Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:51 AM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SpywareStop\SpywareStop.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ErrorKiller\ErrorKiller.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: {ff0277a2-a8d8-51c8-5184-9907c063c8e3} - {3e8c360c-7099-4815-8c15-8d8a2a7720ff} - C:\WINDOWS\system32\sujwcorc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {DEA3F205-1844-418E-B3A9-19BF4F30AB2F} - C:\WINDOWS\system32\gebyv.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Popup Killer - {2D58DD23-2759-4C7B-9351-D68AF7D0D868} - C:\PROGRA~1\POPUPR~1\popup.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ErrorKiller] C:\Program Files\ErrorKiller\ErrorKiller.exe
O4 - HKLM\..\Run: [880dad0a] rundll32.exe "C:\WINDOWS\system32\bijfpagx.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpywareStop] C:\Program Files\SpywareStop\SpywareStop.exe -boot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: qomkhef - qomkhef.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
--
End of file - 10707 bytes
I know that I need some help. When I get on the internet the computer will automatically open new Internet Explorer windows and take me to various places. A common theme is a malware program that wants to scan my computer and tell me how infected I am, then wants me to purchase their product. I am currently running McAfee Security Suite that I got through Comcast, and I also purchased the Spybot program that I thought would help, but it finds the "vundo" or "conhook" viruses each time I run it. I select "clean infections" and it appears to clean them, but if I run the program again it finds the same errors. Most of them are "hkey"s. I had the online helper at Spybot attempt to help me and they ran some fixes, but to no avail; I still get the same "infections" when I run "spyware stop". A coworker in my computer department recommended I try this forum for help. Any ideas are appreciated.
Firstly, in order for our Experts to help you, you need to update 2 programs that are seriously OUT OF DATE! And VERY vulnerable. You must first go to Add/Remove Programs and remove your version of Sun Java! Also Adobe is seriously old! The easiest way to accomplish this is to go to Secunia.com; here is the link http://secunia.com/software_inspector/ and run the scan there. I also suspect that you think you have downloaded SpywareStop but it is indeed SpywareBot, and this is another can of worms, but I will leave this to our experts. You need to make certain your computer is up to date; this scan will let you know whether all patches, fixes and updates are needed or complete. Then you need to empty all unnecessary files, and the best way to do this is to download ATF Cleaner from Atribune.org; this is the link http://www.atribune.org/content/view/25/2/ choosing select all, then restart your computer and post a FRESH HJT log file. Then I am sure the Experts will take it from there. BTW, since you already use some McAfee products you should also use McAfee Site Advisor; then you would know when you are downloading from a genuine site, unlike the one you loaded, that SpywareStop thing, and ErrorKiller is a suspect also. Download here http://www.siteadvisor.com/ You may also take a look at this program http://www.winpatrol.com/download.html as it will keep your computer safe in real time, and BEST of all, the programs are all FREE!!!!
1. Remove OLD Sun Java Console
2. Go to Secunia and update
3. atribune.org and clean files
4. Restart
5. Run HJT and post a fresh log file
And wait patiently, as help is on the way!
Welcome to Landzdown, you have come to the right place!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:14 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SpywareStop\SpywareStop.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ErrorKiller\ErrorKiller.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: {ff0277a2-a8d8-51c8-5184-9907c063c8e3} - {3e8c360c-7099-4815-8c15-8d8a2a7720ff} - C:\WINDOWS\system32\sujwcorc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {DEA3F205-1844-418E-B3A9-19BF4F30AB2F} - C:\WINDOWS\system32\gebyv.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Popup Killer - {2D58DD23-2759-4C7B-9351-D68AF7D0D868} - C:\PROGRA~1\POPUPR~1\popup.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ErrorKiller] C:\Program Files\ErrorKiller\ErrorKiller.exe
O4 - HKLM\..\Run: [880dad0a] rundll32.exe "C:\WINDOWS\system32\bijfpagx.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpywareStop] C:\Program Files\SpywareStop\SpywareStop.exe -boot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: qomkhef - qomkhef.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
--
End of file - 11030 bytes
Here is my new log file. Thanks for the detailed instructions, they worked great.
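The thread's workflow is to compare a fresh HijackThis log against the previous one and to look first at a handful of entry types: items marked "(file missing)", BHOs with no readable name, Run keys that load a DLL through rundll32 from system32, and O20 Winlogon Notify hooks. The following is an added example (not part of the thread and not code from HijackThis or Trend Micro) showing a small parser that splits a log into the "Running processes" block and its R/O entries, flags entries by those heuristics, and diffs two logs. The flagging rules are triage heuristics I am assuming for illustration, not HijackThis's own logic; the two sample logs are constructed excerpts of the first and third logs posted in this thread.

```python
import re
from dataclasses import dataclass

# An HJT entry line looks like "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# A BHO whose *display name* is itself a GUID (see the sujwcorc.dll line) is unusual.
GUID_RE = re.compile(r"^\{[0-9a-fA-F-]{36}\}$")


@dataclass(frozen=True)
class Entry:
    code: str   # section code, e.g. "O2", "O20"
    body: str   # everything after "<code> - "

    def line(self) -> str:
        return f"{self.code} - {self.body}"


def parse_hjt(text: str):
    """Split a HijackThis log into (running processes, R/O entries)."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False            # first R/O entry ends the process block
            entries.append(Entry(m.group("code"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, entries


def flag_entry(e: Entry):
    """Return the list of triage reasons for one entry (empty if nothing stands out).

    These are assumed heuristics for this example, not HijackThis's own analysis."""
    reasons = []
    body_lc = e.body.lower()
    if "(file missing)" in body_lc:
        reasons.append("points at a file that no longer exists (leftover loader)")
    if e.code == "O2":
        name = e.body.split(" - ")[0]
        if name.startswith("BHO: "):
            name = name[len("BHO: "):]
        if name.lower() == "(no name)" or GUID_RE.match(name):
            reasons.append("browser helper object without a readable name")
    if e.code == "O4" and "rundll32.exe" in body_lc and "system32" in body_lc:
        reasons.append("Run key loads a DLL from system32 via rundll32")
    if e.code == "O20":
        if e.body.startswith("Winlogon Notify:"):
            reasons.append("Winlogon Notify hook (runs at logon, before the shell)")
        elif e.body.startswith("AppInit_DLLs:") and e.body.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs is populated (DLL injected into every GUI process)")
    return reasons


def triage(text: str):
    """All entries that trip at least one heuristic, as (line, reasons) pairs."""
    _, entries = parse_hjt(text)
    return [(e.line(), r) for e in entries if (r := flag_entry(e))]


def diff_logs(old_text: str, new_text: str):
    """Entries removed from and added to the log between two scans."""
    old = {e.line() for e in parse_hjt(old_text)[1]}
    new = {e.line() for e in parse_hjt(new_text)[1]}
    return sorted(old - new), sorted(new - old)


# Constructed excerpts of the thread's first and third logs.
LOG_A = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\rundll32.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: {ff0277a2-a8d8-51c8-5184-9907c063c8e3} - {3e8c360c-7099-4815-8c15-8d8a2a7720ff} - C:\WINDOWS\system32\sujwcorc.dll
O2 - BHO: (no name) - {DEA3F205-1844-418E-B3A9-19BF4F30AB2F} - C:\WINDOWS\system32\gebyv.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [880dad0a] rundll32.exe "C:\WINDOWS\system32\bijfpagx.dll",b
O20 - AppInit_DLLs:
O20 - Winlogon Notify: qomkhef - qomkhef.dll (file missing)
"""

LOG_B = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: qomkhef - qomkhef.dll (file missing)
"""

if __name__ == "__main__":
    for line, reasons in triage(LOG_A):
        print(line, "\n   ->", "; ".join(reasons))
    removed, added = diff_logs(LOG_A, LOG_B)
    print("removed since last scan:", *removed, sep="\n  ")
    print("added since last scan:", *added, sep="\n  ")
```

Running it on the two excerpts flags four entries in the first log (the GUID-named BHO, the nameless missing BHO, the rundll32 Run key and the Winlogon Notify hook) and only the Winlogon Notify hook in the later one, and the diff shows exactly which loader entries disappeared between scans, which is what a helper checks before deciding whether a cleanup actually took.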
Hi, trouble. Welcome to LandzDown Forum! Tell your co-worker thank you for recommending us to help. As you have already seen from the help from Niecarrah, the members of LzD all chip in.
With regard to ErrorKiller, it is a so-called registry cleaner with other options. Registry cleaners often do more harm than good. One false removal and you end up re-installing your system. This particular software has been seen frequently recommended on sites together with various rogue antispyware cleaners. In addition, Ben Edelman, a highly respected member of the security community, had this to report at McAfee Site Advisor (http://siteadvisor.pl/sites/errorkiller.com):
Quote: In http://www.benedelman.org/news/021408-1.html, I present a variety of false and deceptive advertising practices, and other troubling behaviors, by (and on behalf of) C-NetMedia, operator of this site.
Although the decision is yours, I would not have it on my computer.
Please follow these instructions carefully:
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Link 2: http://www.forospyware.com/sUBs/ComboFix.exe
Link 3: http://subs.geekstogo.com/ComboFix.exe
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you. - Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall. ONLY run ComboFix one time.
I removed ErrorKiller, thanks. I thought it was helping me. When I went to the Bleeping Computer site to read the instructions for combofix it tells me to go to Microsoft support and download a recovery console. I have the Windows XP Media edition 2002 that I received as a free upgrade from Dell when I purchased the computer. I cannot find the recovery console for this edition. Can I load the Home edition?
With XP Media edition, use the XP Professional recovery console.
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:37 PM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SpywareStop\SpywareStop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Popup Killer - {2D58DD23-2759-4C7B-9351-D68AF7D0D868} - C:\PROGRA~1\POPUPR~1\popup.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpywareStop] C:\Program Files\SpywareStop\SpywareStop.exe -boot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: qomkhef - qomkhef.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
--
End of file - 10255 bytes
The next one is the ComboFix log:
ComboFix 08-03-04.2 - Mark Neary 2008-03-05 22:22:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.154 [GMT -8:00]
Running from: C:\Documents and Settings\Mark Neary\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM8b3e9e96.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\beipunwv.dll
C:\WINDOWS\system32\bijfpagx.dll
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cdlpbnvv.dll
C:\WINDOWS\system32\cigrmgww.dll
C:\WINDOWS\system32\cvjmquxs.dll
C:\WINDOWS\system32\daSgo02
C:\WINDOWS\system32\elydsdny.dll
C:\WINDOWS\system32\eqdwxsco.dll
C:\WINDOWS\system32\fbabqyvm.ini
C:\WINDOWS\system32\inekuhqt.ini
C:\WINDOWS\system32\innuuuar.dll
C:\WINDOWS\system32\iswdmomq.dll
C:\WINDOWS\system32\kimcfocd.ini
C:\WINDOWS\system32\kqiunjfo.dll
C:\WINDOWS\system32\linyfgix.dll
C:\WINDOWS\system32\llebouhl.dll
C:\WINDOWS\system32\mbdwfnve.dll
C:\WINDOWS\system32\mbefvoml.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mehvbwsy.dll
C:\WINDOWS\system32\ocsxwdqe.ini
C:\WINDOWS\system32\osbxvved.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ppppiphf.dll
C:\WINDOWS\system32\rauuunni.ini
C:\WINDOWS\system32\rrneefsu.dll
C:\WINDOWS\system32\spqdxpek.dll
C:\WINDOWS\system32\suhgrfqb.dll
C:\WINDOWS\system32\sujwcorc.dll
C:\WINDOWS\system32\sxuqmjvc.ini
C:\WINDOWS\system32\tnrnsime.dll
C:\WINDOWS\system32\tqhukeni.dll
C:\WINDOWS\system32\vybeg.bak1
C:\WINDOWS\system32\vybeg.bak2
C:\WINDOWS\system32\vybeg.ini
C:\WINDOWS\system32\vybeg.ini2
C:\WINDOWS\system32\xgapfjib.ini
C:\WINDOWS\system32\xuvbilek.dll
C:\WINDOWS\system32\yaddrhwl.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.
2008-03-02 23:16 . 2008-03-02 23:16 <DIR> d-------- C:\Documents and Settings\Mark Neary\Application Data\Talkback
2008-03-02 23:15 . 2008-03-02 23:15 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-02 23:15 . 2008-03-02 23:15 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-02 23:08 . 2008-03-02 23:09 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-03-02 22:58 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-02 22:57 . 2008-03-02 22:57 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-02 07:58 . 2008-03-02 07:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-27 21:58 . 2008-03-03 20:31 <DIR> d-------- C:\Program Files\SpywareStop
2008-02-27 21:58 . 2008-03-03 20:31 <DIR> d-------- C:\Documents and Settings\Mark Neary\Application Data\SpywareStop
2008-02-27 21:58 . 2008-02-21 12:10 19,696 --a------ C:\WINDOWS\system32\drivers\spywarestop.sys
2008-02-27 20:52 . 2008-02-27 20:52 <DIR> d-------- C:\VundoFix Backups
2008-02-27 20:45 . 2008-02-27 20:45 3,632 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-27 20:27 . 2008-02-28 15:32 <DIR> d-------- C:\WINDOWS\LMI38.tmp
2008-02-27 20:11 . 2008-02-28 19:42 2,617,194 ---hs---- C:\WINDOWS\system32\ebiggsnr.ini
2008-02-27 19:26 . 2008-02-27 19:26 0 --a------ C:\WINDOWS\system32\wsiwevjh.tmp
2008-02-26 20:12 . 2008-02-27 19:25 2,613,179 ---hs---- C:\WINDOWS\system32\wsiwevjh.ini
2008-02-24 20:08 . 2008-02-25 17:41 2,214 ---hs---- C:\WINDOWS\system32\nuapoaxr.ini
2008-02-21 19:59 . 2008-02-24 20:08 2,949,786 ---hs---- C:\WINDOWS\system32\kqbonsod.ini
2008-02-20 19:54 . 2008-02-21 17:33 2,230,313 ---hs---- C:\WINDOWS\system32\vmovleua.ini
2008-02-18 19:53 . 2008-02-19 21:35 1,973,204 ---hs---- C:\WINDOWS\system32\pjwujcjk.ini
2008-02-14 17:22 . 2008-02-14 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-02-12 17:30 . 2008-02-13 07:32 1,853,495 ---hs---- C:\WINDOWS\system32\djalfxlc.ini
2008-02-12 17:24 . 2008-02-12 17:24 53,312 --a------ C:\WINDOWS\system32\gvbbmmsd.exe
2008-02-09 15:57 . 2008-02-12 17:25 2,088,007 ---hs---- C:\WINDOWS\system32\llnbfitw.ini
2008-02-09 15:51 . 2008-02-09 15:51 53,312 --a------ C:\WINDOWS\system32\dvsqyjfv.exe
2008-02-08 15:50 . 2008-02-08 15:50 53,312 --a------ C:\WINDOWS\system32\uuxwpqne.exe
2008-02-06 15:49 . 2008-02-08 15:48 1,704,439 ---hs---- C:\WINDOWS\system32\ovgnwxmf.ini
2008-02-06 15:49 . 2008-02-06 15:49 53,312 --a------ C:\WINDOWS\system32\qeyocycp.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 13:47 --------- d-----w C:\Program Files\ErrorKiller
2008-03-04 04:31 --------- d-----w C:\Documents and Settings\Mark Neary\Application Data\ErrorKiller
2008-03-03 07:15 --------- d-----w C:\Program Files\Real
2008-03-03 07:14 --------- d-----w C:\Program Files\Common Files\Real
2008-03-03 06:58 --------- d-----w C:\Program Files\Java
2008-03-03 06:48 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-28 02:44 --------- d-----w C:\Documents and Settings\Mark Neary\Application Data\SpywareBot
2008-02-26 05:09 --------- d-----w C:\Program Files\McAfee
2008-02-25 19:13 --------- d-----w C:\Documents and Settings\Michelle Neary\Application Data\ErrorKiller
2008-02-06 17:51 171,400 ----a-w C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-30 04:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 04:56 --------- d-----w C:\Program Files\Dell Games
2008-01-30 04:55 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-01-30 04:54 --------- d-----w C:\Program Files\Dell
2008-01-28 05:03 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-14 16:32 --------- d-----w C:\Program Files\Lavasoft
2008-01-14 16:32 --------- d-----w C:\Documents and Settings\Mark Neary\Application Data\Lavasoft
2008-01-14 16:30 --------- d-----w C:\Program Files\PopupRadar
2008-01-13 17:58 --------- d-----w C:\Documents and Settings\Michelle Neary\Application Data\SpywareBot
2007-12-24 00:17 581,488 ----a-w C:\MCPR.exe
2006-11-07 01:54 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-01 17:48 68856]
"SpywareStop"="C:\Program Files\SpywareStop\SpywareStop.exe" [2008-02-25 12:54 6792432]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 12:01 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 22:20 339968 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 05:56 139264]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 19:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 14:19 53248]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 08:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44 81920]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 14:34 106496]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 04:33 122941]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 01:41 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-02 23:14 185896]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomkhef]
qomkhef.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
R0 spywarestop;spywarestop;C:\WINDOWS\system32\DRIVERS\spywarestop.sys [2008-02-21 12:10]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-03 23:36:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-04 11:30:01 C:\WINDOWS\Tasks\ErrorKiller Scheduled Scan.job"
- C:\Program Files\ErrorKiller\ErrorKiller.ex
- C:\Program Files\ErrorKiller
"2007-12-24 00:34:53 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-02-01 09:00:14 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-03-04 11:00:01 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
"2008-03-06 06:27:56 C:\WINDOWS\Tasks\SpywareStop Scheduled Scan.job"
- C:\Program Files\SpywareStop\SpywareStop.ex
- C:\Program Files\SpywareStop
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 22:27:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-03-05 22:30:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-06 06:30:07
.
2007-12-13 07:23:01 --- E O F ---
Thanks again for the detailed instructions.
I ran the Spybot software and it did not detect the Vundo or the Conhook viruses. Does this mean I am fixed? If so, I sure appreciate your help.
Ah, no, your nickname is still most suitable as you still have plenty of trouble on that machine. We won't be finished here until you're given the "all clean" message.
In the meantime, I am researching your log and putting together the next steps for you to follow.
Hi, trouble.
Please note that it is extremely important that you follow the instructions carefully and in the order presented. There will be additional steps after this, so be sure to post your logs and await further instructions.
Custom CFScript
- Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Quote
File::
C:\WINDOWS\imsins.BAK
C:\Documents and Settings\Mark Neary\Application Data\SpywareStop
C:\WINDOWS\system32\drivers\spywarestop.sys
C:\WINDOWS\LMI38.tmp
C:\WINDOWS\system32\ebiggsnr.ini
C:\WINDOWS\system32\wsiwevjh.tmp
C:\WINDOWS\system32\wsiwevjh.ini
C:\WINDOWS\system32\nuapoaxr.ini
C:\WINDOWS\system32\kqbonsod.ini
C:\WINDOWS\system32\vmovleua.ini
C:\WINDOWS\system32\pjwujcjk.ini
C:\WINDOWS\system32\djalfxlc.ini
C:\WINDOWS\system32\gvbbmmsd.exe
C:\WINDOWS\system32\llnbfitw.ini
C:\WINDOWS\system32\dvsqyjfv.exe
C:\WINDOWS\system32\uuxwpqne.exe
C:\WINDOWS\system32\ovgnwxmf.ini
C:\WINDOWS\system32\qeyocycp.exe
C:\WINDOWS\system32\qomkhef.dll
C:\MCPR.exe
C:\WINDOWS\Tasks\ErrorKiller Scheduled Scan.job
C:\WINDOWS\Tasks\SpywareStop Scheduled Scan.job
Folder::
C:\Program Files\SpywareStop
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomkhef]
Driver::
spywarestop
- Save this as CFScript.txt and place it on your desktop.
- Close any open browsers
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[Screenshot: http://i266.photobucket.com/albums/ii277/sUBs_/CFScript.gif]
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply along with a fresh HijackThis log.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
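The triage behind the script above comes down to a handful of pattern checks on the logs: eight-letter random names in system32 (the Vundo-style droppers listed under "Other Deletions"), a Winlogon Notify entry pointing at a missing DLL, Security Center notifications switched off, the Windows Firewall disabled, an AutoRun command on a mount point, and orphaned entries. As an added example, not a tool from this thread or from the ComboFix/HijackThis authors, here is a small Python script that applies those checks to log lines. The sample lines are constructed, modelled on the logs posted above; the rule names, severities, `KNOWN_GOOD` list and the reversed-name pairing heuristic are assumptions of this example.

```python
"""Triage heuristics for HijackThis / ComboFix log lines (added example)."""
import re
from typing import Dict, List, NamedTuple, Set


class Finding(NamedTuple):
    severity: str   # "high", "medium" or "info"
    rule: str
    line: str


# Eight random lowercase letters in system32 matches the Vundo-style files in
# this thread. A few real Windows binaries also have eight-letter names, so
# keep a small allowlist; treat any hit as a lead to verify (hash lookup,
# file properties), not as proof.
RANDOM_SYS32 = re.compile(r"\\[sS]ystem32\\(?:drivers\\)?([a-z]{8})\.(dll|ini|exe|tmp)\b")
KNOWN_GOOD = frozenset({"services", "winlogon", "userinit", "mshtmled", "imagehlp"})

WINLOGON_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (\S+) - (\S+)(.*)$")
FILE_MISSING = re.compile(r"^O(2|3|9|20) - .*\(file missing\)\s*$")
UNKNOWN_OWNER = re.compile(r"^O23 - Service: .* - Unknown owner - ")
SECCENTER_OFF = re.compile(
    r'^"(AntiVirusDisableNotify|FirewallDisableNotify|UpdatesDisableNotify|DisableMonitoring)"=dword:0*1$')
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
AUTORUN_CMD = re.compile(r"\\Shell\\AutoRun\\command - (.+)$", re.IGNORECASE)


def triage(log_text: str) -> List[Finding]:
    """Run every rule over each line and return the findings in log order."""
    findings: List[Finding] = []
    stems: Dict[str, Set[str]] = {}   # stem -> extensions seen, for the pairing check
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RANDOM_SYS32.search(line)
        if m and m.group(1) not in KNOWN_GOOD:
            stems.setdefault(m.group(1), set()).add(m.group(2).lower())
            findings.append(Finding("high", "random-name-system32", line))
        m = WINLOGON_NOTIFY.match(line)
        if m:
            # Any Winlogon Notify DLL loads into winlogon.exe at logon; one that
            # is already gone is a leftover of something that was there.
            sev = "high" if "(file missing)" in line else "medium"
            findings.append(Finding(sev, "winlogon-notify", line))
        elif FILE_MISSING.match(line):
            findings.append(Finding("info", "orphan-entry", line))
        if UNKNOWN_OWNER.match(line):
            findings.append(Finding("medium", "service-unknown-owner", line))
        if SECCENTER_OFF.match(line):
            findings.append(Finding("medium", "security-center-notify-off", line))
        if FIREWALL_OFF.match(line):
            findings.append(Finding("medium", "windows-firewall-off", line))
        if AUTORUN_CMD.search(line):
            findings.append(Finding("medium", "mountpoint-autorun", line))
    # Heuristic (assumption of this example): droppers of this family often
    # wrote an .ini whose stem is the companion DLL's stem reversed.
    for stem, exts in stems.items():
        if "ini" in exts and "dll" in stems.get(stem[::-1], set()):
            findings.append(Finding("high", "reversed-name-pair",
                                    f"{stem}.ini <-> {stem[::-1]}.dll"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample, modelled on the HijackThis and ComboFix output above.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O20 - Winlogon Notify: qomkhef - qomkhef.dll (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
C:\WINDOWS\system32\beipunwv.dll
C:\WINDOWS\system32\wsiwevjh.ini
C:\WINDOWS\system32\hjvewisw.dll
C:\WINDOWS\system32\javacpl.cpl
C:\WINDOWS\system32\services.exe
"AntiVirusDisableNotify"=dword:00000001
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
\Shell\AutoRun\command - E:\setup.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule:28} {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Two caveats a practitioner would apply before acting on the output: the Security Center `DisableMonitoring` values and `EnableFirewall=0` are commonly set by a third-party suite that takes over those roles (this machine runs McAfee Personal Firewall), so they are prompts to verify rather than evidence of tampering; and a random-name hit should be confirmed against file metadata or a hash lookup before it goes into a CFScript, since the script deletes whatever it is given.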
ComboFix log is as follows:
ComboFix 08-03-04.2 - Mark Neary 2008-03-07 21:42:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.181 [GMT -8:00]
Running from: C:\Documents and Settings\Mark Neary\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark Neary\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Documents and Settings\Mark Neary\Application Data\SpywareStop
C:\MCPR.exe
C:\WINDOWS\imsins.BAK
C:\WINDOWS\LMI38.tmp
C:\WINDOWS\system32\djalfxlc.ini
C:\WINDOWS\system32\drivers\spywarestop.sys
C:\WINDOWS\system32\dvsqyjfv.exe
C:\WINDOWS\system32\ebiggsnr.ini
C:\WINDOWS\system32\gvbbmmsd.exe
C:\WINDOWS\system32\kqbonsod.ini
C:\WINDOWS\system32\llnbfitw.ini
C:\WINDOWS\system32\nuapoaxr.ini
C:\WINDOWS\system32\ovgnwxmf.ini
C:\WINDOWS\system32\pjwujcjk.ini
C:\WINDOWS\system32\qeyocycp.exe
C:\WINDOWS\system32\qomkhef.dll
C:\WINDOWS\system32\uuxwpqne.exe
C:\WINDOWS\system32\vmovleua.ini
C:\WINDOWS\system32\wsiwevjh.ini
C:\WINDOWS\system32\wsiwevjh.tmp
C:\WINDOWS\Tasks\ErrorKiller Scheduled Scan.job
C:\WINDOWS\Tasks\SpywareStop Scheduled Scan.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\MCPR.exe
C:\Program Files\SpywareStop
C:\Program Files\SpywareStop\DataBase.ref
C:\Program Files\SpywareStop\Difxapi.dll
C:\Program Files\SpywareStop\FilterDrv\SpywareBot.cat
C:\Program Files\SpywareStop\FilterDrv\SpywareBot.inf
C:\Program Files\SpywareStop\FilterDrv\SpywareStop.amd64.sys
C:\Program Files\SpywareStop\FilterDrv\SpywareStop.cat
C:\Program Files\SpywareStop\FilterDrv\SpywareStop.inf
C:\Program Files\SpywareStop\FilterDrv\SpywareStop.x86.sys
C:\Program Files\SpywareStop\Launcher.exe
C:\Program Files\SpywareStop\SpyCleaner.dll
C:\Program Files\SpywareStop\SpywareStop.exe
C:\Program Files\SpywareStop\SpywareStop.url
C:\Program Files\SpywareStop\TCL.dll
C:\Program Files\SpywareStop\vistaCPtasks.xml
C:\Program Files\SpywareStop\zlib.dll
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\djalfxlc.ini
C:\WINDOWS\system32\drivers\spywarestop.sys
C:\WINDOWS\system32\dvsqyjfv.exe
C:\WINDOWS\system32\ebiggsnr.ini
C:\WINDOWS\system32\gvbbmmsd.exe
C:\WINDOWS\system32\kqbonsod.ini
C:\WINDOWS\system32\llnbfitw.ini
C:\WINDOWS\system32\nuapoaxr.ini
C:\WINDOWS\system32\ovgnwxmf.ini
C:\WINDOWS\system32\pjwujcjk.ini
C:\WINDOWS\system32\qeyocycp.exe
C:\WINDOWS\system32\uuxwpqne.exe
C:\WINDOWS\system32\vmovleua.ini
C:\WINDOWS\system32\wsiwevjh.ini
C:\WINDOWS\system32\wsiwevjh.tmp
C:\WINDOWS\system32\zmmfqvpd.dllbox
C:\WINDOWS\Tasks\ErrorKiller Scheduled Scan.job
C:\WINDOWS\Tasks\SpywareStop Scheduled Scan.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_SPYWARESTOP
-------\spywarestop
((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.
2008-03-02 23:16 . 2008-03-02 23:16 <DIR> d-------- C:\Documents and Settings\Mark Neary\Application Data\Talkback
2008-03-02 23:15 . 2008-03-02 23:15 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-02 23:15 . 2008-03-02 23:15 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-02 22:58 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-02 22:57 . 2008-03-02 22:57 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-02 07:58 . 2008-03-02 07:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-27 21:58 . 2008-03-03 20:31 <DIR> d-------- C:\Documents and Settings\Mark Neary\Application Data\SpywareStop
2008-02-27 20:52 . 2008-02-27 20:52 <DIR> d-------- C:\VundoFix Backups
2008-02-27 20:45 . 2008-02-27 20:45 3,632 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-27 20:27 . 2008-02-28 15:32 <DIR> d-------- C:\WINDOWS\LMI38.tmp
2008-02-14 17:22 . 2008-02-14 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 13:47 --------- d-----w C:\Program Files\ErrorKiller
2008-03-04 04:31 --------- d-----w C:\Documents and Settings\Mark Neary\Application Data\ErrorKiller
2008-03-03 07:15 --------- d-----w C:\Program Files\Real
2008-03-03 07:14 --------- d-----w C:\Program Files\Common Files\Real
2008-03-03 06:58 --------- d-----w C:\Program Files\Java
2008-03-03 06:48 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-28 02:44 --------- d-----w C:\Documents and Settings\Mark Neary\Application Data\SpywareBot
2008-02-26 05:09 --------- d-----w C:\Program Files\McAfee
2008-02-25 19:13 --------- d-----w C:\Documents and Settings\Michelle Neary\Application Data\ErrorKiller
2008-02-06 17:51 171,400 ----a-w C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-30 04:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 04:56 --------- d-----w C:\Program Files\Dell Games
2008-01-30 04:55 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-01-30 04:54 --------- d-----w C:\Program Files\Dell
2008-01-28 05:03 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-14 16:32 --------- d-----w C:\Program Files\Lavasoft
2008-01-14 16:32 --------- d-----w C:\Documents and Settings\Mark Neary\Application Data\Lavasoft
2008-01-14 16:30 --------- d-----w C:\Program Files\PopupRadar
2008-01-13 17:58 --------- d-----w C:\Documents and Settings\Michelle Neary\Application Data\SpywareBot
2006-11-07 01:54 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-01 17:48 68856]
"SpywareStop"="C:\Program Files\SpywareStop\SpywareStop.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 12:01 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 22:20 339968 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 05:56 139264]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 19:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 14:19 53248]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 08:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44 81920]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 14:34 106496]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 04:33 122941]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 01:41 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-02 23:14 185896]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-03 23:36:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-24 00:34:53 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-02-01 09:00:14 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-03-04 11:00:01 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 21:46:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-03-07 21:50:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-08 05:50:19
ComboFix2.txt 2008-03-06 06:30:12
.
2007-12-13 07:23:01 --- E O F ---
The HijackThis log is as follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:17 PM, on 3/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Popup Killer - {2D58DD23-2759-4C7B-9351-D68AF7D0D868} - C:\PROGRA~1\POPUPR~1\popup.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpywareStop] C:\Program Files\SpywareStop\SpywareStop.exe -boot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
--
End of file - 10222 bytes
I guess I picked the right sign-on name. Thank you again for the help. I like these easy-to-follow directions.
We'll end your trouble -- but perhaps not mine. I keep managing to close the tab when I have your instructions almost completed. I did it the other day and again tonight. I think that is why I missed tmp.reg. Let's take care of that and then do a KAV scan and see how your computer is working.
Custom CFScript
- Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
File::
C:\WINDOWS\system32\tmp.reg
- Save this as CFScript.txt and place it on your desktop.
- Close any open browsers
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(Screenshot: http://i266.photobucket.com/albums/ii277/sUBs_/CFScript.gif)
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Establish an internet connection & perform an online scan with Internet Explorer at
Kaspersky Online Scanner (http://www.kaspersky.co.uk/virusscanner)
Answer Yes, when prompted to install an ActiveX component.
- The program will then begin downloading the latest definition files.
- Once the files have been downloaded click on NEXT
- Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
- Scan Options:
- Scan Archives
- Scan Mail Bases
- Click OK & have it scan My Computer
- Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
- Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan *
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.
=====================
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
=====================
Logs Required
ComboFix Log
Kaspersky Scan Log
Hijackthis Log
Ok, looks like I still have some problems. Attached are all of the reports you requested.
Kaspersky report
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 09, 2008 11:52:23 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/03/2008
Kaspersky Anti-Virus database records: 618846
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan Statistics:
Total number of scanned objects: 86355
Number of viruses found: 6
Number of infected objects: 41
Number of suspicious objects: 0
Duration of the scan process: 00:53:47
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{8700256C-A6E3-4AD3-A0EE-A9E7AB14E3EB}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\247624e70eb4de53817858264d24ea48_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Adobe\Acrobat\6.0\AcroForm\MRUFormsList Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Adobe\Acrobat\6.0\Collab\OfflineDocs Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Adobe\Acrobat\6.0\Collab\Reviews Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Adobe\Acrobat\6.0\TMGrpPrm.sav Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Adobe\Acrobat\6.0\Updater\udstore.js Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Apple Computer\iTunes\iTunesPrefs.xml Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Apple Computer\QuickTime\QTPlayerSession.xml Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\bluterra.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\greenbrk.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\hatch.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\lace1.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\lace2.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\marble1.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\marble2.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\oil1.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\oil2.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\paper1.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\paper2.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\pine.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\poly.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\poplar.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\qw12EN.wpt Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\rock.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\stucco1.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\stucco2.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\tile.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\water.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\wp12US.wpt Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\wrinkle.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\XML\app-a50.wpt Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\XML\app-d30.wpt Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\XML\docbook2.wpt Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\XML\docbook3.wpt Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\XML\html.wpt Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\XML\html32ip.wpt Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\XML\html3_2.wpt Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\XML\overview.wpt Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\XML\sample1.wpt Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\XML\sample2.wpt Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\XML\teilite.wpt Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\XML\XML.wpt Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\XML\xmlnews.wpt Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectExpert\12\Custom WP Templates\_autotmp.wpx Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\ABBREV.WCM Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\adrs2mrg.wcm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\ALLFONTS.WCM Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\checkbox.wcm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\closeall.wcm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\CTRLM.WCM Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\cvtdocs12.wcm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\DCConvert.wcm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\ender01.wpg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\ender02.wpg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\ender03.wpg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\ender04.wpg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\ender05.wpg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\ender06.wpg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\ender07.wpg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\ender08.wpg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\ender09.wpg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\ender10.wpg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\endfoot.wcm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\EXPNDALL.WCM Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\FILESTMP.WCM Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\flipenv.wcm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\FONTDN.WCM Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\FONTUP.WCM Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\footend.wcm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\LONGNAME.WCM Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\nomacro.wcm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\PARABRK.WCM Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\pleading.wcm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\prompts.wcm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\reverse.wcm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\saveall.wcm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\SAVETOA.WCM Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\tconvert.wcm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\uawp12EN.wcm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\wp_org.wcm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\PerfectScript\12\WordPerfect\wp_pr.wcm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\WordPerfect\12\Labels\apli_eng.lab Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\WordPerfect\12\Labels\Avery Labels A4.lab Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\WordPerfect\12\Labels\Avery Labels EN.lab Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\WordPerfect\12\Labels\c-line.lab Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\WordPerfect\12\Labels\Herma_e.lab Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\WordPerfect\12\Labels\maco.lab Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\WordPerfect\12\Labels\Tower.lab Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\WordPerfect\12\Labels\WilsonJ.lab Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\WordPerfect Office 12\User Config\CdrConv.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\WordPerfect Office 12\User Config\Color.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\WordPerfect Office 12\User Config\CorelApp.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\WordPerfect Office 12\User Config\Corelflt.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\WordPerfect Office 12\User Config\corelpdf.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel\WordPerfect Office 12\User Config\filters.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Corel Photo Album\6\ixdb.mdb Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\desktop.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\ErrorKiller\Log\2008 Feb 21 - 02_58_11 PM_937.log Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\ErrorKiller\Log\2008 Feb 21 - 02_59_05 PM_375.log Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\ErrorKiller\Log\2008 Feb 21 - 04_57_37 PM_046.log Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\gtny\88D7456F-2D0E-40AA-BDBC-7BC292A1FF1A_CONFIRM.cache Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch1\persist.cfg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch2\persist.cfg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch3\persist.cfg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch4\persist.cfg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\channels.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\chdata\chdata.cfg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\chn.pk Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\CIP\TransferAgentSetup.exe Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\CIPInfo\1157.cin Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1004.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1027.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1028.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1029.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1030.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1043.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1061.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1062.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1064.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1094.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1095.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1096.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1097.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1112.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1114.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1117.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1118.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1120.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1122.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1124.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1125.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1128.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1131.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1133.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1134.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1138.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1141.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1142.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1145.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1146.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1150.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1152.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1157.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1300.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\1301.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\516.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\519.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\526.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\527.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\528.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\579.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\580.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\587.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\632.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\699.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\701.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\703.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\706.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\716.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\745.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\752.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\758.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\759.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\793.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\794.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\798.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\800.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\801.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\804.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\809.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\810.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\812.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\832.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\840.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\846.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\848.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\873.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\879.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\880.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\883.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\884.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\885.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\886.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\887.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\888.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\889.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\901.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\902.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\903.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\905.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\906.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\907.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\908.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\909.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\910.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\911.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\912.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\914.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\915.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\916.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\917.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\918.ucl Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\Config\channel.cfg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\dplugins\2.0.1.571\DiagPlugin.dll Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\config\groups.js Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\config\ocxid.js Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\diag\bios.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\diag\computer_models.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\diag\DAntivirus.cfg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\diag\dell_inspiron_service_tag.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\diag\dell_printers.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\diag\dvd.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\diag\inspiron_172X.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\diag\popup.sini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\diag\printers.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\diag\trojan.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\diag\vista_capbale_models.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\faqs\10675121.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\faqs\10886371.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\faqs\122779.html Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\faqs\696.htm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\faqs\697.htm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\faqs\global.css Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\faqs\globe.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\faqs\title.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\fix\arg.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\fix\DellSupportLauncher.exe Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\group_icon\security\icon.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\group_icon\system\icon.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\html\blank.htm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\html\confirm.htm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\html\gtagent_events.vbs Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\html\index.htm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\html\moreinfo.htm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\html\noitems.htm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\html\senddata.htm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\html\statinfo.htm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\html\survey.htm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\html\wait.htm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\bg.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\but_a.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\but_b.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\close_a.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\close_b.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\close_c.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\count_bg.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\delete_a.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\delete_b.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\delete_c.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\delete_d.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\dialog_strip.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\dialog_title.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\first_a.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\first_b.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\first_c.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\first_d.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\fix_abort.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\fix_fail.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\fix_ok.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\help_a.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\help_b.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\help_c.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\last_a.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\last_b.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\last_c.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\last_d.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\left_but_a.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\left_but_b.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\min_a.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\min_b.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\min_c.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\msg_bg.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\next_a.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\next_a2.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\next_b.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\next_c.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\next_d.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\noproblems.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\prev_a.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\prev_b.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\prev_c.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\prev_d.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\right_but_a.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\right_but_b.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\settings_a.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\settings_b.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\settings_c.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\spacer.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\images\wait.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\index.htm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\agent_infolet_exe.htm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\ab.ppk Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\AdpUtil.js Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Adp_GUI.js Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Common\adpicon.ico Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Common\button_cirlce.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Common\button_disable.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Common\Chimes.wav Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Common\close_popup.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Common\close_popup_over.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Common\dot.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Common\Ending_v.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Common\Ending_x.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Common\field_bar.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Common\inprogress.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Common\installing.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Common\logo.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Common\main_bar.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Common\mini_logo.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Common\mini_topbar.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Common\Notify.wav Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Common\progress_bg.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Common\progress_slice.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Common\topbar.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\De\Generic.css Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\De\global_adp_Text.xml Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\En\Generic.css Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\En\global_adp_Text.xml Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Es\Generic.css Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Es\global_adp_Text.xml Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Fr\Generic.css Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Fr\global_adp_Text.xml Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\ImgOver.js Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Initialize.js Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\It\Generic.css Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\It\global_adp_Text.xml Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Jp\Generic.css Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Jp\global_adp_Text.xml Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Ko\Generic.css Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Ko\global_adp_Text.xml Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\main.htm Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Nl\Generic.css Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Nl\global_adp_Text.xml Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\popupMsg.js Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\PtB\Generic.css Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\PtB\global_adp_Text.xml Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Query.js Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Sv\Generic.css Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Sv\global_adp_Text.xml Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Wrapper.js Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Zh\Generic.css Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\Zh\global_adp_Text.xml Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\ZhT\Generic.css Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\adpglobal\ZhT\global_adp_Text.xml Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\ccnotify.cfg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\cybercoach.cfg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\enginecf_ver.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\glfs\default.glf Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\glfs\Dell.glf Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\abort.trn Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\cloak.trn Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\De_LibText.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\En_LibText.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\errorlib.trn Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\Es_LibText.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\Fr_LibText.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\func.trn Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\generic.trn Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\getmaindriver.trn Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\It_LibText.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\Jp_LibText.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\Ko_LibText.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\mini.trn Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\Nl_LibText.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\oeonwindows.trn Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\outlookexpress.trn Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\PtB_LibText.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\Sv_LibText.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\taskbarandstartmenu.trn Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\xsystray.trn Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\ZhT_LibText.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\LibDir\Zh_LibText.ini Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\configuration\trainer.ppk Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\lessons\1.gdpb Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\lessons\DeleteTempFolder.gdpb Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\lessons\DeleteWow6432Node.gdpb Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\lessons\DisableHDAutorun.gdpb Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\lessons\Dl_DriverReset.gdpb Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\lessons\Dl_PwrMngUtil.gdpb Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\lessons\EnableAutomaticUpdates.gdpb Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\lessons\EnablePopupBlocker.gdpb Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\lessons\LimitExcelMacro.gdpb Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\lessons\LimitPwrPointMacro.gdpb Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\lessons\LimitWordMacro.gdpb Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\lessons\SetDefaultPrinter.gdpb Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\lessons\SetXPFirewall.gdpb Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\lessons\Spool_ActivateService.gdpb Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\lessons\StartupLinkage.gdpb Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\lessons\TurnOnSystemRestore.gdpb Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\lessons\UnInst_Delport.gdpb Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\lessons\UnInst_WinIK.gdpb Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\lessons\VM_SystemManagedSize.gdpb Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\lessons\VM_UserManagedSize.gdpb Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\RunGdp.exe Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\coach\RunGdpCfg.cfg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\common\images\items_img\application.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\common\images\items_img\autorun.jpg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\common\images\items_img\CD.jpg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\common\images\items_img\datasafe.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\common\images\items_img\dell_recommends.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\common\images\items_img\driver.jpg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\common\images\items_img\dsc2.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\common\images\items_img\dvd.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\common\images\items_img\extend_warranty.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\common\images\items_img\firewall.jpg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\common\images\items_img\flash.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\common\images\items_img\internet.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\common\images\items_img\internet_security_general.jpg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\common\images\items_img\java.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\common\images\items_img\memory.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\common\images\items_img\memory.jpg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\common\images\items_img\monitor.gif Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\common\images\items_img\Msexcel2.jpg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\common\images\items_img\MSpowerpoint2.jpg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\common\images\items_img\MSword2.jpg Object is locked skipped
C:\Documents and Settings\Austin Neary\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\HTML\item_templ\common\images\items_img\music.jpg Object is locked skipped
C:\Documents and S
I was making sure it posted and it looks like the log reports got cut off. Maybe they are too big, so I will post one at a time.
Kaspersky report
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 09, 2008 11:52:23 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/03/2008
Kaspersky Anti-Virus database records: 618846
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan Statistics:
Total number of scanned objects: 86355
Number of viruses found: 6
Number of infected objects: 41
Number of suspicious objects: 0
Duration of the scan process: 00:53:47
{Duplicate data edited out by Corrine.}
Yes, the log is too large to get at one time. I need to see the full Kaspersky log to determine if the findings are in the ComboFix quarantine, your Antivirus quarantine, etc. Can you attach the Kaspersky log and post the ComboFix and HJT logs, please?
To attach, click Additional Options and browse to the location of the KAV log.
I have a ton of temp files on one of my directories that makes the file huge. I will try and split it up in a couple of files and see if it works.
Sorry for the hassle.
1st half
[attachment deleted by admin]
2nd part
[attachment deleted by admin]
3rd part. I obviously have a ton of temp files that were created on one of the directories. Sorry for the hassle of this huge file.
[attachment deleted by admin]
Here is a fresh HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:17 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Popup Killer - {2D58DD23-2759-4C7B-9351-D68AF7D0D868} - C:\PROGRA~1\POPUPR~1\popup.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpywareStop] C:\Program Files\SpywareStop\SpywareStop.exe -boot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
--
End of file - 10600 bytes
I cannot find the ComboFix log. Can I rerun the last process and then post it?
Look for the Combofix log here:
C:\ComboFix.txt
Thank you! ComboFix log:
ComboFix 08-03-04.2 - Mark Neary 2008-03-09 10:17:48.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.229 [GMT -7:00]
Running from: C:\Documents and Settings\Mark Neary\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark Neary\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\system32\tmp.reg
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\tmp.reg
.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.
2008-03-03 00:16 . 2008-03-03 00:16 <DIR> d-------- C:\Documents and Settings\Mark Neary\Application Data\Talkback
2008-03-03 00:15 . 2008-03-03 00:15 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-03 00:15 . 2008-03-03 00:15 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-02 23:58 . 2007-09-25 00:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-02 23:57 . 2008-03-02 23:57 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-02 08:58 . 2008-03-02 08:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-27 22:58 . 2008-03-03 21:31 <DIR> d-------- C:\Documents and Settings\Mark Neary\Application Data\SpywareStop
2008-02-27 21:52 . 2008-02-27 21:52 <DIR> d-------- C:\VundoFix Backups
2008-02-27 21:27 . 2008-02-28 16:32 <DIR> d-------- C:\WINDOWS\LMI38.tmp
2008-02-14 18:22 . 2008-02-14 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 08:00 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-08 06:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-08 06:54 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-08 06:43 --------- d-----w C:\Program Files\TurboTax
2008-03-05 02:40 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-04 13:47 --------- d-----w C:\Program Files\ErrorKiller
2008-03-04 04:31 --------- d-----w C:\Documents and Settings\Mark Neary\Application Data\ErrorKiller
2008-03-03 07:15 --------- d-----w C:\Program Files\Real
2008-03-03 07:14 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-03 07:14 --------- d-----w C:\Program Files\Common Files\Real
2008-03-03 06:58 --------- d-----w C:\Program Files\Java
2008-02-28 02:44 --------- d-----w C:\Documents and Settings\Mark Neary\Application Data\SpywareBot
2008-02-26 05:09 --------- d-----w C:\Program Files\McAfee
2008-02-25 19:13 --------- d-----w C:\Documents and Settings\Michelle Neary\Application Data\ErrorKiller
2008-02-06 17:51 171,400 ----a-w C:\WINDOWS\system32\drivers\mfehidk.sys
2008-02-04 04:54 53,312 ----a-w C:\WINDOWS\system32\eemtogwl.exe
2008-02-02 12:50 96,832 ----a-w C:\WINDOWS\system32\tdpeilfj.dll
2008-02-02 12:47 53,312 ----a-w C:\WINDOWS\system32\pojdacuo.exe
2008-02-01 00:45 53,312 ----a-w C:\WINDOWS\system32\nmaflglt.exe
2008-01-30 04:56 --------- d-----w C:\Program Files\Dell Games
2008-01-30 04:55 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-01-30 04:54 --------- d-----w C:\Program Files\Dell
2008-01-30 00:44 53,312 ----a-w C:\WINDOWS\system32\eumfuoxo.exe
2008-01-28 05:03 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-28 00:37 53,312 ----a-w C:\WINDOWS\system32\serofpnb.exe
2008-01-27 00:37 53,312 ----a-w C:\WINDOWS\system32\ivhsagsw.exe
2008-01-26 00:41 53,312 ----a-w C:\WINDOWS\system32\vkulckho.exe
2008-01-25 00:40 53,312 ----a-w C:\WINDOWS\system32\wpqjbvfr.exe
2008-01-23 21:07 53,312 ----a-w C:\WINDOWS\system32\ywtlxppy.exe
2008-01-22 21:07 53,312 ----a-w C:\WINDOWS\system32\ualfebar.exe
2008-01-14 16:32 --------- d-----w C:\Program Files\Lavasoft
2008-01-14 16:32 --------- d-----w C:\Documents and Settings\Mark Neary\Application Data\Lavasoft
2008-01-14 16:30 --------- d-----w C:\Program Files\PopupRadar
2008-01-13 17:58 --------- d-----w C:\Documents and Settings\Michelle Neary\Application Data\SpywareBot
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2006-11-07 01:54 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-01 18:48 68856]
"SpywareStop"="C:\Program Files\SpywareStop\SpywareStop.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 339968 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 06:56 139264]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 20:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19 53248]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44 81920]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 15:34 106496]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-03 00:14 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-03 23:36:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-24 00:34:53 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-02-01 09:00:14 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-03-04 11:00:01 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 10:20:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-09 10:20:52
ComboFix-quarantined-files.txt 2008-03-09 17:20:50
ComboFix2.txt 2008-03-08 05:50:24
ComboFix3.txt 2008-03-06 06:30:12
.
2007-12-13 07:23:01 --- E O F ---
Believe it or not, the Kaspersky log isn't as bad as it looks. However, I'm seeing something in the ComboFix log that I want to investigate further and consult with the other members of the team. So, in the meantime, please do the following:
Please change your settings to show hidden files. You can change the setting back when the cleanup is completed.
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Show hidden files and folders.
- Uncheck the Hide protected operating system files (recommended) option.
- Click Yes to confirm.
- Click OK.
Please download ATF Cleaner by Atribune from http://www.atribune.org/content/view/25/2/ and save it to your Desktop.
Restart your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe Mode.
- Login on your usual account.
Locate and remove the following:
C:\Program Files\ErrorKiller
C:\My Music\Spywarestop_setupxv.exe
C:\Documents and Settings\Mark Neary\Application Data\ErrorKiller
C:\Documents and Settings\Mark Neary\Application Data\SpywareBot
C:\Documents and Settings\Michelle Neary\Application Data\ErrorKiller
C:\Documents and Settings\Michelle Neary\Application Data\SpywareBot
C:\Documents and Settings\Mark Neary\Application Data\Sun\Java\Deployment\cache\6.0\20\5312bcd4-5a82d998
C:\Documents and Settings\Mark Neary\Application Data\Sun\Java\Deployment\cache\6.0\58\44eef97a-42a9216c
Now run ATF Cleaner:
- Double-click ATF-Cleaner.exe to run the program.
- Click Select All found at the bottom of the list.
- Click the Empty Selected button.
- Click Exit on the Main menu to close the program.
- Shutdown/restart the computer.
Please repeat the process on the other account on the computer. Let me know if you were unable to remove any of the files.
Ok I deleted all of the files and then ran the ATF cleaner on each of the accounts. It seemed to clean everything off. I ran it each time in safe mode. There was a lot of stuff out there.
Good job!
Before I post the next set of instructions, please advise as to whether your McAfee subscription is current and also if you intentionally turned off the Security Center monitoring of antivirus/firewall.
My McAfee is up to date. In fact I think it updates on a daily basis through comcast. I intentionally shut off all of the McAfee things when I was running the programs as instructed. As soon as they were done I restored the settings. When I look at the McAfee security center now it tells me that I am protected and that my firewall is on. So when I was running the combofix log all of the McAfee programs were disabled. Hopefully that is what I was supposed to do. :)
Thanks for that information. It makes a difference in what I hope will be the last go-through with ComboFix for you.
- Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
File::
C:\WINDOWS\system32\eemtogwl.exe
C:\WINDOWS\system32\tdpeilfj.dll
C:\WINDOWS\system32\pojdacuo.exe
C:\WINDOWS\system32\nmaflglt.exe
C:\WINDOWS\system32\eumfuoxo.exe
C:\WINDOWS\system32\serofpnb.exe
C:\WINDOWS\system32\ivhsagsw.exe
C:\WINDOWS\system32\vkulckho.exe
C:\WINDOWS\system32\wpqjbvfr.exe
C:\WINDOWS\system32\ywtlxppy.exe
C:\WINDOWS\system32\ualfebar.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
- Save this as CFScript.txt and place it on your desktop.
- Close any open browsers
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fi266.photobucket.com%2Falbums%2Fii277%2FsUBs_%2FCFScript.gif&hash=e717b6d6f30949c01276451bd9201cb4202ba3db)
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
TotalScan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
Please go to this site: TotalScan (http://www.nanoscan.com/as/v1/?)
- Under Scan Now click the Full Scan button
- Follow the prompts to install the Active X if necessary
- Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
- When the scan is finished, a report will be generated
- Next to Scan Details click the small Save button and save the report to your desktop.
- Please post the report in your reply along with the ComboFix log and yet another HijackThis log.
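An added example, not part of this thread and not ComboFix's own code: a small Python audit that parses the "Reg Loading Points" section of a ComboFix log (the REGEDIT4-style lines shown in the logs above) and flags the settings the helper is asking about, namely Security Center monitoring and notification switched off, the Windows Firewall profile disabled, a populated AppInit_DLLs value, a Run entry with no file metadata, and an AutoRun command on a mounted volume. The sample input is constructed in this thread's log format; the AppInit_DLLs path in it is a placeholder, not a value taken from the logs.

```python
import re

# Constructed sample in the "Reg Loading Points" format used by ComboFix.
# Keys and values are modelled on the logs in this thread; the AppInit_DLLs
# path is a placeholder (the thread's script clears the value but the log
# excerpt does not show what it held).
SAMPLE_LOG = r"""REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"SpywareStop"="C:\Program Files\SpywareStop\SpywareStop.exe" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="C:\WINDOWS\system32\PLACEHOLDER_appinit.dll"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                 # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')   # "Name"=value
AUTORUN_PREFIX = '\\Shell\\AutoRun\\command - '    # mountpoints2 AutoRun line


def parse_reg_points(text):
    """Return (key, name, value) triples; AutoRun command lines get name 'AutoRun'."""
    entries = []
    key = None
    for line in text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue                          # skip REGEDIT4 header and blank lines
        m = VALUE_RE.match(line)
        if m:
            entries.append((key, m.group(1), m.group(2)))
        elif line.startswith(AUTORUN_PREFIX):
            entries.append((key, 'AutoRun', line[len(AUTORUN_PREFIX):]))
    return entries


def dword_value(value):
    """Parse 'dword:00000001' into an int; return None for any other value form."""
    if value.lower().startswith('dword:'):
        return int(value[6:], 16)
    return None


def audit(entries):
    """Flag the weak settings as (severity, message, key) tuples."""
    findings = []
    for key, name, value in entries:
        k = key.lower()
        if 'security center' in k and name == 'AntiVirusDisableNotify' and dword_value(value) == 1:
            findings.append(('HIGH', 'Security Center antivirus notifications disabled', key))
        elif 'security center\\monitoring' in k and name == 'DisableMonitoring' and dword_value(value) == 1:
            findings.append(('HIGH', 'Security Center monitoring disabled for ' + key.rsplit('\\', 1)[1], key))
        elif 'firewallpolicy' in k and name == 'EnableFirewall' and value.split()[0] == '0':
            findings.append(('MEDIUM', 'Windows Firewall disabled in this profile', key))
        elif name == 'AppInit_DLLs' and value.strip('"') not in ('', '-'):
            # AppInit_DLLs is loaded into every process that loads user32.dll,
            # which is why the helper's CFScript clears it.
            findings.append(('HIGH', 'AppInit_DLLs loads ' + value.strip('"') + ' into GUI processes', key))
        elif k.endswith('\\run') and value.endswith('[ ]'):
            # ComboFix prints an empty bracket when it records no size/date for the
            # target; treat that as "file not found" (assumption) and review it.
            findings.append(('LOW', 'Run entry with no file metadata (file missing?): ' + name, key))
        elif name == 'AutoRun':
            findings.append(('LOW', 'AutoRun command on mounted volume: ' + value, key))
    return findings


if __name__ == '__main__':
    for severity, message, key in audit(parse_reg_points(SAMPLE_LOG)):
        print(f'{severity:6} {message}\n       at {key}')
```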
I must be tired. I forgot to shut off McAfee and so when the license agreement for combo fix came up I clicked no and now combofix is gone. Do I have to start over or can I download combofix again and just go from there? Sorry about the mistake.
Well I mustered up some courage and just redownloaded combo fix, starting where I left off. This time I actually disabled McAfee like I was supposed to the first time. The total scan is a little scary, apparently I am still infected. See attached.
combo fix log
ComboFix 08-03-10.1 - Mark Neary 2008-03-13 5:03:44.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255 [GMT -7:00]
Running from: C:\Documents and Settings\Mark Neary\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark Neary\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\system32\eemtogwl.exe
C:\WINDOWS\system32\eumfuoxo.exe
C:\WINDOWS\system32\ivhsagsw.exe
C:\WINDOWS\system32\nmaflglt.exe
C:\WINDOWS\system32\pojdacuo.exe
C:\WINDOWS\system32\serofpnb.exe
C:\WINDOWS\system32\tdpeilfj.dll
C:\WINDOWS\system32\ualfebar.exe
C:\WINDOWS\system32\vkulckho.exe
C:\WINDOWS\system32\wpqjbvfr.exe
C:\WINDOWS\system32\ywtlxppy.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\eemtogwl.exe
C:\WINDOWS\system32\eumfuoxo.exe
C:\WINDOWS\system32\ivhsagsw.exe
C:\WINDOWS\system32\nmaflglt.exe
C:\WINDOWS\system32\pojdacuo.exe
C:\WINDOWS\system32\serofpnb.exe
C:\WINDOWS\system32\tdpeilfj.dll
C:\WINDOWS\system32\ualfebar.exe
C:\WINDOWS\system32\vkulckho.exe
C:\WINDOWS\system32\wpqjbvfr.exe
C:\WINDOWS\system32\ywtlxppy.exe
.
((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.
2008-03-09 10:32 . 2008-03-09 10:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-09 10:32 . 2008-03-09 10:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-03 00:16 . 2008-03-03 00:16 <DIR> d-------- C:\Documents and Settings\Mark Neary\Application Data\Talkback
2008-03-03 00:15 . 2008-03-03 00:15 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-03 00:15 . 2008-03-03 00:15 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-02 23:58 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-02 23:57 . 2008-03-02 23:57 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-02 08:58 . 2008-03-02 08:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-27 22:58 . 2008-03-03 21:31 <DIR> d-------- C:\Documents and Settings\Mark Neary\Application Data\SpywareStop
2008-02-27 21:52 . 2008-02-27 21:52 <DIR> d-------- C:\VundoFix Backups
2008-02-27 21:27 . 2008-02-28 16:32 <DIR> d-------- C:\WINDOWS\LMI38.tmp
2008-02-14 18:22 . 2008-02-14 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 13:34 --------- d-----w C:\Program Files\Java
2008-03-08 08:00 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-08 06:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-08 06:54 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-08 06:43 --------- d-----w C:\Program Files\TurboTax
2008-03-05 02:40 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-03 07:15 --------- d-----w C:\Program Files\Real
2008-03-03 07:14 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-03 07:14 --------- d-----w C:\Program Files\Common Files\Real
2008-02-26 05:09 --------- d-----w C:\Program Files\McAfee
2008-02-06 17:51 171,400 ----a-w C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-30 04:56 --------- d-----w C:\Program Files\Dell Games
2008-01-30 04:55 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-01-30 04:54 --------- d-----w C:\Program Files\Dell
2008-01-28 05:03 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-14 16:32 --------- d-----w C:\Program Files\Lavasoft
2008-01-14 16:32 --------- d-----w C:\Documents and Settings\Mark Neary\Application Data\Lavasoft
2008-01-14 16:30 --------- d-----w C:\Program Files\PopupRadar
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2006-11-07 01:54 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-01 18:48 68856]
"SpywareStop"="C:\Program Files\SpywareStop\SpywareStop.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 339968 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 06:56 139264]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 20:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19 53248]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44 81920]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 15:34 106496]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-03 00:14 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-10 22:36:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-24 00:34:53 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-02-01 09:00:14 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-03-10 10:00:01 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 05:06:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-13 5:06:56
ComboFix-quarantined-files.txt 2008-03-13 12:06:54
ComboFix2.txt 2008-03-09 17:20:53
ComboFix3.txt 2008-03-08 05:50:24
ComboFix4.txt 2008-03-06 06:30:12
.
2008-03-12 13:41:07 --- E O F ---
hijackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:15 AM, on 3/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Popup Killer - {2D58DD23-2759-4C7B-9351-D68AF7D0D868} - C:\PROGRA~1\POPUPR~1\popup.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpywareStop] C:\Program Files\SpywareStop\SpywareStop.exe -boot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
--
End of file - 10398 bytes
And for the scary part here is the total scan log:
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-03-13 06:19:47
PROTECTIONS: 1
MALWARE: 47
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee VirusScan Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-00-07-25\10.qit
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\14.qit
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\15.qit
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Cookies\mark_neary@trafficmp[1].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Cookies\mark_neary@casalemedia[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\8.qit
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Cookies\mark_neary@doubleclick[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\8.qit
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\07-03-2008-00-21-09\2.qit
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-17-36-26\0.qit
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-22-35-32\6.qit
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-00-07-25\5.qit
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-00-07-25\4.qit
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\5.qit
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-22-35-32\4.qit
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Cookies\mark_neary@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\5.qit
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\07-03-2008-00-21-09\1.qit
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Mark Neary\Desktop\SmitfraudFix\Process.exe
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\0.qit
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\9.qit
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-00-07-25\6.qit
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Cookies\mark_neary@fastclick[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-22-35-32\7.qit
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\9.qit
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-00-07-25\11.qit
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Cookies\mark_neary@tribalfusion[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-22-35-32\9.qit
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\16.qit
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\15.qit
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\11.qit
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\11.qit
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Cookies\mark_neary@mediaplex[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-22-35-32\1.qit
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Cookies\mark_neary@ad.yieldmanager[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\07-03-2008-00-21-09\0.qit
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\0.qit
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-00-07-25\0.qit
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\1.qit
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-00-07-25\3.qit
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-22-35-32\3.qit
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Cookies\mark_neary@apmebf[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\4.qit
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\4.qit
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\6.qit
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\6.qit
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-22-35-32\5.qit
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Cookies\mark_neary@burstnet[2].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\16.qit
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-00-07-25\2.qit
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Cookies\mark_neary@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-22-35-32\2.qit
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\3.qit
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\3.qit
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\07-03-2008-00-21-09\3.qit
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\17.qit
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-22-35-32\8.qit
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\12.qit
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Cookies\mark_neary@overture[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\13.qit
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\14.qit
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\05-03-2008-00-07-25\9.qit
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\13.qit
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Cookies\mark_neary@questionmarket[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\04-03-2008-04-34-36\17.qit
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Cookies\mark_neary@zedo[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\02-03-2008-07-32-05\18.qit
00517584 Application/SuperFast HackTools No 0 Yes No C:\Documents and Settings\Mark Neary\Desktop\SmitfraudFix\restart.exe
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP672\A0080914.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP677\A0081054.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP669\A0075952.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP669\A0076916.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP672\A0079929.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081342.EXE
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Mark Neary\Desktop\SmitfraudFix\Reboot.exe
02885171 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine\28-02-2008-22-19-55\19.qit
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP672\A0080908.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP669\A0076910.sys
02897594 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\suhgrfqb.dll.vir
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\gvbbmmsd.exe.vir
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081345.exe
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081344.exe
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\ivhsagsw.exe.vir
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081343.exe
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\eemtogwl.exe.vir
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\dvsqyjfv.exe.vir
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\eumfuoxo.exe.vir
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081346.exe
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\nmaflglt.exe.vir
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP672\A0079955.exe
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\pojdacuo.exe.vir
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP672\A0079954.exe
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\qeyocycp.exe.vir
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP672\A0079948.exe
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\serofpnb.exe.vir
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081353.exe
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081348.exe
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP672\A0079946.exe
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081350.exe
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\ualfebar.exe.vir
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\uuxwpqne.exe.vir
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\vkulckho.exe.vir
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\wpqjbvfr.exe.vir
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081351.exe
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\ywtlxppy.exe.vir
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081352.exe
02897596 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP682\A0081347.exe
02897936 W32/Lineage.HJB.worm Virus/Trojan No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\mehvbwsy.dll.vir
02898848 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\llebouhl.dll.vir
02898849 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\spqdxpek.dll.vir
02898852 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\kqiunjfo.dll.vir
02898853 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\elydsdny.dll.vir
02899193 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\cigrmgww.dll.vir
02899864 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\innuuuar.dll.vir
02902098 Spyware/Virtumonde Spyware No
Was that the complete log from Total Scan?
From what I can see, there is one last file to remove and then cleanup. What is shown in the Total Scan log is the quarantined files and System Restore points. At the end, I'll give you instructions on clearing System Restore and creating a fresh restore point. However, you may have noticed that ComboFix creates a new restore point before each run. This is a safety feature as an infected restore point is better than none at all.
We're still left with C:\WINDOWS\LMI38.tmp and remnants of SpywareStop.
See if you can remove the SpywareStop items in safe mode as you did the other files:
C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Quarantine
Please go to: http://virusscan.jotti.org/
Upload the filepath shown below into the "File to upload & scan" box at the upper left:
C:\WINDOWS\LMI38.tmp
Let us know what Jotti has to say in your reply.
I did run the total scan. It took about an hour to complete.
I was able to remove the quarantine directory in safe mode, then I ran the ATF cleaner again.
When I went to Jotti and uploaded the file, I got the following reply on submitting it:
"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"
Should I turn off my McAfee firewall and virus scan for this process?
Quote
Should I turn off my McAfee firewall and virus scan for this process?
Turn off the firewall then try Jotti again. Make sure to turn the firewall back on right after though ;)
If you get the same thing again then please navigate to this file
C:\WINDOWS\LMI38.tmp. It appears to be a file but one of the tools says that it might actually be a folder. Please let us know.
I turned off the firewall and tried again, got the same response. :(
I navigated to c:\windows and the LMI38.tmp is actually a folder as opposed to a file.
I also have a bunch of $NtUninstall folders??? Not sure if this is normal or related to the work we have been doing?
Another weird thing I noticed is that when McAfee runs a scan sometimes it detects items, but may not remove them or be able to remove them?
LMI38.tmp does not yield any results in a search, however, I would rather take the safe route and submit the folder for examination.
Open notepad and copy/paste the text in the code box below into it:
Suspect::
C:\WINDOWS\LMI38.tmp
Save this as CFScript.txt
(image: CFScript.gif)
Referring to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.
Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
Quote from: trouble on March 14, 2008, 02:04:43 PM
I also have a bunch of $NtUninstall folders??? Not sure if this is normal or related to the work we have been doing?
Those folders are the uninstall files relating to each individual update from Microsoft, and the service packs.
Can you tell us where McAfee is detecting those too? Does it produce any logfile?
I submitted the log file for your review.
Just in case, here is a copy of the log file:
ComboFix 08-03-10.1 - Mark Neary 2008-03-15 18:15:49.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.195 [GMT -7:00]
Running from: C:\Documents and Settings\Mark Neary\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark Neary\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.
2008-03-13 05:12 . 2008-03-13 05:13 <DIR> d-------- C:\Program Files\Panda Security
2008-03-09 10:32 . 2008-03-09 10:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-09 10:32 . 2008-03-09 10:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-03 00:16 . 2008-03-03 00:16 <DIR> d-------- C:\Documents and Settings\Mark Neary\Application Data\Talkback
2008-03-03 00:15 . 2008-03-03 00:15 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-03 00:15 . 2008-03-03 00:15 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-02 23:58 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-02 23:57 . 2008-03-02 23:57 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-02 08:58 . 2008-03-02 08:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-27 22:58 . 2008-03-13 18:43 <DIR> d-------- C:\Documents and Settings\Mark Neary\Application Data\SpywareStop
2008-02-27 21:52 . 2008-02-27 21:52 <DIR> d-------- C:\VundoFix Backups
2008-02-27 21:27 . 2008-02-28 16:32 <DIR> d-------- C:\WINDOWS\LMI38.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 13:34 --------- d-----w C:\Program Files\Java
2008-03-08 08:00 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-08 06:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-08 06:54 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-08 06:43 --------- d-----w C:\Program Files\TurboTax
2008-03-05 02:40 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-03 07:15 --------- d-----w C:\Program Files\Real
2008-03-03 07:14 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-03 07:14 --------- d-----w C:\Program Files\Common Files\Real
2008-02-26 05:09 --------- d-----w C:\Program Files\McAfee
2008-02-15 01:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-02-06 17:51 171,400 ----a-w C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-30 04:56 --------- d-----w C:\Program Files\Dell Games
2008-01-30 04:55 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-01-30 04:54 --------- d-----w C:\Program Files\Dell
2008-01-28 05:03 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2006-11-07 01:54 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-01 18:48 68856]
"SpywareStop"="C:\Program Files\SpywareStop\SpywareStop.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 339968 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 06:56 139264]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 20:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19 53248]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44 81920]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 15:34 106496]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-03 00:14 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-03-10 22:36:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-15 08:16:12 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-02-01 09:00:14 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-03-15 10:00:01 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 18:18:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-15 18:18:57
ComboFix-quarantined-files.txt 2008-03-16 01:18:46
ComboFix2.txt 2008-03-13 12:06:57
ComboFix3.txt 2008-03-09 17:20:53
ComboFix4.txt 2008-03-08 05:50:24
ComboFix5.txt 2008-03-06 06:30:12
.
2008-03-12 13:41:07 --- E O F ---
Here is a HijackThis log too:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:23:33 PM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Popup Killer - {2D58DD23-2759-4C7B-9351-D68AF7D0D868} - C:\PROGRA~1\POPUPR~1\popup.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpywareStop] C:\Program Files\SpywareStop\SpywareStop.exe -boot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
--
End of file - 10638 bytes
McAfee detects three potentially unwanted programs and does not delete them. One is called GenericPUP.g; this is located in C:\Documents and Settings\Mark Neary\Desktop\Smitfraudfix\reboot.exe.
The next one is Prcviewer, located here: C:\Documents and Settings\Mark Neary\Desktop\Smitfraudfix\Process.exe
The last one is called RemAdm-ProcLaunch!171 and it is located in C:\Documents and Settings\Mark Neary\Desktop\Combofix.exe
Hopefully this is the information that you were asking for. Let me know if you need something different.
Thanks. It is common that A/V software detects Smitfraudfix and Combofix. We'll take care of those at the end. I'm wondering why SpywareStop is still showing in Program Files. We can remove the entry from Start Up, but I want to be sure the software is off your computer.
Hello Trouble
Open notepad and copy/paste the text in the codebox below into it:
DirLook::
C:\WINDOWS\LMI38.tmp
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareStop"=-
Save this as "CFScript"
(http://i119.photobucket.com/albums/o129/Clark76/CFScript.gif)
Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Post back with a new Hijackthis log also.
I went into Add/Remove Programs and SpywareStop was still there, so I removed it. Then I copied the CFScript and ran ComboFix. The logs are presented below:
ComboFix:
ComboFix 08-03-10.1 - Mark Neary 2008-03-16 20:04:44.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.167 [GMT -7:00]
Running from: C:\Documents and Settings\Mark Neary\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark Neary\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-02-17 to 2008-03-17 )))))))))))))))))))))))))))))))
.
2008-03-13 05:12 . 2008-03-13 05:13 <DIR> d-------- C:\Program Files\Panda Security
2008-03-09 10:32 . 2008-03-09 10:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-09 10:32 . 2008-03-09 10:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-03 00:16 . 2008-03-03 00:16 <DIR> d-------- C:\Documents and Settings\Mark Neary\Application Data\Talkback
2008-03-03 00:15 . 2008-03-03 00:15 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-03 00:15 . 2008-03-03 00:15 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-02 23:58 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-02 23:57 . 2008-03-02 23:57 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-02 08:58 . 2008-03-02 08:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-27 22:58 . 2008-03-13 18:43 <DIR> d-------- C:\Documents and Settings\Mark Neary\Application Data\SpywareStop
2008-02-27 21:52 . 2008-02-27 21:52 <DIR> d-------- C:\VundoFix Backups
2008-02-27 21:27 . 2008-02-28 16:32 <DIR> d-------- C:\WINDOWS\LMI38.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 13:34 --------- d-----w C:\Program Files\Java
2008-03-08 08:00 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-08 06:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-08 06:54 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-08 06:43 --------- d-----w C:\Program Files\TurboTax
2008-03-05 02:40 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-03 07:15 --------- d-----w C:\Program Files\Real
2008-03-03 07:14 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-03 07:14 --------- d-----w C:\Program Files\Common Files\Real
2008-02-26 05:09 --------- d-----w C:\Program Files\McAfee
2008-02-15 01:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-02-06 17:51 171,400 ----a-w C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-30 04:56 --------- d-----w C:\Program Files\Dell Games
2008-01-30 04:55 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-01-30 04:54 --------- d-----w C:\Program Files\Dell
2008-01-28 05:03 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2006-11-07 01:54 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\WINDOWS\LMI38.tmp ----
2008-02-27 23:50 324 --a------ C:\WINDOWS\LMI38.tmp\rescue.log
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-01 18:48 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 339968 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 06:56 139264]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 20:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19 53248]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44 81920]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 15:34 106496]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-03 00:14 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-03-10 22:36:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-15 08:16:12 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-02-01 09:00:14 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-03-16 10:00:01 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 20:06:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-16 20:07:17
ComboFix-quarantined-files.txt 2008-03-17 03:07:14
ComboFix2.txt 2008-03-16 01:18:58
ComboFix3.txt 2008-03-13 12:06:57
ComboFix4.txt 2008-03-09 17:20:53
ComboFix5.txt 2008-03-08 05:50:24
.
2008-03-12 13:41:07 --- E O F ---
The HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:07 PM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Popup Killer - {2D58DD23-2759-4C7B-9351-D68AF7D0D868} - C:\PROGRA~1\POPUPR~1\popup.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
--
End of file - 10538 bytes
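The "Reg Loading Points" section of the ComboFix log above, and the O9/O23 items of the HijackThis log, are what a helper reads first: Security Center notifications and monitoring switched off, the Windows Firewall profile disabled, a cached AutoRun command for a removable volume, entries marked "(file missing)", and services with no publisher. The script below is an added example, written for this page and not a feature of ComboFix, HijackThis or anything posted in the thread. It parses a REGEDIT4-style dump and a few HijackThis lines into structured findings. Both sample inputs are constructed from lines in the logs above; the `Finding` record and the rule set (which keys and values are worth flagging, and the reading of "Unknown owner" as a service binary without company information) are my own assumptions about what deserves a second look, not definitions from either tool.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log and HijackThis O9/O23
lines. Added example for this thread; not a ComboFix or HijackThis feature."""
import re
from dataclasses import dataclass

@dataclass
class Finding:
    category: str   # security-center, firewall, autorun, stale-entry or no-publisher
    location: str   # registry key or HijackThis item the finding refers to
    detail: str     # what the helper should check

# Constructed sample: a trimmed REGEDIT4-style dump in the shape ComboFix prints,
# with values copied from the log above so each rule below has something to hit.
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01 67584]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
"""

# Constructed sample of HijackThis lines, likewise copied from the log above.
SAMPLE_HJT = r"""O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                                   # [HKEY_...]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')                     # "Name"=value
AUTORUN_RE = re.compile(r"^(\\Shell\\AutoRun\\command)\s+-\s+(.+)$", re.IGNORECASE)
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")       # name - company - path

def dword(value):
    """'dword:00000001' -> 1, '0 (0x0)' -> 0; strings, paths and empty values -> None."""
    parts = value.strip().lower().split()
    if not parts:
        return None
    try:
        if parts[0].startswith("dword:"):
            return int(parts[0][6:], 16)
        return int(parts[0], 0)
    except ValueError:
        return None

def parse_reg_points(text):
    """Return (key, name, value) triples; the key is the most recent [...] header."""
    entries, key = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:          # REGEDIT4 banner or text before the first key
            continue
        m = VALUE_RE.match(line) or AUTORUN_RE.match(line)
        if m:
            entries.append((key, m.group(1), m.group(2).strip()))
    return entries

def triage_reg(entries):
    """Flag settings that silence or disable the OS's own defences, and cached AutoRun commands."""
    out = []
    for key, name, value in entries:
        k, n = key.lower(), name.lower()
        if "security center" in k and n.endswith("disablenotify") and dword(value) == 1:
            out.append(Finding("security-center", key,
                               f"{name}=1 hides the Security Center warning for that component"))
        elif "security center\\monitoring" in k and n == "disablemonitoring" and dword(value) == 1:
            out.append(Finding("security-center", key,
                               "monitoring disabled; third-party suites set this themselves, so "
                               "confirm the product named in the key is installed and running"))
        elif "firewallpolicy" in k and n == "enablefirewall" and dword(value) == 0:
            out.append(Finding("firewall", key,
                               "Windows Firewall off for this profile; expected only while another firewall is active"))
        elif "mountpoints2" in k and n.endswith("autorun\\command"):
            out.append(Finding("autorun", key, f"cached AutoRun command for a volume: {value}"))
    return out

def triage_hjt(text):
    """Flag HijackThis items whose target file is gone or whose service has no publisher."""
    out = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("(file missing)"):
            parts = line.split(" - ", 2)
            out.append(Finding("stale-entry", parts[1] if len(parts) > 1 else line,
                               "registration points at a file that no longer exists, usually an uninstall leftover"))
            continue
        m = O23_RE.match(line)
        if m and m.group(2).lower() == "unknown owner":
            out.append(Finding("no-publisher", m.group(1),
                               f"service binary carries no company information: {m.group(3)}"))
    return out

if __name__ == "__main__":
    for f in triage_reg(parse_reg_points(SAMPLE_REG)) + triage_hjt(SAMPLE_HJT):
        print(f"[{f.category}] {f.location}\n    {f.detail}")
```

On this machine the `DisableMonitoring` and `EnableFirewall=0` findings are consistent with the McAfee suite that the O23 lines show installed and running, so they are prompts to confirm the product is present rather than signs of tampering; the cached AutoRun command for E: and the Dell service with no publisher are the kind of item to look at once, then leave alone if they belong to known software.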
We are just about there.
Please submit the following file to Jotti File Scan (http://virusscan.jotti.org)
C:\WINDOWS\LMI38.tmp\rescue.log
At the top of the window you should see "File to Upload & Scan" and a blank box. Copy and paste the red text from above into the box. Then click "submit".
When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" back in this thread.
If the site is too busy, upload it here: http://www.virustotal.com/en/indexf.html
~~~~~~~~~
Open notepad and copy/paste the text in the codebox below into it:
Folder::
C:\Documents and Settings\Mark Neary\Application Data\SpywareStop
FileLook::
C:\WINDOWS\LMI38.tmp\rescue.log
Save this as "CFScript"
(http://i119.photobucket.com/albums/o129/Clark76/CFScript.gif)
Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
~~~~~~
Are you experiencing any problems with your computer?
Here are the Jotti file results:
Service load: 0% 100%
File: rescue.log
Status: OK
MD5: d138b481bade595e5bfc5bba9a0b65a1
Packers detected: -
Bit9 reports: File not found
Scanner results
Scan taken on 18 Mar 2008 04:13:39 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
The computer seems to be working fine. It is a little slow during startup, but when I get on the internet it does not have a bunch of advertisements popping up. It seems like that part has been fixed. Except for the items I noted above, McAfee is not detecting any more problems.
Here is the ComboFix log:
ComboFix 08-03-10.1 - Mark Neary 2008-03-17 21:23:04.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.207 [GMT -7:00]
Running from: C:\Documents and Settings\Mark Neary\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark Neary\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Mark Neary\Application Data\SpywareStop
C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\Log\2008 Mar 07 - 03_40_20 PM_687.log
C:\Documents and Settings\Mark Neary\Application Data\SpywareStop\rs.dat
.
((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
.
2008-03-13 05:12 . 2008-03-13 05:13 <DIR> d-------- C:\Program Files\Panda Security
2008-03-09 10:32 . 2008-03-09 10:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-09 10:32 . 2008-03-09 10:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-03 00:16 . 2008-03-03 00:16 <DIR> d-------- C:\Documents and Settings\Mark Neary\Application Data\Talkback
2008-03-03 00:15 . 2008-03-03 00:15 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-03 00:15 . 2008-03-03 00:15 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-02 23:58 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-02 23:57 . 2008-03-02 23:57 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-02 08:58 . 2008-03-02 08:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-27 21:52 . 2008-02-27 21:52 <DIR> d-------- C:\VundoFix Backups
2008-02-27 21:27 . 2008-02-28 16:32 <DIR> d-------- C:\WINDOWS\LMI38.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 13:34 --------- d-----w C:\Program Files\Java
2008-03-08 08:00 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-08 06:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-08 06:54 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-08 06:43 --------- d-----w C:\Program Files\TurboTax
2008-03-05 02:40 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-03 07:15 --------- d-----w C:\Program Files\Real
2008-03-03 07:14 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-03 07:14 --------- d-----w C:\Program Files\Common Files\Real
2008-02-26 05:09 --------- d-----w C:\Program Files\McAfee
2008-02-15 01:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-02-06 17:51 171,400 ----a-w C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-30 04:56 --------- d-----w C:\Program Files\Dell Games
2008-01-30 04:55 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-01-30 04:54 --------- d-----w C:\Program Files\Dell
2008-01-28 05:03 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2006-11-07 01:54 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-01 18:48 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 339968 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 06:56 139264]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 20:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19 53248]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44 81920]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 15:34 106496]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-03 00:14 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-17 22:36:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-15 08:16:12 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-02-01 09:00:14 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-03-16 10:00:01 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 21:25:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-17 21:25:43
ComboFix-quarantined-files.txt 2008-03-18 04:25:41
ComboFix2.txt 2008-03-17 03:07:17
ComboFix3.txt 2008-03-16 01:18:58
ComboFix4.txt 2008-03-13 12:06:57
ComboFix5.txt 2008-03-09 17:20:53
.
2008-03-12 13:41:07 --- E O F ---
Just in case, here is a HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:24 PM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Popup Killer - {2D58DD23-2759-4C7B-9351-D68AF7D0D868} - C:\PROGRA~1\POPUPR~1\popup.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
--
End of file - 10456 bytes
Thank you very much for all of your help. This is an awesome site that I have already told some friends and family about. :flowers:
Well done, your logs appear clean :thumbsup:
Go to Start -> Run ->
copy/paste in the following single line command & click OK
combofix /u
This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.
~~~~~~~~
If you have not already, please make sure you have re-enabled your anti-virus, and firewall ;)
~~~~~~~~
You can delete the following:
VundoFix.exe <-- located on your desktop
C:\VundoFix Backups <-- folder
~~~~~~~~~
Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - leave BOTH checked: Applications and Applets; Trace and Log Files
- Click OK on the Delete Temporary Files window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files window
- Click OK to leave the Java Control Panel.
~~~~~~~~~
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft (http://v4.windowsupdate.microsoft.com/en/default.asp) and download all the critical updates to help prevent possible re-infection.
=================================================
This is a good time to set up protection against further attacks. Read TonyKlein's How Did I Get Infected In The First Place? (http://castlecops.com/postlite7736-.html). You need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard, to prevent spyware intrusions. IE-Spyad is another excellent program that places over 4000 websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. All of the above have good free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.
More information and downloads are available at the following links:
Spyware Blaster (http://www.javacoolsoftware.com/downloads.html)
Spyware Guard (http://www.javacoolsoftware.com/downloads.html)
IE-Spyad (http://www.spywarewarrior.com/uiuc/resource.htm)
~~~~~~~~~~
If you want to fight back the Malware Writers that have made your life a misery, please take a look here (http://www.malwarecomplaints.info/viewforum.php?f=2) and read what you can do against it.
Quote from: trouble
Thank you very much for all of your help. This is an awesome site that I have already told some friends and family about.
I guess you're not "trouble" any longer!
Clark76, thank you for jumping in while I was tied up as well as for your earlier consultation. Greatly appreciated! :rose:
No trouble at all Corrine :) and happy and safe surfing to you Trouble
Thank you very much for the detailed instructions and handholding through this process. I thought I was going to have to wipe the computer and reinstall everything. It was well worth the time. It is sure nice to have people like you that are willing to donate their time and expertise. I have downloaded Spyware Blaster and Spyware Guard. Now I just have to make sure the kids do not download anything they are not supposed to. Landzdown is an awesome site! Hopefully I will not have to bug you for a while, but I feel comfortable that I know where you are in case I need help in the future! I wish I would have come here first.