1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

newbie needs hlep trojan irp_mj_create

Discussion in 'Virus & Other Malware Removal' started by bettyjobob, Oct 6, 2008.

Thread Status:
Not open for further replies.
Advertisement
  1. bettyjobob

    bettyjobob Thread Starter

    Joined:
    Aug 20, 2008
    Messages:
    24
    Newbie needs help with irp_mj_create. Mcaffee deletes the trojan but always reappears. Also I am getting a dep on bootup LSA shell export. Also getting random internet popups for a variety of commercial sites. I am running spyhunter and mcaffees. I am marginally literate on thes issues, if at all.

    HJT log attached. Thanks for any help.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:58:48 PM, on 10/6/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\BRMFRSMG.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Chaos Software\Chaos 6\alarm.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
    C:\Program Files\Chaos Software\Chaos 6\chaos.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
    C:\Program Files\WordPerfect Office 12\Programs\wpwin12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.dogpile.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: {e2256163-dc6f-8748-cb44-24d9987dbef2} - {2febd789-9d42-44bc-8478-f6cd3616522e} - C:\WINDOWS\system32\udwoim.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Alarm Monitor.lnk = C:\Program Files\Chaos Software\Chaos 6\alarm.exe
    O4 - Global Startup: Data Import Wizard.lnk.disabled
    O4 - Global Startup: Data Repair Utility.lnk.disabled
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: SmartUI.lnk = ?
    O4 - Global Startup: Time & Chaos.lnk = C:\Program Files\Chaos Software\Chaos 6\chaos.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O20 - AppInit_DLLs: udwoim.dll
    O23 - Service: McAfee Application Installer Cleanup (0203561223315210) (0203561223315210mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\020356~1.EXE
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    --
    End of file - 9660 bytes
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Please download Malwarebytes' Anti-Malware to your desktop
    from http://thespykiller.co.uk/downloads/mbam-setup.exe or http://www.malwarebytes.org/affiliates/thespykiller/mbam-setup.exe

    Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

    Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

    If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded.
    Once the program has loaded, select Perform quick scan, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.
    Be sure that everything is checked, and click Remove Selected.
    When completed, a log will open in Notepad.
    Please include this log in your next reply.
     
  3. bettyjobob

    bettyjobob Thread Starter

    Joined:
    Aug 20, 2008
    Messages:
    24
    Hi Derek: Thanks for your reply. Below is the log you requested. I will now reboot per malwarebytes.

    Malwarebytes' Anti-Malware 1.28
    Database version: 1234
    Windows 5.1.2600 Service Pack 3
    10/6/2008 4:01:41 PM
    mbam-log-2008-10-06 (16-01-41).txt
    Scan type: Quick Scan
    Objects scanned: 56102
    Time elapsed: 7 minute(s), 52 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 19
    Registry Values Infected: 3
    Registry Data Items Infected: 0
    Folders Infected: 15
    Files Infected: 8
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    C:\WINDOWS\SYSTEM32\udwoim.dll (Trojan.Vundo) -> Delete on reboot.
    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2febd789-9d42-44bc-8478-f6cd3616522e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{2febd789-9d42-44bc-8478-f6cd3616522e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati5rpxx (Rootkit.Agent) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ati5rpxx (Rootkit.Agent) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati5rpxx (Rootkit.Agent) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhc3u8j0ep3v (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\rhc3u8j0ep3v (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpsr (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhc3u8j0ep3v (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\rhc3u8j0ep3v (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim Powell\Application Data\rhc3u8j0ep3v (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim Powell\Application Data\rhc3u8j0ep3v\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim Powell\Application Data\rhc3u8j0ep3v\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim Powell\Application Data\rhc3u8j0ep3v\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim Powell\Application Data\rhc3u8j0ep3v\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim Powell\Application Data\rhc3u8j0ep3v\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim Powell\Application Data\rhc3u8j0ep3v\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim Powell\Application Data\rhc3u8j0ep3v\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim Powell\Application Data\rhc3u8j0ep3v\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim Powell\Application Data\rhc3u8j0ep3v\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jim Powell\Application Data\rhc3u8j0ep3v\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
    Files Infected:
    C:\WINDOWS\SYSTEM32\udwoim.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\SYSTEM32\ucsfqwki.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\DRIVERS\ati5rpxx.sys (Rootkit.Agent) -> Delete on reboot.
    C:\Documents and Settings\Jim Powell\Local Settings\Temporary Internet Files\Content.IE5\G8N82XGL\nd82m0[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\BM3f1f3ce1.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\BM3f1f3ce1.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Program Files\Setup.Exe (Rogue.Installer) -> Quarantined and deleted successfully.
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix: especially follow the advice about installing the recovery console

