There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
 
Tag Cloud
access audio avg avg 8 bios blue screen boot browser bsod computer crash css dell desktop driver drivers dvd email error excel explorer firefox firefox 3 freeze gimp graphics hard drive hardware help please hijackthis hjt hjt log install internet internet explorer itunes javascript keyboard laptop log malware monitor network networking openoffice outlook outlook 2003 outlook express password popups problem router seo slow sound sp3 spyware startup trojan usb video virtumonde virus vista vundo windows windows xp winxp wireless youtube
Malware Removal & HijackThis Logs
Search
Search in:
 
Advanced Search
Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
genericmultidropper.d, genericpacked, genericdownloader.x and of course VUNDO


HELLO AND WELCOME! Before you can post your question, you'll have to register -- it's completely free! Click here to join today! We highly recommend that you print a copy of our Guide for New Members. Enjoy!

Page 1 of 2 1 2 >
 
Thread Tools
Shemsu-Hor's Avatar
Junior Member with 9 posts.
  
Join Date: May 2008
Location: Elgin, Scotland
Experience: Advanced
10-May-2008, 12:02 PM #1
Unhappy genericmultidropper.d, genericpacked, genericdownloader.x and of course VUNDO
Hi guys,
Long time reader, first time poster.....
I'm normally quite switched on with virii, trojans etc but I'm in well over my depth with this one. Here we go, a friend has asked me to have a look at their machine as they thought it might have a virus. McAfee was stuck in a loop reporting Vundo and pretty much nothing else would work. Eventually managed to get McAfee out of it's predicament by booting clean in safe mode and deleting 'gocgsimi.ini' and 'imisgcog.dll'. McAfee then quite happily spent the next 52 HOURS scanning the machine and found approximately 49,000 infections within a hidden folder named ' in the windows\fonts folder. These were all thankfully quarantined. The problem I now have is that every time the machine boots it reports finding new trojans (different at each boot) the latest being those listed in the title. Internet explorer is also VERY reluctant to visit anywhere other than the sites the infection points it to and the machine is still getting popups asking to install the likes of 'Antispywaremaster' & 'Trustedantivirus', suggesting I was somewhat less than successfull in my attempts to remove the Vundo problem
Hijackthis log is listed below.
Any help/advice is very much appreciated.
Regards.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:34:07, on 10/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\17PHolmes1188.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=4061128
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=4061128
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.orange.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [f00b593d] rundll32.exe "C:\WINDOWS\system32\abdkglsd.dll",b
O4 - HKLM\..\Run: [BMf3386aa1] Rundll32.exe "C:\WINDOWS\system32\laiycoya.dll",s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Dell Network Assistant.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE3\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 10492 bytes
Cookiegal's Avatar
Administrator with 51,861 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
13-May-2008, 09:14 AM #2
Hi and welcome to TSG,

Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.
__________________
Microsoft MVP - Consumer Security

Alliance of Security Analysis Professionals
Shemsu-Hor's Avatar
Junior Member with 9 posts.
  
Join Date: May 2008
Location: Elgin, Scotland
Experience: Advanced
13-May-2008, 12:58 PM #3
Combofix
Hi there,
Many, many thanks for your time and effort, you really are a star.
I've installed and ran combofix on the machine in question and listed below is the log file along with the new Hijackthis log file as requested.
during the reboot a couple of warnings appeared saying 'urahmqui.dll' and 'abdkglsd.dll' could not be started as the files couldn't be found. Combofix seems to have deleted them according to the log but I'm just trying to be thorough.
Also, I haven't installed the recovery console as I can run it from the CD.
Thanks again,

