1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Alcra.F & Crypt.E

Discussion in 'Virus & Other Malware Removal' started by 1984 tribble, Jul 5, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. 1984 tribble

    1984 tribble Thread Starter

    Joined:
    Jul 5, 2007
    Messages:
    36
    I am running windows XP & having problems with freezes, my computer is very slow
    I think it is infected with Alcra.F worm & possibly Crypt.E trojan, I would be grateful for any help:confused:


    I Logfile of HijackThis v1.99.1
    Scan saved at 20:16:59, on 05/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\WINDOWS\essspk.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
    O2 - BHO: McAfee Privacy Service Popup Blocker - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
    O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
    O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Office Outlook] "C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE" /recycle
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm021YYGB
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Lottery%20Ticket/Images/stg_drm.ocx
    O16 - DPF: {255B1372-180C-4A22-A02D-1D4AB65F6AC2} (SDANetConClass Class) - file:///C:/Program%20Files/Magic%20Academy/Images/stg_drm.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Lottery%20Ticket/Images/armhelper.ocx
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
     
  2. 1984 tribble

    1984 tribble Thread Starter

    Joined:
    Jul 5, 2007
    Messages:
    36
  3. 1984 tribble

    1984 tribble Thread Starter

    Joined:
    Jul 5, 2007
    Messages:
    36
    My computer is infected with spyware, virus, worms,etc it's running very slow\freezing.
    Please help me eliminate it.:(
     
  4. 1984 tribble

    1984 tribble Thread Starter

    Joined:
    Jul 5, 2007
    Messages:
    36
  5. 1984 tribble

    1984 tribble Thread Starter

    Joined:
    Jul 5, 2007
    Messages:
    36
    :confused: I think there was a problem with my original thread, so I have tried again.
    My computer is infected with spyware,adware viruses etc. I am using Spyware Doctor, which has quarantined some, but not all the problems. My computer is v slow & freezes, also Outlook Express detected wo:confused: rm activity - How long does it usually take.

    I would be grateful for any help.

    Logfile of HijackThis v1.99.1
    Scan saved at 18:58:19, on 15/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    c:\program files\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\essspk.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\Program Files\TrojanHunter 4.7\THGuard.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
    O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm021YYGB
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Lottery%20Ticket/Images/stg_drm.ocx
    O16 - DPF: {255B1372-180C-4A22-A02D-1D4AB65F6AC2} (SDANetConClass Class) - file:///C:/Program%20Files/Magic%20Academy/Images/stg_drm.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Lottery%20Ticket/Images/armhelper.ocx
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,262
    Download AVG Anti-Spyware from HERE and save that file to your desktop. Note for AVG Free anti-virus users only: this is not the same program that you already have, this is an anti-spyware program.

    When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.


    1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
    2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed.
    4. Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.


    Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:

    1. Launch AVG Anti-Spyware by double clicking the icon on your desktop.
    2. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    3. AVG will now begin the scanning process. Please be patient as this may take a little time.
      Once the scan is complete, do the following:
    4. If you have any infections you will be prompted. Then select "Apply all actions."
    5. Next select the "Reports" icon at the top.
    6. Select the "Save report as" button in the lower left-hand of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
    7. Close AVG Anti-Spyware and reboot your system back into Normal Mode.


    Please go HERE to run Panda's ActiveScan
    • You need to use IE to run this scan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


    Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.
     
  7. 1984 tribble

    1984 tribble Thread Starter

    Joined:
    Jul 5, 2007
    Messages:
    36
    Thank you for replying. I did an AVG scan, 6 malaware items were found, but no report was available.
    Here are my HJT & Panda logs

    wLogfile of HijackThis v1.99.1
    Scan saved at 20:13:36, on 17/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
    C:\WINDOWS\essspk.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\sistray.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
    O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm021YYGB
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Lottery%20Ticket/Images/stg_drm.ocx
    O16 - DPF: {255B1372-180C-4A22-A02D-1D4AB65F6AC2} (SDANetConClass Class) - file:///C:/Program%20Files/Magic%20Academy/Images/stg_drm.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Lottery%20Ticket/Images/armhelper.ocx
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe


    Incident Status Location

    Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search\
    Potentially unwanted tool:application/funweb Not disinfected


    Spyware doctor has quarantined spyware, trojans & Adware. Outlook Express reported 'How long does it usually take' worm.