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply
     
  5. bettyjobob

    bettyjobob Thread Starter

    Joined:
    Aug 20, 2008
    Messages:
    24
    Hi Derek: the combofix and HJT logs follow this. I don't know if autorun is a problem for me or not. Just in case it is please let me know how to enable this feature.


    ComboFix 08-10-06.08 - Jim Powell 2008-10-07 10:47:18.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.537 [GMT -5:00]
    Running from: C:\Documents and Settings\Jim Powell\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Jim Powell\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    * Created a new restore point
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\Documents and Settings\Jim Powell\err.log
    C:\WINDOWS\Downloaded Program Files\setup.inf
    C:\WINDOWS\system32\bszip.dll
    C:\WINDOWS\system32\dao350.dll
    C:\WINDOWS\SYSTEM32\GPpYayay.ini
    C:\WINDOWS\SYSTEM32\GPpYayay.ini2
    C:\WINDOWS\system32\jquvwnba.dll
    C:\WINDOWS\system32\ohoqcfdo.ini
    C:\WINDOWS\system32\qpzbwb.dll
    C:\WINDOWS\system32\rpiwgtdj.ini
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    -------\Legacy_SYSREST.SYS
    -------\Legacy_TCPSR
    -------\Service_sysrest.sys

    ((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
    .
    2008-10-06 15:52 . 2008-10-07 09:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-06 15:52 . 2008-10-06 15:52 <DIR> d-------- C:\Documents and Settings\Jim Powell\Application Data\Malwarebytes
    2008-10-06 15:52 . 2008-10-06 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-06 15:52 . 2008-09-10 00:09 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
    2008-10-06 15:52 . 2008-09-10 00:09 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
    2008-10-06 13:57 . 2008-10-06 13:57 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-25 15:19 . 2008-09-29 13:58 <DIR> d-------- C:\Program Files\NOS
    2008-09-25 15:19 . 2008-09-29 13:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-06 21:08 --------- d-----w C:\Program Files\McAfee
    2008-09-29 20:24 --------- d-----w C:\Program Files\Eraser
    2008-08-11 17:06 --------- d-----w C:\Program Files\DivX
    2008-08-08 15:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Citrix
    2008-08-08 15:26 61,224 ----a-w C:\Documents and Settings\Jim Powell\GoToAssistDownloadHelper.exe
    2006-02-15 19:55 5,037,072 ----a-w C:\Program Files\spybotsd14.exe
    2006-02-13 21:48 1,140,064 ----a-w C:\Program Files\Windows-KB890830-V1.12-ENU.exe
    2006-02-07 22:05 2,855,080 ----a-w C:\Program Files\aawsepersonal.exe
    2006-02-07 21:42 6,524,912 ----a-w C:\Program Files\sdsetup.exe
    2006-02-03 22:14 20,921,040 ----a-w C:\Program Files\AdbeRdr705_enu_full.exe
    2006-02-03 21:04 7,050,552 ----a-w C:\Program Files\psa30se_en_us.exe
    2006-01-30 21:49 11,817,800 ----a-w C:\Program Files\GoogleEarth.exe
    2006-01-03 16:08 167,173,872 ----a-w C:\Program Files\English_PaintShopProStudio101_Dell_PREMIUMESD.exe
    2005-06-06 19:31 590 ----a-w C:\Program Files\Shortcut to Favorites.lnk
    2005-04-06 14:03 483,401 ----a-w C:\Documents and Settings\Jim Powell\gotomypc.exe
    2005-03-25 13:35 12,363,776 ----a-w C:\Program Files\Setup.msi
    2005-03-25 13:34 237 ----a-w C:\Program Files\Setup.Ini
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
    "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
    "MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 127035]
    "PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 45108]
    "IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 36864]
    "mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 94208]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 77824]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 114688]
    "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
    "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
    "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    Alarm Monitor.lnk - C:\Program Files\Chaos Software\Chaos 6\alarm.exe [2005-04-14 249856]
    Data Import Wizard.lnk.disabled [2005-04-14 808]
    Data Repair Utility.lnk.disabled [2005-04-14 756]
    Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 757760]
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-05-17 806912]
    SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2002-08-12 1568768]
    Time & Chaos.lnk - C:\Program Files\Chaos Software\Chaos 6\chaos.exe [2005-04-14 1096704]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=udwoim.dll
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5rpxx.sys]
    @="Driver"
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    R3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 2944]
    R3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys [2001-08-17 3168]
    R3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys [2001-08-17 39552]
    R3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2001-08-17 60416]
    .
    Contents of the 'Scheduled Tasks' folder
    2008-10-05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
    2008-09-15 C:\WINDOWS\Tasks\McDefragTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
    2008-10-01 C:\WINDOWS\Tasks\McQcTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
    2008-10-07 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe []
    .
    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = www.dogpile.com/
    R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    O8 -: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 -: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 -: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 -: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 -: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 -: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    .
    **************************************************************************
    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-07 10:51:27
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\SYSTEM32\BRSS01A.EXE
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
    C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
    C:\Program Files\McAfee\MPF\MpfSrv.exe
    C:\Program Files\McAfee\MSK\msksrver.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\SYSTEM32\BrmfRsmg.exe
    C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
    .
    **************************************************************************
    .
    Completion time: 2008-10-07 10:56:07 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-10-07 15:56:01
    Pre-Run: 9,839,955,968 bytes free
    Post-Run: 9,755,181,056 bytes free
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    172 --- E O F --- 2008-09-10 13:39:02


    HJT Log


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:58:15 AM, on 10/7/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\BRMFRSMG.EXE
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Chaos Software\Chaos 6\alarm.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
    c:\PROGRA~1\mcafee\msc\mcuimgr.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.dogpile.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Alarm Monitor.lnk = C:\Program Files\Chaos Software\Chaos 6\alarm.exe
    O4 - Global Startup: Data Import Wizard.lnk.disabled
    O4 - Global Startup: Data Repair Utility.lnk.disabled
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: SmartUI.lnk = ?
    O4 - Global Startup: Time & Chaos.lnk = C:\Program Files\Chaos Software\Chaos 6\chaos.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O20 - AppInit_DLLs: udwoim.dll
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    --
    End of file - 7909 bytes
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop in the list of selections in that window & press save)

    Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



    [​IMG]



    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Remember to reconnect to the net and enable any disabled antivirus etc BEFORE reconnecting

    Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
     

    Attached Files:

  7. bettyjobob

    bettyjobob Thread Starter

    Joined:
    Aug 20, 2008
    Messages:
    24
    Hi Derek;

    Thank you for all of your help. Below is the combofix log followed by HJT log. Did the last exercise restore autorun? Is there anything else I need to do? If this fixed everything, please let me know so I can mark this thread solved. Man would that be great or what?

    Again thank you for all of your help.