ComboFix 08-05-12.1 - DAD 2008-05-13 17:24:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.496 [GMT 1:00]
Running from: C:\Documents and Settings\DAD\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Fonts\'
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\abdkglsd.dll
C:\WINDOWS\system32\avqtyusn.dll
C:\WINDOWS\system32\awoemlmd.dll
C:\WINDOWS\system32\BKkjQqru.ini
C:\WINDOWS\system32\BKkjQqru.ini2
C:\WINDOWS\system32\cohocpmg.dll
C:\WINDOWS\system32\dslgkdba.ini
C:\WINDOWS\system32\gydskvnj.dll
C:\WINDOWS\system32\laiycoya.dll
C:\WINDOWS\system32\laumcply.ini
C:\WINDOWS\system32\ljmsjurq.dll
C:\WINDOWS\system32\lpcngfie.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ndeftxul.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\phjpfoxe.ini
C:\WINDOWS\system32\pmnmmNHX.dll
C:\WINDOWS\system32\qntiwrip.ini
C:\WINDOWS\system32\TAGhjkkj.ini
C:\WINDOWS\system32\TAGhjkkj.ini2
C:\WINDOWS\system32\urahmque.dll
C:\WINDOWS\system32\urqQjkKB.dll
C:\WINDOWS\system32\vkrcflmo.dll
C:\WINDOWS\system32\wqlgjetf.dll
C:\WINDOWS\system32\wvpduldd.ini
C:\WINDOWS\system32\yxemcrey.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-13 17:21 . 2008-05-13 17:21 53,312 --a------ C:\WINDOWS\system32\ofyvdihb.dll
2008-05-10 16:33 . 2008-05-10 16:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-10 16:05 . 2008-05-10 16:05 2,112 --a------ C:\WINDOWS\system32\nmtcceug.exe
2008-05-10 16:00 . 2008-05-10 16:00 28,672 --a------ C:\WINDOWS\system32\opnkljjG.dll
2008-05-10 15:59 . 2008-05-10 15:59 53,312 --a------ C:\WINDOWS\system32\nadjqhas.dll
2008-05-08 20:20 . 2008-05-08 20:20 2,112 --a------ C:\WINDOWS\system32\ntnbejin.exe
2008-05-08 20:14 . 2008-05-08 20:14 53,312 --a------ C:\WINDOWS\system32\yfjqwhgt.dll
2008-05-07 23:16 . 2008-05-07 23:16 2,112 --a------ C:\WINDOWS\system32\oqoeksew.exe
2008-05-07 23:10 . 2008-05-07 23:10 53,312 --a------ C:\WINDOWS\system32\equrjeii.dll
2008-05-06 19:43 . 2008-05-06 19:43 2,112 --a------ C:\WINDOWS\system32\beigratd.exe
2008-05-06 19:40 . 2008-05-06 19:40 53,312 --a------ C:\WINDOWS\system32\kiimfjog.dll
2008-05-06 19:14 . 2008-05-06 19:14 2,112 --a------ C:\WINDOWS\system32\ylyqxfam.exe
2008-05-06 19:05 . 2008-05-06 19:05 53,312 --a------ C:\WINDOWS\system32\vxkaesji.dll
2008-05-06 18:45 . 2008-05-06 19:37 <DIR> d-------- C:\Program Files\MalwareAlarm
2008-04-25 17:19 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-25 17:19 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2008-04-18 18:04 . 2008-04-18 18:04 <DIR> d-------- C:\WINDOWS\system32\xcsDd18
2008-04-18 18:04 . 2008-04-18 18:04 <DIR> d-------- C:\Temp\berDrv11
2008-04-18 18:04 . 2008-04-18 18:04 <DIR> d-------- C:\Temp
2008-04-13 17:22 . 2008-04-13 17:22 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-04-13 17:22 . 2008-04-13 17:22 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-04-13 14:27 . 2008-04-13 14:27 <DIR> d-------- C:\Program Files\Zylom Games
2008-04-13 14:27 . 2008-04-13 14:27 <DIR> d-------- C:\Program Files\Shareaza
2008-04-13 14:27 . 2008-04-13 14:27 <DIR> d-------- C:\Program Files\MonopolyHereNowEdition_at
2008-04-13 11:42 . 2008-05-13 17:21 109,180 --a------ C:\WINDOWS\BMf3386aa1.xml

