
I can only assume that my habit for p2p servers is what's destroyed my computer's speed and created this pop-up and internet problem. Explorer and Firefox keep opening and closing by themselves and my computer tells me that it NEEDS to connect to networks that I am unfamiliar with in order to download more advertisements and adware. If anyone can glance through this for me it would mean a lot. I appreciate the help.

Malwarebytes' Anti-Malware 1.27
Database version: 1127
Windows 5.1.2600 Service Pack 3


9/29/2008 10:01:13 PM
mbam-log-2008-09-29 (22-01-13).txt


Scan type: Full Scan (C:\|D:\|)
Objects scanned: 100178
Time elapsed: 41 minute(s), 44 second(s)


Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 4
Files Infected: 18


Memory Processes Infected:
(No malicious items detected)


Memory Modules Infected:
C:\WINDOWS\system32\pmnllJdE.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sduggwwu.dll (Trojan.Vundo.H) -> Delete on reboot.


Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2a2ce504-670b-4cd1-934e-f085ccd99dd4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{2a2ce504-670b-4cd1-934e-f085ccd99dd4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9f659df8-753e-5be5-1e00-2d10eb7b27b8} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9f659df8-753e-5be5-1e00-2d10eb7b27b8} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.


Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14154bda (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm17267846 (Trojan.Agent) -> Quarantined and deleted successfully.


Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\pmnlljde -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\pmnlljde  -> Delete on reboot.


Folders Infected:
C:\Program Files\Outerinfo (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.Darkfaithfull.000\Start Menu\Programs\Outerinfo (Malware.Trace) -> Quarantined and deleted successfully.


Files Infected:
C:\WINDOWS\system32\pmnllJdE.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\EdJllnmp.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\EdJllnmp.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sduggwwu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\uwwgguds.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uaoy.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\Terms.rtf (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\chrome.manifest (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\install.rdf (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components\FF.dll (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.Darkfaithfull.000\Start Menu\Programs\Outerinfo\Terms.lnk (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gyjfroeh.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayxUkhF.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM17267846.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM17267846.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.Darkfaithfull.000\~.exe (Trojan.Agent) -> Quarantined and deleted successfully.


-------------------------------------------------------------------------------------


SDFix: Version 1.230 
Run by Owner on Mon 09/29/2008 at 08:30 PM


Microsoft Windows XP [Version 5.1.2600]
Running From: C:\Documents and Settings\Owner.Darkfaithfull.000\Desktop\SDFix\SDFix


Checking Services :



Restoring Default Security Values
Restoring Default Hosts File


Rebooting


Checking Files :


Trojan Files Found:


C:\WINDOWS\system32\khfCSjKb.dll - Deleted
C:\Program Files\GetModule\dicik.gz - Deleted
C:\Program Files\GetModule\GetModule23.exe - Deleted
C:\Program Files\GetModule\kwdik.gz - Deleted
C:\Program Files\GetModule\ozadik.gz - Deleted
C:\Program Files\iCheck\iCheck.exe - Deleted
C:\Program Files\iCheck\Uninstall.exe - Deleted
C:\Program Files\Common Files\Yazzle1554OinUninstaller.exe - Deleted
C:\WINDOWS\faceback.exe - Deleted
C:\WINDOWS\pskt.ini - Deleted


Folder C:\Program Files\GetModule - Removed
Folder C:\Program Files\GetPack - Removed
Folder C:\Program Files\iCheck - Removed
Folder C:\Program Files\VnrBlock - Removed



Removing Temp Files


ADS Check :


Final Check :


catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-29 20:42:28
Windows 5.1.2600 Service Pack 3 NTFS


scanning hidden processes ...


scanning hidden services & system hive ...


scanning hidden registry entries ...


scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1221894536\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1221894536\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files :



File Backups: - C:\DOCUME~1\OWNERD~1.000\Desktop\SDFix\SDFix\backups\backups.zip


Files with Hidden Attributes :


Tue 23 Sep 2008        20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Tue 23 Sep 2008           265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Fri 26 Sep 2008       618,496 ..SHR --- "C:\WINDOWS\system32\?ymantec\?vchost.exe"
Thu 25 Sep 2008             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 28 Sep 2008       184,320 ..SHR --- "C:\Documents and Settings\Owner.Darkfaithfull.000\Application Data\s?curity\regedit.exe"
Thu 25 Sep 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f79e01ce8ee10a7556514a051f797f4\BIT2E9.tmp"


Finished!


------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:03 AM, on 9/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\?ymantec\?vchost.exe
C:\DOCUME~1\OWNERD~1.000\APPLIC~1\SCURIT~1\regedit.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Owner.Darkfaithfull.000\Desktop\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: OIN Analytics - {6B221E01-F517-4959-8C41-81948E7F2F17} - C:\Program Files\OINAnalytics\OINAnalytics.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Vgwugk] C:\WINDOWS\system32\?ymantec\?vchost.exe
O4 - HKCU\..\Run: [Ealb] "C:\DOCUME~1\OWNERD~1.000\APPLIC~1\SCURIT~1\regedit.exe" -vt yazb
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B1EF891-B89A-486B-B2DB-F54744E4AB1A}: NameServer = 68.87.72.130,68.87.77.130
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


--
End of file - 7887 bytes

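Added example (not part of this thread, and not code from Malwarebytes, SDFix, HijackThis or ComboFix): a small Python triage script that applies to HijackThis lines the checks a responder does by eye on the logs above, plus a check of the two LSA values that the Malwarebytes log shows Vundo modifying. The sample lines are copied from the HijackThis and Malwarebytes logs in this post. Assumptions: the XP defaults for the LSA lists (msv1_0 for Authentication Packages, scecli for Notification Packages; server SKUs and some third-party credential providers legitimately add entries), and that the '?' in paths such as `C:\WINDOWS\system32\?ymantec\?vchost.exe` marks a character the tool could not render (the 8.3 name `SCURIT~1` for the `s?curity` directory is what you get when that character is dropped). The heuristics are a review list, not a verdict.

```python
import re

# Default LSA package lists on a clean Windows XP install (assumption; server
# SKUs and some third-party credential providers legitimately add entries).
# Both are REG_MULTI_SZ values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa
# naming DLLs that lsass.exe loads at boot, which is why Vundo registers there.
LSA_BASELINE = {
    "Authentication Packages": {"msv1_0"},
    "Notification Packages": {"scecli"},
}

# Windows binaries whose names malware borrows; the real ones live under %WINDIR%.
SYSTEM_BINARY_NAMES = {"svchost.exe", "regedit.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

USER_WRITABLE = re.compile(
    r"(documents and settings|docume~1|application data|applic~1|local settings|\\temp\\)", re.I)
WINDIR = re.compile(r"^(c:\\windows|%windir%|%systemroot%)\\", re.I)

_O4 = re.compile(r"^O4 - HK[A-Z]+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O2 = re.compile(r"^O2 - BHO: (?P<desc>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
_O17 = re.compile(r"^O17 - .*NameServer = (?P<servers>\S+)")


def has_lookalike_component(path):
    r"""True if any path component contains '?' or a non-ASCII character.

    HijackThis and SDFix print '?' for a character they cannot render, so
    C:\WINDOWS\system32\?ymantec\?vchost.exe is a directory and a file whose
    first letter is most likely a non-Latin lookalike meant to pass as Symantec/svchost.
    """
    return any("?" in part or not part.isascii() for part in re.split(r"[\\/]", path))


def exe_from_command(cmd):
    """Pull the executable path out of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.I)
    return cmd[: m.end()] if m else cmd.split(" ", 1)[0]


def triage_hjt(lines):
    """Return (section, target, reason) for HijackThis O2/O4/O17 lines worth a look."""
    findings = []
    for line in lines:
        line = line.strip()
        if m := _O4.match(line):
            exe = exe_from_command(m.group("cmd"))
            base = exe.rsplit("\\", 1)[-1].lower()
            if has_lookalike_component(exe):
                findings.append(("O4", exe, "path contains '?' or non-ASCII lookalike characters"))
            if USER_WRITABLE.search(exe):
                findings.append(("O4", exe, "autorun from a user-writable location"))
            if base in SYSTEM_BINARY_NAMES and not WINDIR.match(exe):
                findings.append(("O4", exe, f"{base} outside %WINDIR%"))
        elif m := _O2.match(line):
            path = m.group("path")
            parent = path.rsplit("\\", 1)[0].lower()
            if parent.endswith("system32") or USER_WRITABLE.search(path):
                findings.append(("O2", path, "BHO DLL not in a vendor directory; verify its publisher"))
        elif m := _O17.match(line):
            findings.append(("O17", m.group("servers"), "explicit DNS servers; confirm they are the ISP's"))
    return findings


def check_lsa_packages(values):
    """values maps each LSA value name to its REG_MULTI_SZ list; returns the
    entries that are not in the baseline, i.e. extra DLLs lsass.exe will load."""
    extra = {}
    for name, baseline in LSA_BASELINE.items():
        found = [v for v in values.get(name, []) if v.strip().lower() not in baseline]
        if found:
            extra[name] = found
    return extra


# Sample input: lines copied from the HijackThis log in this post.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Vgwugk] C:\WINDOWS\system32\?ymantec\?vchost.exe
O4 - HKCU\..\Run: [Ealb] "C:\DOCUME~1\OWNERD~1.000\APPLIC~1\SCURIT~1\regedit.exe" -vt yazb
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B1EF891-B89A-486B-B2DB-F54744E4AB1A}: NameServer = 68.87.72.130,68.87.77.130
"""

# Reconstructed from the two "Registry Data Items Infected" lines in the MBAM
# log: the XP defaults plus the value Vundo appended (assumption: nothing else
# was in those lists).
LSA_FROM_MBAM_LOG = {
    "Authentication Packages": ["msv1_0", r"c:\windows\system32\pmnlljde"],
    "Notification Packages": ["scecli", r"c:\windows\system32\pmnlljde"],
}

if __name__ == "__main__":
    for section, target, reason in triage_hjt(SAMPLE_HJT.splitlines()):
        print(f"{section}: {target}  <- {reason}")
    for name, extra in check_lsa_packages(LSA_FROM_MBAM_LOG).items():
        print(f"LSA {name}: unexpected {extra}")
```

On the sample it lists five items: BAE.dll (which the system32 heuristic cannot tell apart from uaoy.dll, and which none of the scanners in this thread flagged), the `?ymantec\?vchost.exe` autorun, the `regedit.exe` copy in Application Data twice (user-writable location, and a system binary name outside %WINDIR%), and the O17 name servers; the LSA check returns `pmnlljde` for both values. Whatever lsass.exe loads from those lists runs as SYSTEM at every boot before any user logs on, which is why Malwarebytes could only mark those items "Delete on reboot".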


Hi and welcome to the Daniweb forums :).

==========

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Thanks for the welcome and the reply. Now let's give this another go...


ComboFix 08-09-30.03 - Owner 2008-09-30 19:23:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.Darkfaithfull.000\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner.Darkfaithfull.000\Application Data\SCURIT~1
C:\Documents and Settings\Owner.Darkfaithfull.000\Application Data\SCURIT~1\regedit.exe
C:\Documents and Settings\Owner.Darkfaithfull.000\Application Data\SCURIT~1\s?curity\
C:\Documents and Settings\Owner.Darkfaithfull.000\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\awapptlt.ini
C:\WINDOWS\system32\ymante~1
C:\WINDOWS\system32\ymante~1\?vchost.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-09-01 to 2008-10-01 )))))))))))))))))))))))))))))))
.

2008-09-30 19:18 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-09-30 19:18 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-09-30 19:18 . 2008-04-13 13:45 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-09-30 19:18 . 2008-04-13 13:45 10,368 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-09-29 22:10 . 2008-09-30 05:27 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-09-29 21:17 . 2008-09-29 21:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-29 21:17 . 2008-09-29 21:17 <DIR> d-------- C:\Documents and Settings\Owner.Darkfaithfull.000\Application Data\Malwarebytes
2008-09-29 21:17 . 2008-09-29 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-29 21:17 . 2008-09-08 00:11 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-29 21:17 . 2008-09-08 00:11 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-29 20:29 . 2008-09-29 20:29 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-09-29 20:28 . 2008-09-29 20:28 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-28 23:11 . 2008-09-29 23:05 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-09-28 23:07 . 2008-09-29 23:05 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-09-28 10:45 . 2008-09-28 10:45 <DIR> d-------- C:\Program Files\OINAnalytics
2008-09-25 23:20 . 2008-09-25 23:20 <DIR> d-------- C:\Program Files\MSBuild
2008-09-25 23:16 . 2008-09-25 23:16 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-09-25 23:15 . 2008-09-25 23:15 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-09-25 23:14 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-09-25 23:11 . 2008-09-25 23:11 <DIR> d-------- C:\Documents and Settings\Owner.Darkfaithfull.000\Application Data\Windows Desktop Search
2008-09-25 23:10 . 2008-09-25 23:10 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-09-25 23:10 . 2008-09-25 23:10 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-09-25 23:10 . 2008-03-07 12:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-09-25 23:10 . 2008-03-07 12:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-09-25 23:10 . 2008-03-07 12:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-09-25 23:09 . 2008-09-25 23:09 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-09-25 23:08 . 2008-09-25 23:09 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-09-25 23:07 . 2008-09-25 23:07 <DIR> d-------- C:\Documents and Settings\Owner.Darkfaithfull.000.Darkfaithfull.000
2008-09-25 23:07 . 2008-09-25 23:07 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Intel
2008-09-25 23:07 . 2008-09-25 23:07 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Intel
2008-09-25 23:07 . 2008-09-25 23:07 <DIR> d-------- C:\Documents and Settings\Default User.Darkfaithfull.000
2008-09-25 23:07 . 2008-09-25 23:07 <DIR> d-------- C:\Documents and Settings\Administrator.Darkfaithfull.000
2008-09-25 23:07 . 2008-09-25 23:07 376,832 --a------ C:\WINDOWS\system32\AegisI5Installer.exe
2008-09-25 23:07 . 2008-09-25 23:07 21,361 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-09-25 23:07 . 2008-09-25 23:07 21,361 --a------ C:\WINDOWS\AegisP.sys
2008-09-25 23:07 . 2008-09-25 23:07 13,984 --a------ C:\WINDOWS\AegisP.inf
2008-09-25 23:07 . 2008-09-25 23:07 10,640 --a------ C:\WINDOWS\AegisP.cat
2008-09-25 23:06 . 2008-09-25 23:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intel
2008-09-25 23:06 . 2008-09-25 23:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-09-25 23:06 . 2007-08-27 10:12 2,777,088 --a------ C:\WINDOWS\system32\NETw4r32.dll
2008-09-25 23:06 . 2007-10-31 10:23 2,236,544 --a------ C:\WINDOWS\system32\drivers\NETw4x32.sys
2008-09-25 23:06 . 2007-08-27 10:12 745,472 --a------ C:\WINDOWS\system32\NETw4c32.dll
2008-09-25 23:05 . 2008-09-25 23:05 <DIR> d-------- C:\Documents and Settings\Owner.Darkfaithfull.000\Application Data\Intel
2008-09-23 19:42 . 2008-09-28 10:53 <DIR> d-------- C:\Documents and Settings\Owner.Darkfaithfull.000\Application Data\Azureus
2008-09-23 19:42 . 2008-09-23 19:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-09-23 19:41 . 2008-09-23 19:41 <DIR> d-------- C:\Program Files\Vuze
2008-09-23 19:32 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-09-23 19:32 . 2008-09-30 05:24 9,657 --a------ C:\WINDOWS\system32\Config.MPF
2008-09-23 19:30 . 2008-09-23 19:30 <DIR> d-------- C:\Program Files\McAfee.com
2008-09-23 19:30 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-09-23 19:30 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-09-23 19:30 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-09-23 19:30 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-09-23 19:30 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-09-23 19:30 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-09-23 19:29 . 2008-09-23 19:30 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-09-21 00:33 . 2008-09-21 00:33 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-09-20 03:00 . 2008-09-25 23:08 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-09-20 02:51 . 2008-09-20 02:51 2 --a------ C:\WINDOWS\msoffice.ini
2008-09-20 02:38 . 2008-09-20 00:46 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-09-20 02:38 . 2008-09-20 00:46 <DIR> d-------- C:\Documents and Settings\Owner.Darkfaithfull.000\WINDOWS
2008-09-20 02:38 . 2008-09-20 02:09 <DIR> d-------- C:\Documents and Settings\Owner.Darkfaithfull.000\Application Data\You've Got Pictures Screensaver
2008-09-20 02:38 . 2008-09-20 02:11 <DIR> d-------- C:\Documents and Settings\Owner.Darkfaithfull.000\Application Data\SampleView
2008-09-20 02:38 . 2008-09-29 22:01 <DIR> d-------- C:\Documents and Settings\Owner.Darkfaithfull.000
2008-09-20 02:30 . 2008-09-20 02:30 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-09-20 02:27 . 2008-09-20 02:27 333 --a------ C:\WINDOWS\system32\$ncsp$.inf
2008-09-20 02:27 . 2008-09-20 02:27 0 --a------ C:\WINDOWS\system32\Gateway_MX6931_Rev.1_RL000071267020059.MRK
2008-09-20 02:26 . 2006-03-23 12:12 139,264 --a------ C:\WINDOWS\system32\igfxres.dll
2008-09-20 02:25 . 2008-09-23 19:20 28,896 --a------ C:\WINDOWS\system32\Status.MPF
2008-09-20 02:20 . 2008-09-25 23:06 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-09-20 02:19 . 2008-09-25 23:28 <DIR> d-------- C:\Program Files\McAfee
2008-09-20 02:19 . 2008-09-20 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2008-09-20 02:19 . 2008-09-20 02:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-09-20 02:19 . 2008-09-23 19:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-09-20 02:17 . 2008-09-20 02:17 <DIR> d-------- C:\Program Files\gtw_logo
2008-09-20 02:17 . 2008-09-20 02:38 <DIR> d-------- C:\Documents and Settings\Owner
2008-09-20 02:17 . 2006-02-06 14:24 1,239,209 --a------ C:\WINDOWS\system32\gtw_logo.scr
2008-09-20 02:17 . 2003-07-03 17:48 23,552 --a------ C:\WINDOWS\system32\jesterss.dll
2008-09-20 02:17 . 2006-04-21 11:50 1,150 --a------ C:\WINDOWS\system32\gtw.ico
2008-09-20 02:15 . 2006-05-24 11:28 741,376 --a------ C:\WINDOWS\system32\BigFixSuppress.exe
2008-09-20 02:15 . 2006-05-24 11:28 741,376 --a------ C:\WINDOWS\system32\BigFixShortcutInStartup.exe
2008-09-20 02:14 . 2008-09-20 02:14 <DIR> d-------- C:\WINDOWS\tiinst
2008-09-20 02:12 . 2008-09-20 02:12 <DIR> d-------- C:\Program Files\Motorola
2008-09-20 02:11 . 2008-09-20 02:11 <DIR> d-------- C:\Program Files\SigmaTel
2008-09-20 02:11 . 2008-09-20 02:11 <DIR> d-------- C:\Program Files\Microsoft Money 2006
2008-09-20 02:11 . 2008-09-20 02:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-09-20 02:11 . 2006-06-15 15:28 1,179,784 --a------ C:\WINDOWS\system32\drivers\sthda.sys
2008-09-20 02:11 . 2006-04-20 14:12 1,069,056 --a------ C:\WINDOWS\system32\stlang.dll
2008-09-20 02:11 . 2005-12-27 10:20 413,696 --a------ C:\WINDOWS\stsystra.exe
2008-09-20 02:11 . 2006-06-15 15:24 217,088 --a------ C:\WINDOWS\system32\stacapi.dll
2008-09-20 02:11 . 2008-04-13 19:12 129,536 --a------ C:\WINDOWS\system32\ksproxy.ax
2008-09-20 02:11 . 2006-06-15 15:25 117,248 --a------ C:\WINDOWS\system32\staco.dll
2008-09-20 02:11 . 2003-03-25 07:00 67,072 --a------ C:\WINDOWS\POWERCFG.EXE
2008-09-20 02:11 . 2008-04-13 13:45 60,160 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-09-20 02:11 . 2008-04-13 19:11 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2008-09-20 02:10 . 2008-09-20 02:10 <DIR> d-------- C:\Program Files\MSN Encarta Plus
2008-09-20 02:10 . 2008-09-20 02:10 <DIR> d-------- C:\Program Files\Microsoft Works
2008-09-20 02:09 . 2008-09-20 02:09 <DIR> d-------- C:\Program Files\Viewpoint
2008-09-20 02:09 . 2008-09-20 02:09 <DIR> d-------- C:\Program Files\Real
2008-09-20 02:09 . 2008-09-20 02:09 <DIR> d-------- C:\Program Files\QuickTime
2008-09-20 02:09 . 2008-09-20 02:58 <DIR> d-------- C:\Program Files\Pure Networks
2008-09-20 02:09 . 2008-09-20 02:09 <DIR> d-------- C:\Program Files\Common Files\Real
2008-09-20 02:09 . 2008-09-20 02:09 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2008-09-20 02:09 . 2008-09-20 02:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-09-20 02:09 . 2008-09-20 02:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2008-09-20 02:09 . 2008-09-20 02:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-09-20 02:09 . 2008-09-20 02:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-09-20 02:08 . 2008-09-28 20:29 <DIR> d-------- C:\Program Files\Napster
2008-09-20 02:08 . 2008-09-20 02:08 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-09-20 02:08 . 2008-09-20 02:51 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-09-20 02:08 . 2008-09-28 20:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Napster
2008-09-20 02:08 . 2008-09-20 02:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-09-20 02:08 . 2008-09-20 02:10 1,179 --ah----- C:\IPH.PH
2008-09-20 02:08 . 2008-09-20 02:08 335 --a------ C:\WINDOWS\nsreg.dat
2008-09-20 02:07 . 2008-09-20 02:07 <DIR> d-------- C:\ses2_client_bin_2_8_13g
2008-09-20 02:07 . 2008-09-20 02:20 <DIR> d-------- C:\Program Files\Intel
2008-09-20 02:07 . 2005-02-01 13:18 17,992 --a------ C:\WINDOWS\system32\drivers\bcm42rly.sys
2008-09-20 02:07 . 2008-09-20 02:07 4 --a------ C:\WINDOWS\Pix11.dat
2008-09-20 02:06 . 2008-09-20 02:07 <DIR> d-------- C:\Program Files\Microsoft Digital Image 2006
2008-09-20 02:06 . 2008-09-20 02:06 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-09-20 02:06 . 2003-03-18 23:05 89,088 -ra------ C:\WINDOWS\system32\atl71.dll
2008-09-20 02:05 . 2008-09-20 02:53 <DIR> d-------- C:\Program Files\WildTangent
2008-09-20 02:05 . 2008-09-20 02:53 <DIR> d-------- C:\Program Files\Gateway Games
2008-09-20 02:05 . 2008-09-20 02:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WildTangent
2008-09-20 02:04 . 2008-09-20 02:04 <DIR> d-------- C:\Program Files\Synaptics

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-20 07:09 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
2008-09-20 05:46 --------- d-----w C:\Program Files\Windows Plus
2008-09-20 05:46 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vgwugk"="C:\WINDOWS\system32\?ymantec\?vchost.exe" [?]
"Power2GoExpress"="NA" [X]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-23 573440]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 118784]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-11-01 995328]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-11-01 1101824]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-20 98304]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=


*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Ealb - C:\DOCUME~1\OWNERD~1.000\APPLIC~1\SCURIT~1\regedit.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner.Darkfaithfull.000\Application Data\Mozilla\Firefox\Profiles\r0r6rp6l.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_02\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_02\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_02\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_02\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_02\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 19:25:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-30 19:26:32
ComboFix-quarantined-files.txt 2008-10-01 00:26:29

Pre-Run: 98,657,538,048 bytes free
Post-Run: 98,649,116,672 bytes free

243 --- E O F --- 2008-09-27 08:01:26


--------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:05 PM, on 9/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\?ymantec\?vchost.exe
C:\DOCUME~1\OWNERD~1.000\APPLIC~1\SCURIT~1\regedit.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner.Darkfaithfull.000\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Vgwugk] C:\WINDOWS\system32\?ymantec\?vchost.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B1EF891-B89A-486B-B2DB-F54744E4AB1A}: NameServer = 68.87.72.130,68.87.77.130
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 7199 bytes


1. Please open Notepad. Click Start, then Run, and type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:
KillAll::

Folder::
C:\WINDOWS\system32\?ymantec
C:\DOCUME~1\OWNERD~1.000\APPLIC~1\SCURIT~1

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vgwugk"=-

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
Combofix.txt
A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attachments: CFScript.gif (27.09 KB)
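As an added illustration (not part of this thread, and not code from HijackThis, ComboFix or the helper), here is a small Python triage script that encodes the reading of the O4 autorun entries that the CFScript above acts on: the '?' placeholders in "?ymantec\?vchost.exe", a regedit.exe living under the user's Application Data, and nothing else in the Run keys. The heuristics are the editor's own, and the sample log lines are constructed for the example, modelled on the HijackThis and ComboFix logs posted earlier.

```python
r"""Triage HijackThis O4 (autorun) entries the way the helper above reads them.

Added example for this thread: it is not code from HijackThis, ComboFix or the
forum helper, and the heuristics are this editor's, not the tools'. It flags:

  * a '?' inside a path. HijackThis and ComboFix print '?' for a character
    they cannot render in the log's code page, so "?ymantec\?vchost.exe" is a
    look-alike of Symantec\svchost.exe (the folder the CFScript removes)
  * a binary carrying the name of a Windows system tool (regedit.exe,
    svchost.exe, ...) started from outside the Windows directory
  * an executable autorun stored under a profile's Application Data folder

SAMPLE_LOG is constructed for this example, modelled on the O4 lines and the
"HKCU-Run-Ealb" orphan shown in the ComboFix log earlier in the thread.
"""
import re
from typing import Dict, List, Optional, Tuple

# Windows components that are only expected to start from %windir%.
SYSTEM_BINARIES = {"regedit.exe", "svchost.exe", "explorer.exe", "lsass.exe",
                   "services.exe", "winlogon.exe", "csrss.exe", "smss.exe"}

WINDIR_RE = re.compile(r"^(?:%windir%|c:\\windows)(?:\\|$)", re.IGNORECASE)
USER_APPDATA_RE = re.compile(
    r"\\(?:docume~1|documents and settings)\\.+?\\(?:applic~1|application data)\\",
    re.IGNORECASE)
# First token of a command line: optionally quoted, ending in a known extension.
PATH_RE = re.compile(
    r'^"?(?P<path>[^"]+?\.(?:exe|dll|scr|com|bat|cmd|pif))"?(?:\s|$)', re.IGNORECASE)

# Constructed sample, modelled on the thread's HijackThis O4 section.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [Vgwugk] C:\WINDOWS\system32\?ymantec\?vchost.exe
O4 - HKCU\..\Run: [Ealb] C:\DOCUME~1\OWNERD~1.000\APPLIC~1\SCURIT~1\regedit.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
"""


def parse_o4(line: str) -> Optional[Tuple[str, str, str]]:
    """Split an O4 line into (location, value name, command); None if not O4."""
    m = re.match(r"^O4 - (?P<loc>.+?): (?P<rest>.*)$", line.strip())
    if not m:
        return None
    loc, rest = m.group("loc"), m.group("rest")
    if rest.startswith("["):                    # registry Run value: [Name] command
        name, _, cmd = rest[1:].partition("] ")
    else:                                        # Startup folder: Name.lnk = target
        name, _, cmd = rest.partition(" = ")
    return loc, name.strip(), cmd.strip()


def command_path(cmd: str) -> Optional[str]:
    """Extract the program path from a command line, dropping quotes and arguments."""
    m = PATH_RE.match(cmd)
    return m.group("path") if m else None


def triage_o4(line: str) -> List[str]:
    """Findings for one O4 line; an empty list means nothing looked odd."""
    parsed = parse_o4(line)
    if parsed is None:
        return []
    _loc, _name, cmd = parsed
    path = command_path(cmd)
    if path is None:                             # e.g. "NA": nothing to inspect
        return []
    findings = []
    if "?" in path:
        findings.append("unrenderable character in path (look-alike of a system name)")
    basename = path.rsplit("\\", 1)[-1].lower()
    if basename in SYSTEM_BINARIES and not WINDIR_RE.match(path):
        findings.append(f"{basename} started from outside the Windows directory")
    if USER_APPDATA_RE.search(path):
        findings.append("executable autorun stored under a profile's Application Data folder")
    return findings


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged O4 value name to its findings; clean entries are omitted."""
    report: Dict[str, List[str]] = {}
    for line in text.splitlines():
        findings = triage_o4(line)
        if findings:
            report[parse_o4(line)[1]] = findings
    return report


if __name__ == "__main__":
    for name, findings in triage_log(SAMPLE_LOG).items():
        print(f"[{name}]")
        for f in findings:
            print(f"    - {f}")
```

Run against the sample, only Vgwugk and Ealb come back flagged, which matches the two entries the CFScript targets; the legitimate vendor autoruns (Synaptics, Intel, McAfee, QuickTime) pass because they run from their own Program Files or %windir% locations. The heuristics are deliberately narrow: a '?' in a path or a system-tool name outside %windir% is rare enough in a clean log that each hit deserves a look, whereas broader rules would bury the signal in the dozens of benign entries a typical HijackThis log contains.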

Ok, so here are the results from that last run:

ComboFix 08-09-30.03 - Owner 2008-10-02 8:49:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1689 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.Darkfaithfull.000\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.Darkfaithfull.000\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-09-02 to 2008-10-02 )))))))))))))))))))))))))))))))
.

2008-09-30 19:18 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-09-30 19:18 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-09-30 19:18 . 2008-04-13 13:45 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-09-30 19:18 . 2008-04-13 13:45 10,368 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-09-29 22:10 . 2008-09-30 05:27 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-09-29 21:17 . 2008-09-29 21:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-29 21:17 . 2008-09-29 21:17 <DIR> d-------- C:\Documents and Settings\Owner.Darkfaithfull.000\Application Data\Malwarebytes
2008-09-29 21:17 . 2008-09-29 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-29 21:17 . 2008-09-08 00:11 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-29 21:17 . 2008-09-08 00:11 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-29 20:29 . 2008-09-29 20:29 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-09-29 20:28 . 2008-09-29 20:28 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-28 23:11 . 2008-09-29 23:05 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-09-28 23:07 . 2008-09-29 23:05 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-09-28 10:45 . 2008-09-28 10:45 <DIR> d-------- C:\Program Files\OINAnalytics
2008-09-25 23:20 . 2008-09-25 23:20 <DIR> d-------- C:\Program Files\MSBuild
2008-09-25 23:16 . 2008-09-25 23:16 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-09-25 23:15 . 2008-09-25 23:15 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-09-25 23:14 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-09-25 23:11 . 2008-09-25 23:11 <DIR> d-------- C:\Documents and Settings\Owner.Darkfaithfull.000\Application Data\Windows Desktop Search
2008-09-25 23:10 . 2008-09-25 23:10 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-09-25 23:10 . 2008-09-25 23:10 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-09-25 23:10 . 2008-03-07 12:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-09-25 23:10 . 2008-03-07 12:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-09-25 23:10 . 2008-03-07 12:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-09-25 23:09 . 2008-09-25 23:09 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-09-25 23:08 . 2008-09-25 23:09 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-09-25 23:07 . 2008-09-25 23:07 <DIR> d-------- C:\Documents and Settings\Owner.Darkfaithfull.000.Darkfaithfull.000
2008-09-25 23:07 . 2008-09-25 23:07 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Intel
2008-09-25 23:07 . 2008-09-25 23:07 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Intel
2008-09-25 23:07 . 2008-09-25 23:07 <DIR> d-------- C:\Documents and Settings\Default User.Darkfaithfull.000
2008-09-25 23:07 . 2008-09-25 23:07 <DIR> d-------- C:\Documents and Settings\Administrator.Darkfaithfull.000
2008-09-25 23:07 . 2008-09-25 23:07 376,832 --a------ C:\WINDOWS\system32\AegisI5Installer.exe
2008-09-25 23:07 . 2008-09-25 23:07 21,361 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-09-25 23:07 . 2008-09-25 23:07 21,361 --a------ C:\WINDOWS\AegisP.sys
2008-09-25 23:07 . 2008-09-25 23:07 13,984 --a------ C:\WINDOWS\AegisP.inf
2008-09-25 23:07 . 2008-09-25 23:07 10,640 --a------ C:\WINDOWS\AegisP.cat
2008-09-25 23:06 . 2008-09-25 23:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intel
2008-09-25 23:06 . 2008-09-25 23:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-09-25 23:06 . 2007-08-27 10:12 2,777,088 --a------ C:\WINDOWS\system32\NETw4r32.dll
2008-09-25 23:06 . 2007-10-31 10:23 2,236,544 --a------ C:\WINDOWS\system32\drivers\NETw4x32.sys
2008-09-25 23:06 . 2007-08-27 10:12 745,472 --a------ C:\WINDOWS\system32\NETw4c32.dll
2008-09-25 23:05 . 2008-09-25 23:05 <DIR> d-------- C:\Documents and Settings\Owner.Darkfaithfull.000\Application Data\Intel
2008-09-23 19:42 . 2008-09-28 10:53 <DIR> d-------- C:\Documents and Settings\Owner.Darkfaithfull.000\Application Data\Azureus
2008-09-23 19:42 . 2008-09-23 19:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-09-23 19:41 . 2008-09-23 19:41 <DIR> d-------- C:\Program Files\Vuze
2008-09-23 19:32 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-09-23 19:32 . 2008-10-02 08:51 9,657 --a------ C:\WINDOWS\system32\Config.MPF
2008-09-23 19:30 . 2008-09-23 19:30 <DIR> d-------- C:\Program Files\McAfee.com
2008-09-23 19:30 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-09-23 19:30 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-09-23 19:30 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-09-23 19:30 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-09-23 19:30 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-09-23 19:30 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-09-23 19:29 . 2008-09-23 19:30 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-09-21 00:33 . 2008-09-21 00:33 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-09-20 03:00 . 2008-09-25 23:08 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-09-20 02:51 . 2008-09-20 02:51 2 --a------ C:\WINDOWS\msoffice.ini
2008-09-20 02:38 . 2008-09-20 00:46 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-09-20 02:38 . 2008-09-20 00:46 <DIR> d-------- C:\Documents and Settings\Owner.Darkfaithfull.000\WINDOWS
2008-09-20 02:38 . 2008-09-20 02:09 <DIR> d-------- C:\Documents and Settings\Owner.Darkfaithfull.000\Application Data\You've Got Pictures Screensaver
2008-09-20 02:38 . 2008-09-20 02:11 <DIR> d-------- C:\Documents and Settings\Owner.Darkfaithfull.000\Application Data\SampleView
2008-09-20 02:38 . 2008-09-29 22:01 <DIR> d-------- C:\Documents and Settings\Owner.Darkfaithfull.000
2008-09-20 02:30 . 2008-09-20 02:30 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-09-20 02:27 . 2008-09-20 02:27 333 --a------ C:\WINDOWS\system32\$ncsp$.inf
2008-09-20 02:27 . 2008-09-20 02:27 0 --a------ C:\WINDOWS\system32\Gateway_MX6931_Rev.1_RL000071267020059.MRK
2008-09-20 02:26 . 2006-03-23 12:12 139,264 --a------ C:\WINDOWS\system32\igfxres.dll
2008-09-20 02:25 . 2008-09-23 19:20 28,896 --a------ C:\WINDOWS\system32\Status.MPF
2008-09-20 02:20 . 2008-09-25 23:06 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-09-20 02:19 . 2008-09-25 23:28 <DIR> d-------- C:\Program Files\McAfee
2008-09-20 02:19 . 2008-09-20 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2008-09-20 02:19 . 2008-09-20 02:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-09-20 02:19 . 2008-09-23 19:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-09-20 02:17 . 2008-09-20 02:17 <DIR> d-------- C:\Program Files\gtw_logo
2008-09-20 02:17 . 2008-09-20 02:38 <DIR> d-------- C:\Documents and Settings\Owner
2008-09-20 02:17 . 2006-02-06 14:24 1,239,209 --a------ C:\WINDOWS\system32\gtw_logo.scr
2008-09-20 02:17 . 2003-07-03 17:48 23,552 --a------ C:\WINDOWS\system32\jesterss.dll
2008-09-20 02:17 . 2006-04-21 11:50 1,150 --a------ C:\WINDOWS\system32\gtw.ico
2008-09-20 02:15 . 2006-05-24 11:28 741,376 --a------ C:\WINDOWS\system32\BigFixSuppress.exe
2008-09-20 02:15 . 2006-05-24 11:28 741,376 --a------ C:\WINDOWS\system32\BigFixShortcutInStartup.exe
2008-09-20 02:14 . 2008-09-20 02:14 <DIR> d-------- C:\WINDOWS\tiinst
2008-09-20 02:12 . 2008-09-20 02:12 <DIR> d-------- C:\Program Files\Motorola
2008-09-20 02:11 . 2008-09-20 02:11 <DIR> d-------- C:\Program Files\SigmaTel
2008-09-20 02:11 . 2008-09-20 02:11 <DIR> d-------- C:\Program Files\Microsoft Money 2006
2008-09-20 02:11 . 2008-09-20 02:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-09-20 02:11 . 2006-06-15 15:28 1,179,784 --a------ C:\WINDOWS\system32\drivers\sthda.sys
2008-09-20 02:11 . 2006-04-20 14:12 1,069,056 --a------ C:\WINDOWS\system32\stlang.dll
2008-09-20 02:11 . 2005-12-27 10:20 413,696 --a------ C:\WINDOWS\stsystra.exe
2008-09-20 02:11 . 2006-06-15 15:24 217,088 --a------ C:\WINDOWS\system32\stacapi.dll
2008-09-20 02:11 . 2008-04-13 19:12 129,536 --a------ C:\WINDOWS\system32\ksproxy.ax
2008-09-20 02:11 . 2006-06-15 15:25 117,248 --a------ C:\WINDOWS\system32\staco.dll
2008-09-20 02:11 . 2003-03-25 07:00 67,072 --a------ C:\WINDOWS\POWERCFG.EXE
2008-09-20 02:11 . 2008-04-13 13:45 60,160 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-09-20 02:11 . 2008-04-13 19:11 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2008-09-20 02:10 . 2008-09-20 02:10 <DIR> d-------- C:\Program Files\MSN Encarta Plus
2008-09-20 02:10 . 2008-09-20 02:10 <DIR> d-------- C:\Program Files\Microsoft Works
2008-09-20 02:09 . 2008-09-20 02:09 <DIR> d-------- C:\Program Files\Viewpoint
2008-09-20 02:09 . 2008-09-20 02:09 <DIR> d-------- C:\Program Files\Real
2008-09-20 02:09 . 2008-09-20 02:09 <DIR> d-------- C:\Program Files\QuickTime
2008-09-20 02:09 . 2008-09-20 02:58 <DIR> d-------- C:\Program Files\Pure Networks
2008-09-20 02:09 . 2008-09-20 02:09 <DIR> d-------- C:\Program Files\Common Files\Real
2008-09-20 02:09 . 2008-09-20 02:09 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2008-09-20 02:09 . 2008-09-20 02:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-09-20 02:09 . 2008-09-20 02:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2008-09-20 02:09 . 2008-09-20 02:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-09-20 02:09 . 2008-09-20 02:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-09-20 02:08 . 2008-09-28 20:29 <DIR> d-------- C:\Program Files\Napster
2008-09-20 02:08 . 2008-09-20 02:08 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-09-20 02:08 . 2008-09-20 02:51 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-09-20 02:08 . 2008-09-28 20:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Napster
2008-09-20 02:08 . 2008-09-20 02:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-09-20 02:08 . 2008-09-20 02:10 1,179 --ah----- C:\IPH.PH
2008-09-20 02:08 . 2008-09-20 02:08 335 --a------ C:\WINDOWS\nsreg.dat
2008-09-20 02:07 . 2008-09-20 02:07 <DIR> d-------- C:\ses2_client_bin_2_8_13g
2008-09-20 02:07 . 2008-09-20 02:20 <DIR> d-------- C:\Program Files\Intel
2008-09-20 02:07 . 2005-02-01 13:18 17,992 --a------ C:\WINDOWS\system32\drivers\bcm42rly.sys
2008-09-20 02:07 . 2008-09-20 02:07 4 --a------ C:\WINDOWS\Pix11.dat
2008-09-20 02:06 . 2008-09-20 02:07 <DIR> d-------- C:\Program Files\Microsoft Digital Image 2006
2008-09-20 02:06 . 2008-09-20 02:06 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-09-20 02:06 . 2003-03-18 23:05 89,088 -ra------ C:\WINDOWS\system32\atl71.dll
2008-09-20 02:05 . 2008-09-20 02:53 <DIR> d-------- C:\Program Files\WildTangent
2008-09-20 02:05 . 2008-09-20 02:53 <DIR> d-------- C:\Program Files\Gateway Games
2008-09-20 02:05 . 2008-09-20 02:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WildTangent
2008-09-20 02:04 . 2008-09-20 02:04 <DIR> d-------- C:\Program Files\Synaptics

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-20 07:09 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
2008-09-20 05:46 --------- d-----w C:\Program Files\Windows Plus
2008-09-20 05:46 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
.

((((((((((((((((((((((((((((( snapshot@2008-09-30_19.26.14.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-30 10:29:17 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-10-02 13:50:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-30 10:29:17 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-02 13:50:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-30 10:29:17 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-10-02 13:50:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vgwugk"="C:\WINDOWS\system32\?ymantec\?vchost.exe" [?]
"Power2GoExpress"="NA" [X]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-23 573440]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 118784]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-11-01 995328]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-11-01 1101824]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-20 98304]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-02 08:53:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\searchindexer.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\searchfilterhost.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-10-02 8:56:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-02 13:56:04
ComboFix2.txt 2008-10-01 00:26:33

Pre-Run: 99,366,281,216 bytes free
Post-Run: 99,356,639,232 bytes free

255 --- E O F --- 2008-09-27 08:01:26

---------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:20 AM, on 10/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Owner.Darkfaithfull.000\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Vgwugk] C:\WINDOWS\system32\?ymantec\?vchost.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B1EF891-B89A-486B-B2DB-F54744E4AB1A}: NameServer = 68.87.72.130,68.87.77.130
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 7143 bytes

0

Can you please do the following.


===============

Scan with HijackThis and then place a check next to all the following, if present:


O4 - HKCU\..\Run: [Vgwugk] C:\WINDOWS\system32\?ymantec\?vchost.exe


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
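
The line the helper singled out, and the Security Center and firewall settings ComboFix listed earlier in the thread, can both be checked mechanically rather than by eye. The following is an added example for this page, not code from HijackThis, ComboFix or any of the posters. It parses HijackThis "O4" Run-key lines and flags an entry when its path contains a character Windows does not permit in a file name (a `?` in a logged path means the tool substituted a character it could not display), or when the file name mimics a core system binary while running from somewhere other than the Windows directories; it also reads a .reg-style excerpt for the two settings ComboFix showed, Security Center monitoring disabled and the firewall disabled. The sample lines are constructed from the logs above; the list of system binary names and the expected directories are assumptions made for illustration.

```python
"""Offline triage for two artifacts seen in this thread: HijackThis 'O4'
autostart lines and a ComboFix-style registry excerpt.  Added example for
this page; it is not code from HijackThis, ComboFix or any of the posters."""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the O4 lines posted in the thread, including
# the entry the helper asked to have fixed.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Vgwugk] C:\WINDOWS\system32\?ymantec\?vchost.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
"""

# Constructed sample: the Security Center and firewall lines ComboFix listed.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# First quoted or unquoted token that ends in an executable extension.
PATH_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|scr|pif|com|bat|cmd|vbs|js|dll))"?(?:\s|$)',
                     re.IGNORECASE)
ILLEGAL = set('<>:"|?*')   # never legal in a Windows file name (after the drive colon)
# Assumed for illustration: names worth a second look when they run from elsewhere.
SYSTEM_BINARIES = ['svchost.exe', 'lsass.exe', 'winlogon.exe', 'csrss.exe',
                   'services.exe', 'explorer.exe', 'smss.exe', 'spoolsv.exe']
SYSTEM_DIRS = {r'c:\windows\system32', r'c:\windows'}


@dataclass
class Finding:
    name: str                 # the Run value name in square brackets
    hive: str                 # HKLM or HKCU
    path: Optional[str]       # executable path extracted from the command
    reasons: List[str] = field(default_factory=list)


def triage_hjt(log_text: str) -> List[Finding]:
    """Return the O4 Run-key entries that deserve a manual look, with reasons."""
    findings = []
    for raw in log_text.splitlines():
        m = O4_RE.match(raw.strip())
        if not m:
            continue  # Global Startup and other O4 forms are out of scope here
        hive, name, cmd = m.group('hive', 'name', 'cmd')
        pm = PATH_RE.match(cmd)
        path = pm.group('path') if pm else None
        reasons = []
        if path is None:
            reasons.append('no executable path to inspect')
        else:
            body = path[2:] if re.match(r'^[A-Za-z]:', path) else path
            bad = sorted(ILLEGAL & set(body))
            if bad:
                reasons.append(f'illegal path characters {bad}: the tool substituted '
                               'characters it could not display')
            base = path.rsplit('\\', 1)[-1].lower()
            folder = path[:-len(base) - 1].lower() if '\\' in path else ''
            for known in SYSTEM_BINARIES:
                # The logged name is used as a glob, so '?' stands in for the hidden character.
                if fnmatch.fnmatchcase(known, base) and folder not in SYSTEM_DIRS:
                    reasons.append(f'file name resembles {known} but runs from '
                                   f'{folder or "(no directory)"}')
        if reasons:
            findings.append(Finding(name, hive, path, reasons))
    return findings


def _reg_int(val: str) -> Optional[int]:
    """Read 'dword:00000001' or '0 (0x0)' style values as an integer."""
    m = re.match(r'(?:dword:)?([0-9a-fA-F]+)', val.strip())
    return int(m.group(1), 16) if m else None


def triage_reg(reg_text: str) -> List[str]:
    """Return one message per setting that switches protection off."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = re.match(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.*)$', line)
        if not (m and key):
            continue
        name, num = m.group('name').lower(), _reg_int(m.group('val'))
        if name == 'disablemonitoring' and num == 1 and 'security center\\monitoring' in key.lower():
            hits.append(f'{key}: Security Center told to stop monitoring this product')
        elif name == 'enablefirewall' and num == 0:
            hits.append(f'{key}: Windows Firewall disabled for this profile')
    return hits


if __name__ == '__main__':
    for f in triage_hjt(SAMPLE_HJT):
        print(f'{f.hive} [{f.name}] {f.path}: ' + '; '.join(f.reasons))
    for h in triage_reg(SAMPLE_REG):
        print(h)
```

Run against the constructed sample, the `Vgwugk` entry is reported twice over: once for the `?` characters and once because `?vchost.exe` matches `svchost.exe` yet runs from a subfolder of system32; `Power2GoExpress` is only surfaced because its value (`NA`) carries no path to inspect. The registry half reports both the disabled Security Center monitoring and `EnableFirewall = 0`, which is the combination to expect on a machine where the infection has switched the defences off rather than the user.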

0

Thanks very much Crunchie, I appreciate the help with fixing the bugs on my laptop. This is the first time I've been able to really use it in a week outside of running Malwarebytes' combofix, etc. It seems to be doing ok and I will be removing all file sharing programs to prevent this from happening again...... hopefully. I'm posting a new Hijackthis log, I don't know what else there might be lurking in it.


-------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:01 PM, on 10/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner.Darkfaithfull.000\Desktop\HijackThis.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B1EF891-B89A-486B-B2DB-F54744E4AB1A}: NameServer = 68.87.72.130,68.87.77.130
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 7151 bytes

0

Let's get rid of Combofix now that we are finished with it. Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.






When shown the disclaimer, Select "2"


The above procedure will: Delete the following: ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

===================

Congratulations! Your log looks clean.

===============

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Download CCleaner and install, then run it. It will clear out your temp folders. Uncheck "Cookies" under "Internet Explorer".
Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Close when finished.

====

An alternative to Ccleaner is ATF Cleaner.
Download ATF (Atribune Temp File) Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

====

Use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera, which in my opinion, is better still.

====

Use a firewall. It is an essential part of your computer's security. There is a link to a good, free firewall in my signature.

====

Install and keep updated,
Spybot S&D.
Run it on a regular basis, following the maker's recommendations.

====

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

====

Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

=====

For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start | Run and type msconfig and press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

===============

If you have any more problems, post back.

-

Happy surfing,

crunchie.

Attachments th_CF_Cleanup.png 9.98 KB