mrchaos101
asked on
HijackThis Log: Can't remove SmitFraud-C.CoreService and Virtumonde
Windows XP Home with SP2
I have used
Spybot Search and Destroy 1.5
Adaware 2007
AVG Anti Spyware
Superantivirus
I still am getting pop-ups and reports of SmitFraud-C.CoreService and Virtumonde.
I tried a SmitFraud removal tool but I guess it didn't work.
Here is my HijackThis log. Please help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:19 PM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\McAfee.com\Agent\MCAGEN~1.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc .exe
C:\Program Files\Windows Defender\MSASCui .exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv .exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [0457b3d7] rundll32.exe "C:\WINDOWS\system32\cnhidtfg.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
--
End of file - 8935 bytes
ASKER CERTIFIED SOLUTION
ASKER
ComboFix 08-01-04.1 - chad.H 2008-01-05 16:17:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.520 [GMT -6:00]
Running from: C:\Documents and Settings\chad.H\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.
2008-01-05 15:43 . 2008-01-05 15:43 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-05 11:23 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-03 18:44 . 2008-01-03 18:48 1,938 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-03 18:43 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-03 18:43 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-03 18:43 . 2007-12-19 22:57 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-03 18:43 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-03 18:43 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-03 10:03 . 2008-01-03 13:36 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-03 09:37 . 2008-01-03 09:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-03 08:52 . 2008-01-03 08:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-02 16:05 . 2008-01-02 16:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-02 16:04 . 2008-01-05 11:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-02 16:04 . 2008-01-02 16:04 <DIR> d-------- C:\Documents and Settings\chad.H\Application Data\SUPERAntiSpyware.com
2008-01-02 16:03 . 2008-01-02 16:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-02 15:35 . 2008-01-02 15:35 <DIR> d-------- C:\Program Files\RcvSystem
2007-12-27 23:44 . 2008-01-05 11:49 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-27 19:18 . 2007-12-27 19:18 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-27 13:14 . 2007-12-27 13:14 348,160 --a------ C:\WINDOWS\system32\RCX2D4.tmp
2007-12-27 00:25 . 2008-01-05 16:18 11,505 --a------ C:\WINDOWS\system32\Config.MPF
2007-12-27 00:23 . 2007-12-28 10:53 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-12-27 00:23 . 2007-12-28 00:00 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-12-27 00:23 . 2007-12-27 00:48 <DIR> d-------- C:\Documents and Settings\chad.H\Application Data\SiteAdvisor
2007-12-27 00:23 . 2007-12-27 00:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-27 00:19 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-12-27 00:18 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-12-27 00:18 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-12-27 00:18 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-12-27 00:18 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-12-27 00:18 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-12-27 00:15 . 2007-12-27 00:16 <DIR> d-------- C:\Program Files\McAfee.com
2007-12-27 00:15 . 2007-12-27 00:18 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-12-26 23:39 . 2007-12-26 23:39 40,734 --a------ C:\WINDOWS\system32\superiorads-uninst.exe
2007-12-26 23:23 . 2007-12-28 10:50 212,992 --a------ C:\WINDOWS\troy44 .exe
2007-12-26 20:05 . 2007-12-26 20:05 4,286 --a------ C:\WINDOWS\system32\MobileSidewalk.ico
2007-12-26 19:47 . 2008-01-03 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-26 19:47 . 2007-12-26 19:47 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
2007-12-26 19:45 . 2008-01-02 16:15 <DIR> d--hs---- C:\WINDOWS\Y2hhZC5I
2007-12-26 19:45 . 2008-01-02 15:59 39,936 --a------ C:\WINDOWS\mrofinu77.exe.tmp
2007-12-26 19:44 . 2008-01-02 16:59 <DIR> d-------- C:\WINDOWS\system32\to9
2007-12-26 19:44 . 2008-01-02 17:24 <DIR> d-------- C:\WINDOWS\system32\dj2
2007-12-26 19:44 . 2007-12-26 23:19 <DIR> d-------- C:\WINDOWS\system32\bbc9
2007-12-26 19:44 . 2008-01-02 16:53 <DIR> d-------- C:\WINDOWS\system32\ardCo02
2007-12-26 19:44 . 2007-12-26 19:45 <DIR> d-------- C:\Temp\cEeer12
2007-12-21 19:20 . 2007-12-21 19:20 <DIR> d--h----- C:\Temp\pt8q3khslw
2007-12-21 19:19 . 2007-12-21 19:19 <DIR> d-------- C:\Program Files\Verizon Wireless
2007-12-21 19:19 . 2007-12-21 19:19 <DIR> d-------- C:\Program Files\LG Electronics
2007-12-21 19:19 . 2007-12-27 13:20 2,691,072 --a------ C:\WINDOWS\MEDB.mdb
2007-12-21 19:19 . 2007-05-01 16:23 528,384 --a------ C:\WINDOWS\system32\VZWDownManager.exe
2007-12-21 19:19 . 2007-05-01 16:23 49,152 --a------ C:\WINDOWS\system32\VZWDLManager.dll
2007-12-21 19:19 . 2007-04-09 09:55 22,912 --a------ C:\WINDOWS\system32\drivers\lgusbmodem.sys
2007-12-21 19:19 . 2007-04-09 09:56 21,248 --a------ C:\WINDOWS\system32\drivers\lgusbdiag.sys
2007-12-21 19:19 . 2007-04-09 09:53 12,672 --a------ C:\WINDOWS\system32\drivers\lgusbbus.sys
2007-12-21 19:19 . 2007-05-02 02:34 375 --a------ C:\WINDOWS\system32\VZWDLManager.inf
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 21:43 --------- d-----w C:\Program Files\McAfee
2008-01-05 17:49 --------- d-----w C:\Program Files\QuickTime
2008-01-05 17:49 --------- d-----w C:\Program Files\NetWaiting
2008-01-05 17:49 --------- d-----w C:\Program Files\iTunes
2008-01-05 17:49 --------- d-----w C:\Program Files\DellSupport
2007-12-27 07:14 62 ----a-w C:\Program Files\uninstall.log
2007-12-27 06:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-27 06:18 246 ----a-w C:\Program Files\Common Files\xukad
2007-12-26 23:16 --------- d-----w C:\Documents and Settings\chad.H\Application Data\LimeWire
2007-12-22 01:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-16 21:38 --------- d-----w C:\Program Files\Modem Helper
2007-12-04 03:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-12-04 03:38 --------- d-----w C:\Program Files\AIM6
2007-12-04 03:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-04 03:12 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-28 06:21 --------- d-----w C:\Documents and Settings\chad.H\Application Data\acccore
2007-11-28 06:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-28 06:19 --------- d-----w C:\Program Files\Common Files\aolshare
2007-11-28 05:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-11-26 17:51 --------- d-----w C:\Documents and Settings\chad.H\Application Data\AdobeUM
2007-11-20 20:38 --------- d-----w C:\Program Files\Photo Pos Pro
2007-11-16 19:16 --------- d-----w C:\Program Files\iPod
2007-11-16 19:09 --------- d-----w C:\Program Files\Apple Software Update
2007-11-16 19:08 --------- d-----w C:\Program Files\Common Files\Apple
2007-11-16 19:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 23:42 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 23:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
2007-10-10 23:56 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-07-12 06:11 88 --sh--r C:\WINDOWS\system32\4AA31C5FF2.sys
2007-08-07 16:44 56 -csh--r C:\WINDOWS\system32\F25F1CA34A.sys
2007-08-07 16:44 6,580 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
[code]<pre>
----a-w 1,694,208 2007-12-27 05:23:59 C:\Program Files\Messenger\msmsgs .exe
----a-w 212,992 2007-12-28 16:50:53 C:\WINDOWS\troy44 .exe
</pre>[/code]
((((((((((((((((((((((((((((( snapshot@2008-01-05_11.53.11.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-02 23:52:58 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-05 21:42:52 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-02 23:52:58 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-05 21:42:52 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-02 23:52:58 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-05 21:42:52 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-05 11:16 761947]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-01-05 11:16 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-01-05 11:16 696320]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-05 11:16 866584]
"RegistryMechanic"="" []
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
C:\Documents and Settings\chad.H\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2007-12-21 19:19:14]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnapDetect.lnk]
backup=C:\WINDOWS\pss\SnapDetect.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe runtime -Delay
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-10 04:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2005-12-06 09:45 839680 --a------ C:\Program Files\Dell\QuickSet\quickset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\DellSupport\DSAgnt.exe /startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2008-01-02 15:30 127035 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2008-01-02 15:30 49152 --a------ C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2008-01-02 15:30 50792 --a------ C:\Program Files\Common Files\AOL\1196230799\ee\AOLSoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-12-15 11:18 49152 --a--c--- C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
2008-01-02 15:30 124520 --a------ C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-01-02 15:30 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\gebya.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]
C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
C:\Program Files\NetWaiting\netWaiting .exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack11]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask .exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
2008-01-05 11:18 36640 --a------ C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-04-13 03:48 36975 --a--c--- C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2008-01-05 11:16 1318912 --a------ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide
S2 0058031199569456mcinstcleanup;McAfee Application Installer Cleanup (0058031199569456);C:\WINDOWS\TEMP\005803~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []
[HKEY_CURRENT_USER\softwar e\microsof t\windows\ currentver sion\explo rer\mountp oints2\{36 1ac05d-0e0 d-11da-9aa 9-806d6172 696f}]
\Shell\AutoRun\command - E:\setup.exe
[HKEY_CURRENT_USER\softwar e\microsof t\windows\ currentver sion\explo rer\mountp oints2\{38 abfdc4-11d c-11db-914 8-00038a00 0015}]
\Shell\AutoRun\command - E:\SafeGuard\Windows\SafeG uard20.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-12-23 03:53:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-27 06:17:04 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2007-12-27 06:17:03 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-01-05 17:59:20 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 16:21:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-05 16:22:06
ComboFix-quarantined-files.txt 2008-01-05 22:22:04
ComboFix2.txt 2008-01-05 17:53:34
.
2008-01-04 19:56:16 --- E O F ---
ASKER
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:48 PM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee Application Installer Cleanup (0058031199569456) (0058031199569456mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\005803~1.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
--
End of file - 8660 bytes
It looked like you ran Combofix twice, did you?
You had the vundo file infector that infects legit files; the first CF log would've shown what was infected and what was replaced. In the log you posted, it seems Combofix was not able to replace C:\Program Files\Messenger\msmsgs.exe.
After running the CFScript, if Messenger is still not working, just reinstall it.
Combofix should neutralize the infection, but if there are other programs not working properly, just reinstall them.
Open notepad and copy/paste the text inside the lines below into it.
------------------------------------------------------------------
File::
C:\WINDOWS\system32\RCX2D4.tmp
C:\WINDOWS\system32\superiorads-uninst.exe
C:\WINDOWS\troy44.exe
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\mrofinu77.exe.tmp
Folder::
C:\WINDOWS\Y2hhZC5I
C:\WINDOWS\system32\bbc9
C:\WINDOWS\system32\ardCo02
C:\Temp\cEeer12
C:\Temp\pt8q3khslw
C:\WINDOWS\system32\to9
C:\WINDOWS\system32\dj2
RENV::
C:\Program Files\Messenger\msmsgs.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
------------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe
then drag CFScript.txt into ComboFix.exe
This will start ComboFix again. Follow the prompts. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
You can fix these entries in Hijackthis:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
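The CFScript above is a plain text file with `Section::` headers followed by one entry per line. As an added example (not code from this thread, from the expert who posted the script, or from ComboFix itself), here is a small Python parser that splits such a script into its sections and sanity-checks the entries before anyone feeds it to the tool: every `File::`, `Folder::` and `RENV::` entry must be an absolute Windows path, no `Folder::` entry may name a whole system directory, and every `Registry::` entry must be a bracketed key under a real hive. The reading of `[-KEY]` as "delete this key" follows the .reg file convention and is an assumption, as is the section list, which covers only the four sections the post uses; the embedded sample script is a constructed copy of the one posted above, not a file from the asker's machine.

```python
"""Parse a ComboFix CFScript into sections and sanity-check its entries (added example)."""
import re
from collections import OrderedDict

# Constructed sample mirroring the script posted in the thread (shortened, for testing).
SAMPLE_CFSCRIPT = """\
File::
C:\\WINDOWS\\system32\\RCX2D4.tmp
C:\\WINDOWS\\troy44.exe
Folder::
C:\\WINDOWS\\Y2hhZC5I
C:\\Temp\\cEeer12
RENV::
C:\\Program Files\\Messenger\\msmsgs.exe
Registry::
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\Load]
"""

# Assumption: only the sections used in the post are known to this checker.
KNOWN_SECTIONS = {"File", "Folder", "RENV", "Registry"}
PATH_SECTIONS = {"File", "Folder", "RENV"}
HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
# Directories that must never appear as a Folder:: entry (whole-system deletion).
PROTECTED_DIRS = {"C:", "C:\\WINDOWS", "C:\\WINDOWS\\SYSTEM32", "C:\\PROGRAM FILES"}

_ABS_PATH = re.compile(r"^[A-Za-z]:\\")
# .reg-style key line: optional leading '-' inside the brackets means "delete key" (assumption).
_REG_LINE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+)\\(.+)\]$")


def parse_cfscript(text):
    """Return an ordered mapping {section name: [entries]} in file order."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):          # section header such as "File::"
            current = line[:-2]
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def check_cfscript(sections):
    """Return a list of human-readable problems; an empty list means the script looks well-formed."""
    problems = []
    for name, entries in sections.items():
        if name not in KNOWN_SECTIONS:
            problems.append(f"unknown section {name}::")
            continue
        for entry in entries:
            if name in PATH_SECTIONS:
                if not _ABS_PATH.match(entry):
                    problems.append(f"{name}:: entry is not an absolute Windows path: {entry}")
                elif name == "Folder" and entry.rstrip("\\").upper() in PROTECTED_DIRS:
                    problems.append(f"Folder:: entry names a protected system directory: {entry}")
            else:  # Registry::
                m = _REG_LINE.match(entry)
                if not m:
                    problems.append(f"Registry:: entry is not a bracketed key: {entry}")
                elif m.group(2) not in HIVES:
                    problems.append(f"Registry:: unknown hive in: {entry}")
    return problems


def registry_deletions(sections):
    """Return the full key paths the Registry:: section asks to delete (the [-KEY] form)."""
    keys = []
    for entry in sections.get("Registry", []):
        m = _REG_LINE.match(entry)
        if m and m.group(1) == "-":
            keys.append(m.group(2) + "\\" + m.group(3))
    return keys


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for section, entries in parsed.items():
        print(f"{section}:: {len(entries)} entries")
    print("problems:", check_cfscript(parsed) or "none")
    print("keys to delete:", registry_deletions(parsed))
```

Running the block on the embedded sample reports two `File::`, two `Folder::`, one `RENV::` and one `Registry::` entry, no problems, and one key marked for deletion; feeding it a script whose `Folder::` section names `C:\WINDOWS\system32\` or whose registry line lacks the brackets produces a problem for each, which is the kind of mistake worth catching before dragging the file onto ComboFix.exe.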
You closed the question, so I assume the problem is solved?
Thanks!
Thanks!
http://www.kaspersky.com/anti-virus_trial
Activate your trial license, update the detection database and run a full scan of your system. Most likely KAV will be able to quickly identify and remove Virtumonde.
Let me know if this works for you.