Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91734 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Something, I'm not sure what


  • This topic is locked This topic is locked
20 replies to this topic

#16 Mr Panda

Mr Panda

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 10 June 2008 - 06:21 PM

I tried it right after I rebooted, but it didn't work.

Posted Image

Here's a combofix log

ComboFix 08-06-06.6 - Hank 2008-06-10 17:09:38.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1698 [GMT -7:00]
Running from: C:\Documents and Settings\Hank\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Hank\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
.

2008-06-08 18:24 . 2008-06-08 18:24 <DIR> d-------- C:\Documents and Settings\Hank\Application Data\Nexon
2008-06-07 09:42 . 2008-06-07 09:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-07 09:42 . 2008-06-07 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-07 03:24 . 2008-06-09 16:47 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-06-07 03:24 . 2008-06-07 09:28 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-06-07 03:24 . 2008-06-07 03:24 <DIR> d-------- C:\Documents and Settings\Hank\Application Data\SiteAdvisor
2008-06-07 03:23 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-06-07 03:23 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-06-07 03:23 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-06-07 03:23 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-06-07 03:23 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-06-07 03:23 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-06-07 03:21 . 2008-06-07 03:22 <DIR> d-------- C:\Program Files\McAfee.com
2008-06-07 03:21 . 2008-06-07 03:22 <DIR> d-------- C:\Program Files\McAfee
2008-06-07 03:21 . 2008-06-07 03:23 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-06-07 03:20 . 2008-06-07 03:21 <DIR> d-------- C:\Documents and Settings\Hank\Application Data\DAEMON Tools
2008-06-07 03:05 . 2008-06-07 03:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-06 23:26 . 2008-06-06 23:26 <DIR> d-------- C:\WINDOWS\RaidTool
2008-06-06 23:26 . 2008-06-06 23:26 <DIR> d-------- C:\RaidTool
2008-06-06 23:26 . 2007-11-19 11:28 1,966,080 --a------ C:\WINDOWS\system32\xRaidSetup.exe
2008-06-06 23:26 . 2008-03-19 10:54 151,552 --a------ C:\WINDOWS\system32\xRaidAPI.dll
2008-06-06 23:26 . 2008-05-08 14:21 77,200 --a------ C:\WINDOWS\system32\drivers\jraid.sys
2008-06-05 21:08 . 2008-06-05 21:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-05 19:23 . 2008-06-05 19:23 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-05 19:22 . 2007-03-29 05:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-06-05 19:22 . 2007-03-29 05:56 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-06-05 19:03 . 2008-06-05 19:03 <DIR> d-------- C:\Documents and Settings\Hank\Contacts
2008-06-04 22:03 . 2008-06-04 22:13 <DIR> d-------- C:\Documents and Settings\Randy\DoctorWeb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 17:23 --------- d-----w C:\Program Files\Steam
2008-06-10 17:20 --------- d-----w C:\Program Files\The Weather Channel FW
2008-06-10 05:26 --------- d-----w C:\Documents and Settings\Hank\Application Data\Canon
2008-06-09 05:06 --------- d-----w C:\Program Files\OGPlanet
2008-06-07 16:17 --------- d-----w C:\Program Files\Viewpoint
2008-06-07 16:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-07 10:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-06-07 10:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-07 10:23 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-06-07 10:23 --------- d-----w C:\Program Files\VideoLAN
2008-06-07 06:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-07 02:41 --------- d-----w C:\Documents and Settings\Randy\Application Data\SiteAdvisor
2008-06-06 02:06 --------- d-----w C:\Program Files\Java
2008-05-30 03:31 --------- d-----w C:\Documents and Settings\Randy\Application Data\Azureus
2008-05-29 04:45 --------- d-----w C:\Documents and Settings\Randy\Application Data\Canon
2008-05-29 04:20 --------- d-----w C:\Program Files\Conquer 2.0
2008-05-27 01:19 106 ----a-w C:\Program Files\path.ini
2008-05-18 06:38 53,096 -c--a-w C:\Documents and Settings\Hank\Application Data\GDIPFONTCACHEV1.DAT
2008-05-08 23:58 222 ----a-w C:\Program Files\pink.bmp
2008-05-03 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania
2008-05-02 05:00 --------- d-----w C:\Documents and Settings\Randy\Application Data\LimeWire
2008-04-30 22:05 --------- d-----w C:\Program Files\Starcraft
2008-04-27 19:36 --------- d-----w C:\Documents and Settings\Randy\Application Data\Xfire
2008-04-25 04:18 --------- d-----w C:\Program Files\Azureus
2008-04-20 23:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Valve
2008-04-19 02:15 --------- d-----w C:\Program Files\Xfire
2008-04-18 03:24 --------- d-----w C:\Program Files\Apple Software Update
2008-04-17 05:40 --------- d-----w C:\Program Files\QuickTime
2008-04-16 06:04 --------- d-----w C:\Program Files\Winamp
2008-04-16 03:45 --------- d-----w C:\Program Files\Windows Live
2008-04-16 03:41 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-16 03:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-14 06:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-02-01 19:25 52,312 -c--a-w C:\Documents and Settings\Randy\Application Data\GDIPFONTCACHEV1.DAT
2007-12-07 09:18 19,636 ----a-w C:\Program Files\th_07.jpg
2007-12-07 09:05 680 ----a-w C:\Program Files\bl_07.jpg
2007-12-05 13:15 23,446 ----a-w C:\Program Files\bk2.jpg
2007-12-05 01:06 10,528 ----a-w C:\Program Files\else.gif
.