    ComboFix 08-10-06.08 - Jim Powell 2008-10-08 9:03:43.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.614 [GMT -5:00]
    Running from: C:\Documents and Settings\Jim Powell\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Jim Powell\Desktop\CFScript.txt
    * Created a new restore point
    .
    ((((((((((((((((((((((((( Files Created from 2008-09-08 to 2008-10-08 )))))))))))))))))))))))))))))))
    .
    2008-10-06 15:52 . 2008-10-07 09:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-06 15:52 . 2008-10-06 15:52 <DIR> d-------- C:\Documents and Settings\Jim Powell\Application Data\Malwarebytes
    2008-10-06 15:52 . 2008-10-06 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-06 15:52 . 2008-09-10 00:09 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
    2008-10-06 15:52 . 2008-09-10 00:09 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
    2008-10-06 13:57 . 2008-10-06 13:57 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-25 15:19 . 2008-09-29 13:58 <DIR> d-------- C:\Program Files\NOS
    2008-09-25 15:19 . 2008-09-29 13:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-06 21:08 --------- d-----w C:\Program Files\McAfee
    2008-09-29 20:24 --------- d-----w C:\Program Files\Eraser
    2008-08-11 17:06 --------- d-----w C:\Program Files\DivX
    2008-08-08 15:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Citrix
    2008-08-08 15:26 61,224 ----a-w C:\Documents and Settings\Jim Powell\GoToAssistDownloadHelper.exe
    2008-07-25 08:36 524,288 ----a-w C:\WINDOWS\SYSTEM32\DivXsm.exe
    2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\SYSTEM32\qt-dx331.dll
    2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
    2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
    2008-07-23 16:46 12,288 ----a-w C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
    2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
    2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
    2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
    2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
    2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
    2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
    2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
    2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
    2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
    2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
    2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
    2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
    2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
    2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
    2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
    2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
    2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
    2006-02-15 19:55 5,037,072 ----a-w C:\Program Files\spybotsd14.exe
    2006-02-13 21:48 1,140,064 ----a-w C:\Program Files\Windows-KB890830-V1.12-ENU.exe
    2006-02-07 22:05 2,855,080 ----a-w C:\Program Files\aawsepersonal.exe
    2006-02-07 21:42 6,524,912 ----a-w C:\Program Files\sdsetup.exe
    2006-02-03 22:14 20,921,040 ----a-w C:\Program Files\AdbeRdr705_enu_full.exe
    2006-02-03 21:04 7,050,552 ----a-w C:\Program Files\psa30se_en_us.exe
    2006-01-30 21:49 11,817,800 ----a-w C:\Program Files\GoogleEarth.exe
    2006-01-03 16:08 167,173,872 ----a-w C:\Program Files\English_PaintShopProStudio101_Dell_PREMIUMESD.exe
    2005-06-06 19:31 590 ----a-w C:\Program Files\Shortcut to Favorites.lnk
    2005-04-06 14:03 483,401 ----a-w C:\Documents and Settings\Jim Powell\gotomypc.exe
    2005-03-25 13:35 12,363,776 ----a-w C:\Program Files\Setup.msi
    2005-03-25 13:34 237 ----a-w C:\Program Files\Setup.Ini
    .
    ((((((((((((((((((((((((((((( [email protected]_10.55.31.76 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-10-07 15:45:27 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
    + 2008-10-08 13:52:31 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
    - 2008-10-07 15:45:27 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-10-08 13:52:31 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
    "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
    "MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 127035]
    "PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 45108]
    "IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 36864]
    "mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 94208]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 77824]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 114688]
    "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
    "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
    "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    Alarm Monitor.lnk - C:\Program Files\Chaos Software\Chaos 6\alarm.exe [2005-04-14 249856]
    Data Import Wizard.lnk.disabled [2005-04-14 808]
    Data Repair Utility.lnk.disabled [2005-04-14 756]
    Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 757760]
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-05-17 806912]
    SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2002-08-12 1568768]
    Time & Chaos.lnk - C:\Program Files\Chaos Software\Chaos 6\chaos.exe [2005-04-14 1096704]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5rpxx.sys]
    @="Driver"
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    R3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 2944]
    R3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys [2001-08-17 3168]
    R3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys [2001-08-17 39552]
    R3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2001-08-17 60416]
    .
    Contents of the 'Scheduled Tasks' folder
    2008-10-05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
    2008-09-15 C:\WINDOWS\Tasks\McDefragTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
    2008-10-01 C:\WINDOWS\Tasks\McQcTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
    2008-10-08 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe []
    .
    **************************************************************************
    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-08 09:06:27
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Completion time: 2008-10-08 9:07:50
    ComboFix-quarantined-files.txt 2008-10-08 14:07:35
    ComboFix2.txt 2008-10-07 15:56:09
    Pre-Run: 9,750,552,576 bytes free
    Post-Run: 9,732,653,056 bytes free
    148 --- E O F --- 2008-09-10 13:39:02


    HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:11:36 AM, on 10/8/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\BRMFRSMG.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Chaos Software\Chaos 6\alarm.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.dogpile.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Alarm Monitor.lnk = C:\Program Files\Chaos Software\Chaos 6\alarm.exe
    O4 - Global Startup: Data Import Wizard.lnk.disabled
    O4 - Global Startup: Data Repair Utility.lnk.disabled
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: SmartUI.lnk = ?
    O4 - Global Startup: Time & Chaos.lnk = C:\Program Files\Chaos Software\Chaos 6\chaos.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    --
    End of file - 7809 bytes
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

    *Follow these steps to uninstall Combofix and tools used in the removal of malware*
    * Click *START* then *RUN*
    * Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.
    [​IMG]


    then
    Turn off system restore by following instructions here
    for XP http://www.thespykiller.co.uk/index.php?page=8
    or for Vista http://www.bleepingcomputer.com/tutorials/tutorial143.html

    That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable system restore & create a new restore point. Now Empty Recycle bin on desktop

    go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

    and scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

    Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place


    I urge you to consider purchasing the protection component in Malwarebytes to prevent further infections of this nature
    Open Malwarebytes Antimalware, select the protection tab, press test to see if your system will benefit from it & if it says yes, then you can press the purchase button

    The autorun/autoplay feature, when enabled, causes one of two things to happen depending on previously made choices.

    1. When a cd-rom or dvd is inserted, or a usb device (camera, flashdrive, external hard drive, etc) is attached, Windows will open a message window that provides a list of actions to take based on the content of the device or media.

    2. If on prior occasion of the message window, the user selected to always perform the same action with certain types of media/device, there will be no message window opened upon detection of media/device. Instead, it will automatically run the previously selected program or execute the same behavior.

    Example: with autorun/autoplay enabled you insert a music cd. Windows will detect the cd and it's contents, then open a message window that might offer to play the cd with Media Player, Music Match Jukebox, or any of many applications you may or may not have installed.
    Insert a Movie DVD and Windows might prompt you to view it with Power DVD, Media Player, etc.

    Example: with autorun/autoplay enabled and on a previous prompt for action the box was checked to always apply the same action, Windows might automatically open Roxio CD Creator or Nero Burning ROM when a blank cd is inserted.

    Plug in a usb camera and Windows might open or prompt you to use the Scanner and Camera Transfer Wizard to transfer the pictures to your computer.

    Plug in a flash drive and Windows might open or prompt you to use Windows Explorer to browse the contents of the flash drive. It may also just execute an infection residing on the flash drive, thereby infecting your computer.

    Insert a game cd or software cd, and Windows might automatically begin the installation setup.

    Malware authors have begun to exploit the autorun/autoplay feature, so the author of ComboFix, in an effort to help protect your computer from becoming infected via that avenue, configured ComboFix to disable it. Many security apps disable it as well, and even Microsoft recommends disabling it. Disabling autorun/autoplay does not prevent you from accessing those media sources. They are still available by opening My Computer and accessing the source drive (cd, dvd, usb flash or external harddrive). Pictures on a camera can still be accessed/transfered through My Pictures and selecting Get Pictures from a Scanner or Camera. Media can also be accessed via the program you intend to use it with, such as music cds accessed via Media Player, blank cds via your burning program, image handling software provided with the camera, etc. I do recommend you leave the feature disabled and get into the habit of accessing those media devices manually, however, I will send you via PM the information required to re-enable the autoplay feature should you decide to do so.
     
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/756680

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice