Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91733 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] kavo.exe, kavo0.dll, tavo.exe and PWS-LegMir.dll


  • This topic is locked This topic is locked
33 replies to this topic

#1 Hank55

Hank55

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 29 March 2008 - 06:09 AM

This posting has been moved to the proper section. :thumbup:

I have a problem similar to that reported by Trevuren in a previous thread. When I start my PC, I get the error message that thee files namely kavo.exe and kavo0.dll and tavo.exe have been detected and deleted. McAfee also detected a a0095189.dll trojan which it identified as a PWS-LegMir.dll Trojan.

Edited by Hank55, 01 April 2008 - 01:43 AM.

    Advertisements

Register to Remove


#2 Hank55

Hank55

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 31 March 2008 - 11:27 AM

I posted the message below in the wrong forum by mistake and repeat it here in the proper section:

I have a problem similar to that reported by Trevuren in a previous thread. When I start my PC, I get
the error message that thee files namely kavo.exe and kavo0.dll and tavo.exe have been detected and deleted. McAfee also detected a a0095189.dll trojan which it identified as a PWS-LegMir.dll Trojan.
I performed a Hijack This scan, and the results are as follows:


Logfile of HijackThis v1.99.1
Scan saved at 14:01, on 2008-03-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Invention Pilot\Tray Pilot\TrayPlt.exe
C:\WINDOWS\system32\CarryLaunch.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microcom ISDN Utilities\ccmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\Inetkey\INETKEY.EXE
C:\Program Files\Opera\Opera.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Data\Download\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sun.ac.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\RunOnce: [Tray Pilot] "C:\Program Files\Invention Pilot\Tray Pilot\Starter.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CAPI Tray.lnk = C:\Program Files\Microcom ISDN Utilities\ccmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1200463634203
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8177B5BE-6FE9-48C1-B23D-703CD11A1051}: NameServer = 146.232.128.1 146.232.128.10
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Carry it Easy Launcher (CarryLaunch) - Unknown owner - C:\WINDOWS\system32\CarryLaunch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

I also ran ComboFix (killall mode) and the log is as follows:

ComboFix 08-03-26.3 - hcv 2008-03-29 14:55:38.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.142 [GMT 2:00]
Running from: C:\ComboFix.exe
Command switches used :: /killall
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-29 )))))))))))))))))))))))))))))))
.

