sandsoftime
Joined: 26 Jun 2008 Posts: 5
Posted: Thu Jun 26, 2008 12:26 am Post subject: Joke Bluescreen - HELP!!! [Antivirus XP]
My background has gone blue, and there is a yellow alert in the middle saying that spyware has been detected and I need to install an antivirus program. Norton keeps finding this file:
C:\WINDOWS\SYSTEM32\blphcrjej0er8t.scr
but is unable to remove it. Also, something called "Antivirus XP 2008" keeps installing itself and running. Besides that, things are messed up in general.
I have no idea what to do. The following is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:47 PM, on 6/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\runservice.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {FC0A5DA1-E70D-486E-6AE3-19C19D12831A} - C:\PROGRA~1\AXISSA~1\Axis Keep.exe (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Mags chin rect meal] C:\Documents and Settings\All Users\Application Data\Free Does Mags Chin\Wave once.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [lphcrjej0er8t] C:\WINDOWS\system32\lphcrjej0er8t.exe
O4 - HKLM\..\Run: [SMrhcvjej0er8t] C:\Program Files\rhcvjej0er8t\rhcvjej0er8t.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [clipboard.exe] C:\WINDOWS\system32\clipboard.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! MLB StatTracker - http://aud6.sports.yahoo.com/java/y/mlbst8294_x.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {27EB254C-C724-43B1-8DD8-F3AC9ED761B2} (Wavexpress Cab Helper) - http://client2.tvtonic.com/Webservice/Public/WXStageInstall/2.8/TVTStage1.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://www.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://mirror.worldwinner.com/games/v40/freecell/freecell.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165772494265
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://pv1fd.pav1.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
--
End of file - 8644 bytes
patrik Site Admin
Joined: 08 Jan 2006 Posts: 1226
Posted: Thu Jun 26, 2008 11:13 am Post subject:
Hello sandsoftime, welcome to the Myantispyware forum!
Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present:
Code:
O2 - BHO: (no name) - {FC0A5DA1-E70D-486E-6AE3-19C19D12831A} - C:\PROGRA~1\AXISSA~1\Axis Keep.exe (file missing)
O4 - HKLM\..\Run: [Mags chin rect meal] C:\Documents and Settings\All Users\Application Data\Free Does Mags Chin\Wave once.exe
O4 - HKLM\..\Run: [lphcrjej0er8t] C:\WINDOWS\system32\lphcrjej0er8t.exe
O4 - HKLM\..\Run: [SMrhcvjej0er8t] C:\Program Files\rhcvjej0er8t\rhcvjej0er8t.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [clipboard.exe] C:\WINDOWS\system32\clipboard.exe
Click on Fix Checked when finished and exit HijackThis.
Note: make sure your Internet Explorer (and/or any other browser) is closed when you click Fix Checked!
Download combofix. Close any open browsers. Double click on combofix.exe and follow the prompts.
Make a fresh HijackThis log.
Post HijackThis log + combofix log with your reply.
_________________
Antispyware: HijackThis, SmitfraudFix, ComboFix, CounterSpy Antispyware, Super Antispyware
Instructions: Show hidden files, Reboot in Safe Mode
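As an added illustration of the triage patrik is doing by eye (this is example code written for this page, not a tool from the thread, from Trend Micro or from the forum), the script below parses HijackThis O2/O4 lines and flags the same kinds of entries he asked to be fixed: BHOs whose file is missing, Run values that are not a file path, and autorun executables with random-looking names such as lphcrjej0er8t. The sample log text, the function names and the "random-looking" thresholds are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v2 line format. The entries mirror the ones
# in the log above; the text is embedded so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {FC0A5DA1-E70D-486E-6AE3-19C19D12831A} - C:\PROGRA~1\AXISSA~1\Axis Keep.exe (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [lphcrjej0er8t] C:\WINDOWS\system32\lphcrjej0er8t.exe
O4 - HKLM\..\Run: [SMrhcvjej0er8t] C:\Program Files\rhcvjej0er8t\rhcvjej0er8t.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <path or '(no file)'>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# O4 lines: "O4 - HKLM\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Unquoted command: drive letter, path, executable extension, then a space or end.
EXE_RE = re.compile(r"(?i)^([a-z]:\\.*?\.(?:exe|scr|com|bat))(?:\s|$)")
VOWELS = set("aeiou")


@dataclass
class Finding:
    line: str
    reason: str


def exe_path(cmd: str) -> Optional[str]:
    """Return the executable path at the start of a Run value, or None when the
    value is not a path at all (like the bare "1" under [Yahoo! Pager] above)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else None
    m = EXE_RE.match(cmd)
    return m.group(1) if m else None


def looks_random(stem: str) -> bool:
    """Crude 'random-looking filename' test: long, digits mixed into the middle,
    and few vowels. Thresholds are chosen for this example to match names like
    lphcrjej0er8t; a hit is a triage hint, not a verdict."""
    s = stem.lower()
    letters = [c for c in s if c.isalpha()]
    if len(s) < 10 or not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    digits_inside = any(c.isdigit() for c in s[1:-1])
    return vowel_ratio < 0.25 and digits_inside


def triage(log_text: str) -> List[Finding]:
    """Scan HijackThis O2/O4 lines and return the entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if "(file missing)" in m["path"] or m["path"] == "(no file)":
                findings.append(Finding(line, "BHO registered but its file is missing"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        path = exe_path(m["cmd"])
        if path is None:
            findings.append(Finding(line, "Run value is not a file path"))
            continue
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(stem):
            findings.append(Finding(line, f"autorun executable has a random-looking name ({stem})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it flags the two orphaned BHOs, the two rhcvjej0er8t/lphcrjej0er8t autoruns and the non-path "Yahoo! Pager" value, and leaves hkcmd, iTunesHelper, mcagent and ctfmon alone. It does not catch sysrest32.exe or clipboard.exe, which patrik also listed: those carry ordinary-looking names and can only be spotted by knowing what belongs in system32, which is why a name heuristic is a first pass and not a replacement for a reviewed allowlist or a hash lookup.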
sandsoftime
Joined: 26 Jun 2008 Posts: 5
Posted: Thu Jun 26, 2008 12:56 pm Post subject:
Thanks patrik, I'll do that as soon as I get home (I'm at work right now).
One question:
Does it matter if I run HijackThis and/or ComboFix in safe mode?
patrik Site Admin
Joined: 08 Jan 2006 Posts: 1226
sandsoftime
Joined: 26 Jun 2008 Posts: 5
Posted: Thu Jun 26, 2008 10:54 pm Post subject:
OK, I deleted those items and then ran both HijackThis and then ComboFix.
Here's what I got.
HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:00 PM, on 6/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\runservice.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! MLB StatTracker - http://aud6.sports.yahoo.com/java/y/mlbst8294_x.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {27EB254C-C724-43B1-8DD8-F3AC9ED761B2} (Wavexpress Cab Helper) - http://client2.tvtonic.com/Webservice/Public/WXStageInstall/2.8/TVTStage1.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://www.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://mirror.worldwinner.com/games/v40/freecell/freecell.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165772494265
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://pv1fd.pav1.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
--
End of file - 8222 bytes
ComboFix:
ComboFix 08-06-20.4 - Evan Dubovsky 2008-06-26 17:38:32.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254 [GMT -5:00]
Running from: C:\Documents and Settings\Evan Dubovsky\Desktop\ComboFix.exe
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
F:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 )))))))))))))))))))))))))))))))
.
2008-06-25 18:04 . 2008-06-25 18:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-24 20:55 . 2008-06-24 20:55 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-24 20:55 . 2008-06-24 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-24 20:45 . 2008-06-24 20:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-23 23:03 . 2008-06-23 23:03 3,042 --a------ C:\WINDOWS\SYSTEM32\PerfStringBackup.TMP
2008-06-23 21:10 . 2008-06-23 21:10 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-06-23 21:10 . 2008-06-23 21:10 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-06-23 21:10 . 2008-06-23 21:10 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-23 20:19 . 2008-04-13 19:12 276,992 --------- C:\WINDOWS\SYSTEM32\wmphoto.dll
2008-06-23 20:18 . 2008-04-13 19:12 712,704 --------- C:\WINDOWS\SYSTEM32\windowscodecs.dll
2008-06-23 20:18 . 2008-04-13 19:12 346,112 --------- C:\WINDOWS\SYSTEM32\windowscodecsext.dll
2008-06-23 20:18 . 2008-04-13 19:12 69,120 --------- C:\WINDOWS\SYSTEM32\wlanapi.dll
2008-06-23 20:18 . 2008-04-13 19:12 53,248 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2008-06-23 20:18 . 2008-04-13 19:12 50,688 --------- C:\WINDOWS\SYSTEM32\tspkg.dll
2008-06-23 20:17 . 2008-04-13 19:12 412,160 --------- C:\WINDOWS\SYSTEM32\photometadatahandler.dll
2008-06-23 20:17 . 2008-04-13 19:12 291,328 --------- C:\WINDOWS\SYSTEM32\qagentrt.dll
2008-06-23 20:17 . 2008-04-13 19:12 290,304 --------- C:\WINDOWS\SYSTEM32\rhttpaa.dll
2008-06-23 20:17 . 2008-04-13 19:12 150,528 --------- C:\WINDOWS\SYSTEM32\qagent.dll
2008-06-23 20:17 . 2008-04-13 19:12 76,800 --------- C:\WINDOWS\SYSTEM32\qutil.dll
2008-06-23 20:17 . 2008-04-13 19:12 62,464 --------- C:\WINDOWS\SYSTEM32\qcliprov.dll
2008-06-23 20:17 . 2008-04-13 19:12 61,952 --------- C:\WINDOWS\SYSTEM32\rasqec.dll
2008-06-23 20:17 . 2008-04-13 19:12 32,768 --------- C:\WINDOWS\SYSTEM32\setupn.exe
2008-06-23 20:17 . 2008-04-13 13:40 10,240 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sffp_mmc.sys
2008-06-23 20:16 . 2008-04-13 19:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\msxml6.dll
2008-06-23 20:16 . 2008-04-13 19:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml6.dll
2008-06-23 20:16 . 2008-04-13 19:12 193,024 --------- C:\WINDOWS\SYSTEM32\napmontr.dll
2008-06-23 20:16 . 2008-04-13 19:12 176,640 --------- C:\WINDOWS\SYSTEM32\napstat.exe
2008-06-23 20:16 . 2008-04-13 19:12 155,136 --------- C:\WINDOWS\SYSTEM32\mssha.dll
2008-06-23 20:16 . 2008-04-13 19:12 144,384 --------- C:\WINDOWS\SYSTEM32\onex.dll
2008-06-23 20:16 . 2008-04-13 12:27 79,872 --------- C:\WINDOWS\SYSTEM32\msxml6r.dll
2008-06-23 20:16 . 2008-04-13 12:27 79,872 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml6r.dll
2008-06-23 20:16 . 2008-04-13 13:14 76,800 --------- C:\WINDOWS\SYSTEM32\msshavmsg.dll
2008-06-23 20:16 . 2008-04-13 19:12 30,208 --------- C:\WINDOWS\SYSTEM32\napipsec.dll
2008-06-23 20:15 . 2008-04-13 19:11 397,312 --------- C:\WINDOWS\SYSTEM32\mmcex.dll
2008-06-23 20:15 . 2008-04-13 19:11 184,320 --------- C:\WINDOWS\SYSTEM32\microsoft.managementconsole.dll
2008-06-23 20:15 . 2008-04-13 19:11 106,496 --------- C:\WINDOWS\SYSTEM32\mmcfxcommon.dll
2008-06-23 20:15 . 2008-04-13 19:12 33,792 --------- C:\WINDOWS\SYSTEM32\mmcperf.exe
2008-06-23 20:13 . 2008-04-13 19:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-06-23 18:44 . 2008-06-25 17:59 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-23 18:05 . 2008-06-23 18:05 <DIR> d-------- C:\Documents and Settings\Evan Dubovsky\Application Data\rhcvjej0er8t
2008-06-23 18:05 . 2008-06-25 19:17 94,208 --a------ C:\WINDOWS\SYSTEM32\pphcrjej0er8t.exe
2008-06-23 18:02 . 2008-06-23 18:02 109,056 --a------ C:\WINDOWS\SYSTEM32\lphcrjej0er8t.exe
2008-06-23 18:02 . 2008-06-26 17:31 90,838 --a------ C:\WINDOWS\SYSTEM32\phcrjej0er8t.bmp
2008-06-11 06:47 . 2008-06-13 06:05 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-11 06:47 . 2008-05-08 09:02 203,136 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 22:30 9,841 --sha-w C:\WINDOWS\SYSTEM32\mmf.sys
2008-06-25 22:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-25 02:12 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-25 01:44 --------- d-----w C:\Program Files\DivX
2008-06-23 23:07 --------- d-----w C:\Documents and Settings\Evan Dubovsky\Application Data\Azureus
2008-06-17 03:07 --------- d-----w C:\Program Files\Azureus
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-24 18:24 --------- d-----w C:\Documents and Settings\Evan Dubovsky\Application Data\SiteAdvisor
2008-05-22 02:53 --------- d-----w C:\Program Files\SiteAdvisor
2008-05-22 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-16 16:58 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-05-12 22:39 --------- d-----w C:\Program Files\Replay AV 8
2008-05-12 22:39 --------- d-----w C:\Program Files\Red Kawa
2008-05-12 22:39 --------- d-----w C:\Program Files\AviSynth 2.5
2008-05-12 22:28 --------- d-----w C:\Program Files\Avex
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:43 0 --sha-w C:\Documents and Settings\Evan Dubovsky\Application Data\0000000000CHEV1.dat
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-05-04 16:00 --------- d-----w C:\Program Files\McAfee
2008-05-03 17:01 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-05-03 17:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-03 16:57 --------- d-----w C:\Program Files\Common Files\McAfee
2008-05-03 16:56 --------- d-----w C:\Program Files\McAfee.com
2008-05-03 16:42 --------- d-----w C:\Program Files\Yahoo!
2008-05-03 16:40 --------- d-----w C:\Program Files\Common Files\Scanner
2008-04-30 04:54 --------- d-----w C:\Program Files\MagicISO
2008-04-29 16:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 16:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 16:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-24 03:16 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-04-14 10:42 985,088 ----a-w C:\WINDOWS\SYSTEM32\setupapi.dll
2008-04-14 10:42 11,264 ------w C:\WINDOWS\SYSTEM32\spnpinst.exe
2008-04-14 10:41 423,936 ----a-w C:\WINDOWS\SYSTEM32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\SYSTEM32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\SYSTEM32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\SYSTEM32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\SYSTEM32\rdpwsx.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\SYSTEM32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\SYSTEM32\msgina.dll
2008-04-14 00:10 67,584 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pmigrate.dll
2008-04-14 00:10 53,760 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pintlcsd.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\SYSTEM32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\SYSTEM32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\SYSTEM32\msafd.dll
2008-04-14 00:10 175,104 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pintlcsa.dll
2008-04-14 00:10 15,872 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\padrs404.dll
2008-04-14 00:10 15,360 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\padrs804.dll
2008-04-14 00:10 10,240 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tmigrate.dll
2008-04-13 21:00 103,424 ----a-w C:\WINDOWS\SYSTEM32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\SYSTEM32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\SYSTEM32\watchdog.sys
2008-04-13 18:35 24,064 ----a-w C:\WINDOWS\SYSTEM32\pidgen.dll
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\SYSTEM32\kd1394.dll
2008-04-13 18:31 2,065,792 ----a-w C:\WINDOWS\SYSTEM32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\SYSTEM32\msvcrt40.dll
2008-04-13 17:39 438,784 ------w C:\WINDOWS\SYSTEM32\xpob2res.dll
2008-04-13 17:39 2,897,920 ------w C:\WINDOWS\SYSTEM32\xpsp2res.dll
2008-04-13 17:39 187,392 ------w C:\WINDOWS\SYSTEM32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\SYSTEM32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\SYSTEM32\dssenh.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\SYSTEM32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\SYSTEM32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\SYSTEM32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\SYSTEM32\msorc32r.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\SYSTEM32\qedwipes.dll
2008-04-13 17:09 4,096 ------w C:\WINDOWS\SYSTEM32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\SYSTEM32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\SYSTEM32\shdoclc.dll
2008-04-13 16:48 1,647,616 ------w C:\WINDOWS\SYSTEM32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\SYSTEM32\moricons.dll
2008-04-13 16:43 70,144 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pintlphr.exe
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\SYSTEM32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\SYSTEM32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\SYSTEM32\msimsg.dll
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\SYSTEM32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\SYSTEM32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\SYSTEM32\cygz.dll
2005-11-02 22:11 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(10)(2).sys
2005-11-02 17:38 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(11)(2).sys
2005-11-03 01:33 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(12)(2).sys
2005-11-01 00:55 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(2)(3).sys
2005-11-03 01:33 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(2)(4).sys
2005-11-03 01:19 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(3)(2).sys
2005-11-03 01:13 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(4)(2).sys
2005-11-03 01:11 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(5)(2).sys
2005-11-03 01:04 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(6)(2).sys
2005-11-03 01:00 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(7)(2).sys
2005-11-02 22:21 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(8)(2).sys
2005-11-02 22:14 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(9)(2).sys
.
((((((((((((((((((((((((((((( snapshot@2008-06-25_19.04.21.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-25 23:54:52 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-26 22:30:13 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [ ]
"Aim6"="" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 06:52 380928]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 22:41 28738]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 16:57 36640]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2005-08-24 08:53:49 217088]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2002-08-20 21:51:25 45056]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 17:06:54 24633]
[HKLM\~\startupfolder\C:^Documents and Settings^Evan Dubovsky^Start Menu^Programs^Startup^Trivial Pursuit_ Unhinged Registration.lnk]
path=C:\Documents and Settings\Evan Dubovsky\Start Menu\Programs\Startup\Trivial Pursuit_ Unhinged Registration.lnk
backup=C:\WINDOWS\pss\Trivial Pursuit_ Unhinged Registration.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\mozilla.org\\Mozilla\\mozilla.exe"=
"C:\\Program Files\\Hexacto Games\\Lemonade Tycoon\\Lemonade.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Documents and Settings\\Evan Dubovsky\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"C:\\WINDOWS\\SYSTEM32\\msiexec.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:Dube.
"6882:TCP"= 6882:TCP:Dube.
"6883:TCP"= 6883:TCP:Dube.
"6884:TCP"= 6884:TCP:Dube.
"6885:TCP"= 6885:TCP:Dube.
"6886:TCP"= 6886:TCP:Dube.
"6887:TCP"= 6887:TCP:Dube.
"6888:TCP"= 6888:TCP:Dube.
"6889:TCP"= 6889:TCP:Dube.
R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2002-12-04 05:31]
R2 OpenCASE Media Agent;OpenCASE Media Agent;"C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe" [2007-11-06 18:04]
R3 USB20L;Linksys USB 2.0 10/100 Adapter;C:\WINDOWS\system32\DRIVERS\USB200M.sys [2002-09-24 01:35]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 03:06]
S3 DLKRTS;D-Link DFE-530TX+ PCI Adapter;C:\WINDOWS\system32\DRIVERS\DLKRTS.SYS [2002-06-23 16:31]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\29.tmp []
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 13:52]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9de5dcdb-367d-11da-80b1-00106085b00e}]
\Shell\AutoRun\command - E:\GizmoSecure\Windows\GizmoSecure30.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-26 00:00:00 C:\WINDOWS\Tasks\A7B9A04993125CA9.job"
- c:\progra~1\mfcdload\Option team help.exe
"2008-06-26 00:00:01 C:\WINDOWS\Tasks\A80F1C4D91889335.job"
- c:\progra~1\mfcdload\Option team help.exe
"2008-05-26 19:12:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-15 06:14:16 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-05-26 14:00:15 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-26 17:43:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\29.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
Completion time: 2008-06-26 17:47:30
ComboFix-quarantined-files.txt 2008-06-26 22:46:21
ComboFix2.txt 2008-06-26 00:05:16
Pre-Run: 6,994,935,808 bytes free
Post-Run: 6,974,459,904 bytes free
265 --- E O F --- 2008-06-26 22:34:19
patrik Site Admin
Joined: 08 Jan 2006 Posts: 1226
Posted: Sat Jun 28, 2008 6:19 am Post subject:
You also have a Lop infection.
Download Deljob.exe and save it on your desktop.
Open notepad, copy/paste the text in the quote box below into notepad:
Quote:
Folder::
C:\Documents and Settings\Evan Dubovsky\Application Data\rhcvjej0er8t
File::
C:\WINDOWS\SYSTEM32\pphcrjej0er8t.exe
C:\WINDOWS\SYSTEM32\lphcrjej0er8t.exe
C:\WINDOWS\SYSTEM32\phcrjej0er8t.bmp
Driver::
MEMSWEEP2
Name the Notepad file CFScript and Save it to your desktop. Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
Run Deljob.
Post back with the following:
- combofix log
- Deljob log
_________________
Antispyware: HijackThis, SmitfraudFix, ComboFix, CounterSpy Antispyware, Super Antispyware
Instructions: Show hidden files, Reboot in Safe Mode
sandsoftime
Joined: 26 Jun 2008 Posts: 5
Posted: Sat Jun 28, 2008 4:17 pm Post subject:
OK, now here's what I got:
combofix log:
ComboFix 08-06-20.4 - Evan Dubovsky 2008-06-28 10:56:32.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.219 [GMT -5:00]
Running from: C:\Documents and Settings\Evan Dubovsky\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Evan Dubovsky\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\SYSTEM32\lphcrjej0er8t.exe
C:\WINDOWS\SYSTEM32\phcrjej0er8t.bmp
C:\WINDOWS\SYSTEM32\pphcrjej0er8t.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Evan Dubovsky\Application Data\rhcvjej0er8t
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-28 )))))))))))))))))))))))))))))))
.
2008-06-28 10:53 . 2008-06-28 10:53 <DIR> d-------- C:\deljob
2008-06-25 18:04 . 2008-06-25 18:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-24 20:55 . 2008-06-24 20:55 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-24 20:55 . 2008-06-24 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-24 20:45 . 2008-06-24 20:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-23 23:03 . 2008-06-23 23:03 3,042 --a------ C:\WINDOWS\SYSTEM32\PerfStringBackup.TMP
2008-06-23 21:10 . 2008-06-23 21:10 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-06-23 21:10 . 2008-06-23 21:10 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-06-23 21:10 . 2008-06-23 21:10 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-23 20:19 . 2008-04-13 19:12 276,992 --------- C:\WINDOWS\SYSTEM32\wmphoto.dll
2008-06-23 20:18 . 2008-04-13 19:12 712,704 --------- C:\WINDOWS\SYSTEM32\windowscodecs.dll
2008-06-23 20:18 . 2008-04-13 19:12 346,112 --------- C:\WINDOWS\SYSTEM32\windowscodecsext.dll
2008-06-23 20:18 . 2008-04-13 19:12 69,120 --------- C:\WINDOWS\SYSTEM32\wlanapi.dll
2008-06-23 20:18 . 2008-04-13 19:12 53,248 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2008-06-23 20:18 . 2008-04-13 19:12 50,688 --------- C:\WINDOWS\SYSTEM32\tspkg.dll
2008-06-23 20:17 . 2008-04-13 19:12 412,160 --------- C:\WINDOWS\SYSTEM32\photometadatahandler.dll
2008-06-23 20:17 . 2008-04-13 19:12 291,328 --------- C:\WINDOWS\SYSTEM32\qagentrt.dll
2008-06-23 20:17 . 2008-04-13 19:12 290,304 --------- C:\WINDOWS\SYSTEM32\rhttpaa.dll
2008-06-23 20:17 . 2008-04-13 19:12 150,528 --------- C:\WINDOWS\SYSTEM32\qagent.dll
2008-06-23 20:17 . 2008-04-13 19:12 76,800 --------- C:\WINDOWS\SYSTEM32\qutil.dll
2008-06-23 20:17 . 2008-04-13 19:12 62,464 --------- C:\WINDOWS\SYSTEM32\qcliprov.dll
2008-06-23 20:17 . 2008-04-13 19:12 61,952 --------- C:\WINDOWS\SYSTEM32\rasqec.dll
2008-06-23 20:17 . 2008-04-13 19:12 32,768 --------- C:\WINDOWS\SYSTEM32\setupn.exe
2008-06-23 20:17 . 2008-04-13 13:40 10,240 --------- C:\WINDOWS\SYSTEM32\DRIVERS\sffp_mmc.sys
2008-06-23 20:16 . 2008-04-13 19:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\msxml6.dll
2008-06-23 20:16 . 2008-04-13 19:12 1,306,624 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml6.dll
2008-06-23 20:16 . 2008-04-13 19:12 193,024 --------- C:\WINDOWS\SYSTEM32\napmontr.dll
2008-06-23 20:16 . 2008-04-13 19:12 176,640 --------- C:\WINDOWS\SYSTEM32\napstat.exe
2008-06-23 20:16 . 2008-04-13 19:12 155,136 --------- C:\WINDOWS\SYSTEM32\mssha.dll
2008-06-23 20:16 . 2008-04-13 19:12 144,384 --------- C:\WINDOWS\SYSTEM32\onex.dll
2008-06-23 20:16 . 2008-04-13 12:27 79,872 --------- C:\WINDOWS\SYSTEM32\msxml6r.dll
2008-06-23 20:16 . 2008-04-13 12:27 79,872 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml6r.dll
2008-06-23 20:16 . 2008-04-13 13:14 76,800 --------- C:\WINDOWS\SYSTEM32\msshavmsg.dll
2008-06-23 20:16 . 2008-04-13 19:12 30,208 --------- C:\WINDOWS\SYSTEM32\napipsec.dll
2008-06-23 20:15 . 2008-04-13 19:11 397,312 --------- C:\WINDOWS\SYSTEM32\mmcex.dll
2008-06-23 20:15 . 2008-04-13 19:11 184,320 --------- C:\WINDOWS\SYSTEM32\microsoft.managementconsole.dll
2008-06-23 20:15 . 2008-04-13 19:11 106,496 --------- C:\WINDOWS\SYSTEM32\mmcfxcommon.dll
2008-06-23 20:15 . 2008-04-13 19:12 33,792 --------- C:\WINDOWS\SYSTEM32\mmcperf.exe
2008-06-23 20:13 . 2008-04-13 19:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-06-23 18:44 . 2008-06-25 17:59 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-11 06:47 . 2008-06-13 06:05 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-11 06:47 . 2008-05-08 09:02 203,136 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-28 15:52 --------- d-----w C:\Documents and Settings\Evan Dubovsky\Application Data\Azureus
2008-06-25 22:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-25 02:12 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-25 01:44 --------- d-----w C:\Program Files\DivX
2008-06-17 03:07 --------- d-----w C:\Program Files\Azureus
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-24 18:24 --------- d-----w C:\Documents and Settings\Evan Dubovsky\Application Data\SiteAdvisor
2008-05-22 02:53 --------- d-----w C:\Program Files\SiteAdvisor
2008-05-22 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-12 22:39 --------- d-----w C:\Program Files\Replay AV 8
2008-05-12 22:39 --------- d-----w C:\Program Files\Red Kawa
2008-05-12 22:39 --------- d-----w C:\Program Files\AviSynth 2.5
2008-05-12 22:28 --------- d-----w C:\Program Files\Avex
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:43 0 --sha-w C:\Documents and Settings\Evan Dubovsky\Application Data\0000000000CHEV1.dat
2008-05-04 16:00 --------- d-----w C:\Program Files\McAfee
2008-05-03 17:01 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-05-03 17:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-03 16:57 --------- d-----w C:\Program Files\Common Files\McAfee
2008-05-03 16:56 --------- d-----w C:\Program Files\McAfee.com
2008-05-03 16:42 --------- d-----w C:\Program Files\Yahoo!
2008-05-03 16:40 --------- d-----w C:\Program Files\Common Files\Scanner
2008-04-30 04:54 --------- d-----w C:\Program Files\MagicISO
2008-04-29 16:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 16:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 16:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 00:11 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 00:11 376,832 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msinfo.dll
2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\SYSTEM32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\SYSTEM32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\SYSTEM32\cygz.dll
2005-11-02 22:11 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(10)(2).sys
2005-11-02 17:38 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(11)(2).sys
2005-11-03 01:33 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(12)(2).sys
2005-11-01 00:55 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(2)(3).sys
2005-11-03 01:33 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(2)(4).sys
2005-11-03 01:19 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(3)(2).sys
2005-11-03 01:13 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(4)(2).sys
2005-11-03 01:11 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(5)(2).sys
2005-11-03 01:04 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(6)(2).sys
2005-11-03 01:00 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(7)(2).sys
2005-11-02 22:21 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf( (2).sys
2005-11-02 22:14 6,073 --sha-w C:\WINDOWS\SYSTEM32\mmf(9)(2).sys
.
((((((((((((((((((((((((((((( snapshot@2008-06-25_19.04.21.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-25 23:54:52 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-28 16:03:17 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
- 2008-06-25 23:47:50 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-06-28 15:48:19 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-06-25 23:47:50 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-06-28 15:48:19 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2008-06-25 23:47:50 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2008-06-28 15:48:19 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2008-06-25 23:55:08 9,841 --sha-w C:\WINDOWS\SYSTEM32\mmf.sys
+ 2008-06-28 16:03:40 9,841 --sha-w C:\WINDOWS\SYSTEM32\mmf.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [ ]
"Aim6"="" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 06:52 380928]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 22:41 28738]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 16:57 36640]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2005-08-24 08:53:49 217088]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2002-08-20 21:51:25 45056]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 17:06:54 24633]
[HKLM\~\startupfolder\C:^Documents and Settings^Evan Dubovsky^Start Menu^Programs^Startup^Trivial Pursuit_ Unhinged Registration.lnk]
path=C:\Documents and Settings\Evan Dubovsky\Start Menu\Programs\Startup\Trivial Pursuit_ Unhinged Registration.lnk
backup=C:\WINDOWS\pss\Trivial Pursuit_ Unhinged Registration.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\mozilla.org\\Mozilla\\mozilla.exe"=
"C:\\Program Files\\Hexacto Games\\Lemonade Tycoon\\Lemonade.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Documents and Settings\\Evan Dubovsky\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"C:\\WINDOWS\\SYSTEM32\\msiexec.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:Dube.
"6882:TCP"= 6882:TCP:Dube.
"6883:TCP"= 6883:TCP:Dube.
"6884:TCP"= 6884:TCP:Dube.
"6885:TCP"= 6885:TCP:Dube.
"6886:TCP"= 6886:TCP:Dube.
"6887:TCP"= 6887:TCP:Dube.
"6888:TCP"= 6888:TCP:Dube.
"6889:TCP"= 6889:TCP:Dube.
R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2002-12-04 05:31]
R2 OpenCASE Media Agent;OpenCASE Media Agent;"C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe" [2007-11-06 18:04]
R3 USB20L;Linksys USB 2.0 10/100 Adapter;C:\WINDOWS\system32\DRIVERS\USB200M.sys [2002-09-24 01:35]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 03:06]
S3 DLKRTS;D-Link DFE-530TX+ PCI Adapter;C:\WINDOWS\system32\DRIVERS\DLKRTS.SYS [2002-06-23 16:31]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 13:52]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9de5dcdb-367d-11da-80b1-00106085b00e}]
\Shell\AutoRun\command - E:\GizmoSecure\Windows\GizmoSecure30.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-26 19:12:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-15 06:14:16 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-05-26 14:00:15 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-28 11:04:20
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\SYSTEM32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-28 11:14:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-28 16:14:04
ComboFix2.txt 2008-06-26 22:47:32
ComboFix3.txt 2008-06-26 00:05:16
Pre-Run: 6,720,794,624 bytes free
Post-Run: 6,700,417,024 bytes free
244 --- E O F --- 2008-06-28 06:57:40
deljob log:
--------------------------------------------------------
Backups created in C:\deljob
A7B9A04993125CA9.job
A80F1C4D91889335.job
--------------------------------------------------------
Files in Windows Tasks folder
AppleSoftwareUpdate.job
McDefragTask.job
McQcTask.job
--------------------------------------------------------
Export App Data folders
--------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is F87D-9D2C
Directory of C:\Documents and Settings\Evan Dubovsky\Application Data
06/28/2008 10:57 AM <DIR> .
06/28/2008 10:57 AM <DIR> ..
02/26/2005 04:38 AM <DIR> BITTOR~1 .BitTornado
04/13/2006 03:27 PM <DIR> acccore
02/10/2008 09:54 AM <DIR> Adobe
09/28/2004 08:26 PM <DIR> AdobeUM
09/24/2007 06:52 PM <DIR> APPLEC~1 Apple Computer
06/28/2008 10:52 AM <DIR> Azureus
03/27/2008 10:37 PM <DIR> DivX
09/04/2002 12:35 AM <DIR> Help
08/20/2002 07:34 PM <DIR> IDENTI~1 Identities
08/25/2005 10:12 PM <DIR> Lavasoft
11/15/2005 01:25 PM <DIR> LEADER~1 Leadertech
04/02/2003 01:25 AM <DIR> MACROM~1 Macromedia
04/02/2007 06:53 AM <DIR> MICROS~1 Microsoft
08/24/2005 09:20 AM <DIR> Motive
02/10/2008 09:44 AM <DIR> Mozilla
08/31/2002 09:53 PM <DIR> MSN6
12/14/2007 06:37 PM <DIR> OUTOFT~1 Out of the Park Developments
05/26/2004 02:08 PM <DIR> Real
05/24/2008 01:24 PM <DIR> SITEAD~1 SiteAdvisor
01/24/2003 10:01 PM <DIR> SmartFTP
11/15/2005 01:49 PM <DIR> Sonic
03/30/2008 07:13 PM <DIR> SopCast
09/09/2007 10:56 AM <DIR> SPORTS~1 Sports Interactive
12/31/2004 10:13 PM <DIR> Sun
02/10/2008 09:59 AM <DIR> Talkback
07/31/2007 06:01 PM <DIR> vlc
11/12/2007 07:05 PM <DIR> WinRAR
11/30/2005 11:26 AM <DIR> Yahoo!
0 File(s) 0 bytes
30 Dir(s) 6,700,412,928 bytes free
Volume in drive C has no label.
Volume Serial Number is F87D-9D2C
Directory of C:\Documents and Settings\All Users\Application Data
06/24/2008 08:55 PM <DIR> .
06/24/2008 08:55 PM <DIR> ..
09/28/2004 08:25 PM <DIR> Adobe
11/18/2007 12:22 PM <DIR> AOL
11/18/2007 12:22 PM <DIR> AOLDOW~1 AOL Downloads
07/06/2007 06:54 AM <DIR> AOLOCP~1 AOL OCP
08/26/2007 06:58 PM <DIR> Apple
11/26/2006 10:13 AM <DIR> APPLEC~1 Apple Computer
08/20/2002 09:51 PM <DIR> BVRPSO~1 BVRP Software
12/14/2006 04:56 PM <DIR> CA
11/10/2007 09:01 PM <DIR> EXTEND~1 ExtendMedia
09/25/2004 03:04 PM <DIR> FREEDO~1 Free Does Mags Chin
06/24/2008 08:57 PM <DIR> Lavasoft
05/03/2008 12:01 PM <DIR> McAfee
12/12/2006 07:19 PM <DIR> MICROS~1 Microsoft
08/24/2005 08:55 AM <DIR> Motive
08/31/2002 05:07 PM <DIR> MSN6
02/10/2006 10:54 PM <DIR> OOZEFL~1 Ooze Flaw Mix Delete
01/31/2007 10:15 PM <DIR> PACEAN~1 PACE Anti-Piracy
09/17/2005 09:22 AM <DIR> QUICKT~1 QuickTime
08/20/2002 09:50 PM <DIR> SBSI
05/21/2008 07:00 PM <DIR> SITEAD~1 SiteAdvisor
06/25/2008 05:59 PM <DIR> SPYBOT~1 Spybot - Search & Destroy
11/10/2007 09:02 PM <DIR> TEMP
12/29/2007 08:32 PM <DIR> VIEWPO~1 Viewpoint
05/02/2006 08:14 PM <DIR> WINDOW~1 Windows Genuine Advantage
12/05/2005 07:03 PM <DIR> Yahoo!
0 File(s) 0 bytes
27 Dir(s) 6,700,408,832 bytes free
--------------------------------------------------------
All User Accounts
--------------------------------------------------------
All Users
Evan Dubovsky
Owner
--------------------------------------------------------
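Added example, not part of this thread and not code from ComboFix or its author: a small Python triage script for the sections of the ComboFix logs posted above that carry the security-relevant signal. It walks the "Reg Loading Points" block (the Security Center *DisableNotify values, the Monitoring\...\DisableMonitoring values, EnableFirewall and the GloballyOpenPorts list), the R#/S# service lines and the 'Scheduled Tasks' list, and reports what a practitioner would want to re-check after cleanup. The line formats and the heuristics (a .job name that is sixteen hex characters, a service whose ImagePath is a .tmp file, a disabled firewall profile) are my assumptions drawn from the logs on this page, not a ComboFix feature; the sample text is constructed by copying lines from the first log. Note the caveat coded into the third-party-monitoring check: DisableMonitoring=1 under a vendor subkey is also written by legitimate suites such as McAfee, so it is reported as informational only. Comparing the two logs above with this script shows the MEMSWEEP2 service and the two hex-named tasks gone after the CFScript, while the Security Center and EnableFirewall entries are still present, which is why they are worth checking before calling the machine clean.

```python
"""Triage of a ComboFix log: Reg Loading Points, services, scheduled tasks.
Added example; assumptions on line formats are drawn from the logs above."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high" = fix or explain before declaring clean, "info" = verify
    category: str
    detail: str


# Constructed sample: lines copied from the first ComboFix log in this thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:Dube.
"6882:TCP"= 6882:TCP:Dube.
R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2002-12-04 05:31]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\29.tmp []
Contents of the 'Scheduled Tasks' folder
"2008-06-26 00:00:00 C:\WINDOWS\Tasks\A7B9A04993125CA9.job"
- c:\progra~1\mfcdload\Option team help.exe
"2008-05-26 19:12:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
'''

KEY_RE = re.compile(r'^\[(.+)\]$')                       # [HKLM\...] registry key header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')          # "Name"=value (REGEDIT4 style)
SERVICE_RE = re.compile(r'^[RS]\d\s+([^;]+);[^;]*;"?([^"\[]+?)"?\s*\[')  # R2 name;desc;path [date]
TASK_RE = re.compile(r'^"[\d:\s-]+\s+(.*\\([^\\]+)\.job)"$')             # "date path\NAME.job"
HEX_NAME_RE = re.compile(r'^[0-9A-F]{16}$', re.I)         # assumed: random 16-hex task names
NOTIFY_VALUES = {"AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"}


def _is_one(value):
    return value.strip().lower().startswith("dword:00000001")


def triage(log_text):
    """Return the list of Finding objects for a ComboFix log excerpt."""
    findings = []
    key = ""
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, value = m.group(1), m.group(2)
            if "security center" in key:
                if name in NOTIFY_VALUES and _is_one(value):
                    findings.append(Finding("high", "security-center-notify",
                                            f"{name}=1: Security Center warnings suppressed"))
                elif "\\monitoring\\" in key and name == "DisableMonitoring" and _is_one(value):
                    # Third-party suites set this themselves; confirm the product is running.
                    vendor = key.rsplit("\\", 1)[-1]
                    findings.append(Finding("info", "third-party-monitoring",
                                            f"{vendor}: DisableMonitoring=1 (normal for an installed suite; verify it is active)"))
            elif key.endswith("firewallpolicy\\standardprofile"):
                if name == "EnableFirewall" and value.strip().startswith("0"):
                    findings.append(Finding("high", "firewall-disabled",
                                            "Windows Firewall standard profile disabled"))
            elif key.endswith("globallyopenports\\list"):
                findings.append(Finding("info", "open-port", f"globally open port {name}: {value.strip()}"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            svc, image = m.group(1), m.group(2).strip()
            low = image.lower()
            if low.endswith(".tmp") or "\\temp\\" in low:
                findings.append(Finding("high", "tmp-service", f"service {svc} loads {image}"))
            continue
        m = TASK_RE.match(line)
        if m:
            name = m.group(2)
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            target = nxt[2:].strip() if nxt.startswith("- ") else "?"
            if HEX_NAME_RE.match(name):
                findings.append(Finding("high", "hex-task", f"{name}.job -> {target}"))
    return findings


def high_findings(log_text):
    return [f for f in triage(log_text) if f.severity == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.category}: {f.detail}")
```

Run it on a saved ComboFix log with `triage(open("ComboFix.txt").read())`; only the "high" findings need an answer before the machine is called clean, the "info" ones are context for that answer.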
patrik Site Admin
Joined: 08 Jan 2006 Posts: 1226
sandsoftime
Joined: 26 Jun 2008 Posts: 5
Posted: Sun Jun 29, 2008 8:27 pm Post subject:
YES, everything looks good now.
patrik Site Admin
Joined: 08 Jan 2006 Posts: 1226
Posted: Mon Jun 30, 2008 11:41 pm Post subject:
Glad to help
Now uninstall combofix.
Quote:
Start > Run - type ComboFix /u
Press Ok.
Update Java:
Quote:
1. Download the latest version of Java Runtime Environment (JRE) 6 update 6.
2. Close any programs you may have running (include your web browser).
3. Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
4. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
5. Click the Remove or Change/Remove button.
6. Repeat as many times as necessary to remove each Java version.
7. Reboot your computer once all Java components are removed.
8. Then from your desktop double-click on the download to install the newest version.
Open McAfee Control Center and enable autoprotection.
Make a new restore point.
Quote:
Disable System Restore to flush out infected restore points. Reboot your computer again. Turn on Windows System Restore. After that click START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > SYSTEM RESTORE. Click on "create new restore point" > click on NEXT and follow the prompts.
Safe surfing!