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-13 16:21 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-13 16:21 --------- d-----w C:\Program Files\Dl_cats
2008-05-10 14:58 --------- d-----w C:\Program Files\McAfee
2008-04-13 13:27 --------- d-----w C:\Program Files\Full Tilt Poker
2008-04-13 13:16 --------- d-----w C:\Program Files\RGB
2008-04-13 12:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-12 16:13 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-11 19:50 --------- d-----w C:\Documents and Settings\DAD\Application Data\Zylom
2008-04-11 19:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2008-04-10 18:24 --------- d-----w C:\Documents and Settings\DAD\Application Data\SpinTop
2008-03-28 19:05 --------- d-----w C:\Program Files\PartyGaming
2008-03-24 13:06 --------- d-----w C:\Program Files\Disc2Phone
2008-03-21 17:53 --------- d-----w C:\Program Files\Java
2008-02-17 18:17 1,286 -c--a-w C:\Documents and Settings\DAD\Application Data\wklnhst.dat
2007-05-13 16:16 251 -c--a-w C:\Program Files\wt3d.ini
2006-12-05 17:30 278,528 -c--a-w C:\Program Files\Common Files\FDEUnInstaller.exe
2007-11-10 13:58 88 -csh--r C:\WINDOWS\system32\84C138E885.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26735cf9-27f0-4f6d-9033-5421142cbde8}]
C:\WINDOWS\system32\avqtyusn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CAD13B5A-6917-4E76-B13F-5DA624D83219}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE11B357-FAF4-4DEE-AD3B-7BA2053B79FE}]
C:\WINDOWS\system32\urqQjkKB.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 22:57 395776]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-16 09:39 7323648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 11:20 282624 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 08:15 151552]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-11-10 00:22 497240]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-11-28 15:56 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-28 15:56 98304]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 15:20 462336]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 00:55 73728]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 18:30 152144]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-02-09 05:37 36904]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" [ ]
"f00b593d"="C:\WINDOWS\system32\abdkglsd.dll" [ ]
"BMf3386aa1"="C:\WINDOWS\system32\urahmque.dll" [ ]
"combofix"="C:\WINDOWS\system32\CF127.exe" [2004-08-10 06:00 388608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
AOL 9.0 Tray Icon.lnk - C:\Program Files\AOL 9.0\aoltray.exe [2006-11-28 15:55:51 156784]
Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-11-28 16:01:57 7168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXqRHxv]
cbXqRHxv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnmmNHX]
pmnmmNHX.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-02-15 18:40:43 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-03-01 01:00:06 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 17:28:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
.
**************************************************************************
.
Completion time: 2008-05-13 17:31:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-13 16:31:48

Pre-Run: 100,020,281,344 bytes free
Post-Run: 99,956,473,856 bytes free

209 --- E O F --- 2008-04-13 13:40:58







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:41:52, on 13/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=4061128
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.orange.co.uk/
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Dell Network Assistant.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE3\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O20 - Winlogon Notify: cbXqRHxv - cbXqRHxv.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 10223 bytes
Cookiegal's Avatar
Administrator with 51,861 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
13-May-2008, 04:44 PM #4
Open Notepad and copy and paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\ofyvdihb.dll
C:\WINDOWS\system32\nmtcceug.exe
C:\WINDOWS\system32\opnkljjG.dll
C:\WINDOWS\system32\nadjqhas.dll
C:\WINDOWS\system32\ntnbejin.exe
C:\WINDOWS\system32\yfjqwhgt.dll
C:\WINDOWS\system32\oqoeksew.exe
C:\WINDOWS\system32\equrjeii.dll
C:\WINDOWS\system32\beigratd.exe
C:\WINDOWS\system32\kiimfjog.dll
C:\WINDOWS\system32\ylyqxfam.exe
C:\WINDOWS\system32\vxkaesji.dll
C:\WINDOWS\BMf3386aa1.xml
C:\Program Files\wt3d.ini

Folder::
C:\Program Files\MalwareAlarm
C:\WINDOWS\system32\xcsDd18
C:\Temp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26735cf9-27f0-4f6d-9033-5421142cbde8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CAD13B5A-6917-4E76-B13F-5DA624D83219}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE11B357-FAF4-4DEE-AD3B-7BA2053B79FE}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Host Process"=- 
"f00b593d"=- 
"BMf3386aa1"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXqRHxv]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnmmNHX]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=-
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
__________________
Microsoft MVP - Consumer Security

Alliance of Security Analysis Professionals
Shemsu-Hor's Avatar
Junior Member with 9 posts.
  
Join Date: May 2008
Location: Elgin, Scotland
Experience: Advanced
13-May-2008, 05:15 PM #5
OK, here we go, contents of latest Combofix and Hijackthis log files.