2008-03-29 10:41 . 2007-12-07 04:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-29 10:41 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-29 10:41 . 2007-03-08 07:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-29 10:41 . 2007-12-07 04:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-29 10:41 . 2007-12-07 04:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-29 10:41 . 2007-12-07 04:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-29 10:41 . 2007-12-07 04:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-29 10:41 . 2007-12-07 04:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-29 10:41 . 2007-12-06 13:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-28 19:59 . 2008-03-28 19:59 <DIR> d-------- C:\Documents and Settings\hcv\Application Data\Uniblue
2008-03-28 17:52 . 2008-03-28 17:52 330 --a------ C:\DrWeb.csv
2008-03-28 17:30 . 2008-03-12 22:29 114,338 -r-hs---- C:\1i.com
2008-03-28 11:02 . 2008-03-28 11:02 1,600,994 --a------ C:\ComboFix.exe
2008-03-17 10:22 . 2008-03-17 10:52 <DIR> d-------- C:\Documents and Settings\hcv\DoctorWeb
2008-03-17 09:40 . 2008-03-17 09:50 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-17 09:40 . 2008-03-29 14:24 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-17 09:40 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-03-15 13:05 . 2008-03-15 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-14 22:39 . 2008-03-14 22:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-14 22:39 . 2008-03-14 22:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-13 09:15 . 2008-03-29 11:31 <DIR> d-------- C:\QUARANTINE
2008-03-13 07:43 . 2008-03-13 07:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-13 07:42 . 2007-02-22 20:50 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-13 07:42 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-13 07:42 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-03-13 07:42 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-03-13 07:28 . 2008-03-13 07:28 <DIR> d-------- C:\Program Files\McAfee
2008-03-13 07:28 . 2008-03-13 07:28 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-03-12 20:10 . 2008-03-12 20:10 2,762 --a------ C:\WINDOWS\system32\tmp.reg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 12:21 --------- d-----w C:\Program Files\Afrikaanse Speltoetser
2008-07-13 14:12 --------- d-----w C:\Program Files\iolo
2008-03-29 13:24 --------- d-----w C:\Program Files\Plaxo
2008-03-29 12:31 --------- d-----w C:\Documents and Settings\hcv\Application Data\Skype
2008-03-29 09:31 --------- d-----w C:\Documents and Settings\hcv\Application Data\skypePM
2008-03-28 18:08 --------- d-----w C:\Program Files\RealVNC
2008-03-17 07:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-13 05:44 --------- d-----w C:\Program Files\Network Associates
2008-03-13 05:41 --------- d-----w C:\Program Files\Common Files\Network Associates
2008-01-09 17:49 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 17:21 227914]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-04 19:27 171448]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:08 21686568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2007-03-27 15:06 136768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-04 12:39 282624]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-09-26 22:23 503808]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-04 19:38 185896]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Tray Pilot"="C:\Program Files\Invention Pilot\Tray Pilot\Starter.exe" [2002-09-23 21:06 1536]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
CAPI Tray.lnk - C:\Program Files\Microcom ISDN Utilities\ccmon.exe [2006-04-02 15:37:56 155648]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-11-18 09:16:45 122880]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications]
"AllowUserPrefMerge"= 1 (0x1)
"Enabled"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe"= C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:146.232.128.87,146.232.128.91:enabled:McAfee ePO Agent Installer
"c:\inetkey\inetkey.exe"= c:\inetkey\inetkey.exe:146.232.128.170,146.232.128.180:enabled:Inetkey
"%WINDIR%\\System32\\dpmw32.exe"=
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts]
"AllowUserPrefMerge"= 1 (0x1)
"Enabled"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"8081:TCP:146.232.128.87, 146.232.128.91:enabled:McAfee ePO Agent Updater"= 8081:TCP:146.232.128.87, 146.232.128.91:enabled:McAfee ePO Agent Updater
"82:TCP:146.232.128.87, 146.232.128.91:enabled:McAfee ePO Agent Updater"= 82:TCP:146.232.128.87, 146.232.128.91:enabled:McAfee ePO Agent Updater

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowInboundEchoRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Logging]
"LogDroppedPackets"= 0 (0x0)
"LogSuccessfulConnections"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"Enabled"= 1 (0x1)
"RemoteAddresses"= *

R2 CAPI;CAPI 2.0 Service;C:\WINDOWS\system32\DRIVERS\capi.sys [2003-10-23 17:01]
R2 CarryLaunch;Carry it Easy Launcher;C:\WINDOWS\system32\CarryLaunch.exe [2007-02-26 15:36]
R2 NDISCAPI;NDIS CAPI Service;C:\WINDOWS\system32\DRIVERS\ndiscapi.sys [2003-10-23 17:15]
R3 colmpa;Microcom ISDN Porte Internal - IS 1840 NDIS WAN Driver;C:\WINDOWS\system32\DRIVERS\colmpa.sys [2005-01-13 12:55]
R3 vmdmc;Microcom VComm+ Port Driver;C:\WINDOWS\system32\DRIVERS\vmdmc.sys [2004-01-15 13:11]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-29 13:24:10 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-03-27 06:13:55 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-29 15:25:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Invention Pilot\Tray Pilot\TrayPlt.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-03-29 15:30:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-29 13:29:57
ComboFix2.txt 2008-03-28 09:25:48
ComboFix3.txt 2008-03-15 11:53:46
Pre-Run: 1,228,828,672 bytes free
Post-Run: 1,217,994,752 bytes free
.
2008-03-24 21:17:55 --- E O F ---

Could you please assist me to resolve this problem?
Kind regards
Hank55

#3 Hank55

Hank55

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 02 April 2008 - 06:11 AM

Can I PLEASE get some assistance with my problem above? Regards Hank55 :pullhair:

Edited by Hank55, 03 April 2008 - 10:42 AM.


#4 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 04 April 2008 - 06:23 AM

Hello Hank55

Welcome to the Whatthetech Malware Removal Forum, Lets go over a few things. We literally have 100s of people posting everyday with infected computers, the turn around time sometimes can be 4 or 5 days. If you would have read through the forum you would have seen that you can post here if your log has not been answered in 5 days.
http://forums.whatth...931#entry406931

All our helpers look for logs to work that have Zero replies, with you replying to your own thread you took yourself out of that category so it looked like you were being helped,

You should read this also, running tools like Combofix without supervision can bork your system .
http://forums.whatth...ING_t86364.html

Your running an outdated version of HJT, drag it to the trash and download and install the latest version by Trendmicro.

Download Trendmicros Hijackthis to your desktop.
Double click it to install
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
  • Open HJT Scan and Save a Log File, it will open in Notepad
  • Go to Format and make sure Wordwrap is Unchecked
  • Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.



Run this free online scan using Internet Explorer:
Kaspersky Online Virus Scanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
Post the log along with a New HJT Log into your next reply.

Jeffce_zpsa19ee2e6.png

 

 

 

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif

 

Find us on Facebook
Please LIKE and SHARE

 

 

Just a reminder that threads will be closed if no reply in 3 days.


#5 Hank55

Hank55

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 04 April 2008 - 09:29 PM

Sorry for misbehaving!
The Hijackthis scan report is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:51, on 2008-04-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CarryLaunch.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Invention Pilot\Tray Pilot\TrayPlt.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microcom ISDN Utilities\ccmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Inetkey\INETKEY.EXE
C:\Program Files\Opera\Opera.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sun.ac.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.sun.ac.za/sunproxy.pac
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\RunOnce: [Tray Pilot] "C:\Program Files\Invention Pilot\Tray Pilot\Starter.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: CAPI Tray.lnk = C:\Program Files\Microcom ISDN Utilities\ccmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1200463634203
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8177B5BE-6FE9-48C1-B23D-703CD11A1051}: NameServer = 146.232.128.1 146.232.128.10
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Carry it Easy Launcher (CarryLaunch) - Unknown owner - C:\WINDOWS\system32\CarryLaunch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 7389 bytes

The Kaspersky Online Scanner log is as follows:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, April 05, 2008 4:56:16 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/04/2008
Kaspersky Anti-Virus database records: 612376
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 53342
Number of viruses found: 8
Number of infected objects: 33
Number of suspicious objects: 0
Duration of the scan process: 05:04:10

