•
•
•
•
What is DaniWeb IT Discussion Community?
You're currently browsing the Viruses, Spyware and other Nasties section within the Tech Talk category of DaniWeb, a massive community of 456,532 software developers, web developers, Internet marketers, and tech gurus who are all enthusiastic about making contacts, networking, and learning from each other. In fact, there are 2,893 IT professionals currently interacting right now! Registration is free, only takes a minute and lets you enjoy all of the interactive features of the site.
Please support our Viruses, Spyware and other Nasties advertiser: 64-bit Windows Community
Views: 2412 | Replies: 17 | Solved
 |
•
•
Join Date: Oct 2007
Location: Southern California
Posts: 9
Reputation: 
Rep Power: 0
Solved Threads: 0
Chess Player
Hi, crunchie,
My son ran VundoFix again, and it reported as below. However, even as he was sending me this log, the problem returned. Obviously there is something else well hidden that is building these new instances of Vundo.
Thanks again for your help in solving this problem.
Dave Zechiel
===
VundoFix V6.5.9
Checking Java version...
Scan started at 9:46:01 PM 10/10/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.9
Checking Java version...
Scan started at 10:17:39 PM 10/10/2007
Listing files found while scanning....
C:\WINDOWS\System32\aygumxdm.ini
C:\WINDOWS\System32\mdxmugya.dll
Beginning removal...
Attempting to delete C:\WINDOWS\System32\aygumxdm.ini
C:\WINDOWS\System32\aygumxdm.ini Has been deleted!
Attempting to delete C:\WINDOWS\System32\mdxmugya.dll
C:\WINDOWS\System32\mdxmugya.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\System32\mdxmugya.dll
C:\WINDOWS\System32\mdxmugya.dll Has been deleted!
Performing Repairs to the registry.
Done!
My son ran VundoFix again, and it reported as below. However, even as he was sending me this log, the problem returned. Obviously there is something else well hidden that is building these new instances of Vundo.
Thanks again for your help in solving this problem.
Dave Zechiel
===
VundoFix V6.5.9
Checking Java version...
Scan started at 9:46:01 PM 10/10/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.9
Checking Java version...
Scan started at 10:17:39 PM 10/10/2007
Listing files found while scanning....
C:\WINDOWS\System32\aygumxdm.ini
C:\WINDOWS\System32\mdxmugya.dll
Beginning removal...
Attempting to delete C:\WINDOWS\System32\aygumxdm.ini
C:\WINDOWS\System32\aygumxdm.ini Has been deleted!
Attempting to delete C:\WINDOWS\System32\mdxmugya.dll
C:\WINDOWS\System32\mdxmugya.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\System32\mdxmugya.dll
C:\WINDOWS\System32\mdxmugya.dll Has been deleted!
Performing Repairs to the registry.
Done!
•
•
Join Date: Feb 2004
Location: Oztralya
Posts: 8,018
Reputation:
Rep Power: 23
Solved Threads: 455
First up, when you save the hijackthis log, can you go to the format Tab and check the wordwrap as you log is not working correctly in the tool I use to analyse it.
==
1. Download this file from one of the following links :
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply, along with a new hijackthis log.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
==
1. Download this file from one of the following links :
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply, along with a new hijackthis log.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
•
•
Join Date: Sep 2007
Location: UK
Posts: 39
Reputation:
Rep Power: 2
Solved Threads: 1
Light Poster
IMO the main problem is that he s using Firefox but IE is still his default browser. He needs to make FF as his default browser.
In your FF browser Go to tools >> options >>main >> check the last option which says Always check if Firefox is the default browser on startup.
This should solve your issue.
In your FF browser Go to tools >> options >>main >> check the last option which says Always check if Firefox is the default browser on startup.
This should solve your issue.
