[Closed] McAfee Virus scan won't work, possible other issues
st72646
post Aug 5 2008, 07:15 PM
Post #1
Operating System: Windows XP Pro

The volunteers on this board have been very helpful to me in my malware issues, and a friend of mine is having bad malware issues as well. I cleared a few malware programs successfully (XP Antivirus 2008 and a few others), but I can't get his McAfee VirusScan to update or run, and his SUPERAntiSpyware crashes. I can't update it, nor can I update the .dat files for McAfee. I've also installed and run the Malwarebytes tool. Attached is his HJT log. Thank you for any suggestions you can offer!
______________________________

Logfile of HijackThis v1.99.1
Scan saved at 11:46:16 AM, on 8/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
C:\Program Files\Dell Photo AIO Printer 942\memcard.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.earthlink.net/wam/login.jsp...p;x=-1717680945
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Dell Photo AIO Printer 942] "C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe"
O4 - HKLM\..\Run: [DellMCM] "C:\Program Files\Dell Photo AIO Printer 942\memcard.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cyrillic Keyboard] C:\CYR2000\CYRKBD32.EXE
O4 - HKCU\..\Run: [MenaceFighter] C:\Program Files\SecurePCCleaner\GDC.exe
O4 - HKCU\..\Run: [con] C:\WINDOWS\system32\dllh8jkd1q2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [dziqtkpx] C:\WINDOWS\system32\zapgngfs.exe
O4 - HKCU\..\Run: [antispy] C:\Program Files\IEAntiVirus\ANTIVIR.exe
O4 - HKCU\..\Run: [Antivirus 2008] C:\Program Files\Antivirus 2008\antvrs.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.errorprotector.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E797DEA-40DC-49E1-B474-070C8C5E608F}: NameServer = 85.255.116.69,85.255.112.75
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.69 85.255.112.75
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E797DEA-40DC-49E1-B474-070C8C5E608F}: NameServer = 85.255.116.69,85.255.112.75
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.69 85.255.112.75
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: btrklfr - {47995E3E-1CA1-45D3-ADDF-6711CCC2E1F8} - C:\WINDOWS\btrklfr.dll (file missing)
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

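The O17 lines in the log above point both ControlSets at 85.255.116.69 / 85.255.112.75, the HKCU Run values [con] and [dziqtkpx] launch randomly named executables out of system32, and *.errorprotector.com has been placed in the IE Trusted Zone; these are the entries a helper reads a HijackThis log for. As an added example, not part of the thread or of any tool used in it, the Python script below parses those three line types and reports them; the allowlist of system32 autostarts and the empty expected-resolver set are assumptions for this machine.

```python
"""Triage a HijackThis v1.99.1 log for the indicators seen in this thread.

Example code added to the thread, not a tool the helper used. It checks the
three line types that carry the infection here: O17 NameServer overrides
(the 85.255.x.x resolvers that Fixwareout later clears), O4 Run entries that
start unlisted binaries out of %SystemRoot%, and O15 Trusted Zone additions.
"""
import ipaddress
import re
from dataclasses import dataclass

# Subset of lines copied from the log above (constructed sample input).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [con] C:\WINDOWS\system32\dllh8jkd1q2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [dziqtkpx] C:\WINDOWS\system32\zapgngfs.exe
O15 - Trusted Zone: *.errorprotector.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E797DEA-40DC-49E1-B474-070C8C5E608F}: NameServer = 85.255.116.69,85.255.112.75
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.69 85.255.112.75
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>\S+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")

# Autostart binaries under %SystemRoot% that are legitimate on this machine
# (assumption: taken from the entries the helper left alone).
KNOWN_SYSTEM_AUTOSTARTS = {"ctfmon.exe", "hkcmd.exe", "igfxpers.exe", "igfxtray.exe", "tfswctrl.exe"}

# Resolvers the machine is expected to use. Empty here (assumption): this host
# gets DNS from the ISP via DHCP, so any hard-coded public NameServer is suspect.
EXPECTED_RESOLVERS = set()


@dataclass
class Finding:
    line: str
    reason: str


def run_target(rest: str) -> str:
    """Return the executable path from the text after '[name] ' in an O4 line,
    handling both quoted paths followed by switches and bare paths."""
    if rest.startswith('"'):
        return rest[1:rest.index('"', 1)]
    match = re.match(r"(.+?\.exe)", rest, re.IGNORECASE)
    return match.group(1) if match else rest


def check_o4(name: str, path: str):
    """Flag autostarts that launch from %SystemRoot% but are not on the allowlist."""
    base = path.rsplit("\\", 1)[-1].lower()
    if path.lower().startswith("c:\\windows\\") and base not in KNOWN_SYSTEM_AUTOSTARTS:
        return f"Run value [{name}] starts unlisted binary {base} from %SystemRoot%"
    return None


def check_o17(servers: str):
    """Flag NameServer values that hard-code public resolvers not in EXPECTED_RESOLVERS."""
    rogue = []
    for token in re.split(r"[ ,]+", servers.strip()):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue
        if str(addr) not in EXPECTED_RESOLVERS and addr.is_global:
            rogue.append(str(addr))
    if rogue:
        return "hard-coded public DNS resolver(s) " + ", ".join(rogue) + " (hijack pattern)"
    return None


def triage(log_text: str) -> list:
    """Run all checks over a log and return the suspicious lines with reasons."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reason = None
        if (m := O4_RE.match(line)):
            reason = check_o4(m["name"], run_target(m["rest"]))
        elif (m := O15_RE.match(line)):
            reason = f"site {m['zone']} added to the IE Trusted Zone"
        elif (m := O17_RE.match(line)):
            reason = check_o17(m["servers"])
        if reason:
            findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it reports the two rogue Run values, the Trusted Zone entry and both O17 lines, and leaves hkcmd.exe, ctfmon.exe and the Program Files entries alone.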
Tomk
post Aug 5 2008, 07:53 PM
Post #2
Group: Malware Team

Hi st72646, and Welcome to WhatTheTech

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.



Download and Run Fixwareout


Then


A. Please download ComboFix by sUBs from HERE or HERE directly to your Desktop.

Note: If you already have ComboFix on your machine, please DELETE it from your desktop before downloading the newest version.

B. Now we must disable some of your security programs so that they do not interfere with the running of our tools:

MCAFEE ANTIVIRUS
Please navigate to the system tray on the bottom right hand corner and look for a sign.
  • right-click it -> choose "Exit."
  • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You successfully disabled the McAfee Guard.



C. Go to -> Run -> copy/paste the following single line command in the runbox & click OK

"%userprofile%\desktop\combofix.exe" /killall

  • DO NOT USE your computer for any other purpose while ComboFix is running.
  • ComboFix may restart your computer, this is normal.
  • When finished, it will produce a log, ComboFix.txt.
  • Please post ComboFix.txt in your next reply along with a new HijackThis log.



Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

So in your next reply please provide:
  • report.txt
  • ComboFix.txt
  • New HijackThis log
st72646
post Aug 11 2008, 09:50 AM
Post #3

Thank you for your reply, and sorry for the delay. I've run the steps per your instructions. Attached are the three logs for your review:

Report.txt

Username "Frank" - 08/11/2008 11:11:22 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.69 85.255.112.75" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1E797DEA-40DC-49E1-B474-070C8C5E608F}
"nameserver"="85.255.116.69,85.255.112.75" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{EA219350-B25F-4304-B0A7-CA6C15D25C3F}
"DhcpNameServer"="85.255.116.69,85.255.112.75" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"Dell Photo AIO Printer 942"="\"C:\\Program Files\\Dell Photo AIO Printer 942\\dlbubmgr.exe\""
"DellMCM"="\"C:\\Program Files\\Dell Photo AIO Printer 942\\memcard.exe\""
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mimboot.exe"
"SiteAdvisor"="\"C:\\Program Files\\SiteAdvisor\\6261\\SiteAdv.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Cyrillic Keyboard"="C:\\CYR2000\\CYRKBD32.EXE"
"MenaceFighter"="C:\\Program Files\\SecurePCCleaner\\GDC.exe"
"con"="C:\\WINDOWS\\system32\\dllh8jkd1q2.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"dziqtkpx"="C:\\WINDOWS\\system32\\zapgngfs.exe"
"antispy"="C:\\Program Files\\IEAntiVirus\\ANTIVIR.exe"
"Antivirus 2008"="C:\\Program Files\\Antivirus 2008\\antvrs.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"Antivirus-2008.exe"="C:\\Program Files\\Antivirus 2008\\Antivirus-2008.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~




Combofix log


ComboFix 08-08-10.04 - Frank 2008-08-11 11:25:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.282 [GMT -4:00]
Running from: C:\Documents and Settings\Frank\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Frank\Application Data\Antivirus 2008
C:\Documents and Settings\Frank\Application Data\macromedia\Flash Player\#SharedObjects\6GPF263D\interclick.com
C:\Documents and Settings\Frank\Application Data\macromedia\Flash Player\#SharedObjects\6GPF263D\interclick.com\ud.sol
C:\Documents and Settings\Frank\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Frank\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Frank\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus-2008.lnk
C:\Documents and Settings\Frank\Desktop\Antivirus-2008.lnk
C:\Documents and Settings\Frank\Desktop\Error Cleaner.url
C:\Documents and Settings\Frank\Desktop\Privacy Protector.url
C:\Documents and Settings\Frank\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Frank\err.log
c:\documents and settings\frank\favorites\Error Cleaner.url
c:\documents and settings\frank\favorites\Privacy Protector.url
c:\documents and settings\frank\favorites\Spyware&Malware Protection.url
C:\Documents and Settings\Frank\ResErrors.log
C:\Documents and Settings\Frank\Start Menu\Programs\Antivirus 2008
C:\Documents and Settings\Frank\Start Menu\Programs\Antivirus 2008\Antivirus-2008.lnk
C:\Program Files\Antivirus 2008
C:\Program Files\Antivirus 2008\Antivirus-2008.exe
C:\Program Files\Antivirus 2008\vscan.tsi
C:\Program Files\Antivirus 2008\zlib.dll
C:\WINDOWS\bgrqfetx.dll
C:\WINDOWS\dat.txt
C:\WINDOWS\eqbn.exe
C:\WINDOWS\lnvegaow.exe
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\servers.ini
C:\WINDOWS\tfnslopk.dll
C:\WINDOWS\wnlmdakqanr.dll
C:\WINDOWS\xokvrpwg.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3550P
-------\Legacy_CLBDRIVER
-------\Legacy_FOPF
-------\Service_clbdriver
-------\Service_Driver


((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
.

2008-08-11 11:10 . 2008-08-11 11:14 <DIR> d-------- C:\fixwareout
2008-08-08 07:39 . 2008-08-08 07:39 26,624 --a------ C:\WINDOWS\CYKA7.tmp
2008-08-05 12:12 . 2008-08-05 12:12 26,624 --a------ C:\WINDOWS\CYK95.tmp
2008-08-04 09:47 . 2008-08-04 09:47 26,624 --a------ C:\WINDOWS\CYK86.tmp
2008-08-02 13:43 . 2008-08-02 13:43 26,624 --a------ C:\WINDOWS\CYK94.tmp
2008-08-02 11:41 . 2008-08-02 11:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-02 10:17 . 2008-08-02 10:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-02 10:01 . 2008-08-02 10:01 26,624 --a------ C:\WINDOWS\CYK85.tmp
2008-08-02 09:38 . 2008-08-02 09:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-07-26 17:37 . 2008-07-26 17:37 <DIR> d-------- C:\Documents and Settings\New Folder
2008-07-19 23:14 . 2008-07-19 23:14 26,624 --a------ C:\WINDOWS\CYK93.tmp
2008-07-19 22:28 . 2008-07-19 22:28 26,624 --a------ C:\WINDOWS\CYK90.tmp
2008-07-19 20:13 . 2008-07-19 20:13 26,624 --a------ C:\WINDOWS\CYK92.tmp
2008-07-19 19:49 . 2008-07-19 19:49 26,624 --a------ C:\WINDOWS\CYK8F.tmp
2008-07-19 10:39 . 2008-07-19 10:39 26,624 --a------ C:\WINDOWS\CYK91.tmp
2008-07-19 08:43 . 2008-07-19 08:43 26,624 --a------ C:\WINDOWS\CYK8E.tmp
2008-07-19 07:26 . 2008-07-19 07:26 26,624 --a------ C:\WINDOWS\CYKB9.tmp
2008-07-18 15:55 . 2008-07-18 15:55 26,624 --a------ C:\WINDOWS\CYK8D.tmp
2008-07-18 15:47 . 2008-07-18 15:47 26,624 --a------ C:\WINDOWS\CYK8C.tmp
2008-07-18 15:04 . 2004-08-04 06:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-18 15:04 . 2008-07-18 15:04 13 --a------ C:\WINDOWS\uid.dat
2008-07-18 14:41 . 2008-08-09 18:07 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-18 14:41 . 2008-07-18 14:41 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-17 09:36 . 2008-07-17 09:36 26,624 --a------ C:\WINDOWS\CYK8B.tmp
2008-07-14 07:19 . 2008-07-14 07:19 26,624 --a------ C:\WINDOWS\CYKA5.tmp
2008-07-12 05:41 . 2008-07-12 05:41 26,624 --a------ C:\WINDOWS\CYKA6.tmp
2008-07-11 20:01 . 2008-07-11 20:01 26,624 --a------ C:\WINDOWS\CYK8A.tmp
2008-07-11 16:57 . 2008-07-11 16:57 26,624 --a------ C:\WINDOWS\CYK9B.tmp
2008-07-11 13:49 . 2008-07-11 13:49 26,624 --a------ C:\WINDOWS\CYK89.tmp
2008-07-11 10:19 . 2008-07-11 10:19 26,624 --a------ C:\WINDOWS\CYK87.tmp
2008-07-11 07:41 . 2008-07-11 07:41 26,624 --a------ C:\WINDOWS\CYK46.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 19:18 --------- d-----w C:\Documents and Settings\Frank\Application Data\SiteAdvisor
2008-08-02 15:41 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-08-02 13:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-02 13:09 --------- d-----w C:\Program Files\SpywareBlaster
2008-08-01 21:11 --------- d-----w C:\Documents and Settings\Frank\Application Data\Menologion
2008-07-26 11:57 --------- d-----w C:\Program Files\EarthLink TotalAccess
2008-07-19 17:55 17 ----a-w C:\Program Files\stng399.opt
2008-07-17 11:57 --------- d-----w C:\Documents and Settings\Frank\Application Data\AdobeUM
2008-07-10 16:21 26,624 ----a-w C:\WINDOWS\CYK84.tmp
2008-07-07 15:11 26,624 ----a-w C:\WINDOWS\CYK7D.tmp
2008-07-06 03:05 26,624 ----a-w C:\WINDOWS\CYK83.tmp
2008-07-05 18:07 50,688 ----a-w C:\Program Files\ATF-Cleaner.exe
2008-07-05 18:00 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-05 18:00 --------- d-----w C:\Documents and Settings\Frank\Application Data\Malwarebytes
2008-07-05 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-05 17:53 1,973,255 ----a-w C:\Program Files\stng399.exe
2008-07-05 17:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\zibwhahc
2008-07-05 17:01 --------- d-----w C:\Documents and Settings\Frank\Application Data\SUPERAntiSpyware.com
2008-07-05 17:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-05 16:07 26,624 ----a-w C:\WINDOWS\CYK82.tmp
2008-07-03 15:40 26,624 ----a-w C:\WINDOWS\CYK88.tmp
2008-06-30 17:19 26,624 ----a-w C:\WINDOWS\CYK81.tmp
2008-06-30 13:17 26,624 ----a-w C:\WINDOWS\CYK7F.tmp
2008-06-29 00:09 26,624 ----a-w C:\WINDOWS\CYK7E.tmp
2008-06-28 18:20 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-28 18:20 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-06-28 12:26 26,624 ----a-w C:\WINDOWS\CYK80.tmp
2008-06-27 13:41 26,624 ----a-w C:\WINDOWS\CYK7C.tmp
2008-06-20 14:16 26,624 ----a-w C:\WINDOWS\CYK7B.tmp
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 13:13 26,624 ----a-w C:\WINDOWS\CYK7A.tmp
2008-06-15 07:47 26,624 ----a-w C:\WINDOWS\CYK79.tmp
2008-06-14 21:28 26,624 ----a-w C:\WINDOWS\CYK78.tmp
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 10:46 26,624 ----a-w C:\WINDOWS\CYK77.tmp
2008-06-09 16:53 26,624 ----a-w C:\WINDOWS\CYK76.tmp
2008-06-09 11:56 26,624 ----a-w C:\WINDOWS\CYK75.tmp
2008-06-08 03:03 26,624 ----a-w C:\WINDOWS\CYK73.tmp
2008-06-08 02:29 26,624 ----a-w C:\WINDOWS\CYK74.tmp
2008-06-07 22:45 26,624 ----a-w C:\WINDOWS\CYK72.tmp
2008-06-07 21:53 26,624 ----a-w C:\WINDOWS\CYK71.tmp
2008-06-07 20:23 26,624 ----a-w C:\WINDOWS\CYK70.tmp
2008-06-06 15:54 26,624 ----a-w C:\WINDOWS\CYK6F.tmp
2008-06-05 11:34 26,624 ----a-w C:\WINDOWS\CYK6E.tmp
2008-06-01 17:42 26,624 ----a-w C:\WINDOWS\CYK6D.tmp
2008-06-01 00:31 26,624 ----a-w C:\WINDOWS\CYK6C.tmp
2008-05-31 20:34 26,624 ----a-w C:\WINDOWS\CYK6B.tmp
2008-05-22 22:01 26,624 ----a-w C:\WINDOWS\CYK6A.tmp
2008-05-22 18:21 26,624 ----a-w C:\WINDOWS\CYK69.tmp
2008-05-19 13:20 26,624 ----a-w C:\WINDOWS\CYK68.tmp
2008-05-17 22:16 26,624 ----a-w C:\WINDOWS\CYK67.tmp
2008-05-16 15:06 26,624 ----a-w C:\WINDOWS\CYK66.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Cyrillic Keyboard"="C:\CYR2000\CYRKBD32.EXE" [2001-12-12 04:03 113664]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48 32881]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12 221184]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"Dell Photo AIO Printer 942"="C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2005-02-03 04:08 294912]
"DellMCM"="C:\Program Files\Dell Photo AIO Printer 942\memcard.exe" [2004-07-27 10:08 262144]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-28 18:38 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-15 12:06 185896]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-19 11:06 11776]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-03-30 11:42 36904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispSettingPage"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\winlogon.sys]
@="driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 17:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-08-28 18:38 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-06-15 12:06 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=

S3 PSFactoryBuffer;PSFactoryBuffer Service;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
PSFactoryBuffer
.
Contents of the 'Scheduled Tasks' folder

2007-07-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-17 19:02]

2008-03-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-17 19:02]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{968232F5-0910-483D-B059-4C6AB5C785DC} - C:\WINDOWS\bgrqfetx.dll
HKCU-Run-MenaceFighter - C:\Program Files\SecurePCCleaner\GDC.exe
HKCU-Run-con - C:\WINDOWS\system32\dllh8jkd1q2.exe
HKCU-Run-SpybotSD TeaTimer - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
HKCU-Run-dziqtkpx - C:\WINDOWS\system32\zapgngfs.exe
SSODL-btrklfr-{47995E3E-1CA1-45D3-ADDF-6711CCC2E1F8} - C:\WINDOWS\btrklfr.dll
MSConfigStartUp-mmtask - C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
MSConfigStartUp-PAS_Check - C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe
MSConfigStartUp-SDR6_Check - C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe
MSConfigStartUp-SiteAdvisor - C:\Program Files\SiteAdvisor\6066\SiteAdv.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Frank\Application Data\Mozilla\Firefox\Profiles\i1f923xq.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxps://webmail.earthlink.net/wam/login.jsp?redirect=%2Fwam%2Findex.jsp&x=-1717680945


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 11:31:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6261\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-08-11 11:40:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-11 15:40:18

Pre-Run: 64,989,356,032 bytes free
Post-Run: 66,524,037,120 bytes free

273 --- E O F --- 2008-07-27 04:13:20




New HijackThis log


Logfile of HijackThis v1.99.1
Scan saved at 11:45, on 2008-08-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
C:\Program Files\Dell Photo AIO Printer 942\memcard.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antivir--2008.com/buy.php?aff=1001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Dell Photo AIO Printer 942] "C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe"
O4 - HKLM\..\Run: [DellMCM] "C:\Program Files\Dell Photo AIO Printer 942\memcard.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cyrillic Keyboard] C:\CYR2000\CYRKBD32.EXE
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.errorprotector.com
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe


Thank you once again for your assistance!

Tomk
post Aug 11 2008, 10:49 AM
Post #4


Extrication Intern

Group: Malware Team
Posts: 2,267
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp



st72646,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • In the pull-down menu next to Platform, select Windows.
  • Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.

Now to clean out the Java cache:

Go into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Settings... button
  • Click the Delete Files button.
  • There are three options in the window to clear the cache; leave all three checked:
      Downloaded Applets
      Downloaded Applications
      Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Settings
  • Click OK to leave the Java Control Panel.


Disable your protection programs as we did before.

  • Please open HijackThis and run Do a system scan only
  • Check the boxes next to ONLY the entries listed below (if present):
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antivir--2008.com/buy.php?aff=1001
      R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
      R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O15 - Trusted Zone: *.errorprotector.com

  • Close all programs except for HijackThis.
  • Click on Fix checked
  • A box will pop up asking you if you wish to fix the selected items. Please choose YES.
  • Once it has fixed them, please exit/close HijackThis.


Next

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    CODE
    KILLALL::

    File::
    C:\WINDOWS\CYKA7.tmp
    C:\WINDOWS\CYK95.tmp
    C:\WINDOWS\CYK86.tmp
    C:\WINDOWS\CYK94.tmp
    C:\WINDOWS\CYK85.tmp
    C:\WINDOWS\CYK93.tmp
    C:\WINDOWS\CYK90.tmp
    C:\WINDOWS\CYK92.tmp
    C:\WINDOWS\CYK8F.tmp
    C:\WINDOWS\CYK91.tmp
    C:\WINDOWS\CYK8E.tmp
    C:\WINDOWS\CYKB9.tmp
    C:\WINDOWS\CYK8D.tmp
    C:\WINDOWS\CYK8C.tmp
    C:\WINDOWS\CYK8B.tmp
    C:\WINDOWS\CYKA5.tmp
    C:\WINDOWS\CYKA6.tmp
    C:\WINDOWS\CYK8A.tmp
    C:\WINDOWS\CYK9B.tmp
    C:\WINDOWS\CYK89.tmp
    C:\WINDOWS\CYK87.tmp
    C:\WINDOWS\CYK46.tmp
    C:\WINDOWS\CYK84.tmp
    C:\WINDOWS\CYK7D.tmp
    C:\WINDOWS\CYK83.tmp
    C:\WINDOWS\CYK82.tmp
    C:\WINDOWS\CYK88.tmp
    C:\WINDOWS\CYK81.tmp
    C:\WINDOWS\CYK7F.tmp
    C:\WINDOWS\CYK7E.tmp
    C:\WINDOWS\CYK80.tmp
    C:\WINDOWS\CYK7C.tmp
    C:\WINDOWS\CYK7B.tmp
    C:\WINDOWS\CYK7A.tmp
    C:\WINDOWS\CYK79.tmp
    C:\WINDOWS\CYK78.tmp
    C:\WINDOWS\CYK77.tmp
    C:\WINDOWS\CYK76.tmp
    C:\WINDOWS\CYK75.tmp
    C:\WINDOWS\CYK73.tmp
    C:\WINDOWS\CYK74.tmp
    C:\WINDOWS\CYK72.tmp
    C:\WINDOWS\CYK71.tmp
    C:\WINDOWS\CYK70.tmp
    C:\WINDOWS\CYK6F.tmp
    C:\WINDOWS\CYK6E.tmp
    C:\WINDOWS\CYK6D.tmp
    C:\WINDOWS\CYK6C.tmp
    C:\WINDOWS\CYK6B.tmp
    C:\WINDOWS\CYK6A.tmp
    C:\WINDOWS\CYK69.tmp
    C:\WINDOWS\CYK68.tmp
    C:\WINDOWS\CYK67.tmp
    C:\WINDOWS\CYK66.tmp

    Folder::
    C:\Documents and Settings\All Users\Application Data\zibwhahc

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Then

Please go to the Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


In your next reply please provide:
  • ComboFix.txt
  • Kaspersky report
  • New HijackThis log taken after everything else completed
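The HijackThis entries singled out in the post above (a start page redirected to antivir--2008.com, two URLSearchHooks with no file behind them, an Internet Explorer policy restriction and a Trusted Zone entry) are the kind of thing a small triage script can flag before a human reads the rest of the log. The following Python is an added example for this thread, not code from the forum, from Tomk or from HijackThis itself: the rules are my own heuristics modelled on the entries fixed above, the list of known-good hosts is an assumption about a default Windows XP / IE7 install, and the sample lines are copied from the log posted in the thread plus two benign lines for contrast.

```python
"""Triage helper for HijackThis-style log lines.

Added example: the heuristics below are assumptions modelled on the entries the
helper in this thread chose to fix, not rules shipped with HijackThis.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Hosts a default Windows XP / IE7 install legitimately points R0/R1 entries at.
# Assumption for this example; replace with the baseline of your own environment.
KNOWN_GOOD_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.msn.com"}

# A well-formed COM class id: {8-4-4-4-12 hex digits}.  HijackThis prints a
# damaged registry value with the opening brace missing (e.g. ~4D25F926-...}).
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Section code (R0, O2, O15, ...) followed by the entry body.
LINE_RE = re.compile(r"^(?P<section>[RFOQ]\d{1,2}) - (?P<body>.*)$")

# Constructed sample: lines from the log posted in this thread, plus the R1
# default page and the Acrobat BHO as benign entries for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antivir--2008.com/buy.php?aff=1001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.errorprotector.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def _host_of(body: str) -> str:
    """Return the hostname of the URL after ' = ' in an R0/R1 body, or ''."""
    if " = " not in body:
        return ""
    url = body.split(" = ", 1)[1].strip()
    return urlparse(url).hostname or ""


def triage_line(line: str) -> List[str]:
    """Return the list of reasons a single HijackThis line deserves review."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons: List[str] = []

    if section in ("R0", "R1"):
        # Start/search/default page entries: anything off the baseline is suspect.
        host = _host_of(body)
        if host and host not in KNOWN_GOOD_HOSTS:
            reasons.append(f"browser start/search page points at untrusted host {host}")

    if section in ("R3", "O2", "O3"):
        # URLSearchHooks, BHOs and toolbars that load a DLL into the browser.
        if "(no file)" in body:
            reasons.append("hook/BHO entry whose file is missing (orphan)")
        if "}" in body and CLSID_RE.search(body) is None:
            reasons.append("malformed CLSID (registry value damaged or mangled)")

    if section == "O6":
        # Policy keys that lock IE settings; rogue software sets these too.
        reasons.append("IE policy restriction present; legitimate only if an administrator set it")

    if section == "O15":
        # Sites in the Trusted Zone run with relaxed security settings.
        reasons.append("site added to IE Trusted Zone; confirm it was added deliberately")

    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Run triage_line over every line and collect the entries that were flagged."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            findings.append({
                "section": raw.strip().split(" - ", 1)[0],
                "line": raw.strip(),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['line']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On the sample log this flags exactly the four entry types the post above told the user to fix and leaves the R1 default page, the Acrobat BHO and the ctfmon.exe Run entry alone. The known-good host list is the part to tune: on a machine with an ISP- or OEM-branded home page the R0/R1 rule will fire on benign entries until that host is added to the baseline.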
Tomk
post Aug 14 2008, 08:49 AM
Post #5


Extrication Intern

Group: Malware Team
Posts: 2,267
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp



st72646,

Are you still with me?

How are things going?
st72646
post Aug 14 2008, 02:48 PM
Post #6


New Member

Group: New Member
Posts: 10
Joined: 9-December 07
From: Philadelphia, PA
Member No.: 75,065
Operating System: Windows XP Pro



Yes, I'm still with you. Unfortunately, it's not my computer that needs repair, so I don't have access to it often. I'm running through the steps in your last post, and will post the logs for you shortly. I notice a huge difference already. Thanks again for all of your help.

This post has been edited by st72646: Aug 14 2008, 02:51 PM
Tomk
post Aug 14 2008, 03:04 PM
Post #7


Extrication Intern

Group: Malware Team
Posts: 2,267
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp



st72646,

OK. I'll await your reply.
st72646
post Aug 14 2008, 05:46 PM
Post #8


New Member

Group: New Member
Posts: 10
Joined: 9-December 07
From: Philadelphia, PA
Member No.: 75,065
Operating System: Windows XP Pro



Thank you once again for your patience. Since I had to leave the computer and come back to it later, I'm not sure if I can find the Kaspersky log. Attached are the ComboFix log and the new HJT log:

ComboFix log
ComboFix 08-08-10.04 - Frank 2008-08-14 16:21:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.301 [GMT -4:00]
Running from: C:\Documents and Settings\Frank\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Frank\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\CYK46.tmp
C:\WINDOWS\CYK66.tmp
C:\WINDOWS\CYK67.tmp
C:\WINDOWS\CYK68.tmp
C:\WINDOWS\CYK69.tmp
C:\WINDOWS\CYK6A.tmp
C:\WINDOWS\CYK6B.tmp
C:\WINDOWS\CYK6C.tmp
C:\WINDOWS\CYK6D.tmp
C:\WINDOWS\CYK6E.tmp
C:\WINDOWS\CYK6F.tmp
C:\WINDOWS\CYK70.tmp
C:\WINDOWS\CYK71.tmp
C:\WINDOWS\CYK72.tmp
C:\WINDOWS\CYK73.tmp
C:\WINDOWS\CYK74.tmp
C:\WINDOWS\CYK75.tmp
C:\WINDOWS\CYK76.tmp
C:\WINDOWS\CYK77.tmp
C:\WINDOWS\CYK78.tmp
C:\WINDOWS\CYK79.tmp
C:\WINDOWS\CYK7A.tmp
C:\WINDOWS\CYK7B.tmp
C:\WINDOWS\CYK7C.tmp
C:\WINDOWS\CYK7D.tmp
C:\WINDOWS\CYK7E.tmp
C:\WINDOWS\CYK7F.tmp
C:\WINDOWS\CYK80.tmp
C:\WINDOWS\CYK81.tmp
C:\WINDOWS\CYK82.tmp
C:\WINDOWS\CYK83.tmp
C:\WINDOWS\CYK84.tmp
C:\WINDOWS\CYK85.tmp
C:\WINDOWS\CYK86.tmp
C:\WINDOWS\CYK87.tmp
C:\WINDOWS\CYK88.tmp
C:\WINDOWS\CYK89.tmp
C:\WINDOWS\CYK8A.tmp
C:\WINDOWS\CYK8B.tmp
C:\WINDOWS\CYK8C.tmp
C:\WINDOWS\CYK8D.tmp
C:\WINDOWS\CYK8E.tmp
C:\WINDOWS\CYK8F.tmp
C:\WINDOWS\CYK90.tmp
C:\WINDOWS\CYK91.tmp
C:\WINDOWS\CYK92.tmp
C:\WINDOWS\CYK93.tmp
C:\WINDOWS\CYK94.tmp
C:\WINDOWS\CYK95.tmp
C:\WINDOWS\CYK9B.tmp
C:\WINDOWS\CYKA5.tmp
C:\WINDOWS\CYKA6.tmp
C:\WINDOWS\CYKA7.tmp
C:\WINDOWS\CYKB9.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\zibwhahc
C:\WINDOWS\CYK46.tmp
C:\WINDOWS\CYK66.tmp
C:\WINDOWS\CYK67.tmp
C:\WINDOWS\CYK68.tmp
C:\WINDOWS\CYK69.tmp
C:\WINDOWS\CYK6A.tmp
C:\WINDOWS\CYK6B.tmp
C:\WINDOWS\CYK6C.tmp
C:\WINDOWS\CYK6D.tmp
C:\WINDOWS\CYK6E.tmp
C:\WINDOWS\CYK6F.tmp
C:\WINDOWS\CYK70.tmp
C:\WINDOWS\CYK71.tmp
C:\WINDOWS\CYK72.tmp
C:\WINDOWS\CYK73.tmp
C:\WINDOWS\CYK74.tmp
C:\WINDOWS\CYK75.tmp
C:\WINDOWS\CYK76.tmp
C:\WINDOWS\CYK77.tmp
C:\WINDOWS\CYK78.tmp
C:\WINDOWS\CYK79.tmp
C:\WINDOWS\CYK7A.tmp
C:\WINDOWS\CYK7B.tmp
C:\WINDOWS\CYK7C.tmp
C:\WINDOWS\CYK7D.tmp
C:\WINDOWS\CYK7E.tmp
C:\WINDOWS\CYK7F.tmp
C:\WINDOWS\CYK80.tmp
C:\WINDOWS\CYK81.tmp
C:\WINDOWS\CYK82.tmp
C:\WINDOWS\CYK83.tmp
C:\WINDOWS\CYK84.tmp
C:\WINDOWS\CYK85.tmp
C:\WINDOWS\CYK86.tmp
C:\WINDOWS\CYK87.tmp
C:\WINDOWS\CYK88.tmp
C:\WINDOWS\CYK89.tmp
C:\WINDOWS\CYK8A.tmp
C:\WINDOWS\CYK8B.tmp
C:\WINDOWS\CYK8C.tmp
C:\WINDOWS\CYK8D.tmp
C:\WINDOWS\CYK8E.tmp
C:\WINDOWS\CYK8F.tmp
C:\WINDOWS\CYK90.tmp
C:\WINDOWS\CYK91.tmp
C:\WINDOWS\CYK92.tmp
C:\WINDOWS\CYK93.tmp
C:\WINDOWS\CYK94.tmp
C:\WINDOWS\CYK95.tmp
C:\W