Infected Object Name / Virus Name / Last Action
C:\1i.com Infected: Trojan-PSW.Win32.OnLineGames.ufb skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_HCV.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_HCV.log Object is locked skipped
C:\Documents and Settings\hcv\Application Data\Skype\hc.viljoen\call256.dbb Object is locked skipped
C:\Documents and Settings\hcv\Application Data\Skype\hc.viljoen\callmember256.dbb Object is locked skipped
C:\Documents and Settings\hcv\Application Data\Skype\hc.viljoen\chat512.dbb Object is locked skipped
C:\Documents and Settings\hcv\Application Data\Skype\hc.viljoen\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\hcv\Application Data\Skype\hc.viljoen\chatmsg1024.dbb Object is locked skipped
C:\Documents and Settings\hcv\Application Data\Skype\hc.viljoen\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\hcv\Application Data\Skype\hc.viljoen\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\hcv\Application Data\Skype\hc.viljoen\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\hcv\Application Data\Skype\hc.viljoen\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\hcv\Application Data\Skype\hc.viljoen\index2.dat Object is locked skipped
C:\Documents and Settings\hcv\Application Data\Skype\hc.viljoen\profile4096.dbb Object is locked skipped
C:\Documents and Settings\hcv\Application Data\Skype\hc.viljoen\user1024.dbb Object is locked skipped
C:\Documents and Settings\hcv\Application Data\Skype\hc.viljoen\user16384.dbb Object is locked skipped
C:\Documents and Settings\hcv\Application Data\Skype\hc.viljoen\user4096.dbb Object is locked skipped
C:\Documents and Settings\hcv\Application Data\Skype\hc.viljoen\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\hcv\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\hcv\DoctorWeb\Quarantine\A0090654.dll Infected: Trojan-PSW.Win32.OnLineGames.toc skipped
C:\Documents and Settings\hcv\DoctorWeb\Quarantine\A0090680.dll Infected: Trojan-PSW.Win32.OnLineGames.toc skipped
C:\Documents and Settings\hcv\DoctorWeb\Quarantine\A0090709.dll Infected: Trojan-PSW.Win32.OnLineGames.toc skipped
C:\Documents and Settings\hcv\DoctorWeb\Quarantine\A0091702.dll Infected: Trojan-PSW.Win32.OnLineGames.toc skipped
C:\Documents and Settings\hcv\DoctorWeb\Quarantine\A0091740.dll Infected: Trojan-PSW.Win32.OnLineGames.toc skipped
C:\Documents and Settings\hcv\DoctorWeb\Quarantine\A0091770.dll Infected: Trojan-PSW.Win32.OnLineGames.toc skipped
C:\Documents and Settings\hcv\DoctorWeb\Quarantine\A0091821.dll Infected: Trojan-PSW.Win32.OnLineGames.toc skipped
C:\Documents and Settings\hcv\DoctorWeb\Quarantine\A0091852.dll Infected: Trojan-PSW.Win32.OnLineGames.toc skipped
C:\Documents and Settings\hcv\DoctorWeb\Quarantine\A0091875.dll Infected: Trojan-PSW.Win32.OnLineGames.toc skipped
C:\Documents and Settings\hcv\DoctorWeb\Quarantine\A0091893.dll Infected: Trojan-PSW.Win32.OnLineGames.toc skipped
C:\Documents and Settings\hcv\DoctorWeb\Quarantine\A0091956.dll Infected: Trojan-PSW.Win32.OnLineGames.toc skipped
C:\Documents and Settings\hcv\DoctorWeb\Quarantine\A0092091.dll Infected: Trojan-PSW.Win32.OnLineGames.toc skipped
C:\Documents and Settings\hcv\DoctorWeb\Quarantine\A0092387.dll Infected: Trojan-PSW.Win32.OnLineGames.toc skipped
C:\Documents and Settings\hcv\DoctorWeb\Quarantine\A0092726.exe Infected: Packed.Win32.PolyCrypt.h skipped
C:\Documents and Settings\hcv\DoctorWeb\Quarantine\A0092888.exe Infected: Packed.Win32.PolyCrypt.h skipped
C:\Documents and Settings\hcv\DoctorWeb\Quarantine\A0093074.cmd Infected: Trojan-PSW.Win32.OnLineGames.thf skipped
C:\Documents and Settings\hcv\DoctorWeb\Quarantine\smkjd.cmd Infected: Trojan-PSW.Win32.OnLineGames.thf skipped
C:\Documents and Settings\hcv\DoctorWeb\Quarantine\smkjd.cmd.vir Infected: Trojan-PSW.Win32.OnLineGames.thf skipped
C:\Documents and Settings\hcv\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\hcv\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\hcv\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\hcv\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\hcv\Local Settings\Temp\NAILogs\UpdaterUI_HCV.log Object is locked skipped
C:\Documents and Settings\hcv\Local Settings\Temp\~DFC7EC.tmp Object is locked skipped
C:\Documents and Settings\hcv\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\hcv\Local Settings\Temporary Internet Files\Content.IE5\CHU9657Y\AU3RXWRCAPFVTPFCA6G527RCAHNVYXICAZG42QRCALN505FCAO88O6JCAPC8XQ5CAQQGVLPCAIR
72C9CAAME7M5CA8KAAPYCAT4EL26CAS37W24CAZF7LQICAAEQEXLCAPZ3PI4CANBO6LRCAQX97GDCAH5R
WLK.jpg Object is locked skipped
C:\Documents and Settings\hcv\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\hcv\Local Settings\Temporary Internet Files\Content.IE5\YH5UMRV9\comic[2].htm Object is locked skipped
C:\Documents and Settings\hcv\My Documents\Image.nrg/AVGspyware/cgg0410a.exe;1/run.exe Infected: Email-Worm.Win32.Zhelatin.ba skipped
C:\Documents and Settings\hcv\My Documents\Image.nrg/AVGspyware/cgg0410a.exe;1 Infected: Email-Worm.Win32.Zhelatin.ba skipped
C:\Documents and Settings\hcv\My Documents\Image.nrg ISOimage: infected - 2 skipped
C:\Documents and Settings\hcv\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\hcv\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\1i.com.vir Infected: Trojan-PSW.Win32.OnLineGames.ufb skipped
C:\QooBox\Quarantine\C\1wod1.com.vir Infected: Trojan-PSW.Win32.OnLineGames.tob skipped
C:\QooBox\Quarantine\C\autorun.inf.vir Infected: Trojan-PSW.Win32.OnLineGames.ufb skipped
C:\QooBox\Quarantine\C\cfv90h.com.vir Infected: Trojan-PSW.Win32.OnLineGames.ssa skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kavo.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.ufb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kavo0.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.ufb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tavo.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.xjj skipped
C:\System Volume Information\_restore{1D8711EC-EF30-4FC6-B839-35583D21EA07}\RP523\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Askey 56K Data Fax Voice Modem PnP.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\autorun.inf Infected: Trojan-PSW.Win32.OnLineGames.ufb skipped
F:\1i.com Infected: Trojan-PSW.Win32.OnLineGames.ufb skipped
F:\cfv90h.com Infected: Trojan-PSW.Win32.OnLineGames.ssa skipped
F:\1wod1.com Infected: Trojan-PSW.Win32.OnLineGames.tob skipped

Scan process completed.

#6 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 05 April 2008 - 05:32 AM

Good Morning Hank,

Sorry for misbehaving! <-- Not a problem , if your not used to the forums they can be a bit confusing, but where on the same page now . I do not see those bad files that where deleted so they may be gone. Lets do a few things/

You need to enable windows to show all files and folders, instructions Here

Delete these files
C:\Documents and Settings\hcv\DoctorWeb\Quarantine <-- Open the quarantine folder and remove it all
C:\Documents and Settings\hcv\My Documents\Image.nrg
C:\1i.com
F:\autorun.inf
F:\1i.com
F:\cfv90h.com




Please download ATF Cleaner by Atribune to your desktop.
  • This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a Hijackthis log.



Post the Malwarebytes log and a New HJT log please

Jeffce_zpsa19ee2e6.png

 

 

 

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif

 

Find us on Facebook
Please LIKE and SHARE

 

 

Just a reminder that threads will be closed if no reply in 3 days.


#7 Hank55

Hank55

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 05 April 2008 - 07:18 AM

Thanks for your assistance. I performed the necessary cleanup and the HTJ log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:13, on 2008-04-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CarryLaunch.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Invention Pilot\Tray Pilot\TrayPlt.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microcom ISDN Utilities\ccmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Inetkey\INETKEY.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sun.ac.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.sun.ac.za/sunproxy.pac
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\RunOnce: [Tray Pilot] "C:\Program Files\Invention Pilot\Tray Pilot\Starter.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: CAPI Tray.lnk = C:\Program Files\Microcom ISDN Utilities\ccmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1200463634203
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8177B5BE-6FE9-48C1-B23D-703CD11A1051}: NameServer = 146.232.128.1 146.232.128.10
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Carry it Easy Launcher (CarryLaunch) - Unknown owner - C:\WINDOWS\system32\CarryLaunch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 7453 bytes

Likewise the Malwarebytes log is as follows:

Malwarebytes' Anti-Malware 1.10
Database version: 592

Scan type: Quick Scan
Objects scanned: 31450
Time elapsed: 13 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\videoPl.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{81705d67-3f73-4983-859b-97d0922e5abe} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I hope my problem(s) have been solved! Thanks for your assistance.

