Post #1, 12-27-2008, 07:42 PM, by chkchkka (Registered User, Missouri; OS: XP Home Edition Service Pack 3)

Vundo Trojan Attacks

In reading "first steps" link: Disable any script blocker, and then double click dds.scr to run the tool.

Where do I find the script blocker? I use IE 7, XP. Thank you
Post #2, 12-29-2008, 05:24 PM, by chkchkka (Registered User, Missouri; OS: XP Home Edition Service Pack 3)

Vundo Trojan Attacks

Here's my system info. Dell Dimension DXP061, Intel® Core™ 2 CPU 6700 @ 2.66GHz. Windows XP Home Version 2002, SP3. IE 7.0.5730.13. I have loaded the upgrades from the MS website.

I use McAfee Total Protection: Security Center 9.0, VirusScan 13.0, Personal Firewall 10.0, SiteAdvisor 2.9, Anti-Spam 10.0.

I have been experiencing pop-ups constantly, opening new windows (pop-up blocker wasn’t stopping them).

McAfee has located and quarantined the following in C:\windows\system32 (going back to 12/2):
Husosaza.dil.tmp Nogezote.dll.tmp Vepujoto.dll.tmp Buvoyaki.dill
Dararudi.dll.tmp Givinoye.dill.tmp Kataliwo.dll.tmp Katowola.dll
Kojofaba.dll Lagadaza.dll Lewowesa.dll.tmp Maligohoa.dll
Mijejabe.dll Mupitera.dll Pikusuba.dll Pazowaha.dll
Tiwedihu.dll Vavedena.dll Vepujoto.dll Vobuturi.dll
Vozutiso.dll Yatevippi.dll.tmp Zimuworo.dll Zosusewa.dll
Dijineho.dll Fapumoke.dll.tmp

McAfee has also located and quarantined c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\rp256\a0041869.dll, a0041870.dll, a0042320.dll, a0042321.dll, a0042322.dll, and on & on

I actually paid McAfee to clean viruses off my computer, of which they removed 2. When I logged on again, I had several more of them. Since I had 5 days to correct any problems, I contacted them and they cleaned it again, removing 6 more. They did a system restore and reset my IE to the default mode.

Two days later, I ran a Windows OneCare scan, and it found:

Virus located: Trojan:win32/vundo.JD.dll & Trojan:win32/vundo.Gen!AH.
c:\windows\system32\rulosuka.dill.tmp
c:\windows\system32\milevige.dll.tmp
c:\windows\system32\gokegubo.dll.tmp

I am to the point now I don’t feel safe on the computer. I use it daily with McAfee Site advisor to make sure I don’t go anywhere I’m not supposed to.

Your assistance is greatly appreciated.

See DDS below (I disabled Script Scanning Protection in McAfee to run it). Attached ark.txt and Attach.txt.

DDS (Version 1.1.0) - NTFSx86
Run by Kerry Cejka at 17:19:38.95 on Mon 12/29/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2360 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Mcafee\MWL\MWLGui.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Mcafee\MWL\MwlSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Kerry Cejka\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://us.rd.yahoo.com/clientapps/AutoSearch/SearchBarCU/YSetSearch/2008/12/21/*http://www.yahoo.com/ext/search/search.html
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {473a4354-a3fe-404b-9299-9e197ffebb46} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [MWLExe] c:\program files\mcafee\mwl\MWLGui.exe /Start
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [USSShReg] c:\progra~1\uleads~1\uleadp~1.2\ssaver\Ussshreg.exe /r
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\albumf~1.lnk - c:\program files\ulead systems\ulead photoimpact 4.2\ABMTSR.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\raramuge.dll c:\windows\system32\hogumana.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\raramuge.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-7-22 207656]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\mcafee\siteadvisor\McSACore.exe" [2008-10-2 206096]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-7-22 358736]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-7-22 144704]
R2 YahooAUService;Yahoo! Updater;"c:\program files\yahoo!\softwareupdate\YahooAUService.exe" [2008-11-9 602392]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-7-22 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-7-22 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-7-22 35240]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-7-22 34152]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-7-22 40488]
S3 Boonty Games;Boonty Games;"c:\program files\common files\boonty shared\service\Boonty.exe" [2007-12-26 69120]

=============== Created Last 30 ================

2008-12-27 12:42 <DIR> --d----- C:\!KillBox
2008-12-23 20:23 <DIR> --d----- c:\program files\Citrix
2008-12-23 20:18 1,744 a---h--- c:\windows\system32\rosupiwa
2008-12-21 19:08 <DIR> --d----- c:\windows\pss
2008-12-20 20:03 <DIR> --d----- c:\program files\common files\Scanner
2008-12-20 20:03 <DIR> --d----- c:\program files\CA Yahoo! Anti-Spy

==================== Find3M ====================

2008-12-13 00:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-11-06 16:58 747,873 a------- c:\program files\gmer114.zip
2008-11-01 19:29 61,224 a------- c:\documents and settings\kerry cejka\GoToAssistDownloadHelper.exe
2008-10-24 05:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 06:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 07:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 07:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 10:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 01:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 01:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-10-11 16:05 78,351 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-03 04:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 04:02 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2007-11-25 13:03 571,046 ac------ c:\program files\printkey510ef.zip
2007-09-23 14:45 5,903,928 ac------ c:\program files\picasaweb-current-setup.exe
2007-09-23 10:11 6,860,800 ac------ c:\program files\G2S40S30WI390EN.exe
2007-08-26 17:21 5,534,720 ac------ c:\program files\n670uwin7031en.exe
2007-08-26 17:20 8,807 ac------ c:\program files\License_EN.txt

============= FINISH: 17:19:53.25 ===============
Attached files: ark.zip (846 Bytes), Attach.zip (2.7 KB)
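As an added illustration (not part of this thread and not a feature of DDS), the script below picks out of a DDS "Pseudo HJT Report" the load points an analyst looks at first: AppInit_DLLs entries, LSA Notification Packages, and BHOs registered with no backing file. The sample input is constructed from lines of the report above; the assumption that scecli is the only default LSA package on XP, and the "8 random lowercase letters in system32" naming rule, are the author's heuristics, not DDS output.

```python
"""Triage load points in a DDS 'Pseudo HJT Report' (added example, not a DDS feature)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the DDS report above.
SAMPLE_REPORT = """\
uStart Page = hxxp://www.yahoo.com/
BHO: NoExplorer - No File
BHO: {473a4354-a3fe-404b-9299-9e197ffebb46} - No File
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\\progra~1\\mcafee\\sitead~1\\mcieplg.dll
AppInit_DLLs: c:\\progra~1\\google\\google~1\\goec62~1.dll c:\\windows\\system32\\raramuge.dll c:\\windows\\system32\\hogumana.dll
LSA: Notification Packages = scecli c:\\windows\\system32\\raramuge.dll
"""

# Assumption: scecli is the only value expected by default in XP's LSA
# Notification Packages; anything else deserves a look.
DEFAULT_LSA_PACKAGES = {"scecli"}

# Heuristic: Vundo-era droppers used 8 random lowercase letters, placed straight in system32.
RANDOM_DLL = re.compile(r"(?:^|\\)[a-z]{8}\.dll$")


@dataclass(frozen=True)
class Finding:
    load_point: str  # persistence mechanism the entry is registered under
    value: str       # path or name exactly as it appears in the report
    severity: str    # "high", "review" or "low"
    reason: str


def basename(path: str) -> str:
    """Last path component, case-folded; DDS prints Windows paths with backslashes."""
    return path.rsplit("\\", 1)[-1].lower()


def _classify_dll(load_point: str, path: str) -> Finding:
    """Any DLL in these load points is worth a look; random names in system32 more so."""
    p = path.lower()
    if "\\system32\\" in p and RANDOM_DLL.search(p):
        return Finding(load_point, path, "high",
                       "random 8-letter DLL name in system32 (Vundo naming pattern)")
    return Finding(load_point, path, "review",
                   "third-party DLL registered in a system-wide load point")


def triage(report: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("AppInit_DLLs:"):
            # Every DLL listed here is loaded into each process that maps user32.dll.
            for item in line.split(":", 1)[1].split():
                findings.append(_classify_dll("AppInit_DLLs", item))
        elif line.startswith("LSA: Notification Packages"):
            # Packages listed here are loaded by lsass.exe and called on password changes.
            for item in line.split("=", 1)[1].split():
                if item.lower() in DEFAULT_LSA_PACKAGES:
                    continue
                findings.append(_classify_dll("LSA Notification Packages", item))
        elif line.startswith("BHO:") and line.endswith("- No File"):
            # A browser helper object whose DLL is gone: usually a leftover from an
            # earlier removal, low severity on its own but worth cleaning up.
            entry = line[len("BHO:"):-len("- No File")].strip()
            findings.append(Finding("BHO", entry, "low",
                                    "BHO registered with no backing file"))
    return findings


def multi_load_point(findings: list[Finding]) -> set[str]:
    """DLLs registered under more than one load point: a strong persistence signal."""
    seen: dict[str, set[str]] = {}
    for f in findings:
        if f.value.lower().endswith(".dll"):
            seen.setdefault(basename(f.value), set()).add(f.load_point)
    return {name for name, points in seen.items() if len(points) > 1}


if __name__ == "__main__":
    results = triage(SAMPLE_REPORT)
    for f in results:
        print(f"[{f.severity:6}] {f.load_point}: {f.value}  ({f.reason})")
    print("registered in several load points:", multi_load_point(results))
```

On the constructed sample this flags raramuge.dll and hogumana.dll as high, reports raramuge.dll as present in both AppInit_DLLs and the LSA package list, and lists the two orphaned BHOs separately.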
Post #3, 12-30-2008, 04:18 PM, by Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Ohio; OS: WinXP and Vista)

Re: Vundo Trojan Attacks

Hello chkchkka,

No AV will effectively remove this infection; specialty tools are required.

With McAfee quarantining a piece of your system volume information cache, your System Restore 'chain' has now been broken and System Restore will not be able to complete for you. It's important to have a fall back point. Even an infected one is better than none at all should things go from bad to worse.

Let's set one now.

* Click Start >> Run, type SYSDM.CPL & press Enter
* Select the System Restore tab
* Tick the checkbox "Turn off System Restore on all drives"
* Click Apply
* Then untick the same checkbox & click OK
Windows will automatically create the new Restore point.

--------------------------------------------------

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Post #4, 12-30-2008, 07:00 PM, by chkchkka (Registered User, Missouri; OS: XP Home Edition Service Pack 3)

Re: Vundo Trojan Attacks

Thank you, Ried, for your quick reply. I will start with the instructions you provided. Wish me "luck".
Post #5, 12-30-2008, 08:23 PM, by chkchkka (Registered User, Missouri; OS: XP Home Edition Service Pack 3)

Re: Vundo Trojan Attacks

Ried, I have tried to install the Recovery Console. Here are my problems: I was advised the system on my CD is older than the version on my computer.

I clicked OK and it gave me a Windows Setup prompt. I clicked Yes, and the "Dynamic Update" screen did not appear. It downloaded the information onto my computer. I was advised the Windows Recovery Console was successfully installed. I clicked OK.

So, I hope I did this right.

ComboFix 08-12-30.01 - Kerry Cejka 2008-12-30 21:36:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2605 [GMT -6:00]
Running from: c:\documents and settings\Kerry Cejka\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BOONTY_GAMES
-------\Service_Boonty Games


((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.

2008-12-29 17:24 . 2008-12-29 17:24 250 --a------ c:\windows\gmer.ini
2008-12-27 12:42 . 2008-12-27 12:42 <DIR> d-------- C:\!KillBox
2008-12-23 20:23 . 2008-12-23 20:23 <DIR> d-------- c:\program files\Citrix
2008-12-23 20:18 . 2008-12-23 20:48 1,744 --ah----- c:\windows\system32\rosupiwa
2008-12-20 20:03 . 2008-12-20 20:03 <DIR> d-------- c:\program files\Common Files\Scanner
2008-12-20 20:03 . 2008-12-20 20:05 <DIR> d-------- c:\program files\CA Yahoo! Anti-Spy
2008-12-20 19:45 . 2008-12-20 19:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-12-20 19:45 . 2008-12-20 19:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-20 10:07 . 2008-12-28 15:54 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-11-14 21:14 . 2008-11-14 21:14 <DIR> d-------- c:\documents and settings\Kerry Cejka\Application Data\InstallShield
2008-11-14 21:07 . 2008-07-29 11:27 208,896 --a------ c:\windows\system32\ConTest.dll
2008-11-14 21:07 . 2008-08-20 17:44 45,056 --a------ c:\windows\system32\CreateLog.dll
2008-11-14 21:07 . 2007-07-03 11:48 36,864 --a------ c:\windows\system32\ascbalon.dll
2008-11-14 21:07 . 2007-07-03 11:48 20,480 --a------ c:\windows\system32\SysRestore.dll
2008-11-14 21:06 . 2008-11-15 09:20 <DIR> d-------- c:\program files\Ascentive
2008-11-12 16:57 . 2008-12-20 13:06 <DIR> d-------- c:\documents and settings\Kerry Cejka\Application Data\Yahoo!
2008-11-12 16:20 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 16:19 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-06 16:58 . 2008-11-06 16:58 <DIR> d-------- c:\program files\gmer114
2008-11-06 16:58 . 2008-11-06 16:58 747,873 --a------ c:\program files\gmer114.zip
2008-11-03 16:12 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-11-03 16:12 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-02 13:56 . 2008-11-02 13:56 <DIR> d-------- c:\windows\system32\Dell
2008-11-02 07:47 . 2008-11-02 07:47 <DIR> d-------- c:\documents and settings\Kerry Cejka\Application Data\McAfee
2008-11-01 19:37 . 2008-11-01 19:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Citrix
2008-11-01 19:29 . 2008-11-01 19:29 61,224 --a------ c:\documents and settings\Kerry Cejka\GoToAssistDownloadHelper.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 16:07 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-21 01:45 --------- d-----w c:\program files\Yahoo!
2008-12-20 13:34 --------- d-----w c:\program files\McAfee
2008-11-30 21:41 --------- d-----w c:\program files\America Online 9.0
2008-11-15 03:14 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-04 21:35 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-02 20:59 --------- d-----w c:\documents and settings\All Users\Application Data\Dell
2007-11-25 19:03 571,046 -c--a-w c:\program files\printkey510ef.zip
2007-09-23 20:45 5,903,928 -c--a-w c:\program files\picasaweb-current-setup.exe
2007-09-23 16:11 6,860,800 -c--a-w c:\program files\G2S40S30WI390EN.exe
2007-08-26 23:21 5,534,720 -c--a-w c:\program files\n670uwin7031en.exe
2007-08-26 23:20 8,807 -c--a-w c:\program files\License_EN.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-11-20 15:21 160496 --a------ c:\program files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-10 7323648]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-16 169984]
"MWLExe"="c:\program files\Mcafee\MWL\MWLGui.exe" [2007-07-28 1279336]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 496752]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-07-16 26112]
"USSShReg"="c:\progra~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe" [1997-11-23 20992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-07-16 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-11-21 25214]
Album Fast Start.lnk - c:\program files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE [2007-09-23 22528]
Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2007-11-25 869376]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\McAfee\\MWL\\MwlSvc.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtsvc.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcmscsvc.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-10-02 206096]
R2 YahooAUService;Yahoo! Updater;"c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe" [2008-11-09 602392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-01-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2008-04-13 18:12]

2007-09-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
- - - - ORPHANS REMOVED - - - -

BHO-{473a4354-a3fe-404b-9299-9e197ffebb46} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

c:\windows\Downloaded Program Files\stg_drm.ocx - c:\windows\Downloaded Program Files\CONFLICT.1\stg_drm.ocx
O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}
file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20China/Images/stg_drm.ocx

c:\windows\Downloaded Program Files\armhelper.ocx - O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54}
file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20China/Images/armhelper.ocx
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 21:40:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2035052980-3311108617-1673203947-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-2035052980-3311108617-1673203947-1006
@Allowed: (Full) (S-1-5-21-2035052980-3311108617-1673203947-1006)
@Allowed: (Full) (S-1-5-21-2035052980-3311108617-1673203947-1006)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)

[HKEY_USERS\S-1-5-21-2035052980-3311108617-1673203947-1006\Software\Microsoft\SystemCertificates\AddressBook*\Certificates]
@Security="Inherited"

[HKEY_USERS\S-1-5-21-2035052980-3311108617-1673203947-1006\Software\Microsoft\SystemCertificates\AddressBook*\CRLs]
@Security="Inherited"

[HKEY_USERS\S-1-5-21-2035052980-3311108617-1673203947-1006\Software\Microsoft\SystemCertificates\AddressBook*\CTLs]
@Security="Inherited"

[HKEY_LOCAL_MACHINE\software\Sigmatel\GlobalState]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=Administrators
@Denied: (Full) (Guests)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (B 1 2 3 4 5) (S-1-5-4)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\system32\drivers\CDANTSRV.EXE
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\McAfee\MWL\MwlSvc.exe
.
**************************************************************************
.
Completion time: 2008-12-30 21:42:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-31 03:42:08

Pre-Run: 230,616,133,632 bytes free
Post-Run: 230,603,755,520 bytes free

195 --- E O F --- 2008-12-22 00:09:45

Post #6, 01-01-2009, 11:43 AM, by Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Ohio; OS: WinXP and Vista)

Re: Vundo Trojan Attacks

You did just fine installing the Recovery Console.

The logs look good. It is important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
Post #7, 01-01-2009, 02:38 PM, by chkchkka (Registered User, Missouri; OS: XP Home Edition Service Pack 3)

Re: Vundo Trojan Attacks

Ried, I opened the link to Kaspersky, followed the prompt to download Java Version 1.5. Verified it downloaded. Disabled McAfee Spyware, script scanning and Systems Guards. I cannot proceed, as the accept button is 'grayed' out. I have tried reconnecting to Kaspersky, it advises me to install java again. Did it again. I then checked my internet options, verified on the advance tab, the box is checked for Java Version. Also checked the Security tab, custom level, Scripting of Java applets is enabled.

I then deleted the other JAVA program (J2SE 5.0 update 6).

What am I doing wrong?

Help

Last edited by chkchkka; 01-01-2009 at 02:48 PM.
chkchkka is offline  
Old 01-01-2009, 04:29 PM   #8 (permalink)
Registered User
 
Join Date: Dec 2008
Location: Missouri
Posts: 10
OS: XP Home Edition Service Pack 3


Re: Vundo Trojan Attacks

Ried, I was able to find the error noted in the previous post.

Oops! I did the scan, and realized Real Time was not turned off. Will send a new report to you. Sorry

Last edited by chkchkka; 01-01-2009 at 04:41 PM.
chkchkka is offline  
Old 01-02-2009, 10:35 AM   #9 (permalink)
Registered User
 
Join Date: Dec 2008
Location: Missouri
Posts: 10
OS: XP Home Edition Service Pack 3


Re: Vundo Trojan Attacks

Sorry this took so long to respond. I was having trouble disabling McAfee for the total amount of time required to run Kaspersky...see attached report. I also noticed Kaspersky does not check for Viruses, Trojans, rootkits - (found in settings). It is grayed out.

I have to share with you of one change on my side...I didn't realize when I ran DDS and Combofix, I didn't have my external drive on. I only use this as my backup drive and usually keep it off when I am surfing the web. If I need to redo these scans, please let me know? So Sorry.

Also, I enabled McAfee right after the Kaspersky scan. The scan reports a potentially unwanted program: RemAdm-ProcLaunch!171 (associated with ComboFix).

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, January 2, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, January 02, 2009 12:07:56
Records in database: 1547934
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 87298
Threat name: 4
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 00:49:45


File name / Threat name / Threats count
E:\AOL Toolbar\toolbar.dll Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
E:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\82508710.asw Infected: not-a-virus:AdWare.Win32.ImiBar.b 1
E:\Program Files\Ebates_MoeMoneyMaker\disp350.exe Infected: not-a-virus:AdWare.Win32.WebRebates.c 1
E:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe Infected: not-a-virus:AdWare.Win32.WebRebates.d 1

The selected area was scanned.
Attached Files
File Type: txt Kaspersky scan.txt (1.2 KB, 2 views)

Last edited by Ried; 01-02-2009 at 02:23 PM.
chkchkka is offline  
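The Kaspersky Online Scanner 7 report posted above is a fixed-format text file, which makes it easy to triage programmatically. As an added example (not code from the thread, from Kaspersky, or from the forum's tools), here is a small Python parser that extracts the scan statistics and the findings, cross-checks that the listed findings add up to the header totals, and separates "not-a-virus" (adware/PUP) verdicts from real malware verdicts. The sample report is copied from the post above; the function and field names are my own.

```python
import re
from collections import Counter

# Constructed sample: the statistics and findings sections of the Kaspersky
# Online Scanner 7 report posted in this thread (paths copied as posted).
SAMPLE_REPORT = r"""
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, January 2, 2009

Scan statistics:
Files scanned: 87298
Threat name: 4
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 00:49:45

File name / Threat name / Threats count
E:\AOL Toolbar\toolbar.dll Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
E:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\82508710.asw Infected: not-a-virus:AdWare.Win32.ImiBar.b 1
E:\Program Files\Ebates_MoeMoneyMaker\disp350.exe Infected: not-a-virus:AdWare.Win32.WebRebates.c 1
E:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe Infected: not-a-virus:AdWare.Win32.WebRebates.d 1

The selected area was scanned.
"""

# A finding line reads "<path> Infected: <threat name> <count>". The path may
# contain spaces, so it is matched non-greedily up to the verdict keyword.
FINDING_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)
STAT_RE = re.compile(
    r"^(?P<key>Files scanned|Infected objects|Suspicious objects): (?P<value>\d+)$"
)


def split_threat(name):
    """'not-a-virus:AdWare.Win32.WebRebates.c' -> ('not-a-virus', 'AdWare.Win32.WebRebates', 'c')."""
    prefix, _, rest = name.rpartition(":")      # prefix is '' when there is no 'not-a-virus:'
    family, _, variant = rest.rpartition(".")   # last dotted component is the variant letter
    return prefix, family, variant


def parse_report(text):
    """Return {'stats': {...}, 'findings': [...]} for one Kaspersky Online Scanner 7 report."""
    stats, findings = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = STAT_RE.match(line)
        if m:
            stats[m["key"]] = int(m["value"])
            continue
        m = FINDING_RE.match(line)
        if m:
            prefix, family, _variant = split_threat(m["threat"])
            path = m["path"]
            findings.append({
                "path": path,
                "drive": path[:2].upper() if path[1:2] == ":" else "",
                "verdict": m["verdict"],
                "threat": m["threat"],
                "pup": prefix == "not-a-virus",   # adware / PUP rather than malware
                "family": family,
                "count": int(m["count"]),
            })
    return {"stats": stats, "findings": findings}


def is_consistent(report):
    """Cross-check: the findings listed should add up to the header totals."""
    stats = report["stats"]
    expected = stats.get("Infected objects", 0) + stats.get("Suspicious objects", 0)
    return sum(f["count"] for f in report["findings"]) == expected


def family_counts(report):
    """How many hits per detection family, e.g. AdWare.Win32.WebRebates -> 2."""
    return Counter(f["family"] for f in report["findings"])


def triage(report):
    """Group finding paths by drive letter and by PUP versus malware verdict."""
    out = {}
    for f in report["findings"]:
        bucket = out.setdefault(f["drive"] or "?", {"pup": [], "malware": []})
        bucket["pup" if f["pup"] else "malware"].append(f["path"])
    return out


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print("totals consistent:", is_consistent(rep))
    for fam, n in family_counts(rep).most_common():
        print(f"{n:3d}  {fam}")
    for drive, groups in triage(rep).items():
        print(drive, "PUP:", len(groups["pup"]), "malware:", len(groups["malware"]))
```

On this report every hit is a "not-a-virus" adware verdict on the E: drive (the external backup disk the poster mentions), which is why the analyst's follow-up is a folder deletion rather than a full disinfection.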
Old 01-02-2009, 12:24 PM   #10 (permalink)
Registered User
 
Join Date: Dec 2008
Location: Missouri
Posts: 10
OS: XP Home Edition Service Pack 3


Re: Vundo Trojan Attacks

Ried, just received another alert from McAfee. I am not currently on IE, but have my computer on. Potentially Unwanted Program, Name: Tool-nitCmd. Told McAfee to remove it.

Thanks
chkchkka is offline  
Old 01-02-2009, 02:30 PM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,897
OS: WinXP and Vista


Re: Vundo Trojan Attacks

No worries about the delay, I appreciate your efforts.

Not much left to do. Click Start>My Computer and navigate to the following folder:

E:\Program Files\Ebates_MoeMoneyMaker

Right click the folder and select 'Delete'.

-----------------------------------------------

The files you told McAfee to remove belonged to ComboFix and were false alerts. I'll need you to delete your existing ComboFix.exe and download it again from here so we may perform important clean up measures with it.

As before, save it to your desktop.


If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and, based on their findings, rate them as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
Ried is offline  
Old 01-02-2009, 03:57 PM   #12 (permalink)
Registered User
 
Join Date: Dec 2008
Location: Missouri
Posts: 10
OS: XP Home Edition Service Pack 3


Re: Vundo Trojan Attacks

Completed the ComboFix (see below).

Ried, I currently have McAfee Total Protection, which includes Virus Protection, Spyware Protection, SystemsGuards, Email/IM Virus & Spam Protection. I am currently using McAfee Site Advisor. Automatic updates are currently enabled.

I appreciate your recommendation to get SpywareBlaster & IESpyAD Zoned Out. Wouldn't these be duplicates of what I already have? If not, I will take your advice.

Again, thank you for all your help

Hopefully, after you check the ComboFix, this thread can be considered Resolved.

ComboFix 09-01-01.02 - Kerry C 2009-01-02 16:27:24.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2603 [GMT -6:00]
Running from: c:\documents and settings\Kerry C\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
.

((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.

2009-01-01 15:07 . 2009-01-01 15:07 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-01 15:07 . 2009-01-01 15:07 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-31 09:58 . 2008-12-31 09:58 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-29 17:24 . 2008-12-29 17:24 250 --a------ c:\windows\gmer.ini
2008-12-27 12:42 . 2008-12-27 12:42 <DIR> d-------- C:\!KillBox
2008-12-23 20:23 . 2008-12-23 20:23 <DIR> d-------- c:\program files\Citrix
2008-12-23 20:18 . 2008-12-23 20:48 1,744 --ah----- c:\windows\system32\rosupiwa
2008-12-20 20:03 . 2008-12-20 20:03 <DIR> d-------- c:\program files\Common Files\Scanner
2008-12-20 20:03 . 2008-12-20 20:05 <DIR> d-------- c:\program files\CA Yahoo! Anti-Spy
2008-12-20 19:45 . 2008-12-20 19:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-12-20 19:45 . 2008-12-20 19:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-20 10:07 . 2008-12-28 15:54 <DIR> d-------- c:\program files\Windows Live Safety Center

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-01 21:43 --------- d-----w c:\program files\Java
2008-12-27 16:07 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-21 01:45 --------- d-----w c:\program files\Yahoo!
2008-12-20 19:06 --------- d-----w c:\documents and settings\Kerry C\Application Data\Yahoo!
2008-12-20 13:34 --------- d-----w c:\program files\McAfee
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-11-30 21:41 --------- d-----w c:\program files\America Online 9.0
2008-11-15 15:20 --------- d-----w c:\program files\Ascentive
2008-11-15 03:14 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-15 03:14 --------- d-----w c:\documents and settings\Kerry C\Application Data\InstallShield
2008-11-06 22:58 747,873 ----a-w c:\program files\gmer114.zip
2008-11-06 22:58 --------- d-----w c:\program files\gmer114
2008-11-04 21:35 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-02 20:59 --------- d-----w c:\documents and settings\All Users\Application Data\Dell
2008-11-02 13:47 --------- d-----w c:\documents and settings\Kerry C\Application Data\McAfee
2008-11-02 01:37 --------- d-----w c:\documents and settings\All Users\Application Data\Citrix
2008-11-02 01:29 61,224 ----a-w c:\documents and settings\Kerry C\GoToAssistDownloadHelper.exe
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ------w c:\windows\system32\dllcache\strmdll.dll
2007-11-25 19:03 571,046 -c--a-w c:\program files\printkey510ef.zip
2007-09-23 20:45 5,903,928 -c--a-w c:\program files\picasaweb-current-setup.exe
2007-09-23 16:11 6,860,800 -c--a-w c:\program files\G2S40S30WI390EN.exe
2007-08-26 23:21 5,534,720 -c--a-w c:\program files\n670uwin7031en.exe
2007-08-26 23:20 8,807 -c--a-w c:\program files\License_EN.txt
.

((((((((((((((((((((((((((((( snapshot@2008-12-30_21.41.35.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-07-14 23:32:24 69,632 ----a-w c:\windows\setupupd\temp\wsdueng.dll
- 2008-12-31 01:44:55 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-02 21:50:20 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-31 01:44:55 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-02 21:50:20 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-31 01:44:55 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-02 21:50:20 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-11-10 16:27:06 49,248 ----a-w c:\windows\system32\java.exe
+ 2009-01-01 21:07:33 144,792 ----a-w c:\windows\system32\java.exe
- 2005-11-10 16:27:16 49,250 ----a-w c:\windows\system32\javaw.exe
+ 2009-01-01 21:07:33 144,792 ----a-w c:\windows\system32\javaw.exe
- 2005-11-10 18:03:54 127,078 ----a-w c:\windows\system32\javaws.exe
+ 2009-01-01 21:07:33 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-01-02 22:14:34 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-11-20 15:21 160496 --a------ c:\program files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-10 7323648]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-16 169984]
"MWLExe"="c:\program files\Mcafee\MWL\MWLGui.exe" [2007-07-28 1279336]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 496752]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-07-16 26112]
"USSShReg"="c:\progra~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe" [1997-11-23 20992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-07-16 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-01 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-11-21 25214]
Album Fast Start.lnk - c:\program files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE [2007-09-23 22528]
Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2007-11-25 869376]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\McAfee\\MWL\\MwlSvc.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtsvc.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcmscsvc.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-10-02 206096]
R2 YahooAUService;Yahoo! Updater;"c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe" [2008-11-09 602392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-01-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2008-04-13 18:12]

2007-09-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

c:\windows\Downloaded Program Files\stg_drm.ocx - c:\windows\Downloaded Program Files\CONFLICT.1\stg_drm.ocx
O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}
file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20China/Images/stg_drm.ocx

c:\windows\Downloaded Program Files\armhelper.ocx - O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54}
file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20China/Images/armhelper.ocx
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 16:28:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-02 16:28:56
ComboFix-quarantined-files.txt 2009-01-02 22:28:33
ComboFix2.txt 2009-01-02 22:19:38
ComboFix3.txt 2008-12-31 03:42:12

Pre-Run: 230,468,771,840 bytes free
Post-Run: 230,461,247,488 bytes free

183 --- E O F --- 2008-12-22 00:09:45
chkchkka is offline  
Old 01-02-2009, 11:05 PM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,897
OS: WinXP and Vista


Re: Vundo Trojan Attacks

Hello chkchkka,

Quote:
Wouldn't this be duplicates for what I already have?
Not quite. All these programs do different things. Some of them may have features that are similar and may even "overlap" in a way, but for the most part, they will only have a "piece" of what other programs can do completely. For example, IE-Spyad is used to block out malware related sites. IE-Spyad will also block out some bad ActiveX controls, but SpywareBlaster probably does a more thorough job in this since it's focused in that area only.

Spyware Blaster focuses on bad ActiveX controls that try to download on your computer. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database, and list of restricted sites--after you've installed it, launch the program and click on each of the tabs on the main display page.

Best of all, the 2 programs mentioned above require no system resources. They are not what is referred to as 'active protection' - meaning they do not have to actively monitor everything you do to protect your system. You install them and that's it (although you will have to periodically check for updates). They do all their work behind the scenes.

Please carry out the following now:

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

After that has completed, you're good to go chkchkka.
Ried is offline  
Old 01-03-2009, 02:54 PM   #14 (permalink)
Registered User
 
Join Date: Dec 2008
Location: Missouri
Posts: 10
OS: XP Home Edition Service Pack 3


Re: Vundo Trojan Attacks

Thank you sooooo much for all your help!

I have learned more about my computer working with you than in any class.
chkchkka is offline  
Old 01-03-2009, 08:14 PM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,897
OS: WinXP and Vista


Re: Vundo Trojan Attacks

You're most welcome, chkchkka.

Take care, and surf safely.
Ried is offline  
Copyright 2001 - 2009, Tech Support Forum