settings\Guest\s2.tmp"
"C:\Documents and Settings\Guest\s59.tmp"

) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)

for %%g in (

%systemdrive%\Deckard

) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:

Double click on fix.bat & allow it to run

Post back to tell me what it says

roblyerd · 06-16-2008, 11:06 AM

Done. Changed cookie settings. Ran ATF. Fix.bat returned "Deleted successfully."

What's Next? Have been shuttling back and forth to this computer, but will stay here to complete these final steps.

BTW, we upgraded the RAM to the minimum 512 with available DIMM.

tetonbob · 06-16-2008, 11:24 AM

From a malware perspective, we're done.

The other items found by Panda will be addressed by uninstalling ComboFix as instructed below.

Your logs appear clean.You should be good to go. We still have a few items to address.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue.The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
  - Applications and Applets
    Trace and Log Files
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Go to

-> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs:

Microsoft Windows Update - http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SpywareBlaster to help prevent spyware from installing in the first place.
- Install & update SpywareBlaster with the latest definitions.
  After you have updated, click the button - enable protection for all unprotected items
Winpatrol

Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

You can get a free copy of Winpatrol or use the Plus version for more features.

You can read Winpatrol's FAQ if you run into problems.
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
- Download Host.zip to your desktop.
- From your Desktop right-click (hosts.zip) and select:
  Extract All from the menu.
- Click Next, click Next, select the option:
  "Show Extracted files", click Finish
- This will open the newly created hosts folder on your Desktop.
- Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
- Once updated you should see another prompt that the task was completed.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

Do not install more than one AntiVirus program because they will conflict with each other.
FIREWALL
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here

Do not install more than one firewall program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.

http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

roblyerd · 06-16-2008, 01:12 PM

Thank you so much. All done. Ready to close this one.

Discovered that "search" won't work, so we're now going to post on the XP forum, as well as the bios forum for the hyroglyphics.

Best to you,
Dwight

tetonbob · 06-16-2008, 01:18 PM

Good deal.

You may want to have a look here under

Question: Why doesn't Search work?

http://www.kellys-korner-xp.com/top10faqs2.htm

06-12-2008, 06:32 PM	#2 (permalink)
roblyerd Registered User Join Date: Jun 2008 Posts: 10 OS: XP SP2	Re: Clogged Computer BUMP, please.

06-14-2008, 08:39 AM	#8 (permalink)
roblyerd Registered User Join Date: Jun 2008 Posts: 10 OS: XP SP2	Re: Clogged Computer No, sir. Logon screen looks fine. It is the Dell boot screen, white text on black background, that has the problem. There is a horizontal line or two about 2" from the top of the screen that have odd ASCI symbols scattered across them. That was why I was thinking BIOS might have something to do with it. I know you are the security guys, so this question very well might belong in another forum. It was just that I saw this the first time I rebooted by friends machine and wondered if there might be a connection to some of the malware. However, now that the machine is about clean, that problem has not disappeared.... Thanx, Dwight

06-14-2008, 09:24 AM	#9 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,622 OS: 2000 Pro; XP Pro; XP Home	Re: Clogged Computer Hmm, I had something if it had been what I thought... It might be something in a BIOS setup, in which case, yes, somewhere else on the forum would be a better place to ask. Hardware forum, perhaps, in the BIOS section. Let's finish the cleanup... Open HijackThis and click on 'Do a System Scan Only'. Place a check next to the following entries if they exist (make sure you do not miss any) and click Fix Checked R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-501\..\Run: [9485cd11] rundll32.exe "C:\WINDOWS\system32\avwurjdd.dll",b (User 'Guest') O4 - HKUS\S-1-5-21-790525478-1532298954-682003330-501\..\Run: [BM97b6fe8d] Rundll32.exe "C:\WINDOWS\system32\jrdcefaw.dll",s (User 'Guest') Close HijackThis now. --------------------------------------------------------------------------------------------- Please run a new online scan with Panda ActiveScan, and post the log. Also post a new HijackThis log. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

06-16-2008, 10:38 AM	#11 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,622 OS: 2000 Pro; XP Pro; XP Home	Re: Clogged Computer Most of those items are cookies, or in quarantine folder, or in System Restore points. We'll address them all before we're done. I see no new active infections. I'd be glad to offer you alternatives, there are a few excellent free AntiVirus and Firewall applications, or other paid applications. Cookies are nothing to be worried about. They get installed on your computer everytime you visit any webpage. Now some of those are good cookies that get installed for ease of use for next time you visit the same page, but some cookies are spyware used for tracking users surfing habits. Most of those cookies are third party cookies that can be blocked: In Firefox go to Tools > Options > Privacy > Cookies Click Exceptions, identify the site you want to block, and click on Block. In IE go to Tools > Internet Options > Privacy and click on Advanced in the Privacy tab Now put a check next to "Override automatic cookie handling" Set first party cookies to Accept and third party cookies to Block Also put a check to "Always allow session cookies" OK your way out. This won't prevent all bad cookies from being installed, but will reduce the amount. Also there is another program you can use. Spywareblaster Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially unwanted sites in Internet Explorer. You can read more about cookies at the Cookie Concept You can tidy up with this tool: Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu. --------------------------------------------------------------------------------------------- Open NOTEPAD.exe and copy/paste the text in the codebox below into it: Code: @echo off if exist "%temp%\log.txt" del "%temp%\log.txt" for %%g in ( "C:\Deckard\System Scanner\backup\DOCUME~1\fam\LOCALS~1\Temp\ProductPath\sysrep.exe" "C:\Documents and Settings\Guest\s2.tmp" "C:\Documents and Settings\Guest\s59.tmp" ) do ( del /a/f %%g >nul 2>&1 if exist %%g echo.%%g>>"%temp%\log.txt" ) for %%g in ( %systemdrive%\Deckard ) do ( rd /s/q %%g >nul 2>&1 if exist %%g echo.%%g>>"%temp%\log.txt" ) if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt" ) else echo.Deleted Successfully !! pause del %0 Save this as fix.bat Choose to "Save type as - All Files" It should look like this: Double click on fix.bat & allow it to run Post back to tell me what it says __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

06-16-2008, 11:06 AM	#12 (permalink)
roblyerd Registered User Join Date: Jun 2008 Posts: 10 OS: XP SP2	Re: Clogged Computer Done. Changed cookie settings. Ran ATF. Fix.bat returned "Deleted successfully." What's Next? Have been shuttling back and forth to this computer, but will stay here to complete these final steps. BTW, we upgraded the RAM to the minimum 512 with available DIMM.

06-16-2008, 11:24 AM	#13 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,622 OS: 2000 Pro; XP Pro; XP Home	Re: Clogged Computer From a malware perspective, we're done. The other items found by Panda will be addressed by uninstalling ComboFix as instructed below. Your logs appear clean.You should be good to go. We still have a few items to address. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop. Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6. The Java SE Runtime Environment (JRE) allows end-users to run Java applications." Click the "Download" button to the right. Select the Windows platform from the dropdown menu. Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue.The page will refresh. Click on the link to download Windows Offline Installation and save the file to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version. After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup) On the General tab, under Temporary Internet Files, click the Settings button. Next, click on the Delete Files button There are two options in the window to clear the cache - Leave BOTH Checked Applications and Applets Trace and Log Files Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Temporary Files Window Click OK to leave the Java Control Panel. --------------------------------------------------------------------------------------------- Go to -> Run -> copy/paste in the following single line command & click OK combofix /u This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points. Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs: Microsoft Windows Update - http://www.windowsupdate.com Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items Winpatrol Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here. You can get a free copy of Winpatrol or use the Plus version for more features. You can read Winpatrol's FAQ if you run into problems. MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Download Host.zip to your desktop. From your Desktop right-click (hosts.zip) and select: Extract All from the menu. Click Next, click Next, select the option: "Show Extracted files", click Finish This will open the newly created hosts folder on your Desktop. Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine. Once updated you should see another prompt that the task was completed. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out. Do not install more than one AntiVirus program because they will conflict with each other. FIREWALL Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here Do not install more than one firewall program because they will conflict with each other. Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer Here are some additional utilities that will further enhance your safety. http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine. http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles HOW DID I GET INFECTED IN THE FIRST PLACE? MAKING INTERNET EXPLORER SAFER PC Safety and Security--What Do I Need? If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

06-16-2008, 01:12 PM	#14 (permalink)
roblyerd Registered User Join Date: Jun 2008 Posts: 10 OS: XP SP2	Re: Clogged Computer Thank you so much. All done. Ready to close this one. Discovered that "search" won't work, so we're now going to post on the XP forum, as well as the bios forum for the hyroglyphics. Best to you, Dwight

06-16-2008, 01:18 PM	#15 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,622 OS: 2000 Pro; XP Pro; XP Home	Re: Clogged Computer Good deal. You may want to have a look here under Question: Why doesn't Search work? http://www.kellys-korner-xp.com/top10faqs2.htm __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.