    Hope this is ok
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,262
    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
    • Instead of Windows loading as normal, the Advanced Options Menu should appear
    • Select the first option, to run Windows in Safe Mode, then press Enter
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to the clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
     
  9. 1984 tribble

    1984 tribble Thread Starter

    Joined:
    Jul 5, 2007
    Messages:
    36
    Thank you for your help. Here are the SDFix & HJT reports.

    SDFix: Version 1.92

    Run by gillygate on 20/07/2007 at 13:58

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    No Trojan Files Found




    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "C:\\Program Files\\ABBYY FineReader 4.0 Sprint\\sprint.exe"="C:\\Program Files\\ABBYY FineReader 4.0 Sprint\\sprint.exe:*:Disabled:ABBYY FineReader 4.0 Sprint"
    "C:\\Program Files\\Outlook Express\\msimn.exe"="C:\\Program Files\\Outlook Express\\msimn.exe:*:Enabled:Outlook Express"
    "C:\\Program Files\\Shareaza\\Shareaza.exe"="C:\\Program Files\\Shareaza\\Shareaza.exe:*:Disabled:Shareaza Ultimate File Sharing"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\GameBubbles\\Brave Dwarves 2\\BraveDwarves2.exe"="C:\\Program Files\\GameBubbles\\Brave Dwarves 2\\BraveDwarves2.exe:*:Enabled:BraveDwarves2"
    "C:\\Program Files\\DAP\\DAP.exe"="C:\\Program Files\\DAP\\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"

    Remaining Files:
    ---------------


    Files with Hidden Attributes:


    Finished


    Logfile of HijackThis v1.99.1
    Scan saved at 14:17:36, on 20/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    c:\program files\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\WINDOWS\essspk.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\sistray.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
    O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm021YYGB
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Lottery%20Ticket/Images/stg_drm.ocx
    O16 - DPF: {255B1372-180C-4A22-A02D-1D4AB65F6AC2} (SDANetConClass Class) - file:///C:/Program%20Files/Magic%20Academy/Images/stg_drm.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Lottery%20Ticket/Images/armhelper.ocx
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,262
    Download ComboFix to your Desktop.

    Reboot to Safe mode:

    Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done properly a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

    Perform the following actions in Safe Mode.
    • Double click combofix.exe and follow the prompts.
    • When finished, it will produce a log for you. Post that log and a new HijackThis log in your next reply
    Note: Do not mouseclick combofix's window while it's running as that may cause it to stall
     
  11. 1984 tribble

    1984 tribble Thread Starter

    Joined:
    Jul 5, 2007
    Messages:
    36
    Here are my Combofix & HJT Logs

    "gillygate" - 2007-07-23 13:50:34 - ComboFix 07-07-14.6 - Service Pack 2 NTFS [SAFE MODE]


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Documents and Settings\All Users.\documents\setup.exe
    C:\WINDOWS\system32\components
    C:\WINDOWS\system32\components\rlxf.dll
    C:\WINDOWS\system32\model.dat


    ((((((((((((((((((((((((( Files Created from 2007-06-23 to 2007-07-23 )))))))))))))))))))))))))))))))


