Need help - Trojans, Darksma and more?

Started by NanaVic, August 22, 2007, 12:01:00 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages1
User actions

NanaVic

August 22, 2007, 12:01:00 PM
I first became aware of the problem when AOL started telling me it had found and blocked Darksma.  After some researching, I downloaded and ran Vundofix.  It found, but was unable to remove, c:\windows\system32\geebcaw.dll.

I ran Spybot S&D and it found:

1. DriveCleaner 2006: Clas ID (Registry key) HKEY_CLASSES_ROOT\CLSID\InprocServer32
2. Virtumonde: Library(File) C:\WINDOWS\system32\jcmdlv.dll
3. Virtumonde: Settings (Registry key) HKEY_LOCAL-MACHINE\SOFTWARE\Microsoft\Dlnf
4. Virtumonde: Settings (Registry key) HKEY_LOCAL-MACHINE\SOFTWARE\Microsoft\DnngCon

While Spybot is able to fix all except the Libray(File) C:\WINDOWS\system32\jcmdlv.dll, they seem to replicate themselves are found again on the next scan.

I ran a scan with AVG and it found and quarantined the following, but they also reappeared on the next scan.

WINDOWS\system32\wnstscc.exe -> Trojan.Small
WINDOWS\run2.exe -> Downloader.PurityScan.dc

I am at a loss on how fix this.  I have started receiving popups for spyware. 

I am running Windows XP, SP2.

Here is my HJT log and thank you for any help you can provide!!

Logfile of HijackThis v1.99.1
Scan saved at 4:27:34 AM, on 8/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\AOL\1139536199\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
c:\program files\common files\aol\1139536199\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\program files\common files\aol\1139536199\ee\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\Highjackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cdm.microsoft.com/update/certs/usacert.htm
R3 - URLSearchHook: (no name) - {84DC98F9-5137-2FC9-1C01-5EF07ECE3A97} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4a446b17-efd0-4082-b39a-45953a4e2e3d} - (no file)
O2 - BHO: (no name) - {4a7c03cd-6fde-4037-a727-128a1994d770} - C:\WINDOWS\system32\inetycc.dll (file missing)
O2 - BHO: (no name) - {4ba78b91-7ed0-4727-8d47-b82b3fcd4454} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {77c51650-1f81-4911-a019-1931c0bbc1ff} - C:\WINDOWS\system32\iprdev.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {84DC98F9-5137-2FC9-1C01-5EF07ECE3A97} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139536199\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\system32\icmdlv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139180987906
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.rosashomehealth.com/Remote/msrdp.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O20 - AppInit_DLLs: c:\windows\system32\geebcaw.dll
O20 - Winlogon Notify: icmdlv - C:\WINDOWS\SYSTEM32\icmdlv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: inetycc - inetycc.dll (file missing)
O20 - Winlogon Notify: ippl32 - ippl32.dll (file missing)
O20 - Winlogon Notify: iprdev - iprdev.dll (file missing)
O20 - Winlogon Notify: jkhfd - jkhfd.dll (file missing)
O20 - Winlogon Notify: kbdqoa - kbdqoa.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Corrine

#1
August 23, 2007, 12:18:24 AM
Hi, NanaVic.  Welcome to LandzDown Forum. 

1. Download this file - combofix.exe (Mirror location:  http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe )
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window while it is running as that may cause it to stall.

Please also post a fresh HijackThis log.

Thanks.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

NanaVic

#2
August 23, 2007, 02:15:52 AM
Hi Corrine and thank you for your help.

I've run Combofix and here is that log and a new HJT log.

ComboFix 07-08-17.2 - "Vicky" 2007-08-22 20:24:13.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.577 [GMT -5:00]


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Vicky\APPLIC~1\tmp190.tmp.exe
C:\DOCUME~1\Vicky\APPLIC~1\tmp191.tmp.exe
C:\DOCUME~1\Vicky\APPLIC~1\tmp31B.tmp.exe
C:\WINDOWS\ilnpru.ini
C:\WINDOWS\knpsut.ini
C:\WINDOWS\system32\awvvt.exe
C:\WINDOWS\system32\dnf4c700ea.dat
C:\WINDOWS\system32\geebcaw.dll
C:\WINDOWS\system32\icmdlv.dll
C:\WINDOWS\system32\jkkji.exe
C:\WINDOWS\system32\jkklk.exe
C:\WINDOWS\system32\pmkhe.exe
C:\WINDOWS\tuspnk.dll
C:\WINDOWS\urpnli.dll
C:\WINDOWS\ymbols~1