#8 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 05 April 2008 - 08:50 AM

Hank,

Your HJT log looks fine. Malwarebytes removed some registry entries for Zlob but there were no files detected . To be on the safeside, run this quick scan, just run Option 1 and post the report.

Download SmitfraudFix to your desktop.
Posted Image

Extract the content (a folder named SmitfraudFix) to your Desktop.
Posted Image


Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Posted Image

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Jeffce_zpsa19ee2e6.png

 

 

 

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif

 

Find us on Facebook
Please LIKE and SHARE

 

 

Just a reminder that threads will be closed if no reply in 3 days.


#9 Hank55

Hank55

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 05 April 2008 - 09:14 AM

I downloaded SmitfraudFix but when I unzipped the file McAfee identified a virus (!) reboot.exe and deleted it, identifying it as a Generic PUP.g file which is "potentially dangerous". When clicking on smitfraudfix.cmd it would not run, giving an error message that reboot.exe is missing.
What now?

#10 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 05 April 2008 - 09:22 AM

Reboot.exe is part of Smitfraud fix, close down Mcafee and download it again.

Jeffce_zpsa19ee2e6.png

 

 

 

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif

 

Find us on Facebook
Please LIKE and SHARE

 

 

Just a reminder that threads will be closed if no reply in 3 days.

    Advertisements

Register to Remove


#11 Hank55

Hank55

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 05 April 2008 - 09:52 AM

I downloaded Smitfraud.zip on my hard disc, but I simply cannot extract reboot.exe after trying everything (closing McAfee as well as Spywareblaster).

#12 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 05 April 2008 - 10:28 AM

Sorry Hank, I have to many irons in the fire. What's happened here is that Mcafee deleted reboot.exe so the program won't run. Just drag Smitfraud to the trash and redownload it and make sure you disable Mcafee before you run it and it should run. Here are all the files that should be present for smitfraud to run


Posted Image

Edited by ken545, 05 April 2008 - 11:24 AM.

Jeffce_zpsa19ee2e6.png

 

 

 

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif

 

Find us on Facebook
Please LIKE and SHARE

 

 

Just a reminder that threads will be closed if no reply in 3 days.


#13 Hank55

Hank55

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 06 April 2008 - 04:41 AM

Hi Ken, Many thanks for your patience and help. However, I now throw in the towel: I downloaded a new version of Smitfraud, but my PC simply refuses me to download reboot.exe and (even after shutting down McAfee completely) still identifies it as a "Potentially Unwanted Program." I tried to rename reboot.exe inside the Zipped file before extraction, but WINZIP would not allow this to happen. I will just have to live with it and use my PC as it is at present; at least all the problemmatic Trojans have been removed. I realise that I cannot take up any more of your time with this problem. However, I cleaned my register using Regcure and by chance looked at the "Manage Startup" section; to my horror I see that both kavo.exe and tavo.exe appear as "enabled" files in the register which indicates them in the C:/WINDOWS/system32/ section. I looked inside C:/WINDOWS/system32/ but could not find either the kavo.exe or tavo.exe files located there. Perhaps the registry entry is a leftover, but why did Regcure not remove it? Should I disable the two references? Do you need another Hijackthis symstem scan log? Regards Hank

Edited by Hank55, 06 April 2008 - 05:35 AM.


#14 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 06 April 2008 - 05:34 AM

Good Morning Hank,

Why don't you run Combofix, post the log along with a new HJT log. There may just be left over reg entries for those bad files. Lets see what combofix finds and removes. Take your time Hank as I will be offline until this evening.

Download ComboFix from Here or Here to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.



1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re enable the protection again afterwards before connecting to the net


2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
  • If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.

Jeffce_zpsa19ee2e6.png

 

 

 

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif

 

Find us on Facebook
Please LIKE and SHARE

 

 

Just a reminder that threads will be closed if no reply in 3 days.