    2007-07-22 18:03 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-20 13:56 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-07-18 17:09 <DIR> d-------- C:\Program Files\XoftSpySE
    2007-07-17 18:52 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-07-16 19:48 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-07-14 13:32 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-07-14 13:26 <DIR> d-------- C:\DOCUME~1\GILLYG~1\.housecall6.6
    2007-07-12 13:24 <DIR> d-------- C:\DOCUME~1\GILLYG~1\APPLIC~1\TrojanHunter
    2007-07-12 12:43 <DIR> d-------- C:\Program Files\TrojanHunter 4.7
    2007-07-09 16:29 <DIR> d-------- C:\Program Files\Common Files\iS3
    2007-07-08 18:45 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2007-07-08 17:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
    2007-07-08 16:34 <DIR> d-------- C:\VundoFix Backups
    2007-07-08 14:09 <DIR> d-------- C:\DOCUME~1\GILLYG~1\APPLIC~1\GlarySoft
    2007-07-05 16:56 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2007-07-05 16:56 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2007-07-05 16:56 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2007-07-05 16:56 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
    2007-07-05 16:56 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2007-07-05 16:56 <DIR> d-------- C:\Program Files\Spyware Doctor
    2007-07-05 16:56 <DIR> d-------- C:\DOCUME~1\GILLYG~1\APPLIC~1\PC Tools
    2007-07-03 16:15 164 --a------ C:\install.dat
    2007-07-02 18:48 <DIR> d-------- C:\DOCUME~1\GILLYG~1\APPLIC~1\Spyware Terminator
    2007-07-02 18:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spyware Terminator
    2007-06-30 18:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-06-30 14:01 <DIR> d-------- C:\DOCUME~1\GILLYG~1\APPLIC~1\Big Fish Games
    2007-06-29 13:08 <DIR> d-------- C:\Program Files\ReflexiveArcade
    2007-06-28 13:56 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-06-23 16:18 <DIR> d-------- C:\DOCUME~1\GILLYG~1\APPLIC~1\Mind Control Software


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-17 18:30:40 -------- d-----w C:\Program Files\Messenger
    2007-07-05 13:16:15 -------- d-----w C:\Program Files\Google
    2007-06-29 14:43:05 -------- d-----w C:\DOCUME~1\GILLYG~1\APPLIC~1\AdobeUM
    2007-06-28 12:43:54 -------- d-----w C:\Program Files\Common Files\Sandlot Shared
    2007-06-27 16:57:56 -------- d-----w C:\DOCUME~1\GILLYG~1\APPLIC~1\Zylom
    2007-06-23 15:19:17 -------- d-----w C:\DOCUME~1\GILLYG~1\APPLIC~1\PlayFirst
    2007-06-16 15:03:39 -------- d-----w C:\DOCUME~1\GILLYG~1\APPLIC~1\SpinTop
    2007-06-12 14:37:04 -------- d-----w C:\Program Files\AOL Games
    2007-06-12 13:12:43 4 ----a-w C:\WINDOWS\timelock.dat
    2007-06-06 15:34:01 103 ---ha-w C:\WINDOWS\popcinfo.dat
    2007-06-03 09:28:46 -------- d-----w C:\DOCUME~1\GILLYG~1\APPLIC~1\Gaijin Ent
    2007-05-31 12:51:40 -------- d-----w C:\DOCUME~1\GILLYG~1\APPLIC~1\Alawar
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-07 15:55:38 172,032 ----a-w C:\WINDOWS\system32\cncs32.dll
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-01-12 17:51:12 1,497,584 ----a-w C:\Program Files\ccsetup135.exe
    2006-08-11 16:28:12 1,456,312 ----a-w C:\Program Files\ccsetup130.exe
    2006-08-08 18:03:04 256,056 ----a-w C:\Program Files\netguard-reset.exe
    2005-12-29 18:48:41 2,817 ----a-w C:\Program Files\legitcheck.hta
    2005-07-17 17:20:54 6,363,648 ----a-w C:\Program Files\CJXP600SE.EXE
    2005-04-09 15:03:21 2,855,664 ----a-w C:\Program Files\PCSafe-2.3.7.exe
    2005-03-03 17:31:20 20,798,256 ----a-w C:\Program Files\AdbeRdr70_enu_full.exe
    2005-03-03 17:20:18 6,811,904 ----a-w C:\Program Files\psa2011se_us.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{41D68ED8-4CFF-4115-88A6-6EBB8AF19000}]
    2005-11-03 15:10 348160 --a------ c:\program files\mcafee\spamkiller\mcapfbho.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 11:15]
    "EssSpkPhone"="essspk.exe" [2002-05-31 11:34 C:\WINDOWS\essspk.exe]
    "VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 19:18]
    "VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 13:49]
    "OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 23:02]
    "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 19:29]
    "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 13:05]
    "MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 18:00]
    "MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2005-12-07 12:42]
    "MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 11:26]
    "MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2006-11-07 14:49]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
    "SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-06-27 13:54]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"=1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoShellSearchButton"=0 (0x0)
    "NoFileAssociate"=0 (0x0)
    "NoFileMenu"=0 (0x0)
    "NoResolveTrack"=1 (0x1)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 13:29]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "SoundMan"=SOUNDMAN.EXE
    "SiS Windows KeyHook"=C:\WINDOWS\system32\keyhook.exe
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"