•
•
Join Date: Feb 2004
Location: Oztralya
Posts: 8,018
Reputation:
Rep Power: 23
Solved Threads: 455
Certain malware can actually start IE by themselves. Setting FF as the default browser will not remove the trojans that are on the pc now 
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
•
•
Join Date: Oct 2007
Location: Southern California
Posts: 9
Reputation:
Rep Power: 0
Solved Threads: 0
Chess Player
Re: I use Firefox, but IE keeps opening by itself Hi, crunchie,
Here's the log from ComboFix.exe:
ComboFix 07-10-12.4 - John Zechiel 2007-10-11 20:17:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.648 [GMT -7:00]
Running from: C:\Documents and Settings\John Zechiel\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\John Zechiel\Application Data\macromedia\Flash Player\#SharedObjects\ERDWR56N\www.broadcaster.com
C:\Documents and Settings\John Zechiel\Application Data\macromedia\Flash Player\#SharedObjects\ERDWR56N\www.broadcaster.com\played_list.sol
C:\Documents and Settings\John Zechiel\Application Data\macromedia\Flash Player\#SharedObjects\ERDWR56N\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\John Zechiel\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\John Zechiel\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bwgoubdl.dll
C:\WINDOWS\system32\dlrhfxjh.dll
C:\WINDOWS\system32\efqexyij.ini
C:\WINDOWS\system32\jiyxeqfe.dll
C:\WINDOWS\system32\kdrytfkg.dll
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak2
C:\WINDOWS\system32\kjllm.bak2
C:\WINDOWS\system32\kjllm.ini
C:\WINDOWS\system32\kjllm.ini
C:\WINDOWS\system32\mlljk.dll
C:\WINDOWS\system32\smsxjxsf.dll
C:\WINDOWS\system32\telbxbjv.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\nm
((((((((((((((((((((((((( Files Created from 2007-09-12 to 2007-10-12 )))))))))))))))))))))))))))))))
.
2007-10-11 20:16 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-10 22:24 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-10-10 19:05 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-10 18:43 <DIR> d-------- C:\VundoFix Backups
2007-10-06 10:26 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-10-06 10:26 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-10-06 10:26 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-10-06 10:26 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-10-03 13:48 6,221,304 --a------ C:\TEMP\winamp535_full_emusic-7plus.exe
2007-10-03 00:36 <DIR> d-------- C:\Program Files\XoftSpySE
2007-10-03 00:29 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-10-02 23:52 <DIR> d-------- C:\WINDOWS\system32\vMW02a
2007-10-02 23:52 <DIR> d-------- C:\TEMP\xOe
2007-09-24 22:58 3,269,420 --a------ C:\TEMP\The Terminator Theme (From T3)- Brad Fiedel.zip
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-11 02:06 --------- d-----w C:\Program Files\Java
2007-10-09 04:49 1,550 ----a-w C:\Program Files\ProgramFiles.txt
2007-10-07 07:38 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-05 21:06 --------- d-----w C:\Program Files\McAfee
2007-10-03 20:52 --------- d-----w C:\Program Files\Winamp
2007-08-27 05:44 --------- d-----w C:\Program Files\iTunes
2007-08-27 05:44 --------- d-----w C:\Program Files\iPod
2007-08-27 05:42 --------- d-----w C:\Program Files\QuickTime
2007-08-27 05:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-08-27 05:40 --------- d-----w C:\Program Files\Apple Software Update
2007-08-27 05:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"USRpdA"="C:\WINDOWS\SYSTEM32\USRmlnkA.exe" [2003-03-31 05:00]
"IMONTRAY"="C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe" [2003-01-10 13:08]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-12-15 20:26]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-01-23 11:20]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 22:10]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 15:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"TraySantaCruz"="C:\WINDOWS\system32\tbctray.exe" [2002-04-17 12:51]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [2006-05-28 20:35]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 14:22]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2003-12-20 15:43:59]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-11 01:00:00]
Microsoft Office Shortcut Bar.lnk - C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE [1997-07-11 01:00:00]
Net DDE.lnk - C:\WINDOWS\system32\netdde.exe [2004-06-16 11:32:52]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-11 01:00:00]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\mlljk.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
R0 mpegport;mpegport;C:\WINDOWS\System32\DRIVERS\mpegport.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
R1 UBHelper;UBHelper;C:\WINDOWS\System32\drivers\UBHelper.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R2 iSMBIOS;iSMBIOS;\??\C:\WINDOWS\System32\drivers\iSMBIOS.SYS
R2 rmdvd;RM DVD helper;C:\WINDOWS\System32\DRIVERS\rmdvd.sys
R2 SIODRV;SIODRV;\??\C:\WINDOWS\System32\drivers\SIODRV.SYS
R3 ICAM3NT5;Intel(r) PC Camera CS331;C:\WINDOWS\System32\Drivers\ICAM3D2.SYS
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
R3 smbusp;Intel(R) SMBus 2.0 Driver;C:\WINDOWS\System32\DRIVERS\smb.sys
R3 tbcspud;Santa Cruz Driver;C:\WINDOWS\System32\drivers\tbcspud.sys
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\System32\drivers\tbcwdm.sys
R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\System32\DRIVERS\USRpdA.sys
S3 cel90xbe;cel90xbe;\??\C:\DOCUME~1\JOHNZE~1\LOCALS~1\Temp\cel90xbe.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 rmquasar;Hollywood Plus MiniDriver;C:\WINDOWS\System32\DRIVERS\rmquasar.sys
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-11 20:22:29
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-11 20:24:15 - machine was rebooted
.
--- E O F ---
=====
Here's the log from HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:47 PM, on 10/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
C:\Program Files\WinPMail\winpm-32.exe
C:\Documents and Settings\John Zechiel\Desktop\BiJaciThis.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mlb.com/"); (C:\Documents and Settings\JOHN ZECHIEL\Application Data\Mozilla\Profiles\default\o8dohl6q.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\JOHN ZECHIEL\Application Data\Mozilla\Profiles\default\o8dohl6q.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Net DDE.lnk = C:\WINDOWS\system32\netdde.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .html: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191450472234
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O18 - Protocol: msell2 - {9367D24B-8506-471A-915A-CFBB4BCEB631} - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\MSELL2.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
O23 - Service: tbaspi - Voyetra Turtle Beach, Inc. - C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\TURTLE~1\AUDIOS~1\x10nets.exe
--
End of file - 7561 bytes
====
We don't know if this was successful or not. If my son tells me the problem still exists, I'll post here. If this is my last message, then it's because the problem has not reemerged.
Thanks again for all your help.
Dave Zechiel
Here's the log from ComboFix.exe:
ComboFix 07-10-12.4 - John Zechiel 2007-10-11 20:17:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.648 [GMT -7:00]
Running from: C:\Documents and Settings\John Zechiel\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\John Zechiel\Application Data\macromedia\Flash Player\#SharedObjects\ERDWR56N\www.broadcaster.com
C:\Documents and Settings\John Zechiel\Application Data\macromedia\Flash Player\#SharedObjects\ERDWR56N\www.broadcaster.com\played_list.sol
C:\Documents and Settings\John Zechiel\Application Data\macromedia\Flash Player\#SharedObjects\ERDWR56N\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\John Zechiel\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\John Zechiel\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bwgoubdl.dll
C:\WINDOWS\system32\dlrhfxjh.dll
C:\WINDOWS\system32\efqexyij.ini
C:\WINDOWS\system32\jiyxeqfe.dll
C:\WINDOWS\system32\kdrytfkg.dll
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak2
C:\WINDOWS\system32\kjllm.bak2
C:\WINDOWS\system32\kjllm.ini
C:\WINDOWS\system32\kjllm.ini
C:\WINDOWS\system32\mlljk.dll
C:\WINDOWS\system32\smsxjxsf.dll
C:\WINDOWS\system32\telbxbjv.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\nm
((((((((((((((((((((((((( Files Created from 2007-09-12 to 2007-10-12 )))))))))))))))))))))))))))))))
.
2007-10-11 20:16 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-10 22:24 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-10-10 19:05 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-10 18:43 <DIR> d-------- C:\VundoFix Backups
2007-10-06 10:26 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-10-06 10:26 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-10-06 10:26 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-10-06 10:26 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-10-03 13:48 6,221,304 --a------ C:\TEMP\winamp535_full_emusic-7plus.exe
2007-10-03 00:36 <DIR> d-------- C:\Program Files\XoftSpySE
2007-10-03 00:29 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-10-02 23:52 <DIR> d-------- C:\WINDOWS\system32\vMW02a
2007-10-02 23:52 <DIR> d-------- C:\TEMP\xOe
2007-09-24 22:58 3,269,420 --a------ C:\TEMP\The Terminator Theme (From T3)- Brad Fiedel.zip
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-11 02:06 --------- d-----w C:\Program Files\Java
2007-10-09 04:49 1,550 ----a-w C:\Program Files\ProgramFiles.txt
2007-10-07 07:38 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-05 21:06 --------- d-----w C:\Program Files\McAfee
2007-10-03 20:52 --------- d-----w C:\Program Files\Winamp
2007-08-27 05:44 --------- d-----w C:\Program Files\iTunes
2007-08-27 05:44 --------- d-----w C:\Program Files\iPod
2007-08-27 05:42 --------- d-----w C:\Program Files\QuickTime
2007-08-27 05:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-08-27 05:40 --------- d-----w C:\Program Files\Apple Software Update
2007-08-27 05:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"USRpdA"="C:\WINDOWS\SYSTEM32\USRmlnkA.exe" [2003-03-31 05:00]
"IMONTRAY"="C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe" [2003-01-10 13:08]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-12-15 20:26]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-01-23 11:20]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 22:10]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 15:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"TraySantaCruz"="C:\WINDOWS\system32\tbctray.exe" [2002-04-17 12:51]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [2006-05-28 20:35]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 14:22]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2003-12-20 15:43:59]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-11 01:00:00]
Microsoft Office Shortcut Bar.lnk - C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE [1997-07-11 01:00:00]
Net DDE.lnk - C:\WINDOWS\system32\netdde.exe [2004-06-16 11:32:52]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-11 01:00:00]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\mlljk.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
R0 mpegport;mpegport;C:\WINDOWS\System32\DRIVERS\mpegport.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
R1 UBHelper;UBHelper;C:\WINDOWS\System32\drivers\UBHelper.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R2 iSMBIOS;iSMBIOS;\??\C:\WINDOWS\System32\drivers\iSMBIOS.SYS
R2 rmdvd;RM DVD helper;C:\WINDOWS\System32\DRIVERS\rmdvd.sys
R2 SIODRV;SIODRV;\??\C:\WINDOWS\System32\drivers\SIODRV.SYS
R3 ICAM3NT5;Intel(r) PC Camera CS331;C:\WINDOWS\System32\Drivers\ICAM3D2.SYS
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
R3 smbusp;Intel(R) SMBus 2.0 Driver;C:\WINDOWS\System32\DRIVERS\smb.sys
R3 tbcspud;Santa Cruz Driver;C:\WINDOWS\System32\drivers\tbcspud.sys
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\System32\drivers\tbcwdm.sys
R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\System32\DRIVERS\USRpdA.sys
S3 cel90xbe;cel90xbe;\??\C:\DOCUME~1\JOHNZE~1\LOCALS~1\Temp\cel90xbe.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 rmquasar;Hollywood Plus MiniDriver;C:\WINDOWS\System32\DRIVERS\rmquasar.sys
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-11 20:22:29
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-11 20:24:15 - machine was rebooted
.
--- E O F ---
=====
Here's the log from HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:47 PM, on 10/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
C:\Program Files\WinPMail\winpm-32.exe
C:\Documents and Settings\John Zechiel\Desktop\BiJaciThis.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mlb.com/"); (C:\Documents and Settings\JOHN ZECHIEL\Application Data\Mozilla\Profiles\default\o8dohl6q.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\JOHN ZECHIEL\Application Data\Mozilla\Profiles\default\o8dohl6q.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Net DDE.lnk = C:\WINDOWS\system32\netdde.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .html: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191450472234
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O18 - Protocol: msell2 - {9367D24B-8506-471A-915A-CFBB4BCEB631} - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\MSELL2.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
O23 - Service: tbaspi - Voyetra Turtle Beach, Inc. - C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\TURTLE~1\AUDIOS~1\x10nets.exe
--
End of file - 7561 bytes
====
We don't know if this was successful or not. If my son tells me the problem still exists, I'll post here. If this is my last message, then it's because the problem has not reemerged.
Thanks again for all your help.
Dave Zechiel
•
•
Join Date: Feb 2004
Location: Oztralya
Posts: 8,018
Reputation:
Rep Power: 23
Solved Threads: 455
Can you please do the following.
===============
Scan with HijackThis and then place a check next to all the following, if present:
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
===============
When your done, rescan your system and make sure the following isn't present:
N3 - Netscape ... 5CSBWeb_01.src (or) 5CSBWeb_02.src
If it is, then fix that entry again; sometimes it'll take more than one pass. The actual entry is ok, and won't be deleted, it's the java wrapper marked in red that needs to be removed.
===============
Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.
C:\WINDOWS\system32\drivers\mouhid.sys
C:\WINDOWS\system32\dllcache\mouhid.sys
C:\WINDOWS\system32\drivers\hidusb.sys
C:\WINDOWS\system32\dllcache\hidusb.sys
===============
Scan with HijackThis and then place a check next to all the following, if present:
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
===============
When your done, rescan your system and make sure the following isn't present:
N3 - Netscape ... 5CSBWeb_01.src (or) 5CSBWeb_02.src
If it is, then fix that entry again; sometimes it'll take more than one pass. The actual entry is ok, and won't be deleted, it's the java wrapper marked in red that needs to be removed.
===============
Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.
C:\WINDOWS\system32\drivers\mouhid.sys
C:\WINDOWS\system32\dllcache\mouhid.sys
C:\WINDOWS\system32\drivers\hidusb.sys
C:\WINDOWS\system32\dllcache\hidusb.sys
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
•
•
Join Date: Oct 2007
Location: Southern California
Posts: 9
Reputation:
Rep Power: 0
Solved Threads: 0
Chess Player
Hi, crunchie,
Here are the logs from the scan of the four drivers you asked for, along with a HijackThis log report. My son says his computer didn't display any symptoms since we ran combofix.exe.
File to upload & scan: Virus
Service
Service load:
0% 100%
File: mouhid.sys
Status:
OK
MD5: b1c303e17fb9d46e87a98e4ba6769685
Packers detected:
Analyzing...
Bit9 reports: No threat detected (more info)
Scanner results
Scan taken on 12 Oct 2007 17:38:09 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
Service load:
0% 100%
File: mouhid.sys
Status:
OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: b1c303e17fb9d46e87a98e4ba6769685
Packers detected:
-
Bit9 reports: No threat detected (more info)
Scanner results
Scan taken on 12 Oct 2007 17:42:09 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
Service load:
0% 100%
File: hidusb.sys
Status:
OK
MD5: 1de6783b918f540149aa69943bdfeba8
Packers detected:
-
Bit9 reports: No threat detected (more info)
Scanner results
Scan taken on 12 Oct 2007 17:43:48 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
Service load:
0% 100%
File: hidusb.sys
Status:
OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 1de6783b918f540149aa69943bdfeba8
Packers detected:
-
Bit9 reports: No threat detected (more info)
Scanner results
Scan taken on 12 Oct 2007 17:47:08 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
===
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:08 AM, on 10/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2004\EDICT.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcvsshld.exe
C:\Program Files\WinPMail\winpm-32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\John Zechiel\Desktop\BiJaciThis.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mlb.com/"); (C:\Documents and Settings\JOHN ZECHIEL\Application Data\Mozilla\Profiles\default\o8dohl6q.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\JOHN ZECHIEL\Application Data\Mozilla\Profiles\default\o8dohl6q.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Net DDE.lnk = C:\WINDOWS\system32\netdde.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .html: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191450472234
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O18 - Protocol: msell2 - {9367D24B-8506-471A-915A-CFBB4BCEB631} - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\MSELL2.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
O23 - Service: tbaspi - Voyetra Turtle Beach, Inc. - C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\TURTLE~1\AUDIOS~1\x10nets.exe
--
End of file - 7956 bytes
Thanks again for all your help.
David Zechiel
Here are the logs from the scan of the four drivers you asked for, along with a HijackThis log report. My son says his computer didn't display any symptoms since we ran combofix.exe.
File to upload & scan: Virus
Service
Service load:
0% 100%
File: mouhid.sys
Status:
OK
MD5: b1c303e17fb9d46e87a98e4ba6769685
Packers detected:
Analyzing...
Bit9 reports: No threat detected (more info)
Scanner results
Scan taken on 12 Oct 2007 17:38:09 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
Service load:
0% 100%
File: mouhid.sys
Status:
OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: b1c303e17fb9d46e87a98e4ba6769685
Packers detected:
-
Bit9 reports: No threat detected (more info)
Scanner results
Scan taken on 12 Oct 2007 17:42:09 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
Service load:
0% 100%
File: hidusb.sys
Status:
OK
MD5: 1de6783b918f540149aa69943bdfeba8
Packers detected:
-
Bit9 reports: No threat detected (more info)
Scanner results
Scan taken on 12 Oct 2007 17:43:48 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
Service load:
0% 100%
File: hidusb.sys
Status:
OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 1de6783b918f540149aa69943bdfeba8
Packers detected:
-
Bit9 reports: No threat detected (more info)
Scanner results
Scan taken on 12 Oct 2007 17:47:08 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
===
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:08 AM, on 10/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2004\EDICT.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcvsshld.exe
C:\Program Files\WinPMail\winpm-32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\John Zechiel\Desktop\BiJaciThis.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mlb.com/"); (C:\Documents and Settings\JOHN ZECHIEL\Application Data\Mozilla\Profiles\default\o8dohl6q.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\JOHN ZECHIEL\Application Data\Mozilla\Profiles\default\o8dohl6q.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Net DDE.lnk = C:\WINDOWS\system32\netdde.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .html: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191450472234
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O18 - Protocol: msell2 - {9367D24B-8506-471A-915A-CFBB4BCEB631} - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\MSELL2.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
O23 - Service: tbaspi - Voyetra Turtle Beach, Inc. - C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\TURTLE~1\AUDIOS~1\x10nets.exe
--
End of file - 7956 bytes
Thanks again for all your help.
David Zechiel
•
•
Join Date: Feb 2004
Location: Oztralya
Posts: 8,018
Reputation:
Rep Power: 23
Solved Threads: 455
You are welcome.
Congratulations! Your log looks clean - good work!
===============
Now that your PC is clean you need to follow these easy steps to keeping it this way:
Download CCleaner and install, then run it. It will clear out your temp folders.
Secure your Internet Explorer by going here and following the instructions there.
Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.
Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.
Install and keep updated, AVG anti-spyware, Ad-Aware SE and Spybot S&D.
Run them all on a regular basis, following the maker's recommendations.
Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.
Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.
Empty the Recycle Bin.
For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.
Go to Start | Run and type msconfig and press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.
Check the box labelled 'Turn off System restore'.
Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
Note that all previous restore points will be lost.
===============
If you have any more problems, post back.
-
Happy surfing,
crunchie.
Congratulations! Your log looks clean - good work!
===============
Now that your PC is clean you need to follow these easy steps to keeping it this way:
Download CCleaner and install, then run it. It will clear out your temp folders.
- Uncheck "Cookies" under "Internet Explorer".
- Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
- Close when finished.
Secure your Internet Explorer by going here and following the instructions there.
Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.
Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.
Install and keep updated, AVG anti-spyware, Ad-Aware SE and Spybot S&D.
Run them all on a regular basis, following the maker's recommendations.
Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.
Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.
Empty the Recycle Bin.
For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.
Go to Start | Run and type msconfig and press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.
Check the box labelled 'Turn off System restore'.
Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
Note that all previous restore points will be lost.
===============
If you have any more problems, post back.
-
Happy surfing,
crunchie.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
|
•
•
•
•
•
•
•
•
DaniWeb Viruses, Spyware and other Nasties Marketplace
•
•
•
•
Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
Linear Mode
•
•
•
•
adware beta bon browser browsers defender development echo email encryption firefox gecko im internet internet explorer 7 leak legal linux malware mcafee memory microsoft mozilla networking new folder new viruses news nhatquanglan open source open-source patch phishing reliability scams search security social software spyware super survey svchost testing users virus viruses vista web webmail windows
- Vista: Networking: "LSP is outdated"? (Windows Vista)
- Comments about browser window spam issues (Viruses, Spyware and other Nasties)
- Despite use of Firefox, IE pop-ups still abundant (Viruses, Spyware and other Nasties)
- XP SP2 Freezing upon opening new explorer/Internet excplorer windows (Viruses, Spyware and other Nasties)
- New Laptop .... Browser keeps opening (Viruses, Spyware and other Nasties)
- Browser Windows Keep Opening and Won´t Stop (HT Log included) (Viruses, Spyware and other Nasties)
- XP SP2 Freezing upon opening new explorer/Internet excplorer windows (Viruses, Spyware and other Nasties)
- IE and Firefox problems (Windows NT / 2000 / XP / 2003)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: Infestation under control now need to clean it up
- Next Thread: Do they always get in...eventually??