Thank you,

ComboFix 08-05-12.1 - DAD 2008-05-13 22:02:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.587 [GMT 1:00]
Running from: C:\Documents and Settings\DAD\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\DAD\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\wt3d.ini
C:\WINDOWS\BMf3386aa1.xml
C:\WINDOWS\system32\beigratd.exe
C:\WINDOWS\system32\equrjeii.dll
C:\WINDOWS\system32\kiimfjog.dll
C:\WINDOWS\system32\nadjqhas.dll
C:\WINDOWS\system32\nmtcceug.exe
C:\WINDOWS\system32\ntnbejin.exe
C:\WINDOWS\system32\ofyvdihb.dll
C:\WINDOWS\system32\opnkljjG.dll
C:\WINDOWS\system32\oqoeksew.exe
C:\WINDOWS\system32\vxkaesji.dll
C:\WINDOWS\system32\yfjqwhgt.dll
C:\WINDOWS\system32\ylyqxfam.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\MalwareAlarm
C:\Program Files\MalwareAlarm\MalwareAlarm.lic
C:\Program Files\MalwareAlarm\MalwareAlarm0.ma
C:\Program Files\MalwareAlarm\MalwareAlarm1.ma
C:\Program Files\MalwareAlarm\mfc71.dll
C:\Program Files\MalwareAlarm\msvcp71.dll
C:\Program Files\MalwareAlarm\msvcr71.dll
C:\Program Files\MalwareAlarm\Uninstall.exe
C:\Program Files\wt3d.ini
C:\Temp
C:\WINDOWS\BMf3386aa1.xml
C:\WINDOWS\system32\beigratd.exe
C:\WINDOWS\system32\equrjeii.dll
C:\WINDOWS\system32\kiimfjog.dll
C:\WINDOWS\system32\nadjqhas.dll
C:\WINDOWS\system32\nmtcceug.exe
C:\WINDOWS\system32\ntnbejin.exe
C:\WINDOWS\system32\ofyvdihb.dll
C:\WINDOWS\system32\opnkljjG.dll
C:\WINDOWS\system32\oqoeksew.exe
C:\WINDOWS\system32\vxkaesji.dll
C:\WINDOWS\system32\xcsDd18
C:\WINDOWS\system32\yfjqwhgt.dll
C:\WINDOWS\system32\ylyqxfam.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-10 16:33 . 2008-05-10 16:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-25 17:19 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-25 17:19 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2008-04-13 17:22 . 2008-04-13 17:22 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-04-13 17:22 . 2008-04-13 17:22 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-04-13 14:27 . 2008-04-13 14:27 <DIR> d-------- C:\Program Files\Zylom Games
2008-04-13 14:27 . 2008-04-13 14:27 <DIR> d-------- C:\Program Files\Shareaza
2008-04-13 14:27 . 2008-04-13 14:27 <DIR> d-------- C:\Program Files\MonopolyHereNowEdition_at

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-13 16:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-13 16:21 --------- d-----w C:\Program Files\Dl_cats
2008-05-10 14:58 --------- d-----w C:\Program Files\McAfee
2008-04-13 13:27 --------- d-----w C:\Program Files\Full Tilt Poker
2008-04-13 13:16 --------- d-----w C:\Program Files\RGB
2008-04-13 12:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-12 16:37 147,456 ----a-w C:\WINDOWS\system32\vbzip10.dll
2008-04-12 16:13 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-11 19:50 --------- d-----w C:\Documents and Settings\DAD\Application Data\Zylom
2008-04-11 19:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2008-04-10 18:24 --------- d-----w C:\Documents and Settings\DAD\Application Data\SpinTop
2008-03-28 19:05 --------- d-----w C:\Program Files\PartyGaming
2008-03-24 13:06 --------- d-----w C:\Program Files\Disc2Phone
2008-03-21 17:53 --------- d-----w C:\Program Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 17:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 18:11 7,982 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-17 18:17 1,286 -c--a-w C:\Documents and Settings\DAD\Application Data\wklnhst.dat
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2006-12-05 17:30 278,528 -c--a-w C:\Program Files\Common Files\FDEUnInstaller.exe
2007-11-10 13:58 88 -csh--r C:\WINDOWS\system32\84C138E885.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-13_17.31.33.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 16:28:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-13 16:38:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 22:57 395776]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-16 09:39 7323648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 11:20 282624 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 08:15 151552]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-11-10 00:22 497240]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-11-28 15:56 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-28 15:56 98304]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 15:20 462336]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 00:55 73728]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 18:30 152144]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-02-09 05:37 36904]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
AOL 9.0 Tray Icon.lnk - C:\Program Files\AOL 9.0\aoltray.exe [2006-11-28 15:55:51 156784]
Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-11-28 16:01:57 7168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXqRHxv]
cbXqRHxv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-02-15 18:40:43 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-03-01 01:00:06 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 22:03:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-13 22:05:13
ComboFix-quarantined-files.txt 2008-05-13 21:04:43
ComboFix2.txt 2008-05-13 16:31:53

Pre-Run: 99,943,829,504 bytes free
Post-Run: 99,928,125,440 bytes free

180 --- E O F --- 2008-04-13 13:40:58



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:09:22, on 13/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=4061128
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.orange.co.uk/
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Dell Network Assistant.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE3\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 10239 bytes
Cookiegal's Avatar
Administrator with 51,861 posts.
  