    Contents of the 'Scheduled Tasks' folder
    2007-06-29 16:15:04 C:\WINDOWS\tasks\1-Click Maintenance.job
    2007-07-18 16:08:33 C:\WINDOWS\tasks\Symantec NetDetect.job
    2007-07-23 12:31:24 C:\WINDOWS\tasks\XoftSpySE 2.job
    2007-07-18 16:09:41 C:\WINDOWS\tasks\XoftSpySE.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-23 13:53:27
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-23 13:54:35
    C:\ComboFix-quarantined-files.txt ... 2007-07-23 13:54

    --- E O F ---


    Logfile of HijackThis v1.99.1
    Scan saved at 14:10:08, on 23/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    c:\program files\mcafee.com\agent\mcupdate.exe
    c:\program files\mcafee.com\vso\mcvsshld.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\WINDOWS\essspk.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\sistray.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\WINDOWS\System32\imapi.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
    O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm021YYGB
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Lottery%20Ticket/Images/stg_drm.ocx
    O16 - DPF: {255B1372-180C-4A22-A02D-1D4AB65F6AC2} (SDANetConClass Class) - file:///C:/Program%20Files/Magic%20Academy/Images/stg_drm.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Lottery%20Ticket/Images/armhelper.ocx
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,262
    Download GMER from: http://majorgeeks.com/download.php?det=5198

    Save it somewhere on your hard drive and unzip it to desktop.

    Double click the gmer.exe to run it and select the rootkit tab and press scan. When the scan is done, click Copy. This will copy the report to the clipboard. Paste it into Notepad and save it and also paste the log report back here please.
     
  13. 1984 tribble

    1984 tribble Thread Starter

    Joined:
    Jul 5, 2007
    Messages:
    36
    Thank you for your help. Here is the GMER report


    GMER 1.0.13.12551 - http://www.gmer.net
    Rootkit scan 2007-07-26 17:25:59
    Windows 5.1.2600 Service Pack 2


    ---- Devices - GMER 1.0.13 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F9EFC466] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F9F0494A] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F9EFC8A4] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F9EFC31C] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F9F0541E] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F9EFC408] sisidex.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F9FACBC0] ikfileflt.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F5C11930] naiavf5x.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F5C11930] naiavf5x.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F67A229C] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F67A229C] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F67A229C] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F67A64EA] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F67A229C] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F67A229C] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F67A229C] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F67A229C] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F67A229C] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F67A64EA] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F67A229C] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F67A229C] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F67A229C] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F67A229C] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F67A229C] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F67A64EA] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F67A229C] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F67A229C] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F67A229C] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F67A229C] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F67A229C] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F67A64EA] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F67A229C] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F67A229C] MpFirewall.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [804FB8DE] ntoskrnl.exe
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [804FB8DE] ntoskrnl.exe

    ---- EOF - GMER 1.0.13 ----
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,262
    Go to Control Panel - Add/Remove programs and remove:

    FunWebProducts
    MyWebSearch



    Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.

    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm021YYGB



    Reboot and post a new HijackThis log please.
     
  15. 1984 tribble

    1984 tribble Thread Starter

    Joined:
    Jul 5, 2007
    Messages:
    36
    I really appreciate all your help. Here is my new HJT Log


    Logfile of HijackThis v1.99.1
    Scan saved at 19:01:11, on 27/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\WINDOWS\essspk.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\WINDOWS\system32\sistray.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\WINDOWS\System32\imapi.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
    O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Lottery%20Ticket/Images/stg_drm.ocx
    O16 - DPF: {255B1372-180C-4A22-A02D-1D4AB65F6AC2} (SDANetConClass Class) - file:///C:/Program%20Files/Magic%20Academy/Images/stg_drm.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Lottery%20Ticket/Images/armhelper.ocx
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/592144

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice