Solved

System Restore Problem no internet access

Posted on 2007-08-07
Medium Priority
487 Views
Last Modified: 2013-11-05
This computer is not opening the internet. Tried to restore it to a prior point, but it is not taking any of them. Then a pop-up from McAfee Privacy Service appears and doesn't go away; it didn't do this before.
Question by:XBedoya
22 Comments
 
LVL 39

Expert Comment

by:PUNKY
ID: 19650721
Try disabling McAfee and see if you can gain internet access.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 19650991
Looks like McAfee removed the bad file --> C:\WINDOWS\system32\fauwcocq.dll
but didn't clean up the relevant registry entry, which is why the error comes up.

Do you have access to a PC with online access? If so, please download HijackThis.
Can you run HijackThis and show us the log, please?
http://danborg.org/spy/hjt/alternativ.exe
Open HijackThis and click "Do a system scan and save a logfile". Please don't fix anything yet.
 

Author Comment

by:XBedoya
ID: 19651237
I did disable McAfee but still can't go online.

I will download HijackThis from another computer.
 

Author Comment

by:XBedoya
ID: 19651288
rpggamergirl,

Here it is:
Logfile of HijackThis v1.99.1
Scan saved at 11:36:19 PM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RegistrySmart\RegistrySmart.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe
C:\Program Files\Dell Photo AIO Printer 964\memcard.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\MBDownloader_876919.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\WINDOWS\retadpu572.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\WINDOWS\system32\dlcjcoms.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\Tina Morris\Desktop\alternativ.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {1BD6FE72-D35B-4A75-1C86-38D53F2D1462} - C:\Program Files\Windows NT\qufatygyw308.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {4650A081-64C9-44E4-9F6F-508F7E4C80BD} - C:\Program Files\Messenger\mesobif83122.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {A7DE354A-CACE-43FC-9906-DA22A557A151} - C:\WINDOWS\system32\jkhhe.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\qomkiij.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcjmon.exe] "C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 964\memcard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\MBDownloader_876919.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\fauwcocq.dll",forkonce
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm801MGUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\system32\jkhhe.dll
O20 - Winlogon Notify: qomkiij - C:\WINDOWS\SYSTEM32\qomkiij.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

 
LVL 47

Expert Comment

by:rpggamergirl
ID: 19661070
Your HijackThis log is very much infected with Vundo and ConHook, among other nasties.
You also MUST uninstall this rogue program that you have there --> WinAntiSpyware 2007


1.  Please download VundoFix.exe to your desktop (run VundoFix twice and show us the log, to check for remaining bad entries).
http://www.atribune.org/ccount/click.php?id=4
* Double-click VundoFix.exe to run it.
* Click the "Scan for Vundo" button.
* Once it's done scanning, click the "Remove Vundo" button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt.

Note: It is possible that VundoFix encounters a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.


2.  Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click "combofix.exe" and follow the prompts.
When finished, it will produce a log for you.
Post that log and a HijackThis log in your next reply.

Note: Do not click in ComboFix's window while it is running. That may cause it to stall.

3.  Show us a fresh HijackThis log afterwards, please.
 

Author Comment

by:XBedoya
ID: 19661975
Good Morning,

I did as you said and here are the logs for the 3 applications (this is gonna be a long one).

I have a question: there are two programs running on this computer and I wonder if I should delete them too, Registry Smart and Registry Booty.

1. VundoFix V6.5.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 8:55:22 AM 8/9/2007

Listing files found while scanning....

C:\windows\system32\dbsdnepv.exe
C:\windows\system32\ddcbxut.dll
C:\windows\system32\efyeijvp.ini
C:\WINDOWS\system32\ehhkj.bak1
C:\WINDOWS\system32\ehhkj.bak2
C:\WINDOWS\system32\ehhkj.ini
C:\WINDOWS\system32\ehhkj.ini2
C:\WINDOWS\system32\ehhkj.tmp
C:\WINDOWS\system32\fauwcocq.dll
C:\WINDOWS\system32\hkxyhenc.dll
C:\windows\system32\jdslxyap.exe
C:\WINDOWS\system32\jkhhe.dll
C:\windows\system32\mesmiduw.dll
C:\windows\system32\pvjieyfe.dll
C:\WINDOWS\system32\qcocwuaf.ini
C:\WINDOWS\system32\qomkiij.dll
C:\windows\system32\rwelstax.exe
C:\windows\system32\skuvftnp.exe

Beginning removal...

 Attempting to delete C:\windows\system32\dbsdnepv.exe
C:\windows\system32\dbsdnepv.exe Has been deleted!

 Attempting to delete C:\windows\system32\ddcbxut.dll
C:\windows\system32\ddcbxut.dll Has been deleted!

 Attempting to delete C:\windows\system32\efyeijvp.ini
C:\windows\system32\efyeijvp.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ehhkj.bak1
C:\WINDOWS\system32\ehhkj.bak1 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ehhkj.bak2
C:\WINDOWS\system32\ehhkj.bak2 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ehhkj.ini
C:\WINDOWS\system32\ehhkj.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ehhkj.ini2
C:\WINDOWS\system32\ehhkj.ini2 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ehhkj.tmp
C:\WINDOWS\system32\ehhkj.tmp Has been deleted!

 Attempting to delete C:\WINDOWS\system32\fauwcocq.dll
C:\WINDOWS\system32\fauwcocq.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\hkxyhenc.dll
C:\WINDOWS\system32\hkxyhenc.dll Has been deleted!

 Attempting to delete C:\windows\system32\jdslxyap.exe
C:\windows\system32\jdslxyap.exe Has been deleted!

 Attempting to delete C:\WINDOWS\system32\jkhhe.dll
C:\WINDOWS\system32\jkhhe.dll Has been deleted!

 Attempting to delete C:\windows\system32\mesmiduw.dll
C:\windows\system32\mesmiduw.dll Has been deleted!

 Attempting to delete C:\windows\system32\pvjieyfe.dll
C:\windows\system32\pvjieyfe.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\qcocwuaf.ini
C:\WINDOWS\system32\qcocwuaf.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\qomkiij.dll
C:\WINDOWS\system32\qomkiij.dll Has been deleted!

 Attempting to delete C:\windows\system32\rwelstax.exe
C:\windows\system32\rwelstax.exe Has been deleted!

 Attempting to delete C:\windows\system32\skuvftnp.exe
C:\windows\system32\skuvftnp.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 9:04:25 AM 8/9/2007

Listing files found while scanning....

No infected files were found.

2.  ComboFix 07-08-09.3 - "Tina Morris" 2007-08-09  9:13:50.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.159 [GMT -4:00]
 * Created a new restore point


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\FindIt.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\FindItHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\findithotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\finditxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\Highlight.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\HighlightHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\highlighthotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\highlightxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\Reference.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\ReferenceHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\referencehotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\referencexp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\screensaver.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\starware_toolbar_icon.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\Weather.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\weatherhotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\buttons\weatherxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\contexts\error.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\contexts\related.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware316\contexts\travel.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\FindIt.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\FindItHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\findithotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\finditxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\Highlight.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\HighlightHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\highlighthotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\highlightxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\Reference.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\ReferenceHot.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\referencehotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\referencexp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\screensaver.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\starware_toolbar_icon.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\Weather.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\weatherhotxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\buttons\weatherxp.png
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\contexts\error.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\contexts\related.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware316\contexts\travel.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\DOCUME~1\JUSTIN~1\APPLIC~1\..\err.log
C:\DOCUME~1\JUSTIN~1\APPLIC~1\WinAntiSpyware 2007
C:\DOCUME~1\JUSTIN~1\APPLIC~1\WinAntiSpyware 2007\Logs\update.log
C:\DOCUME~1\MIKEMO~1\APPLIC~1\..\err.log
C:\DOCUME~1\MIKEMO~1\APPLIC~1\WinAntiSpyware 2007
C:\DOCUME~1\MIKEMO~1\APPLIC~1\WinAntiSpyware 2007\Logs\update.log
C:\DOCUME~1\TINAMO~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\TINAMO~1\APPLIC~1.\winantispyware 2007\Logs\update.log
C:\DOCUME~1\TINAMO~1\APPLIC~1\..\err.log
C:\DOCUME~1\TINAMO~1\APPLIC~1\WinAntiSpyware 2007\Logs\update.log
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe
C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Images\0033B676.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\00A5B004.urr
C:\Program Files\FunWebProducts\Shared\06E84DBA.dat
C:\Program Files\Messenger\mesobif83122.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm.bak
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat.bak
C:\Program Files\Windows NT\qufatygyw.dll
C:\Program Files\Windows NT\qufatygyw15.dll
C:\Program Files\Windows NT\qufatygyw191.dll
C:\Program Files\Windows NT\qufatygyw211.dll
C:\Program Files\Windows NT\qufatygyw252.dll
C:\Program Files\Windows NT\qufatygyw281.dll
C:\Program Files\Windows NT\qufatygyw308.dll
C:\Program Files\Windows NT\qufatygyw434.dll
C:\Program Files\Windows NT\qufatygyw620.dll
C:\Program Files\Windows NT\qufatygyw681.dll
C:\temp\0c2
C:\temp\0c2\tmpRC.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\retadpu572.exe
C:\WINDOWS\system32\awlqpulq.exe
C:\WINDOWS\system32\B0
C:\WINDOWS\system32\B0\mwspasrt83122.exe
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\b02FdUe\b02FdUe1065.exe
C:\WINDOWS\system32\B1
C:\WINDOWS\system32\B1\wr73.exe
C:\WINDOWS\system32\B2
C:\WINDOWS\system32\B2\st2.exe
C:\WINDOWS\system32\B5
C:\WINDOWS\system32\cxstjpri.exe
C:\WINDOWS\system32\dpdkprlx.exe
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\gokgsavp.exe
C:\WINDOWS\system32\gsjeioch.exe
C:\WINDOWS\system32\jiytdxbx.exe
C:\WINDOWS\system32\kbjaoabk.exe
C:\WINDOWS\system32\vmpyxqbg.exe
C:\WINDOWS\system32\vsytyykh.exe
C:\WINDOWS\system32\widxnvvp.exe
C:\WINDOWS\system32\wuivvtbm.exe
C:\WINDOWS\tk58.exe
C:\WINDOWS\wr.txt


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_FOPN
-------\ApiMon
-------\core


(((((((((((((((((((((((((   Files Created from 2007-07-09 to 2007-08-09  )))))))))))))))))))))))))))))))


2007-08-09 09:10      51,200      --a------      C:\WINDOWS\nircmd.exe
2007-08-09 08:58      24,576      --a------      C:\WINDOWS\system32\VundoFixSVC.exe
2007-08-09 08:55      <DIR>      d--------      C:\VundoFix Backups
2007-08-06 21:57      <DIR>      d--------      C:\WINDOWS\system32\mclsphlr
2007-08-06 21:57      <DIR>      d--------      C:\WINDOWS\system32\appmgmt
2007-08-05 23:26      <DIR>      d--------      C:\WINDOWS\system32\LogFiles
2007-08-05 22:19      <DIR>      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\Corel
2007-07-25 18:08      66,112      --a------      C:\WINDOWS\system32\fendpjsl.exe
2007-07-25 18:02      66,112      --a------      C:\WINDOWS\system32\kjjhgbvs.exe
2007-07-24 19:06      <DIR>      d--------      C:\Program Files\AIM6
2007-07-24 19:06      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-07-23 16:12      4,672      --a------      C:\WINDOWS\system32\vvkttcre.exe
2007-07-23 16:11      66,112      --a------      C:\WINDOWS\system32\qlgkknyo.exe
2007-07-22 11:40      94,208      --a------      C:\WINDOWS\system32\mclsp.dll
2007-07-22 11:40      90,112      --a------      C:\WINDOWS\system32\mcrtl32.dll
2007-07-22 11:40      32,768      --a------      C:\WINDOWS\system32\instlsp.exe
2007-07-22 11:40      11,264      --a------      C:\WINDOWS\system32\sporder.dll
2007-07-22 11:03      66,112      --a------      C:\WINDOWS\system32\vjqarnmp.exe
2007-07-21 18:50      <DIR>      d--------      C:\Program Files\iPod
2007-07-16 14:16      66,624      --a------      C:\WINDOWS\system32\jcykrkvl.dll
2007-07-16 14:11      128,576      --a------      C:\WINDOWS\system32\nggkfgns.dll
2007-07-16 14:08      66,112      --a------      C:\WINDOWS\system32\hidymscx.exe
2007-07-13 23:50      <DIR>      d--------      C:\DOCUME~1\JUSTIN~1\APPLIC~1\Corel Photo Album
2007-07-13 19:26      <DIR>      d--------      C:\Temp
2007-07-11 10:20      <DIR>      d--------      C:\Program Files\Uniblue
2007-07-11 10:20      <DIR>      d--------      C:\DOCUME~1\JUSTIN~1\APPLIC~1\Uniblue
2007-07-11 09:53      <DIR>      d--------      C:\Program Files\RegCure
2007-07-09 17:57      <DIR>      d--------      C:\WINDOWS\.file_store_32
2007-07-09 17:25      <DIR>      d--------      C:\WINDOWS\.jagex_cache_34


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-09 09:15      ---------      d--------      C:\Program Files\Windows NT
2007-08-09 09:15      ---------      d--------      C:\Program Files\Messenger
2007-08-06 21:57      ---------      d--------      C:\Program Files\QuickTime
2007-08-06 21:57      ---------      d--------      C:\Program Files\MySpace
2007-08-06 21:57      ---------      d--------      C:\Program Files\iTunes
2007-08-06 21:57      ---------      d--------      C:\Program Files\Common Files\aolshare
2007-08-06 21:57      ---------      d--------      C:\Program Files\Apple Software Update
2007-08-06 21:54      ---------      d--------      C:\Program Files\Dell
2007-08-06 21:54      ---------      d--------      C:\Program Files\Common Files\AOL
2007-08-06 21:54      ---------      d--------      C:\Program Files\America Online 9.0
2007-08-06 21:51      ---------      d--------      C:\Program Files\AIM
2007-08-06 21:51      ---------      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\McAfee.com Personal Firewall
2007-08-05 22:19      56      -r-hs----      C:\WINDOWS\system32\3367DA2490.sys
2007-08-05 22:19      4184      --ahs----      C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-05 21:56      ---------      d--------      C:\Program Files\Dl_cats
2007-07-24 20:55      88      -r-hs----      C:\WINDOWS\system32\9024DA6733.sys
2007-07-22 11:40      ---------      d--------      C:\Program Files\McAfee.com
2007-07-21 17:21      ---------      d--h-----      C:\Program Files\InstallShield Installation Information
2007-07-16 14:51      ---------      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\Google
2007-07-16 14:49      ---------      d--------      C:\Program Files\MUSICMATCH
2007-07-06 00:07      ---------      d--------      C:\Program Files\Common Files\Apple
2007-07-05 09:31      ---------      d--------      C:\Program Files\Common Files\Roxio Shared
2007-07-05 09:30      ---------      d--------      C:\Program Files\Roxio
2007-06-21 13:12      ---------      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\Apple Computer
2007-06-20 03:31      ---------      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\RegistrySmart
2007-06-19 21:59      ---------      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\MySpace
2007-06-18 19:37      ---------      d--------      C:\Program Files\RegistrySmart
2007-06-15 18:33      ---------      d--------      C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-06-12 19:07      ---------      d--------      C:\Program Files\MSECache
2007-06-05 20:29      386      --a------      C:\WINDOWS\tmpcpyis.bat
2007-06-05 20:29      122      --a------      C:\WINDOWS\tmpdelis.bat
2007-06-05 20:28      26      --a------      C:\WINDOWS\winstart.bat
2007-05-16 11:12      86528      ---------      C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12      85504      ---------      C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12      683520      --a------      C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12      683520      ---------      C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12      510976      ---------      C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12      1314816      ---------      C:\WINDOWS\system32\dllcache\msoe.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7DE354A-CACE-43FC-9906-DA22A557A151}]
                  C:\WINDOWS\system32\jkhhe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 03:12]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-07-01 19:22]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2005-08-26 14:26]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-12 19:05]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-06-21 13:49]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-07-12 18:06]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 12:49]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-08-18 17:52]
"McRegWiz"="C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe" [2005-06-01 14:05]
"DLCJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll" [2005-08-15 05:40]
"dlcjmon.exe"="C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe" [2005-08-12 08:47]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 964\memcard.exe" [2005-08-10 02:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"RegistrySmart"="C:\Program Files\RegistrySmart\RegistrySmart.exe" [2007-06-15 10:36]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-06-09 09:51]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" []
"NBInstall"="C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\MBDownloader_876919.exe" [2007-07-13 19:26]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2005-07-26 14:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 08:31]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-21 13:36:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 MPFIREWL;MPFIREWL;C:\WINDOWS\system32\Drivers\MpFirewall.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 TnIDriver;TnIDriver;\??\C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\tni23.tmp


Contents of the 'Scheduled Tasks' folder
2007-07-21 22:36:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-09 13:19:24 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job - C:\Program Files\RegistrySmart\RegistrySmart.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 09:18:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-09  9:20:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-09 09:20
      --- E O F ---

and the new

3. Logfile of HijackThis v1.99.1
Scan saved at 9:23:12 AM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe
C:\Program Files\Dell Photo AIO Printer 964\memcard.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\RegistrySmart\RegistrySmart.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\MBDownloader_876919.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dlcjcoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Documents and Settings\Tina Morris\Desktop\alternativ.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {A7DE354A-CACE-43FC-9906-DA22A557A151} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcjmon.exe] "C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 964\memcard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\MBDownloader_876919.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm801MGUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

Let me know how this looks.

Thank you,

XBedoya

0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 19667056
>> have a question there are two programs running in this computer and I wonder if I should delete them too, Registry Smart and Registry Booty.<<

Yes, uninstall them, and use the Add/Remove programs to uninstall them.
RegCure <-- also uninstall this one.

When it comes to the registry, you need to use only a known, reliable program.
These are the registry cleaners that I've used and trusted:
TuneUp utilities <-- still using it.
Registry Mechanic
JVC16


C:\Program Files\Windows NT <-- can you check the properties of this folder? There were so many nasties inside this folder. Do you know anything about this folder? Did you install it yourself?

Run Hijackthis again and put a check next to these entries and while all browsers and other windows are closed, click "Fix Checked".
O2 - BHO: (no name) - {A7DE354A-CACE-43FC-9906-DA22A557A151} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\MBDownloader_876919.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm801MGUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab


Vundofix and Combofix have removed heaps of bad files, but there are still some bad files that need to be removed.

Open notepad and copy/paste the text inside the lines below into it
--------------------------------------------------------------
File::
C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\MBDownloader_876919.exe
C:\WINDOWS\system32\fendpjsl.exe
C:\WINDOWS\system32\kjjhgbvs.exe
C:\WINDOWS\system32\vvkttcre.exe
C:\WINDOWS\system32\qlgkknyo.exe
C:\WINDOWS\system32\vjqarnmp.exe
C:\WINDOWS\system32\jcykrkvl.dll
C:\WINDOWS\system32\nggkfgns.dll
C:\WINDOWS\system32\hidymscx.exe

--------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe.
Drag CFScript into ComboFix.exe.

This will start ComboFix again. Follow the prompts. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have 2 versions of Java there. I suggest uninstalling this version --> j2re1.4.2_03, because that's very vulnerable to Vundo/Conhook infections. I would suggest using the later or latest version.


0
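The entries the expert singles out above (a BHO whose DLL is missing, a Run entry launched from a Temp folder, a DPF ActiveX download from a third-party host) can be checked mechanically. The following triage script is an added example, not code from the thread or from HijackThis; the severity labels, the trusted-host allowlist and the sample log lines are constructed for illustration.

```python
"""Triage helper for HijackThis-style log lines (added example)."""
import re
from urllib.parse import urlparse

# Constructed allowlist for the example; a real one would be site-specific.
TRUSTED_DPF_HOSTS = {
    "download.microsoft.com",
    "update.microsoft.com",
    "fpdownload.macromedia.com",
}

# Matches a "\Temp\" path component, e.g. C:\DOCUME~1\...\LOCALS~1\Temp\x.exe
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Constructed sample modelled on the log lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A7DE354A-CACE-43FC-9906-DA22A557A151} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\MBDownloader_876919.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
"""


def parse_line(line):
    """Split 'Onn - rest' into (section, rest); None for lines that are not entries."""
    m = re.match(r"^([OR]\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(line):
    """Return (severity, reason) when a line looks suspicious, else None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    section, rest = parsed
    if section == "O2":
        if rest.endswith("(file missing)"):
            # CLSID still registered but the DLL is gone: the usual leftover
            # after an AV product quarantines the file without cleaning the key.
            return ("high", "BHO registered but its DLL is missing")
        if rest.startswith("BHO: (no name)"):
            return ("medium", "BHO registered without a name")
    elif section == "O4":
        if TEMP_DIR_RE.search(rest):
            return ("high", "autorun entry launches a program from a Temp folder")
    elif section == "O16":
        # DPF entries are ActiveX installs pulled from a URL; the URL is the
        # last " - " separated field of the line.
        host = urlparse(rest.split(" - ")[-1]).hostname or ""
        if host not in TRUSTED_DPF_HOSTS:
            return ("medium", f"ActiveX download (DPF) from untrusted host {host}")
    elif section == "O20":
        # AppInit_DLLs is injected into every user-mode process; always worth a look.
        return ("review", "AppInit_DLLs loads a DLL into every process; confirm the vendor")
    elif section == "O23" and "Unknown owner" in rest:
        return ("review", "service binary has no recognised vendor")
    return None


def triage_log(text):
    """Run triage over a whole log; returns [(severity, reason, line), ...]."""
    findings = []
    for line in text.splitlines():
        result = triage(line)
        if result:
            findings.append((result[0], result[1], line.strip()))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```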
 

Author Comment

by:XBedoya
ID: 19667370
I looked at the Windows NT folder. I don't know anything about it; it says read-only, and it contains the following files:

dialer, hyperterm, rtenejuziv, htm_jis.dll, qufatygyw308. Two folders:
-Accessories: mswrd6.wpc, mswrd8.wpc, wordpad, write.wpc
-PinBall

I will uninstall the Java application next. I just tried the internet but still can't go on-line.

Here is the Log:

ComboFix 07-08-09.3 - "Tina Morris" 2007-08-09 22:12:07.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.191 [GMT -4:00]
Command switches used ::  C:\Documents and Settings\Tina Morris\Desktop\CFScript.txt
 * Created a new restore point

FILE::
C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\MBDownloader_876919.exe
C:\WINDOWS\system32\fendpjsl.exe
C:\WINDOWS\system32\kjjhgbvs.exe
C:\WINDOWS\system32\vvkttcre.exe
C:\WINDOWS\system32\qlgkknyo.exe
C:\WINDOWS\system32\vjqarnmp.exe
C:\WINDOWS\system32\jcykrkvl.dll
C:\WINDOWS\system32\nggkfgns.dll
C:\WINDOWS\system32\hidymscx.exe


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\MBDownloader_876919.exe
C:\WINDOWS\system32\fendpjsl.exe
C:\WINDOWS\system32\hidymscx.exe
C:\WINDOWS\system32\jcykrkvl.dll
C:\WINDOWS\system32\kjjhgbvs.exe
C:\WINDOWS\system32\nggkfgns.dll
C:\WINDOWS\system32\qlgkknyo.exe
C:\WINDOWS\system32\vjqarnmp.exe
C:\WINDOWS\system32\vvkttcre.exe


(((((((((((((((((((((((((   Files Created from 2007-07-10 to 2007-08-10  )))))))))))))))))))))))))))))))


2007-08-09 09:10      51,200      --a------      C:\WINDOWS\nircmd.exe
2007-08-09 08:58      24,576      --a------      C:\WINDOWS\system32\VundoFixSVC.exe
2007-08-09 08:55      <DIR>      d--------      C:\VundoFix Backups
2007-08-06 21:57      <DIR>      d--------      C:\WINDOWS\system32\mclsphlr
2007-08-06 21:57      <DIR>      d--------      C:\WINDOWS\system32\appmgmt
2007-08-05 23:26      <DIR>      d--------      C:\WINDOWS\system32\LogFiles
2007-08-05 22:19      <DIR>      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\Corel
2007-07-24 19:06      <DIR>      d--------      C:\Program Files\AIM6
2007-07-24 19:06      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-07-22 11:40      94,208      --a------      C:\WINDOWS\system32\mclsp.dll
2007-07-22 11:40      90,112      --a------      C:\WINDOWS\system32\mcrtl32.dll
2007-07-22 11:40      32,768      --a------      C:\WINDOWS\system32\instlsp.exe
2007-07-22 11:40      11,264      --a------      C:\WINDOWS\system32\sporder.dll
2007-07-21 18:50      <DIR>      d--------      C:\Program Files\iPod
2007-07-13 23:50      <DIR>      d--------      C:\DOCUME~1\JUSTIN~1\APPLIC~1\Corel Photo Album
2007-07-13 19:26      <DIR>      d--------      C:\Temp
2007-07-11 10:20      <DIR>      d--------      C:\DOCUME~1\JUSTIN~1\APPLIC~1\Uniblue
2007-07-11 09:53      <DIR>      d--------      C:\Program Files\RegCure
2007-07-09 17:57      <DIR>      d--------      C:\WINDOWS\.file_store_32
2007-07-09 17:25      <DIR>      d--------      C:\WINDOWS\.jagex_cache_34


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-09 09:15      ---------      d--------      C:\Program Files\Windows NT
2007-08-09 09:15      ---------      d--------      C:\Program Files\Messenger
2007-08-06 21:57      ---------      d--------      C:\Program Files\QuickTime
2007-08-06 21:57      ---------      d--------      C:\Program Files\MySpace
2007-08-06 21:57      ---------      d--------      C:\Program Files\iTunes
2007-08-06 21:57      ---------      d--------      C:\Program Files\Common Files\aolshare
2007-08-06 21:57      ---------      d--------      C:\Program Files\Apple Software Update
2007-08-06 21:54      ---------      d--------      C:\Program Files\Dell
2007-08-06 21:54      ---------      d--------      C:\Program Files\Common Files\AOL
2007-08-06 21:54      ---------      d--------      C:\Program Files\America Online 9.0
2007-08-06 21:51      ---------      d--------      C:\Program Files\AIM
2007-08-06 21:51      ---------      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\McAfee.com Personal Firewall
2007-08-05 22:19      56      -r-hs----      C:\WINDOWS\system32\3367DA2490.sys
2007-08-05 22:19      4184      --ahs----      C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-05 21:56      ---------      d--------      C:\Program Files\Dl_cats
2007-07-24 20:55      88      -r-hs----      C:\WINDOWS\system32\9024DA6733.sys
2007-07-22 11:40      ---------      d--------      C:\Program Files\McAfee.com
2007-07-21 17:21      ---------      d--h-----      C:\Program Files\InstallShield Installation Information
2007-07-16 14:51      ---------      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\Google
2007-07-16 14:49      ---------      d--------      C:\Program Files\MUSICMATCH
2007-07-06 00:07      ---------      d--------      C:\Program Files\Common Files\Apple
2007-07-05 09:31      ---------      d--------      C:\Program Files\Common Files\Roxio Shared
2007-07-05 09:30      ---------      d--------      C:\Program Files\Roxio
2007-06-21 13:12      ---------      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\Apple Computer
2007-06-20 03:31      ---------      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\RegistrySmart
2007-06-19 21:59      ---------      d--------      C:\DOCUME~1\TINAMO~1\APPLIC~1\MySpace
2007-06-15 18:33      ---------      d--------      C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-06-12 19:07      ---------      d--------      C:\Program Files\MSECache
2007-06-05 20:29      386      --a------      C:\WINDOWS\tmpcpyis.bat
2007-06-05 20:29      122      --a------      C:\WINDOWS\tmpdelis.bat
2007-06-05 20:28      26      --a------      C:\WINDOWS\winstart.bat
2007-05-16 11:12      86528      ---------      C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12      85504      ---------      C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12      683520      --a------      C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12      683520      ---------      C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12      510976      ---------      C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12      1314816      ---------      C:\WINDOWS\system32\dllcache\msoe.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 03:12]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-07-01 19:22]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 14:26]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-12 19:05]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-06-21 13:49]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-07-12 18:06]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 12:49]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-08-18 17:52]
"McRegWiz"="C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe" [2005-06-01 14:05]
"DLCJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll" [2005-08-15 05:40]
"dlcjmon.exe"="C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe" [2005-08-12 08:47]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 964\memcard.exe" [2005-08-10 02:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-06-09 09:51]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2005-07-26 14:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 08:31]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-21 13:36:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 MPFIREWL;MPFIREWL;C:\WINDOWS\system32\Drivers\MpFirewall.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 TnIDriver;TnIDriver;\??\C:\DOCUME~1\JUSTIN~1\LOCALS~1\Temp\tni23.tmp


Contents of the 'Scheduled Tasks' folder
2007-07-21 22:36:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-09 13:19:24 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job - C:\Program Files\RegistrySmart\RegistrySmart.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 22:15:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-09 22:17:52 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-09 22:17
C:\ComboFix2.txt ... 2007-08-09 09:20

      --- E O F ---
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 19673530
>I will uninstall the Java application next. I just tried the internet but still can't go on-line<
XBedoya,
Your core DLL files may require registering following possible (or probable) damage during the cleanup of the virus infection.
IEFix is a general-purpose repair utility for Internet Explorer which repairs Internet Explorer by registering its core DLL files and reinstalls using the IE.INF file.
More Information is given below >>
"IEFix - General purpose fix for Internet Explorer":
http://windowsxp.mvps.org/IEFIX.htm
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 19673662
If the IEFix doesn't resolve your problem, take a look at this previous E_E thread and note the excellent comments, in particular by war1.
Initially IE7 was running but it was replaced by IE6.  You could use the appropriate recommendations here, to "cleanup & repair" possible IE damage >>

http://www.experts-exchange.com/Other/Miscellaneous/Q_22318333.html
0
 

Author Comment

by:XBedoya
ID: 19674592
Hi Jonvee, I did run the IEFix but nothing happened. I read the comments that you suggested but couldn't do what they say. First of all, I can't go on-line at all, and as soon as I open IE nothing else works; I can't call up any menu. I wanted to try the other thing, but it says that I need the WinXP CD, so I have to find it first.

I am increasing the points since I believe that the level of difficulty on this matter is greater than I thought.

0
 
LVL 27

Expert Comment

by:Jonvee
ID: 19675390
Perhaps you can download the "IEFix" and save to CD, then insert the CD in your problematic PC, and run.

You could also try >    Start > Run
Then in the 'Open' field, type sfc /scannow (note the space between c and /)
But again you may be asked for that WinXP CD.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 19675548
You haven't uninstalled RegistrySmart yet? It's still showing there and it still has a scheduled task.

There are still more files to delete. Delete the CFScript that you created before, and create a new one as below:

Open notepad and copy/paste the text inside the lines below into it
--------------------------------------------
File::
C:\WINDOWS\system32\3367DA2490.sys
C:\WINDOWS\system32\9024DA6733.sys
C:\DOCUME~1\TINAMO~1\APPLIC~1\RegistrySmart

--------------------------------------------
Save this as CFScript in the same location as ComboFix.exe.
Drag CFScript into ComboFix.exe.

This will start ComboFix again. Follow the prompts.

Then run SDFix. Even if it doesn't find anything, it will fix registry entries that were modified by some nasties.
Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back here.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 19675565
Also clean your temp folders:

Download and run ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
 
Reboot your computer into Safe Mode.
 
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser, to keep saved passwords click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

OR:
CCleaner:
http://www.ccleaner.com/download/
0
 

Author Comment

by:XBedoya
ID: 19684294
Good Morning,

Sorry, I was away for the weekend. Tonight after work I will spend more time on this project.

Thank you for the new comments.

0
 

Author Comment

by:XBedoya
ID: 19688938
I am still looking for the Windows CD. Following are the results of the SDFix tool but I am still unable to go on-line.

SDFix: Version 1.98

Run by Tina Morris on Mon 08/13/2007 at 09:41 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.
 
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
 


                                 Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

C:\WINDOWS\system32\KGyGaAvL.sys
C:\Documents and Settings\Mike Morris\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp
C:\Documents and Settings\Mike Morris\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp
C:\Documents and Settings\Mike Morris\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp
C:\Documents and Settings\Mike Morris\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp
C:\WINDOWS\system32\config\DEFAULT.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\SOFTWARE.tmp.LOG
C:\WINDOWS\system32\config\SYSTEM.tmp.LOG

                                 Finished
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 19689444
Still no internet access?
Run this tool winsockfix see if it helps, and also show us a fresh hijackthis log please.
http://www.majorgeeks.com/download4372.html


McAfee hasn't protected you, since a lot of nasties were showing in those logs. I would suggest uninstalling McAfee and seeing if it's also causing that loss of connection. McAfee's spam filter can be very aggressive.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 19689928
XBedoya,
Are you connected directly to the internet, or networking via a router?
If the latter, try rebooting the Router.

Presume you are still unsuccessful downloading the "IEFix" to CD as suggested on 08.11?
Let's hope that WinXP CD soon reappears :)
0
 

Author Comment

by:XBedoya
ID: 19696864
Here is the most recent HijackThis log after running the winsockfix. I have an internet connection now. Should I still try the IEFix?

Logfile of HijackThis v1.99.1
Scan saved at 10:07:43 PM, on 8/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe
C:\Program Files\Dell Photo AIO Printer 964\memcard.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dlcjcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tina Morris\Desktop\alternativ.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcjmon.exe] "C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 964\memcard.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

0
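As an added example (not part of this thread, and not HijackThis' own code), a small Python triage helper that parses the "Oxx - ..." entries of a HijackThis v1.99 log like the one posted above and lists the entries a reviewer checks first: services with no vendor, Run values with no full path, and AppInit_DLLs. The sample lines are copied from that log; the flagging rules are my own heuristics and only point at what to verify by hand.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not the tool's code).
Flags O23 services with "Unknown owner", O4 Run entries that give a bare file
name instead of a full path, and O20 AppInit_DLLs entries."""
import re
from typing import Dict, List

# Section tag at the start of a HijackThis entry, e.g. "O4 - HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www.dell.com
O4 - HKLM\\..\\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Program Files\\iTunes\\iTunesHelper.exe"
O20 - AppInit_DLLs: C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL
O23 - Service: dlcj_device - Unknown owner - C:\\WINDOWS\\system32\\dlcjcoms.exe
O23 - Service: iPod Service - Apple Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
"""

def parse_log(text: str) -> Dict[str, List[str]]:
    """Group entry bodies by section tag; header and process-list lines are skipped."""
    sections: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections.setdefault(m.group(1), []).append(m.group(2))
    return sections

def triage(text: str) -> List[str]:
    """Return findings worth a second look; this is a checklist, not a verdict."""
    findings: List[str] = []
    sections = parse_log(text)
    for body in sections.get("O23", []):
        if " - Unknown owner - " in body:
            findings.append(f"O23 service without vendor: {body}")
    for body in sections.get("O4", []):
        if "Run: [" not in body:
            continue  # Global Startup shortcuts use a different layout
        # A Run value that is just "name.exe" is resolved via the search path,
        # so the binary's real location must be confirmed by hand.
        cmd = body.split("] ", 1)[-1].strip().strip('"')
        if ":\\" not in cmd:
            findings.append(f"O4 Run entry without a full path: {body}")
    for body in sections.get("O20", []):
        findings.append(f"O20 AppInit_DLLs loads into every GUI process: {body}")
    return findings
```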
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 800 total points
ID: 19696945
I don't see any suspicious entries in the hijackthis log.

Your connection is back, so is there any other problem?
If not then this is the time to flush down system restore points so any viruses that are in the system restore will be deleted.
You can do that by turning off System Restore, Reboot, and turn it back on and immediately create a new restore point.


Alternatively, you can do it this way (which is more or less the same):
1.  Create a new Restore Point:
- Go to Start -> All Programs -> Accessories -> System Tools -> System Restore.
- When the utility opens, select "Create a new restore point" and click Next
- Name the restore point - something like "After infection cleaned" or something easy to remember.
- Click Create.

2.  Delete the old Restore Points:
- Go to Start -> All Programs -> Accessories -> System Tools -> Disk Cleanup. Click Ok.
- Click the "More Options" tab.
- Where it states "System Restore" - click Clean up.
- All of the old Restore Points will be deleted EXCEPT for the one you just created.


>>Should I still try the IEFix?<<
If IE is working okay, I wouldn't do anything yet but that's up to you of course.
0
 

Author Comment

by:XBedoya
ID: 19697037
rpggamergirl,

Thank you very much. Job well done.

XBedoya
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 19698473
XBedoya,

You're welcome!
Glad to be of assistance. Thank you for using Experts-Exchange.

Best wishes!

~rpggamergirl
0