#15 Hank55

Hank55

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 06 April 2008 - 09:36 AM

Hi Ken,
I admire your perseverance and patience, which surpasses mine. I deactivated McAfee and AdAware according to the instructions at bleepingcomuter.com/forums/topic114351.html (although i see that ComboFix still shows AV active; how I do not know).
I ran ComboFix and the log is as follows:

ComboFix 08-04-04.1 - hcv 2008-04-06 17:05:59.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.104 [GMT 2:00]
Running from: C:\Documents and Settings\hcv\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll
C:\WINDOWS\system32\kavo1.dll
C:\WINDOWS\system32\tavo.exe

----- BITS: Possible infected sites -----

hxxp://wsus.sun.ac.za
.
((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))
.

2008-04-05 15:28 . 2008-04-05 15:28 115,976 -r-hs---- C:\pnc.exe
2008-04-05 15:26 . 2008-04-06 17:06 81,408 -r-hs---- C:\WINDOWS\system32\tavo0.dll
2008-04-05 15:25 . 2008-04-05 15:28 115,976 -r-hs---- C:\1i.com
2008-04-05 14:51 . 2008-04-05 14:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-05 14:51 . 2008-04-05 14:51 <DIR> d-------- C:\Documents and Settings\hcv\Application Data\Malwarebytes
2008-04-05 14:51 . 2008-04-05 14:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-05 14:47 . 2008-04-05 14:47 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-04 15:50 . 2008-04-04 15:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-03 10:03 . 2008-04-03 10:03 <DIR> d-------- C:\kav
2008-04-02 16:09 . 2008-04-02 16:57 <DIR> d-------- C:\Program Files\Quick StartUp
2008-03-29 10:41 . 2007-12-07 04:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-29 10:41 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-29 10:41 . 2007-03-08 07:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-29 10:41 . 2007-12-07 04:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-29 10:41 . 2007-12-07 04:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-29 10:41 . 2007-12-07 04:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-29 10:41 . 2007-12-07 04:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-29 10:41 . 2007-12-07 04:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-29 10:41 . 2007-12-06 13:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-28 19:59 . 2008-03-28 19:59 <DIR> d-------- C:\Documents and Settings\hcv\Application Data\Uniblue
2008-03-28 11:02 . 2008-03-28 11:02 1,600,994 --a------ C:\ComboFix.exe
2008-03-17 10:22 . 2008-04-01 09:57 <DIR> d-------- C:\Documents and Settings\hcv\DoctorWeb
2008-03-17 09:40 . 2008-03-17 09:50 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-17 09:40 . 2008-04-06 17:00 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-17 09:40 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-03-15 13:05 . 2008-03-15 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-14 22:39 . 2008-04-01 08:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-14 22:39 . 2008-03-14 22:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-13 09:15 . 2008-04-06 17:01 <DIR> d-------- C:\QUARANTINE
2008-03-13 07:43 . 2008-03-13 07:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-13 07:42 . 2007-02-22 20:50 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-13 07:42 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-13 07:42 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-03-13 07:42 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-03-13 07:28 . 2008-03-13 07:28 <DIR> d-------- C:\Program Files\McAfee
2008-03-13 07:28 . 2008-03-13 07:28 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-03-12 20:10 . 2008-03-12 20:10 2,762 --a------ C:\WINDOWS\system32\tmp.reg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 12:21 --------- d-----w C:\Program Files\Afrikaanse Speltoetser
2008-07-13 14:12 --------- d-----w C:\Program Files\iolo
2008-04-06 15:09 --------- d-----w C:\Documents and Settings\hcv\Application Data\Skype
2008-04-06 15:06 --------- d-----w C:\Program Files\Plaxo
2008-04-06 14:06 --------- d-----w C:\Documents and Settings\hcv\Application Data\skypePM
2008-04-01 12:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-28 18:08 --------- d-----w C:\Program Files\RealVNC
2008-03-13 05:44 --------- d-----w C:\Program Files\Network Associates
2008-03-13 05:41 --------- d-----w C:\Program Files\Common Files\Network Associates
2008-01-23 16:35 95,064 ----a-w C:\WINDOWS\system32\cdm.dll
2008-01-23 16:35 556,376 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-01-23 16:35 325,464 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-01-23 16:35 204,120 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-01-23 16:35 1,743,704 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-01-23 16:34 53,592 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-01-23 16:34 44,888 ----a-w C:\WINDOWS\system32\wups2.dll
2008-01-23 16:34 36,184 ----a-w C:\WINDOWS\system32\wups.dll
2008-01-09 17:49 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:08 21686568]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 17:21 227914]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-04 19:27 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2007-03-27 15:06 136768]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-09-26 22:23 503808]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
CAPI Tray.lnk - C:\Program Files\Microcom ISDN Utilities\ccmon.exe [2006-04-02 15:37:56 155648]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-11-18 09:16:45 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications]
"AllowUserPrefMerge"= 1 (0x1)
"Enabled"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe"= C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:146.232.128.87,146.232.128.91:enabled:McAfee ePO Agent Installer
"c:\inetkey\inetkey.exe"= c:\inetkey\inetkey.exe:146.232.128.170,146.232.128.180:enabled:Inetkey
"%WINDIR%\\System32\\dpmw32.exe"=
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts]
"AllowUserPrefMerge"= 1 (0x1)
"Enabled"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"8081:TCP:146.232.128.87, 146.232.128.91:enabled:McAfee ePO Agent Updater"= 8081:TCP:146.232.128.87, 146.232.128.91:enabled:McAfee ePO Agent Updater
"82:TCP:146.232.128.87, 146.232.128.91:enabled:McAfee ePO Agent Updater"= 82:TCP:146.232.128.87, 146.232.128.91:enabled:McAfee ePO Agent Updater

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowInboundEchoRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Logging]
"LogDroppedPackets"= 0 (0x0)
"LogSuccessfulConnections"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"Enabled"= 1 (0x1)
"RemoteAddresses"= *

R2 CAPI;CAPI 2.0 Service;C:\WINDOWS\system32\DRIVERS\capi.sys [2003-10-23 17:01]
R2 CarryLaunch;Carry it Easy Launcher;C:\WINDOWS\system32\CarryLaunch.exe [2007-02-26 15:36]
R2 NDISCAPI;NDIS CAPI Service;C:\WINDOWS\system32\DRIVERS\ndiscapi.sys [2003-10-23 17:15]
R3 colmpa;Microcom ISDN Porte Internal - IS 1840 NDIS WAN Driver;C:\WINDOWS\system32\DRIVERS\colmpa.sys [2005-01-13 12:55]
R3 vmdmc;Microcom VComm+ Port Driver;C:\WINDOWS\system32\DRIVERS\vmdmc.sys [2004-01-15 13:11]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\87.tmp []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-06 15:00:04 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-04-03 06:07:56 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 17:11:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\87.tmp"
.
Completion time: 2008-04-06 17:13:36
ComboFix-quarantined-files.txt 2008-04-06 15:13:00
ComboFix2.txt 2008-03-28 09:25:48
ComboFix3.txt 2008-03-15 11:53:46
Pre-Run: 1,908,867,072 bytes free
Post-Run: 1,897,611,264 bytes free
.
2008-03-31 12:12:12 --- E O F ---

The HijackThis log is as follows

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:26, on 2008-04-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Invention Pilot\Tray Pilot\TrayPlt.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microcom ISDN Utilities\ccmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CarryLaunch.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Data\Download\HijackThis\HJTInstall.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sun.ac.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.sun.ac.za/sunproxy.pac
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\RunOnce: [Tray Pilot] "C:\Program Files\Invention Pilot\Tray Pilot\Starter.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: CAPI Tray.lnk = C:\Program Files\Microcom ISDN Utilities\ccmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1200463634203
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Carry it Easy Launcher (CarryLaunch) - Unknown owner - C:\WINDOWS\system32\CarryLaunch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 7073 bytes

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users