((((((((((((((((((((((((((((( snapshot_2008-06-09_16.49.24.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-09 23:37:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-11 00:12:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-09 23:04:14 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-10 23:46:17 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-09 23:04:14 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-10 23:46:17 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-06-09 23:04:14 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-10 23:46:17 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04 139264]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-02-28 05:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 05:00 455168]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 01:56 16261632 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51 257088]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 14:36 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-11-19 11:28 1966080]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-28 13:07 36640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-10-17 18:43:08 49254]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Steam\\SteamApps\\bongbongboi\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 npkcmsvc;npkcmsvc;C:\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 12:33]
S2 0034681212834166mcinstcleanup;McAfee Application Installer Cleanup (0034681212834166);C:\DOCUME~1\Hank\LOCALS~1\Temp\003468~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 ms6823;IEEE802.11b Wireless USB Adapter;C:\WINDOWS\system32\DRIVERS\ms6823.sys [2004-06-10 11:47]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-27 18:53]
S3 ZDNDIS5;ZDNDIS5 Protocol Driver;C:\WINDOWS\system32\ZDNDIS5.SYS [2002-10-30 11:43]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 19:16:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-07 10:22:26 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-06-07 10:22:24 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 17:13:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-06-10 17:17:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-11 00:17:50
ComboFix2.txt 2008-06-09 23:49:41
ComboFix3.txt 2008-06-07 16:30:53
ComboFix4.txt 2008-06-07 02:07:27

Pre-Run: 6,727,356,416 bytes free
Post-Run: 6,715,691,008 bytes free

196 --- E O F --- 2008-06-10 23:49:02







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:59 PM, on 6/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://walkthrough/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O23 - Service: McAfee Application Installer Cleanup (0034681212834166) (0034681212834166mcinstcleanup) - Unknown owner - C:\DOCUME~1\Hank\LOCALS~1\Temp\003468~1.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 8788 bytes

    Advertisements

Register to Remove


#17 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,144 posts

Posted 11 June 2008 - 07:54 AM

Mr. Panda,

Only a couple more thing to do :)

1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

@Echo off
sc stop 0034681212834166mcinstcleanup
sc delete 0034681212834166mcinstcleanup
del delete.bat


3. Save the file as "delete.bat". Make sure to save it with the quotes. It should look like this on your desktop: Posted Image

4. Double click delete.bat.

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • Note the space between the X and the U, it needs to be there.
  • Posted Image
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

With that done, your log looks clean :thumbup:

Some Recommendations:

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
(Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
Without a firewall your computer is succeptible to being hacked and taken over.
I am very serious about this and see it happen almost every day with my clients.
Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Keep Microsoft Windows Updated - This will ensure your computer has always the latest security updates available installed on your computer. The easiest way to do this is to turn on Automatic Updates. Do this by:
  • From your desktop, right-click on My Computer,
  • click on Properties
  • Select the Automatic Updates tab
  • Click on Automatic
  • Click on Apply button
  • Click on OK to exit.
If there are new updates to install, install them immediately, until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Using IE-SPYAD to help block unwanted sites and activities

Winpatrol


Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.


Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

Please respond back that you understand the above. At that point, if you have no questions, we'll close this thread Resolved.

Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png


#18 Mr Panda

Mr Panda

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 11 June 2008 - 09:06 PM

Thank you so much TomK, I understand the above, but I did notice all these programs were for IE. I use firefox, so should I/ would it work if i downloaded them?

#19 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,144 posts

Posted 11 June 2008 - 09:15 PM

Mr Panda, Even though you do your browsing with Firefox, your computer will still use IE for things like updates etc. You still need to protect Internet Explorer. Some of the protection recommended was designed specifically for IE but most can be considered general computer protection regardless of browser choice. Good Luck and be Well :D

Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png


#20 Mr Panda

Mr Panda

    New Member

  • New Member
  • Pip
  • 11 posts

Posted 12 June 2008 - 12:19 AM

You are fantastic TomK. I don't know how to thank you other than these mere words of gratitude. Thank you, -MrPanda

#21 teacup61

teacup61

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPip
  • 475 posts

Posted 12 June 2008 - 02:30 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
Error reading poptart in Drive A: Delete kids y/n?
Posted Image

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users