(((((((((((((((((((((((((   Files Created from 2007-07-23 to 2007-08-23  )))))))))))))))))))))))))))))))


2007-08-22 20:23   51,200   --a------   C:\WINDOWS\nircmd.exe
2007-08-21 18:07   10,872   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-21 06:27   <DIR>   d--------   C:\Highjackthis
2007-08-21 06:02   <DIR>   d--------   C:\DOCUME~1\ADMINI~1\APPLIC~1\AOL
2007-08-21 05:39   <DIR>   d--------   C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-08-21 05:33   <DIR>   d--------   C:\WINDOWS\system32\Logs
2007-08-21 05:28   <DIR>   d--------   C:\VundoFix Backups
2007-08-20 07:58   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-19 20:44   <DIR>   d--------   C:\Program Files\IObit
2007-08-19 20:40   <DIR>   d--------   C:\Program Files\CCleaner
2007-08-15 08:15   143,360   --a------   C:\WINDOWS\system32\dunzip32.dll
2007-08-15 08:13   37,480   --a------   C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-08-15 08:13   34,184   --a------   C:\WINDOWS\system32\drivers\mfebopk.sys
2007-08-15 08:13   32,008   --a------   C:\WINDOWS\system32\drivers\mferkdk.sys
2007-08-15 08:12   71,496   --a------   C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-08-15 08:12   170,408   --a------   C:\WINDOWS\system32\drivers\mfehidk.sys
2007-08-15 08:12   109,608   --a------   C:\WINDOWS\system32\drivers\Mpfp.sys
2007-08-15 08:12   <DIR>   d--------   C:\Program Files\McAfee.com
2007-08-15 08:12   <DIR>   d--------   C:\Program Files\McAfee
2007-08-15 08:12   <DIR>   d--------   C:\Program Files\Common Files\McAfee
2007-08-15 04:46   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-08-12 10:37   1,645,320   --a------   C:\WINDOWS\system32\gdiplus.dll
2007-08-12 10:37   <DIR>   d--------   C:\Program Files\Miuchiz
2007-08-05 21:06   <DIR>   d--------   C:\WINDOWS\system32\NtmsData
2007-08-04 08:21   <DIR>   d--------   C:\Program Files\SimPE


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-15 18:22   94208   --a------   C:\WINDOWS\system32\igfxtray.exe
2007-08-15 18:22   77824   --a------   C:\WINDOWS\system32\hkcmd.exe
2007-08-15 18:22   114688   --a------   C:\WINDOWS\system32\igfxpers.exe
2007-07-12 05:58   ---------   d--------   C:\Program Files\AOL 9.0
2007-07-05 07:08   ---------   d--------   C:\Program Files\Common Files\Symantec Shared
2007-07-04 22:14   ---------   d--------   C:\DOCUME~1\Vicky\APPLIC~1\AOL
2007-07-04 22:13   ---------   d--------   C:\Program Files\Common Files\aolshare
2007-07-04 22:13   ---------   d--------   C:\Program Files\Common Files\AOL
2007-06-23 11:24   ---------   d--------   C:\Program Files\PopCap Games
2007-06-23 07:43   278528   --a------   C:\WINDOWS\system32\livesnth.dll
2007-06-19 08:31   282112   --a------   C:\WINDOWS\system32\gdi32.dll
2007-06-13 05:23   1033216   --a------   C:\WINDOWS\explorer.exe


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4a446b17-efd0-4082-b39a-45953a4e2e3d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4a7c03cd-6fde-4037-a727-128a1994d770}]
         C:\WINDOWS\system32\inetycc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4ba78b91-7ed0-4727-8d47-b82b3fcd4454}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77c51650-1f81-4911-a019-1931c0bbc1ff}]
         C:\WINDOWS\system32\iprdev.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84DC98F9-5137-2FC9-1C01-5EF07ECE3A97}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2007-08-15 08:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-05 17:30]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-08-30 15:04]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 18:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"SigmatelSysTrayApp"="sttray.exe" []
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 01:55]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-15 18:22]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-15 18:22]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-08-15 18:22]
"HostManager"="C:\Program Files\Common Files\AOL\1139536199\ee\AOLSoftware.exe" [2007-08-15 08:12]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2006-01-25 12:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 10:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2006-06-11 16:50:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\inetycc]
inetycc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ippl32]
ippl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iprdev]
iprdev.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhfd]
jkhfd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kbdqoa]
kbdqoa.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS
R1 UdfReadr;UdfReadr;C:\WINDOWS\system32\drivers\UdfReadr.sys


