
Vundo Removal Help


36 replies to this topic

#16 sagiter

  • Authentic Member
  • 36 posts

Posted 12 May 2008 - 02:49 PM

The computer does seem to be running well. When booting I get a message reading RUNDLL - Error Loading F:/Windows/System32/smuqsuiw.dll.

ComboFix 08-05-01.3 - Owner 2008-05-12 16:27:13.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.199 [GMT -4:00]
Running from: F:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: F:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
F:\WINDOWS\b2new.exe
F:\WINDOWS\system32\efcDVpMg.dll
F:\WINDOWS\system32\egpqgarc.dll
F:\WINDOWS\SYSTEM32\ljJbBSIy.dll
F:\WINDOWS\system32\ljJbBSIy.dll
F:\WINDOWS\system32\lvxjuonp.dll
F:\WINDOWS\system32\mtkbudex.dll
F:\WINDOWS\system32\nnnnNGVp.dll
F:\WINDOWS\system32\smuqsuiw.dll
F:\WINDOWS\system32\sockins32.dll
F:\WINDOWS\system32\wiusqums.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Documents and Settings\All Users\Application Data\rezgdwhm
F:\WINDOWS\b2new.exe
F:\WINDOWS\system32\efcDVpMg.dll
F:\WINDOWS\system32\egpqgarc.dll
F:\WINDOWS\system32\ljJbBSIy.dll
F:\WINDOWS\system32\lvxjuonp.dll
F:\WINDOWS\system32\mtkbudex.dll
F:\WINDOWS\system32\nnnnNGVp.dll
F:\WINDOWS\system32\smuqsuiw.dll
F:\WINDOWS\system32\sockins32.dll
F:\WINDOWS\system32\wiusqums.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-11 10:40 . 2008-05-11 10:40 41,724 ---hs---- F:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-05-10 23:28 . 2008-05-10 23:28 54,156 --ah----- F:\WINDOWS\QTFont.qfn
2008-05-10 23:28 . 2008-05-10 23:28 1,409 --a------ F:\WINDOWS\QTFont.for
2008-05-10 20:34 . 2008-05-10 20:34 <DIR> d-------- F:\WINDOWS\system32\Kaspersky Lab
2008-05-10 20:34 . 2008-05-10 20:34 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-09 16:14 . 2008-05-09 16:14 250 --a------ F:\WINDOWS\gmer.ini
2008-05-09 09:22 . 2008-05-09 09:22 <DIR> d-------- F:\Program Files\Malwarebytes' Anti-Malware
2008-05-09 09:22 . 2008-05-09 09:22 <DIR> d-------- F:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-09 09:22 . 2008-05-09 09:22 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-09 09:22 . 2008-05-05 20:46 27,048 --a------ F:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-09 09:22 . 2008-05-05 20:46 15,864 --a------ F:\WINDOWS\system32\drivers\mbam.sys
2008-05-01 23:01 . 2008-05-01 23:01 24,576 --a------ F:\WINDOWS\system32\VundoFixSVC.exe
2008-05-01 21:57 . 2008-05-01 21:57 8 --a------ F:\WINDOWS\system32\0000fdec
2008-04-26 11:41 . 2008-04-26 11:41 <DIR> d-------- F:\Documents and Settings\Owner\Application Data\Motive
2008-04-26 11:35 . 2008-04-26 11:35 <DIR> d-------- F:\WINDOWS\system32\LogFiles
2008-04-26 08:33 . 2003-07-16 16:24 4,224 --a------ F:\WINDOWS\system32\beep.sys
2008-04-26 08:31 . 2008-04-26 08:31 <DIR> d-------- F:\WINDOWS\system32\xcsDd06
2008-04-26 08:31 . 2008-05-11 10:54 1,906 --a------ F:\WINDOWS\index.html
2008-04-24 17:12 . 2008-02-22 02:33 69,632 --a------ F:\WINDOWS\system32\javacpl.cpl
2008-04-24 15:43 . 2007-09-06 00:22 289,144 --a------ F:\WINDOWS\system32\VCCLSID.exe
2008-04-24 15:43 . 2006-04-27 17:49 288,417 --a------ F:\WINDOWS\system32\SrchSTS.exe
2008-04-24 15:43 . 2008-04-24 08:10 86,528 --a------ F:\WINDOWS\system32\VACFix.exe
2008-04-24 15:43 . 2008-04-23 22:14 82,944 --a------ F:\WINDOWS\system32\IEDFix.exe
2008-04-24 15:43 . 2008-04-23 22:14 82,944 --a------ F:\WINDOWS\system32\404Fix.exe
2008-04-24 15:43 . 2004-07-31 18:50 51,200 --a------ F:\WINDOWS\system32\dumphive.exe
2008-04-24 15:43 . 2007-10-04 00:36 25,600 --a------ F:\WINDOWS\system32\WS2Fix.exe
2008-04-24 15:40 . 2008-04-24 15:40 3,798 --a------ F:\WINDOWS\system32\tmp.reg
2008-04-24 15:23 . 2008-04-24 15:23 <DIR> d-------- F:\Documents and Settings\Administrator
2008-04-24 15:23 . 2008-05-12 16:25 1,024 --ah----- F:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-23 19:15 . 2008-05-09 11:54 <DIR> d-------- F:\VundoFix Backups
2008-04-23 14:04 . 2008-04-23 14:04 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\McAfee
2008-04-21 01:25 . 2008-05-11 14:26 109,709 --a------ F:\WINDOWS\BMcf339d83.xml
2008-04-20 14:36 . 2008-03-01 09:06 6,066,176 -----c--- F:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-20 14:36 . 2007-06-30 23:31 2,455,488 -----c--- F:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-20 14:36 . 2007-06-30 23:36 991,232 -----c--- F:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-20 14:36 . 2008-03-01 09:06 459,264 -----c--- F:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-20 14:36 . 2008-03-01 09:06 383,488 -----c--- F:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-20 14:36 . 2008-03-01 09:06 267,776 -----c--- F:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-20 14:36 . 2008-03-01 09:06 63,488 -----c--- F:\WINDOWS\system32\dllcache\icardie.dll
2008-04-20 14:36 . 2008-03-01 09:06 52,224 -----c--- F:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-20 14:36 . 2008-02-22 06:00 13,824 -----c--- F:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 14:32 . 2007-08-13 18:54 33,792 --a--c--- F:\WINDOWS\system32\dllcache\custsat.dll
2008-04-20 13:09 . 2008-05-06 16:59 1,061 --a------ F:\WINDOWS\wininit.ini
2008-04-20 12:14 . 2008-04-20 12:13 691,545 --a------ F:\WINDOWS\unins000.exe
2008-04-20 12:14 . 2008-04-20 12:14 2,542 --a------ F:\WINDOWS\unins000.dat
2008-04-20 11:11 . 2008-04-20 11:11 <DIR> d-------- F:\WINDOWS\mgwwgmke
2008-04-20 11:10 . 2008-04-20 11:10 398 --a------ F:\WINDOWS\system32\LE5C0.tmp
2008-04-20 11:10 . 2008-04-20 11:10 398 --a------ F:\WINDOWS\system32\LE504.tmp
2008-04-20 11:10 . 2008-04-20 11:10 398 --a------ F:\WINDOWS\system32\LE3BC.tmp
2008-04-20 11:10 . 2008-04-20 11:10 398 --a------ F:\WINDOWS\system32\LE310.tmp
2008-04-16 17:55 . 2004-08-04 03:56 159,232 --a------ F:\WINDOWS\system32\ptpusd.dll
2008-04-16 17:55 . 2004-08-04 01:58 15,104 --a------ F:\WINDOWS\system32\drivers\usbscan.sys
2008-04-16 17:55 . 2004-08-04 01:58 15,104 --a--c--- F:\WINDOWS\system32\dllcache\usbscan.sys
2008-04-16 17:55 . 2001-08-17 22:36 5,632 --a------ F:\WINDOWS\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 20:25 --------- d-----w F:\Documents and Settings\Owner\Application Data\SlimBrowser
2008-05-06 12:51 --------- d-----w F:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-06 12:50 9,344 ----a-w F:\WINDOWS\system32\drivers\NSDriver.sys
2008-05-06 12:50 8,320 ----a-w F:\WINDOWS\system32\drivers\AWRTRD.sys
2008-05-06 11:06 --------- d-----w F:\Program Files\AIMTunes
2008-04-28 01:31 61,328 ----a-w F:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-04-27 17:28 --------- d-----w F:\Documents and Settings\All Users\Application Data\Motive
2008-04-24 21:12 --------- d-----w F:\Program Files\Java
2008-04-20 17:14 --------- d-----w F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-20 16:42 --------- d-----w F:\Program Files\Spybot - Search & Destroy
2008-04-05 14:40 --------- d-----w F:\Documents and Settings\LocalService\Application Data\SlimBrowser
2008-03-22 17:38 --------- d-----w F:\Documents and Settings\Owner\Application Data\Apple Computer
.

((((((((((((((((((((((((((((( snapshot@2008-05-07_19.20.06.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-07-26 04:39:43 110,080 ----a-w F:\WINDOWS\$hf_mig$\KB902400\SP2GDR\clbcatex.dll
+ 2005-07-26 04:39:43 498,688 ----a-w F:\WINDOWS\$hf_mig$\KB902400\SP2GDR\clbcatq.dll
+ 2005-07-26 04:20:23 110,080 ----a-w F:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll
+ 2005-07-26 04:20:24 498,688 ----a-w F:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll
+ 2005-07-26 04:30:38 110,080 -c----w F:\WINDOWS\$NtServicePackUninstall$\clbcatex.dll
+ 2005-07-26 04:30:41 497,152 -c----w F:\WINDOWS\$NtServicePackUninstall$\clbcatq.dll
+ 2004-08-04 07:56:41 110,080 -c----w F:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll
+ 2004-08-04 07:56:41 501,248 -c----w F:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll
+ 2003-07-16 20:25:27 100,864 -c----w F:\WINDOWS\$NtUninstallKB902400_0$\clbcatex.dll
+ 2003-07-16 20:25:28 468,480 -c----w F:\WINDOWS\$NtUninstallKB902400_0$\clbcatq.dll
- 2008-05-07 23:15:08 2,048 --s-a-w F:\WINDOWS\bootstat.dat
+ 2008-05-12 20:33:03 2,048 --s-a-w F:\WINDOWS\bootstat.dat
+ 2008-05-09 20:14:16 819,200 ----a-w F:\WINDOWS\gmer.dll
+ 2008-05-09 20:14:01 761,856 ----a-w F:\WINDOWS\gmer.exe
+ 2004-08-04 07:56:41 110,080 ------w F:\WINDOWS\ServicePackFiles\i386\clbcatex.dll
+ 2004-08-04 07:56:41 501,248 ------w F:\WINDOWS\ServicePackFiles\i386\clbcatq.dll
+ 2003-07-16 20:25:27 10,752 ----a-w F:\WINDOWS\system32\clb.dll
+ 2005-07-26 04:39:43 110,080 ----a-w F:\WINDOWS\system32\clbcatex.dll
+ 2005-07-26 04:39:43 498,688 ----a-w F:\WINDOWS\system32\clbcatq.dll
+ 2003-07-16 20:25:27 10,752 -c--a-w F:\WINDOWS\system32\dllcache\clb.dll
+ 2008-05-09 20:14:16 86,097 ----a-w F:\WINDOWS\system32\drivers\gmer.sys
+ 2005-05-24 16:27:16 213,048 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-05-11 14:54:48 2,048 ----a-w F:\WINDOWS\system32\pdfostrl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="F:\Program Files\AIM6\aim6.exe" [2007-09-29 16:22 50528]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="F:\WINDOWS\System32\igfxtray.exe" [2003-04-07 00:19 155648]
"HotKeysCmds"="F:\WINDOWS\System32\hkcmd.exe" [2003-04-07 00:07 114688]
"MCAgentExe"="f:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="f:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05 212992]
"VirusScan Online"="F:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"VSOCheckTask"="F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"OASClnt"="F:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"PDUiP6000DMon"="F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe" [2004-05-31 13:26 57344]
"PDUiP6000DTskbr"="F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe" [2004-05-28 09:29 69632]
"Microsoft Works Update Detection"="F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 21:21 28672]
"QuickTime Task"="F:\PROGRA~1\QUICKT~1\qttask.exe" [2006-09-01 15:57 282624]
"iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58 229952]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Verizon_McciTrayApp"="F:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 14:30 936960]
"VerizonServicepoint.exe"="F:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 16:20 2061816]
"000000af"="F:\WINDOWS\system32\smuqsuiw.dll" [ ]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Microsoft Office.lnk - F:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\Program Files\\AIM\\aim.exe"=
"F:\\Program Files\\iTunes\\iTunes.exe"=
"F:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"F:\\Program Files\\AIM6\\aim6.exe"=
"F:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"F:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 13:14:00 F:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- F:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 16:33:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\Program Files\McAfee.com\Agent\Mcdetect.exe
F:\PROGRA~1\McAfee.com\VSO\McShield.exe
F:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
F:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\AIM6\aolsoftware.exe
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-05-12 16:40:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-12 20:40:33
ComboFix2.txt 2008-05-11 18:42:12
ComboFix3.txt 2008-05-11 18:26:02
ComboFix4.txt 2008-05-07 23:20:26

Pre-Run: 67,437,780,992 bytes free
Post-Run: 67,428,511,744 bytes free

212 --- E O F --- 2008-04-21 07:01:15


Logfile of HijackThis v1.99.1
Scan saved at 4:41:27 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\system32\spoolsv.exe
f:\program files\mcafee.com\agent\mcdetect.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
f:\PROGRA~1\mcafee.com\vso\OasClnt.exe
f:\program files\mcafee.com\vso\mcvsshld.exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Viewpoint\Common\ViewpointService.exe
F:\WINDOWS\System32\hkcmd.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
F:\PROGRA~1\QUICKT~1\qttask.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
F:\Program Files\Verizon\McciTrayApp.exe
F:\Program Files\Verizon\VSP\VerizonServicepoint.exe
F:\Program Files\AIM6\aim6.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\AIM6\aolsoftware.exe
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] F:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] f:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] F:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [VSOCheckTask] "F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] F:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [PDUiP6000DMon] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
O4 - HKLM\..\Run: [PDUiP6000DTskbr] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] F:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "F:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [000000af] rundll32.exe "F:\WINDOWS\system32\smuqsuiw.dll",b
O4 - HKCU\..\Run: [Aim6] "F:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - F:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - f:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe



#17 Noviciate

  • Retired WTT Teacher
  • Visiting Fellow
  • 2,907 posts

Posted 12 May 2008 - 03:23 PM

Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O4 - HKLM\..\Run: [000000af] rundll32.exe "F:\WINDOWS\system32\smuqsuiw.dll",b

CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

Run the PC for 24 hours throwing in at least one reboot and then post one final HJT log and tell me how the PC is behaving - I think that's the last of it.
Death to the salad eaters!
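As an added example (not code from HijackThis, ComboFix or either poster), the Python below cross-checks a HijackThis log against a ComboFix log for what #16 shows and #17 fixes: a Run entry left pointing at a DLL that ComboFix already deleted, which is what makes Windows show the RUNDLL "Error Loading" box at boot. The log excerpts are constructed from the lines posted in #16; the reading of ComboFix's empty `[ ]` (no date/size captured because the file is gone) is an assumption drawn from that log.

```python
"""
Cross-check a HijackThis (HJT) log against a ComboFix log for autostart
entries that point at files ComboFix has already deleted.  Added example
for this thread; not part of HijackThis, ComboFix or the posters' steps.
The log excerpts below are constructed from the lines posted in #16.
"""
import re

# Constructed excerpt of the ComboFix log: the "Other Deletions" section
# plus two values from the "Reg Loading Points" section.
COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\WINDOWS\b2new.exe
F:\WINDOWS\system32\smuqsuiw.dll
F:\WINDOWS\system32\wiusqums.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="F:\WINDOWS\System32\igfxtray.exe" [2003-04-07 00:19 155648]
"000000af"="F:\WINDOWS\system32\smuqsuiw.dll" [ ]
"""

# Constructed excerpt of the HijackThis log (O4 = autostart entries).
HJT_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [000000af] rundll32.exe "F:\WINDOWS\system32\smuqsuiw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
"""

# "O4 - HKLM\..\Run: [name] command" (registry Run keys only, not Global Startup)
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Any drive-letter path in a command line, quoted ("F:\...") or bare (F:\...).
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s,]+)')
# ComboFix Run value: "name"="path" [date time size]; brackets empty if no file info.
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<info>[^\]]*)\]$')


def deleted_files(combofix_log: str) -> set[str]:
    """Paths listed under ComboFix's 'Other Deletions' banner, lower-cased."""
    deleted: set[str] = set()
    in_section = False
    for raw in combofix_log.splitlines():
        line = raw.strip()
        if "Other Deletions" in line:
            in_section = True
            continue
        if in_section and line.startswith("(((("):
            break  # the next banner ends the section
        if in_section and re.match(r"^[A-Za-z]:\\", line):
            deleted.add(line.lower())
    return deleted


def loaded_files(cmd: str) -> list[str]:
    """Every drive-letter path an O4 command references, lower-cased.

    For a rundll32 entry this is the DLL argument, which is the file that
    actually goes missing, not rundll32.exe itself.
    """
    return [(quoted or bare).lower() for quoted, bare in PATH_RE.findall(cmd)]


def orphaned_entries(hjt_log: str, combofix_log: str) -> list[dict]:
    """O4 Run entries whose target ComboFix reports as deleted.

    Such an entry still fires at logon, and Windows then shows the
    'RUNDLL - Error Loading <dll>' box described in #16.
    """
    gone = deleted_files(combofix_log)
    findings = []
    for line in hjt_log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        for path in loaded_files(m["cmd"]):
            if path in gone:
                findings.append({"hive": m["hive"], "name": m["name"], "target": path})
    return findings


def run_values_without_file_info(combofix_log: str) -> list[tuple[str, str]]:
    """Reg Loading Points values ComboFix printed with empty brackets '[ ]'.

    Assumption: ComboFix prints the target's date and size in the brackets,
    so empty brackets mean it found no file to describe, a second hint that
    the value is orphaned.
    """
    out = []
    for raw in combofix_log.splitlines():
        m = RUN_VALUE_RE.match(raw.strip())
        if m and not m["info"].strip():
            out.append((m["name"], m["path"]))
    return out


def main() -> None:
    for name, path in run_values_without_file_info(COMBOFIX_LOG):
        print(f"ComboFix: Run value [{name}] -> {path} has no file info (file gone?)")
    for f in orphaned_entries(HJT_LOG, COMBOFIX_LOG):
        print(f"HJT: {f['hive']} Run [{f['name']}] loads deleted {f['target']}"
              " -> tick it in HijackThis and use 'Fix checked'")


if __name__ == "__main__":
    main()
```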

#18 sagiter

  • Authentic Member
  • 36 posts

Posted 13 May 2008 - 03:00 PM

Ok, here's the latest HijackThis log. The computer has been running for 24 hours and has been rebooted at least 6 times. All seems well.


Logfile of HijackThis v1.99.1
Scan saved at 4:57:11 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\hkcmd.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\Program Files\McAfee.com\VSO\mcvsshld.exe
F:\Program Files\McAfee.com\VSO\oasclnt.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
F:\PROGRA~1\QUICKT~1\qttask.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
F:\Program Files\Verizon\McciTrayApp.exe
F:\Program Files\Verizon\VSP\VerizonServicepoint.exe
F:\Program Files\AIM6\aim6.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
f:\program files\mcafee.com\agent\mcdetect.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
F:\Program Files\AIM6\aolsoftware.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Viewpoint\Common\ViewpointService.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eihs.eischools.org/home.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] F:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] f:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] F:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [VSOCheckTask] "F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] F:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [PDUiP6000DMon] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
O4 - HKLM\..\Run: [PDUiP6000DTskbr] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] F:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "F:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKCU\..\Run: [Aim6] "F:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - F:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - f:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe

#19 Noviciate

  • Retired WTT Teacher
  • Visiting Fellow
  • 2,907 posts

Posted 14 May 2008 - 01:12 PM

I think that means you're done - better late than never!

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Go to Start > Run, enter the following into the textbox and click OK: combofix /u
This will uninstall Combofix and do a little housework besides.

Create a new Restore Point - this will give a clean one should you need it in the future.
A tutorial for System Restore is available here.

The reason for waiting is that if removing the malware has caused a problem, which it occasionally does, you can put your PC back to how it was before the fix. This will re-install the malware, but an infected PC is better than an expensive paperweight!

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your log doesn't appear to show a third-party software firewall installed - if you have one, and I've missed it, please ignore this.
If you are relying on the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
If you are using a wireless router that comes with a NAT hardware firewall, this also doesn't monitor outgoing connections.

There are a few free firewalls available.
Comodo Firewall Pro, available here.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

It is important to note that you should only have one firewall installed at a time, but you can download them all to your Desktop and install each in turn to see which one you prefer.

Understanding and Using Firewalls: http://www.bleepingc...tutorial60.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your version of Adobe Reader is out of date - you can get the latest, and free, version here. If you don't want the media player, just uncheck the box.
Death to the salad eaters!

#20 sagiter (Authentic Member)
  • 36 posts

Posted 18 May 2008 - 09:41 AM

OK, I waited until a free day (Sunday) to finish up and as of this morning we are screwed up again. I just had to run MBAM to gain access to the internet. Here is the HijackThis list before MBAM and the MBAM log after running and repairing:

One question I have is whether it's possible that my daughter's Canon camera or iPod can hold the virus or PUP or trojan or whatever and then load it back when synced; just a thought. Also, many problems seem to boot IE although up until we were fixing the system we never used it. We prefer SlimBrowser.

Run before MBAM:

Logfile of HijackThis v1.99.1
Scan saved at 10:51:23 AM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
f:\program files\mcafee.com\agent\mcdetect.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
f:\PROGRA~1\mcafee.com\vso\OasClnt.exe
f:\program files\mcafee.com\vso\mcvsshld.exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Viewpoint\Common\ViewpointService.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\System32\hkcmd.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
F:\PROGRA~1\QUICKT~1\qttask.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
F:\Program Files\Verizon\McciTrayApp.exe
F:\Program Files\Verizon\VSP\VerizonServicepoint.exe
F:\Program Files\AIM6\aim6.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\QdrModule\QdrModule16.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\AIM6\aolsoftware.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eihs.eischools.org/home.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] F:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] F:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [VSOCheckTask] "F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] F:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [PDUiP6000DMon] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
O4 - HKLM\..\Run: [PDUiP6000DTskbr] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] F:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "F:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKCU\..\Run: [Aim6] "F:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - F:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - f:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe

Malwarebytes' Anti-Malware 1.12
Database version: 762

Scan type: Full Scan (F:\|)
Objects scanned: 79183
Time elapsed: 25 minute(s), 35 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 29

Memory Processes Infected:
F:\Program Files\QdrModule\QdrModule16.exe (Adware.ISM) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{66186f05-bbbb-4a39-864f-72d84615c679} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ism (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrPack (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
F:\Program Files\ISM (Adware.ISM) -> Quarantined and deleted successfully.
F:\Program Files\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
F:\Program Files\QdrPack (Adware.ISM) -> Quarantined and deleted successfully.
F:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor (Adware.AdSponsor) -> Quarantined and deleted successfully.

Files Infected:
F:\Documents and Settings\Owner\Local Settings\Temp\syswcc32.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
F:\Program Files\ISM\ism.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
F:\QooBox\Quarantine\F\WINDOWS\lfn.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
F:\QooBox\Quarantine\F\WINDOWS\system32\sockins32.dll.vir (Trojan.BHO) -> Quarantined and deleted successfully.
F:\QooBox\Quarantine\F\WINDOWS\system32\wmsdkns.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
F:\Program Files\ISM\Uninstall.exe (Adware.ISM) -> Quarantined and deleted successfully.
F:\Program Files\QdrModule\dicy.gz (Adware.ISM) -> Quarantined and deleted successfully.
F:\Program Files\QdrModule\kwdy.gz (Adware.ISM) -> Quarantined and deleted successfully.
F:\Program Files\QdrModule\pckr.dat (Adware.ISM) -> Quarantined and deleted successfully.
F:\Program Files\QdrModule\QdrModule16.exe (Adware.ISM) -> Quarantined and deleted successfully.
F:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
F:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
F:\WINDOWS\homepage.html (Malware.Trace) -> Quarantined and deleted successfully.
F:\WINDOWS\promo1.html (Malware.Trace) -> Quarantined and deleted successfully.
F:\WINDOWS\promo2.html (Malware.Trace) -> Quarantined and deleted successfully.
F:\WINDOWS\promo3.html (Malware.Trace) -> Quarantined and deleted successfully.
F:\WINDOWS\promo4.html (Malware.Trace) -> Quarantined and deleted successfully.
F:\WINDOWS\promo5.html (Malware.Trace) -> Quarantined and deleted successfully.
F:\WINDOWS\promo6.html (Malware.Trace) -> Quarantined and deleted successfully.
F:\WINDOWS\promogif1.gif (Malware.Trace) -> Quarantined and deleted successfully.
F:\WINDOWS\promogif2.gif (Malware.Trace) -> Quarantined and deleted successfully.
F:\WINDOWS\promogif3.gif (Malware.Trace) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\clbdll.dll (Trojan.Agent) -> Delete on reboot.
F:\WINDOWS\system32\000060.exe (Trojan.Agent) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\000080.exe (Trojan.Agent) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\000090.exe (Trojan.Agent) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
F:\Documents and Settings\Owner\Local Settings\Temp\ie.exe (Trojan.Agent) -> Quarantined and deleted successfully.
F:\Documents and Settings\Owner\Local Settings\Temp\ismtpa16.exe (Adware.ISM) -> Quarantined and deleted successfully.


I will try to get a new HijackThis log now and post it in the next box.

#21 sagiter (Authentic Member)
  • 36 posts

Posted 18 May 2008 - 09:43 AM

Most recent, run after MBAM:

Logfile of HijackThis v1.99.1
Scan saved at 11:42:23 AM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
f:\program files\mcafee.com\agent\mcdetect.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
F:\WINDOWS\System32\hkcmd.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\Program Files\McAfee.com\VSO\mcvsshld.exe
F:\Program Files\McAfee.com\VSO\oasclnt.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
F:\PROGRA~1\QUICKT~1\qttask.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
F:\Program Files\Verizon\McciTrayApp.exe
F:\Program Files\Verizon\VSP\VerizonServicepoint.exe
f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
F:\Program Files\AIM6\aim6.exe
F:\WINDOWS\system32\ctfmon.exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Viewpoint\Common\ViewpointService.exe
F:\Program Files\AIM6\aolsoftware.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eihs.eischools.org/home.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] F:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] F:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [VSOCheckTask] "F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] F:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [PDUiP6000DMon] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
O4 - HKLM\..\Run: [PDUiP6000DTskbr] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] F:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "F:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKCU\..\Run: [Aim6] "F:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - F:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - f:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe
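
The two HijackThis logs above (before and after the Malwarebytes run) differ in only a handful of lines, and spotting those by eye across 90-line dumps is error-prone. The following Python script is an added example, not code from this thread, from HijackThis or from Malwarebytes: it parses logs in the format posted here, keys each hook so the same Run value or CLSID can be matched across two logs, lists the processes and hooks that disappeared or appeared between runs, and flags entries a reviewer would want to look at first (targets that no longer exist, and anything launched from the user's Temp folder). The embedded logs are constructed excerpts modelled on the two posted logs; the Temp-folder Run entry is an illustration and was not in the original logs.

```python
import re
from typing import Dict, List, Tuple

# A HijackThis entry line: a section tag (R0, O2, O4, O20, O23, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<tag>[RFO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Review heuristics. They produce a list to look at, not a verdict:
# a legitimate program can match either pattern (xpnetdiag above does).
FLAGS = (
    ("target file is missing", re.compile(r"\(file missing\)$", re.IGNORECASE)),
    ("runs from a Temp folder", re.compile(r"\\Local Settings\\Temp\\", re.IGNORECASE)),
)

# Constructed excerpts modelled on the before/after logs in this thread.
# The "[ie]" Temp run entry is an illustration, not a line from the originals.
HJT_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 10:51:23 AM, on 5/18/2008

Running processes:
F:\WINDOWS\System32\smss.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\QdrModule\QdrModule16.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eihs.eischools.org/home.aspx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ie] F:\Documents and Settings\Owner\Local Settings\Temp\ie.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

HJT_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:42:23 AM, on 5/18/2008

Running processes:
F:\WINDOWS\System32\smss.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eihs.eischools.org/home.aspx
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


def entry_key(tag: str, body: str) -> str:
    """Normalise an entry so the same hook can be matched across two logs:
    O4 Run values by hive and value name, COM hooks (O2/O3/O9) by label
    and CLSID, everything else by its full text."""
    if tag == "O4" and "]" in body:
        return f"{tag} {body.split(']', 1)[0]}]".lower()
    clsid = CLSID_RE.search(body)
    if clsid:
        return f"{tag} {body.split(' - ', 1)[0]} {clsid.group(0)}".lower()
    return f"{tag} {body}".lower()


def parse_hjt(text: str) -> Tuple[List[str], Dict[str, str]]:
    """Return (running processes, {entry key: full entry line})."""
    processes: List[str] = []
    entries: Dict[str, str] = {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process block
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[entry_key(m["tag"], m["body"])] = line
        elif in_processes:
            processes.append(line.lower())
    return processes, entries


def diff_hjt(before: str, after: str) -> Dict[str, List[str]]:
    """What disappeared, appeared or changed between two logs."""
    p_before, e_before = parse_hjt(before)
    p_after, e_after = parse_hjt(after)
    return {
        "processes_gone": sorted(set(p_before) - set(p_after)),
        "processes_new": sorted(set(p_after) - set(p_before)),
        "entries_gone": [e_before[k] for k in sorted(set(e_before) - set(e_after))],
        "entries_new": [e_after[k] for k in sorted(set(e_after) - set(e_before))],
        "entries_changed": [e_after[k] for k in sorted(set(e_before) & set(e_after))
                            if e_before[k] != e_after[k]],
    }


def flag_entries(text: str) -> List[Tuple[str, str]]:
    """(reason, line) pairs for entries that deserve a closer look."""
    _, entries = parse_hjt(text)
    return [(reason, line) for line in entries.values()
            for reason, pat in FLAGS if pat.search(line)]


if __name__ == "__main__":
    for section, lines in diff_hjt(HJT_BEFORE, HJT_AFTER).items():
        for line in lines:
            print(f"{section:16} {line}")
    for reason, line in flag_entries(HJT_AFTER):
        print(f"REVIEW ({reason}): {line}")
```

Run against the two constructed excerpts, the diff reports the QdrModule16.exe process and the Spybot BHO, TeaTimer Run value and Temp-folder Run value as gone, which matches what the Malwarebytes log says it removed (the Spybot entries went because TeaTimer was not restarted, not because they were malicious, so a "gone" line still needs a human to read it). The flag list is intentionally short and explicit; a real triage would extend FLAGS with further patterns, but each one should be a pattern you can justify, since the same heuristics also match harmless entries.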

#22 Noviciate (Retired WTT Teacher)
  • Visiting Fellow
  • 2,907 posts

Posted 18 May 2008 - 01:20 PM

It's possible that a USB device is reinfecting the PC, or it could just be bad surfing habits - at least one of the detections is in the Temp Internet Files folder.
Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingc...to-use-combofix
  • Please Note: This tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log C:\ComboFix.txt - copy and paste it into your next reply.
  • Post a fresh HJT log as well.
  • Let me know how the PC is behaving.

Death to the salad eaters!

#23 sagiter (Authentic Member)
  • 36 posts

Posted 18 May 2008 - 03:21 PM

Here is a new combofix log followed by the HJT log. At this moment the computer seems to be operating fine.

ComboFix 08-05-15.3 - Owner 2008-05-18 17:06:56.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.196 [GMT -4:00]
Running from: F:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: F:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
F:\WINDOWS\system32\clbinit.dll
F:\WINDOWS\system32\MSINET.oca
F:\WINDOWS\system32\pdfostrl.exe

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Service_clbdriver


((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-18 09:47 . 2008-05-18 09:47 <DIR> d-------- F:\Program Files\uTorrent
2008-05-18 09:47 . 2008-05-18 10:37 <DIR> d-------- F:\Documents and Settings\Owner\Application Data\uTorrent
2008-05-18 09:46 . 2008-05-18 09:46 87,513 --a------ F:\WINDOWS\system32\xwusuhzh.exe
2008-05-18 09:46 . 2008-05-18 09:46 4 --a------ F:\WINDOWS\system32\hljwugsf.bin
2008-05-15 21:44 . 2008-05-17 13:35 54,156 --ah----- F:\WINDOWS\QTFont.qfn
2008-05-15 21:44 . 2008-05-15 21:44 1,409 --a------ F:\WINDOWS\QTFont.for
2008-05-10 20:34 . 2008-05-10 20:34 <DIR> d-------- F:\WINDOWS\system32\Kaspersky Lab
2008-05-10 20:34 . 2008-05-10 20:34 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-09 16:14 . 2008-05-09 16:14 250 --a------ F:\WINDOWS\gmer.ini
2008-05-09 09:22 . 2008-05-09 09:22 <DIR> d-------- F:\Program Files\Malwarebytes' Anti-Malware
2008-05-09 09:22 . 2008-05-09 09:22 <DIR> d-------- F:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-09 09:22 . 2008-05-09 09:22 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-09 09:22 . 2008-05-05 20:46 27,048 --a------ F:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-09 09:22 . 2008-05-05 20:46 15,864 --a------ F:\WINDOWS\system32\drivers\mbam.sys
2008-05-01 23:01 . 2008-05-01 23:01 24,576 --a------ F:\WINDOWS\system32\VundoFixSVC.exe
2008-05-01 21:57 . 2008-05-01 21:57 8 --a------ F:\WINDOWS\system32\0000fdec
2008-04-26 11:41 . 2008-04-26 11:41 <DIR> d-------- F:\Documents and Settings\Owner\Application Data\Motive
2008-04-26 11:35 . 2008-04-26 11:35 <DIR> d-------- F:\WINDOWS\system32\LogFiles
2008-04-26 08:33 . 2003-07-16 16:24 4,224 --a------ F:\WINDOWS\system32\beep.sys
2008-04-26 08:31 . 2008-04-26 08:31 <DIR> d-------- F:\WINDOWS\system32\xcsDd06
2008-04-26 08:31 . 2008-05-11 10:54 1,906 --a------ F:\WINDOWS\index.html
2008-04-24 17:12 . 2008-02-22 02:33 69,632 --a------ F:\WINDOWS\system32\javacpl.cpl
2008-04-24 15:43 . 2007-09-06 00:22 289,144 --a------ F:\WINDOWS\system32\VCCLSID.exe
2008-04-24 15:43 . 2006-04-27 17:49 288,417 --a------ F:\WINDOWS\system32\SrchSTS.exe
2008-04-24 15:43 . 2008-04-24 08:10 86,528 --a------ F:\WINDOWS\system32\VACFix.exe
2008-04-24 15:43 . 2008-04-23 22:14 82,944 --a------ F:\WINDOWS\system32\IEDFix.exe
2008-04-24 15:43 . 2008-04-23 22:14 82,944 --a------ F:\WINDOWS\system32\404Fix.exe
2008-04-24 15:43 . 2004-07-31 18:50 51,200 --a------ F:\WINDOWS\system32\dumphive.exe
2008-04-24 15:43 . 2007-10-04 00:36 25,600 --a------ F:\WINDOWS\system32\WS2Fix.exe
2008-04-24 15:40 . 2008-04-24 15:40 3,798 --a------ F:\WINDOWS\system32\tmp.reg
2008-04-24 15:23 . 2008-04-24 15:23 <DIR> d-------- F:\Documents and Settings\Administrator
2008-04-24 15:23 . 2008-05-18 17:06 1,024 --ah----- F:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-23 19:15 . 2008-05-09 11:54 <DIR> d-------- F:\VundoFix Backups
2008-04-23 14:04 . 2008-04-23 14:04 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\McAfee
2008-04-21 01:25 . 2008-05-11 14:26 109,709 --a------ F:\WINDOWS\BMcf339d83.xml
2008-04-20 14:36 . 2008-03-01 09:06 6,066,176 -----c--- F:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-20 14:36 . 2007-06-30 23:31 2,455,488 -----c--- F:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-20 14:36 . 2007-06-30 23:36 991,232 -----c--- F:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-20 14:36 . 2008-03-01 09:06 459,264 -----c--- F:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-20 14:36 . 2008-03-01 09:06 383,488 -----c--- F:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-20 14:36 . 2008-03-01 09:06 267,776 -----c--- F:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-20 14:36 . 2008-03-01 09:06 63,488 -----c--- F:\WINDOWS\system32\dllcache\icardie.dll
2008-04-20 14:36 . 2008-03-01 09:06 52,224 -----c--- F:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-20 14:36 . 2008-02-22 06:00 13,824 -----c--- F:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 14:32 . 2007-08-13 18:54 33,792 --a--c--- F:\WINDOWS\system32\dllcache\custsat.dll
2008-04-20 13:09 . 2008-05-06 16:59 1,061 --a------ F:\WINDOWS\wininit.ini
2008-04-20 12:14 . 2008-04-20 12:13 691,545 --a------ F:\WINDOWS\unins000.exe
2008-04-20 12:14 . 2008-04-20 12:14 2,542 --a------ F:\WINDOWS\unins000.dat
2008-04-20 11:11 . 2008-04-20 11:11 <DIR> d-------- F:\WINDOWS\mgwwgmke
2008-04-20 11:10 . 2008-04-20 11:10 398 --a------ F:\WINDOWS\system32\LE5C0.tmp
2008-04-20 11:10 . 2008-04-20 11:10 398 --a------ F:\WINDOWS\system32\LE504.tmp
2008-04-20 11:10 . 2008-04-20 11:10 398 --a------ F:\WINDOWS\system32\LE3BC.tmp
2008-04-20 11:10 . 2008-04-20 11:10 398 --a------ F:\WINDOWS\system32\LE310.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 21:05 --------- d-----w F:\Documents and Settings\Owner\Application Data\SlimBrowser
2008-05-06 12:51 --------- d-----w F:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-06 12:50 9,344 ----a-w F:\WINDOWS\system32\drivers\NSDriver.sys
2008-05-06 12:50 8,320 ----a-w F:\WINDOWS\system32\drivers\AWRTRD.sys
2008-05-06 11:06 --------- d-----w F:\Program Files\AIMTunes
2008-04-28 01:31 61,328 ----a-w F:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-04-27 17:28 --------- d-----w F:\Documents and Settings\All Users\Application Data\Motive
2008-04-24 21:12 --------- d-----w F:\Program Files\Java
2008-04-20 17:14 --------- d-----w F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-20 16:42 --------- d-----w F:\Program Files\Spybot - Search & Destroy
2008-04-05 14:40 --------- d-----w F:\Documents and Settings\LocalService\Application Data\SlimBrowser
2008-03-22 17:38 --------- d-----w F:\Documents and Settings\Owner\Application Data\Apple Computer
.

((((((((((((((((((((((((((((( snapshot@2008-05-07_19.20.06.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-07-26 04:39:43 110,080 ----a-w F:\WINDOWS\$hf_mig$\KB902400\SP2GDR\clbcatex.dll
+ 2005-07-26 04:39:43 498,688 ----a-w F:\WINDOWS\$hf_mig$\KB902400\SP2GDR\clbcatq.dll
+ 2005-07-26 04:20:23 110,080 ----a-w F:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll
+ 2005-07-26 04:20:24 498,688 ----a-w F:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll
+ 2008-01-23 04:56:21 554,008 ----a-w F:\WINDOWS\$hf_mig$\KB950749\SP2QFE\dao360.dll
+ 2007-12-10 12:41:11 518,944 ----a-w F:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexch40.dll
+ 2007-12-10 12:41:11 326,432 ----a-w F:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexcl40.dll
+ 2007-12-10 12:41:11 1,516,568 ----a-w F:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjet40.dll
+ 2007-12-10 12:41:11 355,112 ----a-w F:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjetol1.dll
+ 2008-03-27 07:39:13 151,583 ----a-w F:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjint40.dll
+ 2007-12-10 12:41:12 60,192 ----a-w F:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjter40.dll
+ 2007-12-10 12:41:12 248,608 ----a-w F:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjtes40.dll
+ 2007-12-10 12:41:12 219,936 ----a-w F:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msltus40.dll
+ 2007-12-10 12:41:12 355,104 ----a-w F:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mspbde40.dll
+ 2007-12-10 12:41:13 432,928 ----a-w F:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd2x40.dll
+ 2007-12-10 12:41:13 322,336 ----a-w F:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd3x40.dll
+ 2007-12-10 12:41:13 559,904 ----a-w F:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrepl40.dll
+ 2007-12-10 12:41:13 264,992 ----a-w F:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mstext40.dll
+ 2007-12-10 12:41:13 838,432 ----a-w F:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswdat10.dll
+ 2007-12-10 12:41:14 621,344 ----a-w F:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswstr10.dll
+ 2007-12-10 12:41:14 355,104 ----a-w F:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msxbde40.dll
+ 2007-03-06 01:22:36 14,048 ----a-w F:\WINDOWS\$hf_mig$\KB950749\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w F:\WINDOWS\$hf_mig$\KB950749\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w F:\WINDOWS\$hf_mig$\KB950749\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w F:\WINDOWS\$hf_mig$\KB950749\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w F:\WINDOWS\$hf_mig$\KB950749\update\updspapi.dll
+ 2005-07-26 04:30:38 110,080 -c----w F:\WINDOWS\$NtServicePackUninstall$\clbcatex.dll
+ 2005-07-26 04:30:41 497,152 -c----w F:\WINDOWS\$NtServicePackUninstall$\clbcatq.dll
+ 2004-08-04 07:56:41 110,080 -c----w F:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll
+ 2004-08-04 07:56:41 501,248 -c----w F:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll
+ 2003-07-16 20:25:27 100,864 -c----w F:\WINDOWS\$NtUninstallKB902400_0$\clbcatex.dll
+ 2003-07-16 20:25:28 468,480 -c----w F:\WINDOWS\$NtUninstallKB902400_0$\clbcatq.dll
- 2008-05-07 23:15:08 2,048 --s-a-w F:\WINDOWS\bootstat.dat
+ 2008-05-18 21:09:47 2,048 --s-a-w F:\WINDOWS\bootstat.dat
+ 2008-05-09 20:14:16 819,200 ----a-w F:\WINDOWS\gmer.dll
+ 2008-05-09 20:14:01 761,856 ----a-w F:\WINDOWS\gmer.exe
+ 2004-08-04 07:56:41 110,080 ------w F:\WINDOWS\ServicePackFiles\i386\clbcatex.dll
+ 2004-08-04 07:56:41 501,248 ------w F:\WINDOWS\ServicePackFiles\i386\clbcatq.dll
+ 2003-07-16 20:25:27 10,752 ----a-w F:\WINDOWS\system32\clb.dll
+ 2005-07-26 04:39:43 110,080 ----a-w F:\WINDOWS\system32\clbcatex.dll
+ 2005-07-26 04:39:43 498,688 ----a-w F:\WINDOWS\system32\clbcatq.dll
- 2008-05-02 03:03:04 16,384 ----a-w F:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-18 14:47:11 16,384 ----a-w F:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-02 03:03:04 32,768 ----a-w F:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-18 14:47:11 32,768 ----a-w F:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2003-07-16 20:25:27 10,752 -c--a-w F:\WINDOWS\system32\dllcache\clb.dll
+ 2008-03-25 04:50:25 554,008 -c----w F:\WINDOWS\system32\dllcache\dao360.dll
+ 2008-03-25 04:50:28 518,944 -c----w F:\WINDOWS\system32\dllcache\msexch40.dll
+ 2008-03-25 04:50:30 326,432 -c----w F:\WINDOWS\system32\dllcache\msexcl40.dll
+ 2008-03-25 04:50:34 1,516,568 -c----w F:\WINDOWS\system32\dllcache\msjet40.dll
+ 2008-03-25 04:50:40 355,112 -c----w F:\WINDOWS\system32\dllcache\msjetol1.dll
+ 2008-03-27 08:12:54 151,583 -c----w F:\WINDOWS\system32\dllcache\msjint40.dll
+ 2008-03-25 04:50:42 60,192 -c----w F:\WINDOWS\system32\dllcache\msjter40.dll
+ 2008-03-25 04:50:42 248,608 -c----w F:\WINDOWS\system32\dllcache\msjtes40.dll
+ 2008-03-25 04:50:44 219,936 -c----w F:\WINDOWS\system32\dllcache\msltus40.dll
+ 2008-03-25 04:50:45 355,104 -c----w F:\WINDOWS\system32\dllcache\mspbde40.dll
+ 2008-03-25 04:50:47 432,928 -c----w F:\WINDOWS\system32\dllcache\msrd2x40.dll
+ 2008-03-25 04:50:49 322,336 -c----w F:\WINDOWS\system32\dllcache\msrd3x40.dll
+ 2008-03-25 04:50:52 559,904 -c----w F:\WINDOWS\system32\dllcache\msrepl40.dll
+ 2008-03-25 04:50:55 264,992 -c----w F:\WINDOWS\system32\dllcache\mstext40.dll
+ 2008-03-25 04:50:57 838,432 -c----w F:\WINDOWS\system32\dllcache\mswdat10.dll
+ 2008-03-25 04:50:58 621,344 -c----w F:\WINDOWS\system32\dllcache\mswstr10.dll
+ 2008-03-25 04:50:58 355,104 -c----w F:\WINDOWS\system32\dllcache\msxbde40.dll
+ 2008-05-09 20:14:16 86,097 ----a-w F:\WINDOWS\system32\drivers\gmer.sys
+ 2005-05-24 16:27:16 213,048 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-04-06 05:56:20 19,836,024 ----a-w F:\WINDOWS\system32\MRT.exe
+ 2008-05-09 21:35:04 16,863,864 ----a-w F:\WINDOWS\system32\MRT.exe
- 2004-08-04 07:56:43 512,029 ----a-w F:\WINDOWS\system32\msexch40.dll
+ 2008-03-25 04:50:28 518,944 ----a-w F:\WINDOWS\system32\msexch40.dll
- 2004-08-04 07:56:43 319,517 ----a-w F:\WINDOWS\system32\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 ----a-w F:\WINDOWS\system32\msexcl40.dll
- 2004-08-04 07:56:43 1,507,356 ----a-w F:\WINDOWS\system32\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 ----a-w F:\WINDOWS\system32\msjet40.dll
- 2004-07-17 18:34:46 358,976 ----a-w F:\WINDOWS\system32\msjetoledb40.dll
+ 2008-03-25 04:50:40 355,112 ----a-w F:\WINDOWS\system32\msjetoledb40.dll
- 2004-08-04 07:56:43 151,583 ----a-w F:\WINDOWS\system32\msjint40.dll
+ 2008-03-27 08:12:54 151,583 ----a-w F:\WINDOWS\system32\msjint40.dll
- 2004-08-04 07:56:43 53,279 ----a-w F:\WINDOWS\system32\msjter40.dll
+ 2008-03-25 04:50:42 60,192 ----a-w F:\WINDOWS\system32\msjter40.dll
- 2004-08-04 07:56:43 241,693 ----a-w F:\WINDOWS\system32\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 ----a-w F:\WINDOWS\system32\msjtes40.dll
- 2004-08-04 07:56:43 213,023 ----a-w F:\WINDOWS\system32\msltus40.dll
+ 2008-03-25 04:50:44 219,936 ----a-w F:\WINDOWS\system32\msltus40.dll
- 2004-08-04 07:56:43 348,189 ----a-w F:\WINDOWS\system32\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 ----a-w F:\WINDOWS\system32\mspbde40.dll
- 2004-08-04 07:56:43 421,919 ----a-w F:\WINDOWS\system32\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 ----a-w F:\WINDOWS\system32\msrd2x40.dll
- 2004-08-04 07:56:43 315,423 ----a-w F:\WINDOWS\system32\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 ----a-w F:\WINDOWS\system32\msrd3x40.dll
- 2004-08-04 07:56:43 552,989 ----a-w F:\WINDOWS\system32\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 ----a-w F:\WINDOWS\system32\msrepl40.dll
- 2004-08-04 07:56:43 258,077 ----a-w F:\WINDOWS\system32\mstext40.dll
+ 2008-03-25 04:50:55 264,992 ----a-w F:\WINDOWS\system32\mstext40.dll
- 2004-08-04 07:56:44 831,519 ----a-w F:\WINDOWS\system32\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 ----a-w F:\WINDOWS\system32\mswdat10.dll
- 2004-08-04 07:56:44 614,429 ----a-w F:\WINDOWS\system32\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 ----a-w F:\WINDOWS\system32\mswstr10.dll
- 2004-08-04 07:56:44 348,189 ----a-w F:\WINDOWS\system32\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 ----a-w F:\WINDOWS\system32\msxbde40.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="F:\Program Files\AIM6\aim6.exe" [2007-09-29 16:22 50528]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="F:\WINDOWS\System32\igfxtray.exe" [2003-04-07 00:19 155648]
"HotKeysCmds"="F:\WINDOWS\System32\hkcmd.exe" [2003-04-07 00:07 114688]
"MCAgentExe"="f:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="F:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05 212992]
"VirusScan Online"="F:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"VSOCheckTask"="F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"OASClnt"="F:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"PDUiP6000DMon"="F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe" [2004-05-31 13:26 57344]
"PDUiP6000DTskbr"="F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe" [2004-05-28 09:29 69632]
"Microsoft Works Update Detection"="F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 21:21 28672]
"QuickTime Task"="F:\PROGRA~1\QUICKT~1\qttask.exe" [2006-09-01 15:57 282624]
"iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58 229952]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Verizon_McciTrayApp"="F:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 14:30 936960]
"VerizonServicepoint.exe"="F:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 16:20 2061816]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Microsoft Office.lnk - F:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Inr62.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\Program Files\\AIM\\aim.exe"=
"F:\\Program Files\\iTunes\\iTunes.exe"=
"F:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"F:\\Program Files\\AIM6\\aim6.exe"=
"F:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"F:\\Program Files\\uTorrent\\uTorrent.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"F:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-18 13:14:00 F:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- F:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 17:10:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\Program Files\McAfee.com\Agent\Mcdetect.exe
F:\PROGRA~1\McAfee.com\VSO\McShield.exe
F:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
F:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
F:\Program Files\McAfee.com\Agent\mcagent.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\AIM6\aolsoftware.exe
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-05-18 17:15:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-18 21:15:35
ComboFix2.txt 2008-05-12 20:40:37
ComboFix3.txt 2008-05-11 18:42:12
ComboFix4.txt 2008-05-11 18:26:02
ComboFix5.txt 2008-05-07 23:20:26

Pre-Run: 67,122,405,376 bytes free
Post-Run: 67,153,018,880 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
F:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

286 --- E O F --- 2008-05-16 07:01:52


Logfile of HijackThis v1.99.1
Scan saved at 5:17:00 PM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\system32\spoolsv.exe
f:\program files\mcafee.com\agent\mcdetect.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
f:\PROGRA~1\mcafee.com\vso\OasClnt.exe
f:\program files\mcafee.com\vso\mcvsshld.exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Viewpoint\Common\ViewpointService.exe
F:\WINDOWS\System32\hkcmd.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
F:\PROGRA~1\QUICKT~1\qttask.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
F:\Program Files\Verizon\McciTrayApp.exe
F:\Program Files\Verizon\VSP\VerizonServicepoint.exe
F:\Program Files\AIM6\aim6.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\AIM6\aolsoftware.exe
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eihs.eischools.org/home.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] F:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] F:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [VSOCheckTask] "F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] F:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [PDUiP6000DMon] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
O4 - HKLM\..\Run: [PDUiP6000DTskbr] F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] F:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] F:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "F:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKCU\..\Run: [Aim6] "F:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://F:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - F:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - f:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - F:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe

#24 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 19 May 2008 - 01:43 PM

One interesting thing I notice from your CF log is the following:

2008-05-18 09:47 . 2008-05-18 09:47 <DIR> d-------- F:\Program Files\uTorrent
2008-05-18 09:47 . 2008-05-18 10:37 <DIR> d-------- F:\Documents and Settings\Owner\Application Data\uTorrent
2008-05-18 09:46 . 2008-05-18 09:46 87,513 --a------ F:\WINDOWS\system32\xwusuhzh.exe
2008-05-18 09:46 . 2008-05-18 09:46 4 --a------ F:\WINDOWS\system32\hljwugsf.bin


The first two entries are folders and the second two are files - they appear to be randomly named which makes me think malware straight away. Take a look at the creation times of the two folders and the two files - 2008-05-18 09:47 and 2008-05-18 09:46. I find it hard to believe that two files and two folders get created one minute apart and that's a coincidence, although if there was no such thing as a coincidence, there would be no such word.
Given that, I think it's fair to connect the two. I'd say we have found your source of infection, or at least one of them. Have you installed uTorrent, which Google tells me is a file sharing application?
Death to the salad eaters!
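The reasoning in the post above (a burst of creations one minute apart, plus machine-looking file names in system32) can be scripted so the same check runs over a whole ComboFix "Files Created" section instead of being eyeballed. The following Python is an added example written for this page; it is not part of the thread, of ComboFix or of any helper's tooling. It parses the four log lines quoted in the post plus one constructed benign line in the same layout, groups entries created within a two-minute window of each other, and flags low-vowel lowercase names under the Windows directory as corroborating evidence. The two-minute window and the vowel-ratio heuristic are assumptions chosen for illustration.

```python
"""Correlate ComboFix 'Files Created' entries by creation time and flag
randomly named files. Added example for the thread above; not a ComboFix
component. The clustering window and the name heuristic are assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# ComboFix layout used in the quoted lines: "created . modified size attrs path"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>(?:<DIR>|[\d,]+)) (?P<attrs>\S+) (?P<path>.+)$"
)


@dataclass
class Entry:
    created: datetime
    modified: datetime
    is_dir: bool
    size: int
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_combofix(text: str) -> List[Entry]:
    """Parse only lines in the layout above; headers and other sections are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size_txt = m.group("size")
        entries.append(Entry(
            created=datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(m.group("modified"), "%Y-%m-%d %H:%M"),
            is_dir=(size_txt == "<DIR>"),
            size=0 if size_txt == "<DIR>" else int(size_txt.replace(",", "")),
            attrs=m.group("attrs"),
            path=m.group("path"),
        ))
    return entries


VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Weak heuristic for generated names: a stem of 6+ lowercase letters with a
    vowel ratio of 0.3 or less. Corroborating evidence only; some legitimate
    lowercase names (clbcatex.dll in the same log) also pass this test."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 6 or not stem.isalpha() or not stem.islower():
        return False
    return sum(c in VOWELS for c in stem) / len(stem) <= 0.3


def cluster_by_creation(entries: List[Entry], window: timedelta) -> List[List[Entry]]:
    """Group entries whose creation time is within `window` of the previous entry
    in time order; keep only bursts of two or more entries."""
    ordered = sorted(entries, key=lambda e: e.created)
    clusters, current = [], []
    for e in ordered:
        if current and e.created - current[-1].created > window:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    return [c for c in clusters if len(c) > 1]


def suspicious_clusters(text: str, window: timedelta = timedelta(minutes=2)) -> List[Tuple[List[str], List[str]]]:
    """Return (all paths in burst, randomly named files under \\WINDOWS\\) for
    each creation burst that contains at least one such file."""
    results = []
    for cluster in cluster_by_creation(parse_combofix(text), window):
        flagged = [e.path for e in cluster
                   if not e.is_dir and "\\WINDOWS\\" in e.path.upper() and looks_random(e.name)]
        if flagged:
            results.append(([e.path for e in cluster], flagged))
    return results


# Constructed sample: the four lines quoted in the post above plus one benign
# driver line (NSDriver.sys, dated two weeks earlier) written in the same layout.
SAMPLE_LOG = r"""
2008-05-18 09:47 . 2008-05-18 09:47 <DIR> d-------- F:\Program Files\uTorrent
2008-05-18 09:47 . 2008-05-18 10:37 <DIR> d-------- F:\Documents and Settings\Owner\Application Data\uTorrent
2008-05-18 09:46 . 2008-05-18 09:46 87,513 --a------ F:\WINDOWS\system32\xwusuhzh.exe
2008-05-18 09:46 . 2008-05-18 09:46 4 --a------ F:\WINDOWS\system32\hljwugsf.bin
2008-05-06 12:50 . 2008-05-06 12:50 9,344 --a------ F:\WINDOWS\system32\drivers\NSDriver.sys
"""

if __name__ == "__main__":
    for paths, flagged in suspicious_clusters(SAMPLE_LOG):
        print("Creation burst:")
        for p in paths:
            print("  ", p)
        print("  randomly named files in Windows dir:", flagged)
```

On the sample the script reports one burst of four entries (the two uTorrent folders and the two system32 files) and flags only the two eight-letter files; the driver line created two weeks earlier forms no burst. Timestamps in ComboFix output are minute-resolution, so the window is a coarse link; treat a hit as a lead to verify, as the helper does above, not as a verdict.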

#25 sagiter

sagiter

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 19 May 2008 - 04:38 PM

We don't know what utorrent is so it was not actively installed by us.


#26 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 20 May 2008 - 12:38 PM

2008-05-18 09:46 - what was whoever was on the computer doing? The files and folders were created by something and it could help to know if the PC was online and if anything else was being installed at the time.
Death to the salad eaters!

#27 sagiter

sagiter

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 20 May 2008 - 12:42 PM

It's my daughter's computer. She says all she was doing was chatting on AIM and checking her MySpace. The night before she hooked up her Canon camera to download pictures onto her computer.

#28 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 20 May 2008 - 12:58 PM

Can you tell me what the contents of F:\Program Files\uTorrent and F:\Documents and Settings\Owner\Application Data\uTorrent are - if there are just a few files or if they are full to brimming.
Death to the salad eaters!

#29 sagiter

sagiter

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 20 May 2008 - 03:17 PM

F:\Program Files\uTorrent -- has the file utTorrent.exe

F:\Documents and Settings\Owner\Application Data\uTorrent -- has three files: settings.dat, resume.dat, resume.dat.old

#30 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 21 May 2008 - 01:20 PM

Please go to Jotti's and click on the Browse... button at the top and navigate to the following file and then click on Submit:

F:\Program Files\uTorrent\utTorrent.exe

When all the scans have been completed, please copy and paste the results into your next reply.

If this site is busy, try VirusTotal: Click the Browse ... button, navigate to the file and double click it and then click the Send button.
Death to the salad eaters!
