XBedoya

System Restore Problem no internet access

This computer is not opening the internet. Tried to restore it to a prior point, but it is not taking any of them. Then a pop-up from McAfee Privacy Service appears and doesn't go away; it didn't do this before.
PUNKY

Try disabling McAfee and see if you can gain internet access?
rpggamergirl
Looks like McAfee removed the bad file --> C:\WINDOWS\system32\fauwcocq.dll
but didn't clean up the relevant registry entry; that's why the error comes up.

Do you have access to a PC with online access? If so, please download HijackThis.
Can you run HijackThis and show us the log, please?
http://danborg.org/spy/hjt/alternativ.exe
Open HijackThis, click "Do a system scan and save a logfile"; please don't fix anything yet.
XBedoya (ASKER)

I did disable McAfee but still can't go on-line.

I will download the hijackthis from another computer.
XBedoya (ASKER)

rpggamergirl,

Here it is:
Logfile of HijackThis v1.99.1
Scan saved at 11:36:19 PM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RegistrySmart\RegistrySmart.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe
C:\Program Files\Dell Photo AIO Printer 964\memcard.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\MBDownloader_876919.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\WINDOWS\retadpu572.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\WINDOWS\system32\dlcjcoms.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\Tina Morris\Desktop\alternativ.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {1BD6FE72-D35B-4A75-1C86-38D53F2D1462} - C:\Program Files\Windows NT\qufatygyw308.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {4650A081-64C9-44E4-9F6F-508F7E4C80BD} - C:\Program Files\Messenger\mesobif83122.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {A7DE354A-CACE-43FC-9906-DA22A557A151} - C:\WINDOWS\system32\jkhhe.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\qomkiij.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcjmon.exe] "C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 964\memcard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\MBDownloader_876919.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\fauwcocq.dll",forkonce
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm801MGUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\system32\jkhhe.dll
O20 - Winlogon Notify: qomkiij - C:\WINDOWS\SYSTEM32\qomkiij.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

Your HijackThis log is very much infected with Vundo and ConHook, among other nasties.
You also MUST uninstall this rogue program that you have there --> WinAntiSpyware 2007


1.  Please download VundoFix.exe to your desktop. (Run VundoFix twice and show us the log, to check for remaining bad entries.)
http://www.atribune.org/ccount/click.php?id=4
* Double-click VundoFix.exe to run it.
* Click the "Scan for Vundo" button.
* Once it's done scanning, click the "Remove Vundo" button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt.

Note: It is possible that VundoFix encounters a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.


2.  Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

3.  Show us a fresh HijackThis log afterwards, please.
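As an added example (not code from this thread, from HijackThis or from any McAfee tool), here is a small Python triage script that applies the kind of reading rpggamergirl did above to HijackThis log lines: it flags unnamed BHOs, Winlogon Notify DLLs, autoruns launched from a Temp directory, rundll32 loading a random-named DLL straight out of system32, an autorun handed a long opaque hex argument, and a file hooked at more than one load point (jkhhe.dll and qomkiij.dll appear as both O2 and O20, the Vundo pattern). It also reports the situation described earlier in the thread, a Run entry that still points at a DLL the antivirus already deleted (fauwcocq.dll). The weights, the `random_stem` rule and the `file_exists` hook are my assumptions; the sample lines are copied from the log posted above, and the file-presence check is simulated so the script runs offline.

```python
# Offline triage of HijackThis 1.99-style log lines. Added example: not code from
# the thread, HijackThis or McAfee. Weights, the random_stem rule and the
# file_exists hook are assumptions; sample lines are copied from the posted log.
import os
import re
from collections import defaultdict

# Constructed sample: a subset of the O2/O4/O20 lines from the log above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A7DE354A-CACE-43FC-9906-DA22A557A151} - C:\WINDOWS\system32\jkhhe.dll
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\qomkiij.dll
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\MBDownloader_876919.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\fauwcocq.dll",forkonce
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\system32\jkhhe.dll
O20 - Winlogon Notify: qomkiij - C:\WINDOWS\SYSTEM32\qomkiij.dll
"""

# Heuristic weights (assumed values, not HijackThis logic); flag at >= 2.
WEIGHTS = {
    "unnamed_bho": 2,         # O2 BHO listed as "(no name)"
    "winlogon_notify": 2,     # O20 Winlogon Notify DLL HijackThis did not hide
    "temp_path": 2,           # autorun living under a Temp directory
    "hex_blob_arg": 2,        # autorun handed a long opaque hex argument
    "rundll32_sys32_dll": 1,  # rundll32 loading a DLL straight out of system32
    "random_stem": 1,         # 5-8 lowercase letters, directly in WINDOWS/system32
    "multi_loadpoint": 1,     # same file hooked via two different entry types
}
FLAG_THRESHOLD = 2
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n,]*?\.(?:dll|exe)", re.IGNORECASE)
HEX_BLOB_RE = re.compile(r"\b[0-9A-Fa-f]{32,}\b")
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,8}$")
WINDOWS_DIRS = ("c:\\windows", "c:\\windows\\system32")


def parse_entries(log_text):
    """One (kind, body, lowercased path) record per line naming a .dll/.exe."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        p = PATH_RE.search(m.group("body")) if m else None
        if p:
            entries.append((m.group("kind"), m.group("body"), p.group(0).lower()))
    return entries


def entry_features(kind, body, path):
    """Heuristic features of one entry; see WEIGHTS for what each means."""
    directory, _, name = path.rpartition("\\")
    stem = name.rsplit(".", 1)[0]
    feats = set()
    if kind == "O2" and "(no name)" in body:
        feats.add("unnamed_bho")
    if kind == "O20" and body.startswith("Winlogon Notify:"):
        feats.add("winlogon_notify")
    if "\\temp\\" in path:
        feats.add("temp_path")
    if kind == "O4":
        cmd = body.split("] ", 1)[-1]  # command line after the "[label] "
        if (cmd.lower().startswith("rundll32") and path.endswith(".dll")
                and directory == "c:\\windows\\system32"):
            feats.add("rundll32_sys32_dll")
        if HEX_BLOB_RE.search(cmd):
            feats.add("hex_blob_arg")
    if directory in WINDOWS_DIRS and RANDOM_STEM_RE.match(stem):
        feats.add("random_stem")
    return feats


def triage(log_text, file_exists=os.path.exists):
    # 'orphaned' = load point still registered but the file is gone. file_exists
    # is only meaningful on the affected machine or with a stand-in predicate.
    per_path = defaultdict(lambda: {"kinds": set(), "features": set()})
    for kind, body, path in parse_entries(log_text):
        per_path[path]["kinds"].add(kind)
        per_path[path]["features"] |= entry_features(kind, body, path)
    results = {}
    for path, rec in per_path.items():
        if len(rec["kinds"]) > 1:
            rec["features"].add("multi_loadpoint")
        score = sum(WEIGHTS[f] for f in rec["features"])
        results[path] = {"score": score, "features": sorted(rec["features"]),
                         "flagged": score >= FLAG_THRESHOLD,
                         "orphaned": not file_exists(path)}
    return results


def flagged_paths(results):
    return sorted(p for p, r in results.items() if r["flagged"])


if __name__ == "__main__":
    # Simulated disk state: McAfee has already deleted fauwcocq.dll, nothing else.
    gone = {"c:\\windows\\system32\\fauwcocq.dll"}
    report = triage(SAMPLE_LOG, file_exists=lambda p: p not in gone)
    for path in flagged_paths(report):
        r = report[path]
        note = "  <- file gone, registry entry remains" if r["orphaned"] else ""
        print(f"[{r['score']}] {path}: {', '.join(r['features'])}{note}")
```

On the sample above the two Vundo DLLs score highest because they are hooked twice (BHO plus Winlogon Notify), while the Adobe BHO and the McAfee Run entry score zero. The `random_stem` rule alone never flags anything, which keeps legitimate short-named Windows binaries below the threshold; it only adds weight to an entry that is already suspicious for another reason. When run on the infected machine with the default `os.path.exists`, the `orphaned` field identifies exactly the case in this thread: a Run key left behind after the antivirus deleted the DLL, which is what produces the error at every logon.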
XBedoya (ASKER)

Good Morning,

I did as you said, and here are the logs for the 3 applications (this is gonna be a long one):

I have a question: there are two programs running on this computer, and I wonder if I should delete them too, Registry Smart and Registry Booty.

1. VundoFix V6.5.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 8:55:22 AM 8/9/2007

Listing files found while scanning....

C:\windows\system32\dbsdnepv.exe
C:\windows\system32\ddcbxut.dll
C:\windows\system32\efyeijvp.ini
C:\WINDOWS\system32\ehhkj.bak1
C:\WINDOWS\system32\ehhkj.bak2
C:\WINDOWS\system32\ehhkj.ini
C:\WINDOWS\system32\ehhkj.ini2
C:\WINDOWS\system32\ehhkj.tmp
C:\WINDOWS\system32\fauwcocq.dll
C:\WINDOWS\system32\hkxyhenc.dll
C:\windows\system32\jdslxyap.exe
C:\WINDOWS\system32\jkhhe.dll
C:\windows\system32\mesmiduw.dll
C:\windows\system32\pvjieyfe.dll
C:\WINDOWS\system32\qcocwuaf.ini
C:\WINDOWS\system32\qomkiij.dll
C:\windows\system32\rwelstax.exe
C:\windows\system32\skuvftnp.exe

Beginning removal...

 Attempting to delete C:\windows\system32\dbsdnepv.exe
C:\windows\system32\dbsdnepv.exe Has been deleted!

 Attempting to delete C:\windows\system32\ddcbxut.dll
C:\windows\system32\ddcbxut.dll Has been deleted!

 Attempting to delete C:\windows\system32\efyeijvp.ini
C:\windows\system32\efyeijvp.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ehhkj.bak1
C:\WINDOWS\system32\ehhkj.bak1 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ehhkj.bak2
C:\WINDOWS\system32\ehhkj.bak2 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ehhkj.ini
C:\WINDOWS\system32\ehhkj.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ehhkj.ini2
C:\WINDOWS\system32\ehhkj.ini2 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ehhkj.tmp
C:\WINDOWS\system32\ehhkj.tmp Has been deleted!

 Attempting to delete C:\WINDOWS\system32\fauwcocq.dll
C:\WINDOWS\system32\fauwcocq.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\hkxyhenc.dll
C:\WINDOWS\system32\hkxyhenc.dll Has been deleted!

 Attempting to delete C:\windows\system32\jdslxyap.exe
C:\windows\system32\jdslxyap.exe Has been deleted!

 Attempting to delete C:\WINDOWS\system32\jkhhe.dll
C:\WINDOWS\system32\jkhhe.dll Has been deleted!

 Attempting to delete C:\windows\system32\mesmiduw.dll
C:\windows\system32\mesmiduw.dll Has been deleted!

 Attempting to delete C:\windows\system32\pvjieyfe.dll
C:\windows\system32\pvjieyfe.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\qcocwuaf.ini
C:\WINDOWS\system32\qcocwuaf.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\qomkiij.dll
C:\WINDOWS\system32\qomkiij.dll Has been deleted!

 Attempting to delete C:\windows\system32\rwelstax.exe
C:\windows\system32\rwelstax.exe Has been deleted!

 Attempting to delete C:\windows\system32\skuvftnp.exe
C:\windows\system32\skuvftnp.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 9:04:25 AM 8/9/2007

Listing files found while scanning....

No infected files were found.

2.  ComboFix 07-08-09.3 - "Tina Morris" 2007-08-09  9:13:50.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.159 [GMT -4:00]
 * Created a new restore point


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\FindIt.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\FindItHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\findithotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\finditxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\Highlight.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\HighlightHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\highlighthotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\highlightxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\Reference.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\ReferenceHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\referencehotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\referencexp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\screensaver.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\starware_toolbar_icon.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\Weather.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\weatherhotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\weatherxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\contexts\error.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\contexts\related.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\contexts\travel.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\FindIt.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\FindItHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\findithotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\finditxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\Highlight.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\HighlightHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\highlighthotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\highlightxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\Reference.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\ReferenceHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\referencehotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\referencexp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\screensaver.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\starware_toolbar_icon.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\Weather.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\weatherhotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\weatherxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\contexts\error.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\contexts\related.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\contexts\travel.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\DOCUME~1\JUSTIN~1\APPLIC~1\..\err.log
C:\DOCUME~1\JUSTIN~1\APPLIC~1\WinAntiSpyware 2007
C:\DOCUME~1\JUSTIN~1\APPLIC~1\WinAntiSpyware 2007\Logs\update.log
C:\DOCUME~1\MIKEMO~1\APPLIC~1\..\err.log
C:\DOCUME~1\MIKEMO~1\APPLIC~1\WinAntiSpyware 2007
C:\DOCUME~1\MIKEMO~1\APPLIC~1\WinAntiSpyware 2007\Logs\update.log
C:\DOCUME~1\TINAMO~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\TINAMO~1\APPLIC~1.\winantispyware 2007\Logs\update.log
C:\DOCUME~1\TINAMO~1\APPLIC~1\..\err.log
C:\DOCUME~1\TINAMO~1\APPLIC~1\WinAntiSpyware 2007\Logs\update.log
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe
C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Images\0033B676.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\00A5B004.urr
C:\Program Files\FunWebProducts\Shared\06E84DBA.dat
C:\Program Files\Messenger\mesobif83122.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm.bak
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat.bak
C:\Program Files\Windows NT\qufatygyw.dll
C:\Program Files\Windows NT\qufatygyw15.dll
C:\Program Files\Windows NT\qufatygyw191.dll
C:\Program Files\Windows NT\qufatygyw211.dll
C:\Program Files\Windows NT\qufatygyw252.dll
C:\Program Files\Windows NT\qufatygyw281.dll
C:\Program Files\Windows NT\qufatygyw308.dll
C:\Program Files\Windows NT\qufatygyw434.dll
C:\Program Files\Windows NT\qufatygyw620.dll
C:\Program Files\Windows NT\qufatygyw681.dll
C:\temp\0c2
C:\temp\0c2\tmpRC.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\retadpu572.exe
C:\WINDOWS\system32\awlqpulq.exe
C:\WINDOWS\system32\B0
C:\WINDOWS\system32\B0\mwspasrt83122.exe
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\b02FdUe\b02FdUe1065.exe
C:\WINDOWS\system32\B1
C:\WINDOWS\system32\B1\wr73.exe
C:\WINDOWS\system32\B2
C:\WINDOWS\system32\B2\st2.exe
C:\WINDOWS\system32\B5
C:\WINDOWS\system32\cxstjpri.exe
C:\WINDOWS\system32\dpdkprlx.exe
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\gokgsavp.exe
C:\WINDOWS\system32\gsjeioch.exe
C:\WINDOWS\system32\jiytdxbx.exe
C:\WINDOWS\system32\kbjaoabk.exe
C:\WINDOWS\system32\vmpyxqbg.exe
C:\WINDOWS\system32\vsytyykh.exe
C:\WINDOWS\system32\widxnvvp.exe
C:\WINDOWS\system32\wuivvtbm.exe
C:\WINDOWS\tk58.exe
C:\WINDOWS\wr.txt


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_FOPN
-------\ApiMon
-------\core


(((((((((((((((((((((((((   Files Created from 2007-07-09 to 2007-08-09  )))))))))))))))))))))))))))))))


2007-08-09 09:10      51,200      --a------      C:\WINDOWS\nircmd.exe
2007-08-09 08:58      24,576      --a------      C:\WINDOWS\system32\VundoFixSVC.exe
2007-08-09 08:55      <DIR>      d--------      C:\VundoFix Backups
2007-08-06 21:57      <DIR>      d--------      C:\WINDOWS\system32\mclsphlr
2007-08-06 21:57      <DIR>      d--------      C:\WINDOWS\system32\appmgmt
2007-08-05 23:26      <DIR>      d--------      C:\WINDOWS\system32\LogFiles
2007-08-05 22:19      <DIR>      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\Corel
2007-07-25 18:08      66,112      --a------      C:\WINDOWS\system32\fendpjsl.exe
2007-07-25 18:02      66,112      --a------      C:\WINDOWS\system32\kjjhgbvs.exe
2007-07-24 19:06      <DIR>      d--------      C:\Program Files\AIM6
2007-07-24 19:06      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-07-23 16:12      4,672      --a------      C:\WINDOWS\system32\vvkttcre.exe
2007-07-23 16:11      66,112      --a------      C:\WINDOWS\system32\qlgkknyo.exe
2007-07-22 11:40      94,208      --a------      C:\WINDOWS\system32\mclsp.dll
2007-07-22 11:40      90,112      --a------      C:\WINDOWS\system32\mcrtl32.dll
2007-07-22 11:40      32,768      --a------      C:\WINDOWS\system32\instlsp.exe
2007-07-22 11:40      11,264      --a------      C:\WINDOWS\system32\sporder.dll
2007-07-22 11:03      66,112      --a------      C:\WINDOWS\system32\vjqarnmp.exe
2007-07-21 18:50      <DIR>      d--------      C:\Program Files\iPod
2007-07-16 14:16      66,624      --a------      C:\WINDOWS\system32\jcykrkvl.dll
2007-07-16 14:11      128,576      --a------      C:\WINDOWS\system32\nggkfgns.dll
2007-07-16 14:08      66,112      --a------      C:\WINDOWS\system32\hidymscx.exe
2007-07-13 23:50      <DIR>      d--------      C:\DOCUME~1\JUSTIN~1\APPLIC~1\Corel Photo Album
2007-07-13 19:26      <DIR>      d--------      C:\Temp
2007-07-11 10:20      <DIR>      d--------      C:\Program Files\Uniblue
2007-07-11 10:20      <DIR>      d--------      C:\DOCUME~1\JUSTIN~1\APPLIC~1\Uniblue
2007-07-11 09:53      <DIR>      d--------      C:\Program Files\RegCure
2007-07-09 17:57      <DIR>      d--------      C:\WINDOWS\.file_store_32
2007-07-09 17:25      <DIR>      d--------      C:\WINDOWS\.jagex_cache_34


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-09 09:15      ---------      d--------      C:\Program Files\Windows NT
2007-08-09 09:15      ---------      d--------      C:\Program Files\Messenger
2007-08-06 21:57      ---------      d--------      C:\Program Files\QuickTime
2007-08-06 21:57      ---------      d--------      C:\Program Files\MySpace
2007-08-06 21:57      ---------      d--------      C:\Program Files\iTunes
2007-08-06 21:57      ---------      d--------      C:\Program Files\Common Files\aolshare
2007-08-06 21:57      ---------      d--------      C:\Program Files\Apple Software Update
2007-08-06 21:54      ---------      d--------      C:\Program Files\Dell
2007-08-06 21:54      ---------      d--------      C:\Program Files\Common Files\AOL
2007-08-06 21:54      ---------      d--------      C:\Program Files\America Online 9.0
2007-08-06 21:51      ---------      d--------      C:\Program Files\AIM
2007-08-06 21:51      ---------      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\McAfee.com Personal Firewall
2007-08-05 22:19      56      -r-hs----      C:\WINDOWS\system32\3367DA2490.sys
2007-08-05 22:19      4184      --ahs----      C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-05 21:56      ---------      d--------      C:\Program Files\Dl_cats
2007-07-24 20:55      88      -r-hs----      C:\WINDOWS\system32\9024DA6733.sys
2007-07-22 11:40      ---------      d--------      C:\Program Files\McAfee.com
2007-07-21 17:21      ---------      d--h-----      C:\Program Files\InstallShield Installation Information
2007-07-16 14:51      ---------      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\Google
2007-07-16 14:49      ---------      d--------      C:\Program Files\MUSICMATCH
2007-07-06 00:07      ---------      d--------      C:\Program Files\Common Files\Apple
2007-07-05 09:31      ---------      d--------      C:\Program Files\Common Files\Roxio Shared
2007-07-05 09:30      ---------      d--------      C:\Program Files\Roxio
2007-06-21 13:12      ---------      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\Apple Computer
2007-06-20 03:31      ---------      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\RegistrySmart
2007-06-19 21:59      ---------      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\MySpace
2007-06-18 19:37      ---------      d--------      C:\Program Files\RegistrySmart
2007-06-15 18:33      ---------      d--------      C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-06-12 19:07      ---------      d--------      C:\Program Files\MSECache
2007-06-05 20:29      386      --a------      C:\WINDOWS\tmpcpyis.bat
2007-06-05 20:29      122      --a------      C:\WINDOWS\tmpdelis.bat
2007-06-05 20:28      26      --a------      C:\WINDOWS\winstart.bat
2007-05-16 11:12      86528      ---------      C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12      85504      ---------      C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12      683520      --a------      C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12      683520      ---------      C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12      510976      ---------      C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12      1314816      ---------      C:\WINDOWS\system32\dllcache\msoe.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7DE354A-CACE-43FC-9906-DA22A557A151}]
                  C:\WINDOWS\system32\jkhhe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 03:12]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-07-01 19:22]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2005-08-26 14:26]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-12 19:05]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-06-21 13:49]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-07-12 18:06]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 12:49]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-08-18 17:52]
"McRegWiz"="C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe" [2005-06-01 14:05]
"DLCJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll" [2005-08-15 05:40]
"dlcjmon.exe"="C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe" [2005-08-12 08:47]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 964\memcard.exe" [2005-08-10 02:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"RegistrySmart"="C:\Program Files\RegistrySmart\RegistrySmart.exe" [2007-06-15 10:36]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-06-09 09:51]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" []
"NBInstall"="C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\MBDownloader_876919.exe" [2007-07-13 19:26]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2005-07-26 14:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 08:31]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-21 13:36:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 MPFIREWL;MPFIREWL;C:\WINDOWS\system32\Drivers\MpFirewall.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 TnIDriver;TnIDriver;\??\C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\tni23.tmp


Contents of the 'Scheduled Tasks' folder
2007-07-21 22:36:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-09 13:19:24 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job - C:\Program Files\RegistrySmart\RegistrySmart.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 09:18:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-09  9:20:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-09 09:20
      --- E O F ---

and the new one:

3. Logfile of HijackThis v1.99.1
Scan saved at 9:23:12 AM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe
C:\Program Files\Dell Photo AIO Printer 964\memcard.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\RegistrySmart\RegistrySmart.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\MBDownloader_876919.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dlcjcoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Documents and Settings\Tina Morris\Desktop\alternativ.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {A7DE354A-CACE-43FC-9906-DA22A557A151} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcjmon.exe] "C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 964\memcard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\MBDownloader_876919.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm801MGUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

Let me know how this looks.

Thank you,

XBedoya

>> I have a question: there are two programs running on this computer, and I wonder if I should delete them too, Registry Smart and Registry Booty.<<

Yes, uninstall them; use Add/Remove Programs to do so.
RegCure <-- also uninstall this one.

When it comes to the registry, only use a known, reliable program.
These are the registry cleaners that I've used and trust:
TuneUp utilities <-- still using it.
Registry Mechanic
JVC16


C:\Program Files\Windows NT <-- can you check the properties of this folder? There were so many nasties inside this folder. Do you know anything about it? Did you install it yourself?

Run Hijackthis again and put a check next to these entries and while all browsers and other windows are closed, click "Fix Checked".
O2 - BHO: (no name) - {A7DE354A-CACE-43FC-9906-DA22A557A151} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\MBDownloader_876919.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm801MGUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab


Vundofix and Combofix have removed heaps of bad files, but there are still some bad files that need to be removed.

Open Notepad and copy/paste the text inside the lines below into it.
--------------------------------------------------------------
File::
C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\MBDownloader_876919.exe
C:\WINDOWS\system32\fendpjsl.exe
C:\WINDOWS\system32\kjjhgbvs.exe
C:\WINDOWS\system32\vvkttcre.exe
C:\WINDOWS\system32\qlgkknyo.exe
C:\WINDOWS\system32\vjqarnmp.exe
C:\WINDOWS\system32\jcykrkvl.dll
C:\WINDOWS\system32\nggkfgns.dll
C:\WINDOWS\system32\hidymscx.exe

--------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe.
Drag CFScript onto ComboFix.exe.

This will start ComboFix again. Follow the prompts. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have 2 versions of Java there; I suggest uninstalling this version --> j2re1.4.2_03, because it's very vulnerable to Vundo/Conhook infections. I would suggest using the later or latest version.
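The entries ticked for "Fix Checked" above follow a few recognisable patterns: a BHO whose DLL is already gone, an autostart entry launching from a user Temp folder, a context-menu/ActiveX (O8/O16) entry from an adware toolbar distributor, and a registry cleaner the thread told the user to uninstall. The triage script below automates exactly those checks over a HijackThis log; it is an added example written for this thread, not HijackThis's own code or the expert's, and the sample log lines are copied from the log posted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Heuristics mirroring what was flagged in this thread (added example, not
# part of HijackThis).  Markers and names are taken from the posted log.
ADWARE_MARKERS = ("mywebsearch.com", "imgfarm.com", "funwebproducts")
UNWANTED_PROGRAMS = ("RegistrySmart", "RegCure")  # the thread said to uninstall these
TEMP_FOLDER = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
ENTRY = re.compile(r"^(O\d+|R\d) - ")  # HijackThis entry prefix, e.g. "O4 - "


@dataclass
class Finding:
    line: str
    reason: str


def classify(line: str) -> Optional[str]:
    """Return why a HijackThis entry looks suspicious, or None if it passes."""
    if not ENTRY.match(line):
        return None  # process list, headers, blank lines
    section = line.split(" - ", 1)[0]
    lower = line.lower()
    if section == "O2" and "(file missing)" in lower:
        return "orphaned BHO: registry entry points at a DLL that is already gone"
    if section == "O4" and TEMP_FOLDER.search(line):
        return "autostart entry launches an executable from a user Temp folder"
    if section == "O4" and any(p.lower() in lower for p in UNWANTED_PROGRAMS):
        return "autostart entry for a program the cleanup told the user to uninstall"
    if section in ("O8", "O16") and any(m in lower for m in ADWARE_MARKERS):
        return "context-menu/ActiveX entry from a known adware toolbar distributor"
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan a whole HijackThis log and collect the entries worth fixing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = classify(line)
        if reason:
            findings.append(Finding(line, reason))
    return findings


def fix_checklist(findings: List[Finding]) -> List[str]:
    """The lines to tick in HijackThis before clicking 'Fix Checked'."""
    return [f.line for f in findings]


# Sample lines copied from the log posted in this thread (benign ones included
# so the script has something to leave alone).
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {A7DE354A-CACE-43FC-9906-DA22A557A151} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\MBDownloader_876919.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm801MGUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```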


XBedoya (ASKER):

I looked at the Windows NT folder. I don't know anything about it; it says read-only, and it contains the following files:

dialer, hyperterm, rtenejuziv, htm_jis.dll, qufatygyw308. Two folders:
-Accessories: mswrd6.wpc, mswrd8.wpc, wordpad, write.wpc
-PinBall

I will uninstall the Java application next. I just tried the internet but still can't go on-line.

Here is the Log:

ComboFix 07-08-09.3 - "Tina Morris" 2007-08-09 22:12:07.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.191 [GMT -4:00]
Command switches used ::  C:\Documents and Settings\Tina Morris\Desktop\CFScript.txt
 * Created a new restore point

FILE::
C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\MBDownloader_876919.exe
C:\WINDOWS\system32\fendpjsl.exe
C:\WINDOWS\system32\kjjhgbvs.exe
C:\WINDOWS\system32\vvkttcre.exe
C:\WINDOWS\system32\qlgkknyo.exe
C:\WINDOWS\system32\vjqarnmp.exe
C:\WINDOWS\system32\jcykrkvl.dll
C:\WINDOWS\system32\nggkfgns.dll
C:\WINDOWS\system32\hidymscx.exe


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\MBDownloader_876919.exe
C:\WINDOWS\system32\fendpjsl.exe
C:\WINDOWS\system32\hidymscx.exe
C:\WINDOWS\system32\jcykrkvl.dll
C:\WINDOWS\system32\kjjhgbvs.exe
C:\WINDOWS\system32\nggkfgns.dll
C:\WINDOWS\system32\qlgkknyo.exe
C:\WINDOWS\system32\vjqarnmp.exe
C:\WINDOWS\system32\vvkttcre.exe


(((((((((((((((((((((((((   Files Created from 2007-07-10 to 2007-08-10  )))))))))))))))))))))))))))))))


2007-08-09 09:10      51,200      --a------      C:\WINDOWS\nircmd.exe
2007-08-09 08:58      24,576      --a------      C:\WINDOWS\system32\VundoFixSVC.exe
2007-08-09 08:55      <DIR>      d--------      C:\VundoFix Backups
2007-08-06 21:57      <DIR>      d--------      C:\WINDOWS\system32\mclsphlr
2007-08-06 21:57      <DIR>      d--------      C:\WINDOWS\system32\appmgmt
2007-08-05 23:26      <DIR>      d--------      C:\WINDOWS\system32\LogFiles
2007-08-05 22:19      <DIR>      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\Corel
2007-07-24 19:06      <DIR>      d--------      C:\Program Files\AIM6
2007-07-24 19:06      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-07-22 11:40      94,208      --a------      C:\WINDOWS\system32\mclsp.dll
2007-07-22 11:40      90,112      --a------      C:\WINDOWS\system32\mcrtl32.dll
2007-07-22 11:40      32,768      --a------      C:\WINDOWS\system32\instlsp.exe
2007-07-22 11:40      11,264      --a------      C:\WINDOWS\system32\sporder.dll
2007-07-21 18:50      <DIR>      d--------      C:\Program Files\iPod
2007-07-13 23:50      <DIR>      d--------      C:\DOCUME~1\JUSTIN~1\APPLIC~1\Corel Photo Album
2007-07-13 19:26      <DIR>      d--------      C:\Temp
2007-07-11 10:20      <DIR>      d--------      C:\DOCUME~1\JUSTIN~1\APPLIC~1\Uniblue
2007-07-11 09:53      <DIR>      d--------      C:\Program Files\RegCure
2007-07-09 17:57      <DIR>      d--------      C:\WINDOWS\.file_store_32
2007-07-09 17:25      <DIR>      d--------      C:\WINDOWS\.jagex_cache_34


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-09 09:15      ---------      d--------      C:\Program Files\Windows NT
2007-08-09 09:15      ---------      d--------      C:\Program Files\Messenger
2007-08-06 21:57      ---------      d--------      C:\Program Files\QuickTime
2007-08-06 21:57      ---------      d--------      C:\Program Files\MySpace
2007-08-06 21:57      ---------      d--------      C:\Program Files\iTunes
2007-08-06 21:57      ---------      d--------      C:\Program Files\Common Files\aolshare
2007-08-06 21:57      ---------      d--------      C:\Program Files\Apple Software Update
2007-08-06 21:54      ---------      d--------      C:\Program Files\Dell
2007-08-06 21:54      ---------      d--------      C:\Program Files\Common Files\AOL
2007-08-06 21:54      ---------      d--------      C:\Program Files\America Online 9.0
2007-08-06 21:51      ---------      d--------      C:\Program Files\AIM
2007-08-06 21:51      ---------      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\McAfee.com Personal Firewall
2007-08-05 22:19      56      -r-hs----      C:\WINDOWS\system32\3367DA2490.sys
2007-08-05 22:19      4184      --ahs----      C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-05 21:56      ---------      d--------      C:\Program Files\Dl_cats
2007-07-24 20:55      88      -r-hs----      C:\WINDOWS\system32\9024DA6733.sys
2007-07-22 11:40      ---------      d--------      C:\Program Files\McAfee.com
2007-07-21 17:21      ---------      d--h-----      C:\Program Files\InstallShield Installation Information
2007-07-16 14:51      ---------      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\Google
2007-07-16 14:49      ---------      d--------      C:\Program Files\MUSICMATCH
2007-07-06 00:07      ---------      d--------      C:\Program Files\Common Files\Apple
2007-07-05 09:31      ---------      d--------      C:\Program Files\Common Files\Roxio Shared
2007-07-05 09:30      ---------      d--------      C:\Program Files\Roxio
2007-06-21 13:12      ---------      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\Apple Computer
2007-06-20 03:31      ---------      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\RegistrySmart
2007-06-19 21:59      ---------      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\MySpace
2007-06-15 18:33      ---------      d--------      C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-06-12 19:07      ---------      d--------      C:\Program Files\MSECache
2007-06-05 20:29      386      --a------      C:\WINDOWS\tmpcpyis.bat
2007-06-05 20:29      122      --a------      C:\WINDOWS\tmpdelis.bat
2007-06-05 20:28      26      --a------      C:\WINDOWS\winstart.bat
2007-05-16 11:12      86528      ---------      C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12      85504      ---------      C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12      683520      --a------      C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12      683520      ---------      C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12      510976      ---------      C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12      1314816      ---------      C:\WINDOWS\system32\dllcache\msoe.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 03:12]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-07-01 19:22]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 14:26]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-12 19:05]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-06-21 13:49]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-07-12 18:06]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 12:49]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-08-18 17:52]
"McRegWiz"="C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe" [2005-06-01 14:05]
"DLCJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll" [2005-08-15 05:40]
"dlcjmon.exe"="C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe" [2005-08-12 08:47]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 964\memcard.exe" [2005-08-10 02:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-06-09 09:51]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2005-07-26 14:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 08:31]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-21 13:36:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 MPFIREWL;MPFIREWL;C:\WINDOWS\system32\Drivers\MpFirewall.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 TnIDriver;TnIDriver;\??\C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\tni23.tmp


Contents of the 'Scheduled Tasks' folder
2007-07-21 22:36:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-09 13:19:24 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job - C:\Program Files\RegistrySmart\RegistrySmart.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 22:15:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-09 22:17:52 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-09 22:17
C:\ComboFix2.txt ... 2007-08-09 09:20

      --- E O F ---
>I will uninstall the Java application next. I just tried the internet but still can't go on-line<
XBedoya,
Your core DLL files may require registering following possible (or probable) damage during the cleanup of the virus infection.
IEFix is a general purpose repair utility for Internet Explorer which repairs Internet Explorer by registering its core DLL files and reinstalls it using the IE.INF file.
More Information is given below >>
"IEFix - General purpose fix for Internet Explorer":
http://windowsxp.mvps.org/IEFIX.htm
If the IEFix doesn't resolve your problem, take a look at this previous E_E thread and note the excellent comments, in particular by war1.
Initially IE7 was running but it was replaced by IE6.  You could use the appropriate recommendations here, to "cleanup & repair" possible IE damage >>

https://www.experts-exchange.com/questions/22318333/Internet-Explorer-hang.html
XBedoya (ASKER):

Hi Jonvee, I did run the IEFix but nothing happened. I read the comments that you suggested but couldn't do what they say. First of all, I can't go on-line at all, and as soon as I open IE nothing else works; I can't bring up any menu. I wanted to try the other thing, but it says that I need the WinXP CD, so I have to find it first.

I am increasing the points since I believe that the level of difficulty on this matter is greater than I thought.

Perhaps you can download the "IEFix" and save to CD, then insert the CD in your problematic PC, and run.

You could also try > Start > Run
Then in the 'Open' field, type sfc /scannow (note the space between c and /)
But again you may be asked for that WinXP CD.
You haven't uninstalled RegistrySmart yet? It's still showing there, and it still has a scheduled task.

There are still more files to delete. Delete the CFScript that you created before and create a new one as below:

Open Notepad and copy/paste the text inside the lines below into it.
--------------------------------------------
File::
C:\WINDOWS\system32\3367DA2490.sys
C:\WINDOWS\system32\9024DA6733.sys
C:\DOCUME~1\TINAMO~1\APPLIC~1\RegistrySmart

--------------------------------------------
Save this as CFScript in the same location as ComboFix.exe.
Drag CFScript onto ComboFix.exe.

This will start ComboFix again. Follow the prompts.




Then run SDFix; even if it doesn't find anything, it will fix registry entries that were modified by some nasties.
Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back here.
Also clean your temp folders:

Download and run ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
 
Reboot your computer into Safe Mode.
 
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser,
to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

OR:
CCleaner:
http://www.ccleaner.com/download/
XBedoya (ASKER):

Good Morning,

Sorry I was away for the weekend. Tonight after work I will spend more time on this project.

Thank you for the new comments.

XBedoya (ASKER):

I am still looking for the Windows CD. Following are the results of the SDFix tool but I am still unable to go on-line.

SDFix: Version 1.98

Run by Tina Morris on Mon 08/13/2007 at 09:41 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.
 
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
 


                                 Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

C:\WINDOWS\system32\KGyGaAvL.sys
C:\Documents and Settings\Mike Morris\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp
C:\Documents and Settings\Mike Morris\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp
C:\Documents and Settings\Mike Morris\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp
C:\Documents and Settings\Mike Morris\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp
C:\WINDOWS\system32\config\DEFAULT.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\SOFTWARE.tmp.LOG
C:\WINDOWS\system32\config\SYSTEM.tmp.LOG

                                 Finished
Still no internet access?
Run this tool winsockfix see if it helps, and also show us a fresh hijackthis log please.
http://www.majorgeeks.com/download4372.html


McAfee hasn't protected you, since a lot of nasties were showing in those logs. I would suggest uninstalling McAfee and seeing if it's also causing that loss of connection. McAfee's spam filter can be very aggressive.
XBedoya,
Are you connected directly to the internet, or networking via a router?
If the latter, try rebooting the Router.

Presume you are still unsuccessful downloading the "IEFix" to CD as suggested on 08.11?
Let's hope that WinXP CD soon reappears :)
XBedoya (ASKER):

Here is the most recent HijackThis log after running the winsockfix. I have an internet connection now. Should I still try the IEFix?

Logfile of HijackThis v1.99.1
Scan saved at 10:07:43 PM, on 8/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe
C:\Program Files\Dell Photo AIO Printer 964\memcard.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dlcjcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tina Morris\Desktop\alternativ.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcjmon.exe] "C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 964\memcard.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

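As an added example (not code from this thread or from HijackThis), a small Python parser for the `R`/`O` lines of a HijackThis log like the one above, with a triage pass that picks out the entry kinds a reviewer checks first: `O20` AppInit_DLLs entries, `O23` services listed as "Unknown owner", and `O4` autoruns that give only a bare filename. The sample lines are constructed from the log above, and the triage rules are my own, not the tool's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")

@dataclass
class Entry:
    section: str          # "R1", "O2", "O4", "O23", ...
    body: str             # text after the "O4 - " prefix
    clsid: Optional[str]  # {GUID} if the line carries one
    path: Optional[str]   # file the entry loads or runs, if recognisable

def _path_of(section: str, body: str) -> Optional[str]:
    if section == "O4":                 # [Name] "C:\x.exe" -args   or   [Name] x.exe
        tail = body.split("] ", 1)[1] if "] " in body else ""
        if tail.startswith('"'):
            return tail[1:].split('"', 1)[0]
        return tail.split(" ", 1)[0] or None
    if section == "O20":                # AppInit_DLLs: C:\...\x.dll
        return body.split(": ", 1)[1].strip() if ": " in body else None
    parts = [p.strip() for p in body.split(" - ")]   # O2/O3/O9/O23: name - owner/CLSID - path
    return parts[-1] if len(parts) > 1 else None

def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None                     # header, process list, blank line
    section, body = m.groups()
    cm = CLSID_RE.search(body)
    return Entry(section, body, cm.group(0) if cm else None, _path_of(section, body))

def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Entries a reviewer should look at first, with the reason (my own rules)."""
    hits = []
    for e in entries:
        if e.section == "O20":
            hits.append((e, "AppInit_DLLs is loaded into every process that uses user32"))
        elif e.section == "O23" and "Unknown owner" in e.body:
            hits.append((e, "service binary carries no publisher name"))
        elif e.section == "O4" and e.path and not DRIVE_RE.match(e.path):
            hits.append((e, "autorun names a bare file, resolved through the search path"))
    return hits

# Constructed sample: a handful of lines copied from the log in this thread.
SAMPLE_LOG = r"""R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe"""

if __name__ == "__main__":
    for entry, why in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry.section:<4} {entry.path}  <- {why}")
```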
ASKER CERTIFIED SOLUTION
Avatar of rpggamergirl
rpggamergirl
Avatar of XBedoya

ASKER

rpggamergirl,

Thank you very much. Job well done.

XBedoya
XBedoya,

You're welcome!
Glad to be of assistance. Thank you for using Experts-Exchange.

Best wishes!

~rpggamergirl