Contents of the 'Scheduled Tasks' folder
2007-08-15 13:12:38 C:\WINDOWS\Tasks\McDefragTask.job - c:\program files\mcafee\mqc\QcConsol.exe
2007-08-15 13:12:37 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-22 20:50:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-22 20:51:33 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-22 20:51

   --- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 8:54:43 PM, on 8/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\AOL\1139536199\ee\AOLSoftware.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\common files\aol\1139536199\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Highjackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cdm.microsoft.com/update/certs/usacert.htm
R3 - URLSearchHook: (no name) - {84DC98F9-5137-2FC9-1C01-5EF07ECE3A97} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4a446b17-efd0-4082-b39a-45953a4e2e3d} - (no file)
O2 - BHO: (no name) - {4a7c03cd-6fde-4037-a727-128a1994d770} - C:\WINDOWS\system32\inetycc.dll (file missing)
O2 - BHO: (no name) - {4ba78b91-7ed0-4727-8d47-b82b3fcd4454} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {77c51650-1f81-4911-a019-1931c0bbc1ff} - C:\WINDOWS\system32\iprdev.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {84DC98F9-5137-2FC9-1C01-5EF07ECE3A97} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139536199\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {3369AF0D-62E9-4bda-8103-B4C75499B578} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139180987906
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.rosashomehealth.com/Remote/msrdp.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: inetycc - inetycc.dll (file missing)
O20 - Winlogon Notify: ippl32 - ippl32.dll (file missing)
O20 - Winlogon Notify: iprdev - iprdev.dll (file missing)
O20 - Winlogon Notify: jkhfd - jkhfd.dll (file missing)
O20 - Winlogon Notify: kbdqoa - kbdqoa.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Corrine

#3
August 23, 2007, 11:28:49 AM
Hi, NanaVic.

I am about to start work so will not be able to review your log at this time and advise further cleanup.  In the meantime, however, is there a reason you haven't upgraded to IE7?  I would also hesitate to add anything to the Trusted Zone with such complete freedom:  O15 - Trusted Zone: http://*.turbotax.com.  The asterisk means that any web page preceding .turbotax.com is trusted.

BTW, is your machine running better?


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

NanaVic

#4
August 23, 2007, 12:26:56 PM
Thank you and yes, the machine is running much better. The only reason I haven't upgraded is I wasn't aware there was one.  Guilty of not keeping up with some things.  Will remove TurboTax from trusted zone.  I really appreciate all the help - Thank you!!

Paddy

#5
August 23, 2007, 02:21:20 PM
Some reading for you as to why you should upgrade to IE 7

http://windowshelp.microsoft.com/Windows/en-US/Help/a426bb85-708c-4b75-87e2-874f9be3b4aa1033.mspx

Also make sure you are up to-date with your Microsoft up dates .
http://www.update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us


Also your Adobe Reader is way out of date >>> C:\Program Files\Adobe\Acrobat 6.0\Reader\

Adobe Reader 8.1>> is the new one
http://filehippo.com/download_adobe_acrobat_reader/

numbnuts.. :breakkie:
This is one race of people for whom psychoanalysis is of no use whatsoever - Sigmund Freud (about the Irish)

Never argue with a fool, they will lower you to their level and then beat you with experience.

GR@PH;<'S

#6
August 23, 2007, 07:57:39 PM
NanaVic,
To help you keep up with all your program updates may I recommenfd that you use Secunia Software Inspector.
QuoteThe Secunia Software Inspector:
* Detects insecure versions of applications installed
* Verifies that all Microsoft patches are applied
* Assists you in updating your system and applications
* Runs through your browser. No installation or download is required

GR@PH;<'S   :Hammys pint:
press Enter then have a Brandy then if the problem is still there have another Brandy
Q: does it work
A: It does seem to for a few hours at least.

Corrine

#7
August 23, 2007, 10:17:41 PM
Close all programs leaving only HijackThis running.  Place a check against each of the following, making sure you get them all and not any others by mistake:

R3 - URLSearchHook: (no name) - {84DC98F9-5137-2FC9-1C01-5EF07ECE3A97} - (no file)
O2 - BHO: (no name) - {4a446b17-efd0-4082-b39a-45953a4e2e3d} - (no file)
O2 - BHO: (no name) - {4a7c03cd-6fde-4037-a727-128a1994d770} - C:\WINDOWS\system32\inetycc.dll (file missing)
O2 - BHO: (no name) - {4ba78b91-7ed0-4727-8d47-b82b3fcd4454} - (no file)
O2 - BHO: (no name) - {77c51650-1f81-4911-a019-1931c0bbc1ff} - C:\WINDOWS\system32\iprdev.dll (file missing)
O2 - BHO: (no name) - {84DC98F9-5137-2FC9-1C01-5EF07ECE3A97} - (no file)
O9 - Extra button: (no name) - {3369AF0D-62E9-4bda-8103-B4C75499B578} - (no file)
O15 - Trusted Zone: http://*.turbotax.com
O20 - Winlogon Notify: inetycc - inetycc.dll (file missing)
O20 - Winlogon Notify: ippl32 - ippl32.dll (file missing)
O20 - Winlogon Notify: iprdev - iprdev.dll (file missing)
O20 - Winlogon Notify: jkhfd - jkhfd.dll (file missing)
O20 - Winlogon Notify: kbdqoa - kbdqoa.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.

Since search results were rather slim, if you don't know what the following is, I suggest remove it:  C:\Program Files\Miuchiz.  Be sure hidden files are showing and remove in safe mode. 

To enable the viewing of Hidden files in XP, follow these steps:

   1. Close all programs so that you are at your desktop.
   2. Double-click on the My Computer icon.
   3. Select the Tools menu and click Folder Options.
   4. After the new window appears select the View tab.
   5. Put a checkmark in the checkbox labeled Display the contents of system folders.
   6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
   7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
   8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
   9. Press the Apply button and then the OK button and shutdown My Computer.
  10. Now your computer is configured to show all hidden files.

I agree completely with the recommendations of numbnuts & GR@PH;<'S, especially Secunia Software Inspector.  Since you didn't know about IE7, that implies that you have not been getting Microsoft Updates for many, many months.  I just looked it up and see that Microsoft released IE7 on October 18, 2006.  That is a mighty long time not to be getting updates.  There have been quite a few critical issues that Microsoft has addressed during this time.  Do you have automatic updates turned off? 

Please download ATF Cleaner by Atribune from http://www.atribune.org/content/view/40/2/ .  Save it to your Desktop.

Run ATF Cleaner

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
  • Click Exit on the Main menu to close the program.
  • Shutdown/restart the computer.
Now scan again with HijackThis, post the log as a reply and let us know if your computer still seems to be ok.

Thanks.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

NanaVic

#8
August 24, 2007, 12:37:09 PM
Thank you everyone for the advice and assistance.  I'm still in the process of updating everything you identified (dial up is a slow process) but wanted to go ahead and post the most recent HJT because the main issues I was having seem to have been resolved.  How is it looking now?

Logfile of HijackThis v1.99.1
Scan saved at 7:15:31 AM, on 8/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\AOL\1139536199\ee\AOLSoftware.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\eHome\ehmsas.exe
c:\program files\common files\aol\1139536199\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1139536199\ee\aolsoftware.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Highjackthis\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cdm.microsoft.com/update/certs/usacert.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139536199\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187915657531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187916105312
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.rosashomehealth.com/Remote/msrdp.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Corrine

#9
August 24, 2007, 11:19:12 PM
Hi, NanaVic.  Great job!!! 

For additional information on protecting your PC, please see Tony Klein's "So how did I get infected in the first place?" for important tips on how to prevent future infections.  There is also a lot of helpful information in "Mitch's Good Stuff" linked from here.

Install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software.  You can click "Notify" on this thread to receive email notices of SpywareBlaster updates:  http://www.landzdown.com/index.php?topic=288.0

SpywareBlaster -- http://www.javacoolsoftware.com/spywareblaster.html 

I really like WinPatrol, which includes the features described here.

Regards,


Corrine :rose:


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
Print
Go Up Pages1
User actions