Join Date: Aug 2003
Location: Quebec, Canada
13-May-2008, 06:38 PM #6
Open Notepad and copy and paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\vbzip10.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXqRHxv]
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
__________________
Microsoft MVP - Consumer Security

Alliance of Security Analysis Professionals
Shemsu-Hor's Avatar
Junior Member with 9 posts.
  
Join Date: May 2008
Location: Elgin, Scotland
Experience: Advanced
13-May-2008, 08:04 PM #7
This is my last post for the night as it's 1am over here and I need to be up for work at 6. Thank's for your help this evening Cookiegal you're a star. Hope to catch you tomorrow.

ComboFix 08-05-12.1 - DAD 2008-05-14 0:43:03.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.592 [GMT 1:00]
Running from: C:\Documents and Settings\DAD\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\DAD\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\vbzip10.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\vbzip10.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-10 16:33 . 2008-05-10 16:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-25 17:19 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-25 17:19 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2008-04-13 17:22 . 2008-04-13 17:22 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-04-13 17:22 . 2008-04-13 17:22 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-04-13 14:27 . 2008-04-13 14:27 <DIR> d-------- C:\Program Files\Zylom Games
2008-04-13 14:27 . 2008-04-13 14:27 <DIR> d-------- C:\Program Files\Shareaza
2008-04-13 14:27 . 2008-04-13 14:27 <DIR> d-------- C:\Program Files\MonopolyHereNowEdition_at

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-13 21:08 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-13 16:21 --------- d-----w C:\Program Files\Dl_cats
2008-05-10 14:58 --------- d-----w C:\Program Files\McAfee
2008-04-13 13:27 --------- d-----w C:\Program Files\Full Tilt Poker
2008-04-13 13:16 --------- d-----w C:\Program Files\RGB
2008-04-13 12:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-12 16:13 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-11 19:50 --------- d-----w C:\Documents and Settings\DAD\Application Data\Zylom
2008-04-11 19:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2008-04-10 18:24 --------- d-----w C:\Documents and Settings\DAD\Application Data\SpinTop
2008-03-28 19:05 --------- d-----w C:\Program Files\PartyGaming
2008-03-24 13:06 --------- d-----w C:\Program Files\Disc2Phone
2008-03-21 17:53 --------- d-----w C:\Program Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 17:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 18:11 7,982 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-17 18:17 1,286 -c--a-w C:\Documents and Settings\DAD\Application Data\wklnhst.dat
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2006-12-05 17:30 278,528 -c--a-w C:\Program Files\Common Files\FDEUnInstaller.exe
2007-11-10 13:58 88 -csh--r C:\WINDOWS\system32\84C138E885.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-13_17.31.33.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 16:28:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-13 21:07:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 22:57 395776]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-16 09:39 7323648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 11:20 282624 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 08:15 151552]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-11-10 00:22 497240]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-11-28 15:56 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-28 15:56 98304]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 15:20 462336]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 00:55 73728]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 18:30 152144]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-02-09 05:37 36904]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
AOL 9.0 Tray Icon.lnk - C:\Program Files\AOL 9.0\aoltray.exe [2006-11-28 15:55:51 156784]
Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-11-28 16:01:57 7168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-02-15 18:40:43 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-03-01 01:00:06 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 00:44:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-14 0:46:01
ComboFix-quarantined-files.txt 2008-05-13 23:45:27
ComboFix2.txt 2008-05-13 21:05:14
ComboFix3.txt 2008-05-13 16:31:53

Pre-Run: 99,923,628,032 bytes free
Post-Run: 99,910,619,136 bytes free

140 --- E O F --- 2008-04-13 13:40:58




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:56:10, on 14/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=4061128
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.orange.co.uk/
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER<