I'm picking up this thread mostly where it left off. I appear to have the same basic rootkit on my system, which shows in McAfee scans with the same signatures given by nasserjah19. McAfee finds it on each scan and thinks it is removing it, but it's always still there. The code interferes with McAfee and lots of other things, but I'll post a later message describing the various symptoms and history of earlier attempts at removal.

Here I will post my results from running the 3 programs recommended by jholland1964, and request of the community suggestions for how to complete the (hopefully) final step of removing the remaining rootkit code.

Malwarebytes Anti-Malware

I didn't have any trouble downloading and installing MBA-M, but then nothing would happen when I tried running it. I followed crunchie's advice and renamed mbam.exe, and then I was able to run it by double-clicking the renamed file from an Explorer view (I run with Administrator privileges, so I didn't have the password problem). I have attached the log from MBA-M.

The synopsis is that it found several infected Registry keys and files, which it was able to remove. The (hopefully) last remaining piece is the Trojan.Agent in file \windows\system32\MSIVXcount. MBA-M tags the file to be removed at reboot, but it has been unable to remove it. Repeated scans show no remaining threats but the one file, which it finds during the Extras and heuristics scan phase.

ESET Online Scanner

I was able to download, install, and run this program from the web with no incidents/interference. I disabled all the McAfee anti-virus features during the scan (although it briefly turned back on anti-virus from a "timed" resumption, but I then shut it off until the scan finished).

ESET scanned every file on all my disk partitions, including archives and older Windows and DOS files, but it found no infected files, so I have not posted its log file. (I removed ESET after it finished, so I assume any log file it created was removed; I haven't looked.)

TrendMicro HiJackThis

For this one, the agent blocked the installation file from running after download, but when I renamed the install file, it installed fine and I was able to run it without further incident.

I have attached the HiJackThis log file. Nothing jumped out at me from the log file. Hopefully the experienced community will recognize something.

HiJackThis gave me the option to delete a file on reboot, so I specified the MSIVXcount file found by MBA-M, but HiJackThis had no better success removing the file during reboot. (I had to just type the name into the file box to specify it; Explorer views can't see the file, even when showing all hidden and system files; the DOS directory commands to show Hidden, System, or ReadOnly files also don't see it.)

Rootkit Revealer

For completeness, I'll mention that I earlier downloaded the RootkitRevealer program from the Microsoft TechNet website, at the suggestion of a posting in a McAfee forum. I was able to download and install the program, but when it would run, it would delay for a short time and then report that it got no response from the effort to start the process. I wasn't tremendously hopeful, since it looked like the program was from 2006, with no discernible recent updates; it was a bit difficult to sort through how it was now supposed to work, since it puts itself as a delayed process to try to get around execution blocking.

Current Status

So, I've got my (hopefully only remaining) nastie (Trojan.Agent in file \windows\system32\MSIVXcount) identified, but I haven't been able to get rid of it. Hopefully the community will have suggestions for how to clean it off.

If no one has any better suggestions, I'll try running the XP Recovery Console and see if I can delete the file from there. (A long time ago I had to use that mechanism to delete a "self replicating" Registry entry for some virus; I've now forgotten what it did. That was the only other virus I've ever had to deal with until now; this one came courtesy of my careless college student.)

I already tried running McAfee from DOS in Safe Mode, with no effect. Later postings in a McAfee forum had indicated this type of rootkit wouldn't be removed in DOS mode. The last posting I saw in the McAfee forums was to run HiJackThis and post the log onto one of the highly technical Malware forum sites. (A side posting in this thread suggested giving RootkitRevealer a shot.)


Thanks in advance for any further suggestions from the community.

Ken


Sorry. The above was my first post here, and I didn't realize I was violating protocol by trying to "extend" another user's post that was exhibiting the same basic symptoms I've been observing and had gone down the same steps I needed to follow, but hadn't yet covered the steps needed for a successful resolution. (It makes complete sense, after the fact, but I haven't found a way yet to easily reference another thread.)

For context, please see the post with the same name in this forum by nasserjah19. (My reply in that thread was automatically moved out to start this thread). Repeated below are the steps I was following and building upon.

Hi welcome to daniweb;
begin with this:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer

Next do this:
Please Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.

* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

And finally download HiJackThis and do a full system scan with it, save the log.
Post back here and copy/paste all three logs here.
Judy

There were further suggestions in later posts in the thread about overcoming problems when the rootkit agent interferes with execution of anti-malware programs.

Ken

Your hijackthis log shows that you did not reboot after running MBA-M. You should do so in order for MBA-M to complete its process.

You need to paste your logs into your reply too so that we do not have to download your files.

Thanks for your support and guidance.

I had run the MBA-M scan/reboot cycles multiple times. When I ran HijackThis, I had run MBA-M again to confirm the Trojan.Agent file was still there, but I hadn't rebooted.

Here's the log from a fresh scan by MBA-M. I let it reboot my computer following this scan.
----------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.39
Database version: 2500
Windows 5.1.2600 Service Pack 3

7/26/2009 12:41:06 PM
mbam-log-2009-07-26 (12-41-06).txt

Scan type: Quick Scan
Objects scanned: 148352
Time elapsed: 8 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\MSIVXcount (Trojan.Agent) -> Delete on reboot.
-------------------------------------------------------

Here's the log from running HijackThis immediately after the reboot:

-------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:27 PM, on 7/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\OO Software\DiskImage\oodiag.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
H:\Downloads\HiJackThis\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O1 - Hosts: 216.91.32.72 s228130hz1ew08.apptix-01.savvis.net
O1 - Hosts: 216.91.32.73 s228130hz1ew09.apptix-01.savvis.net
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Microsoft Windows Visual V2.0] C:\WINDOWS\msiutil.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CBD083F-B6B3-11D0-AD20-0060976EA210} (DropBox Control) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vandropbox.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {3D82A12A-C1FA-11D0-9B21-0080C79EFE90} (VanFind.VanFindCtrl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\VANFIND.cab
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://passage.cna.com/vdesk/terminal/f5tunsrv.cab#version=6020,2008,0212,2007
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://passage.cna.com/vdesk/terminal/InstallerControl.cab#version=6030,2008,1031,2119
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://passage.cna.com/vdesk/terminal/f5InspectionHost.cab#version=6030,2008,1031,2107
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {60046ED9-8E77-11D0-9B21-0080C79EFE90} (VanGrid.VanGridCtrl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vangrid.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096380544828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246342493734
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} (Net6Launcher Class) - https://access.whitfieldschool.org/net6helper.cab
O16 - DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} (F5 Virtual Sandbox Class) - https://passage.cna.com/vdesk/terminal/vdeskctrl.cab#version=6020,2008,0212,2006
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://php.offshoreclicks.com/dialup_files/99950599.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8958DE0-BAC9-101C-933E-0000C005958C} (FarPoint DateTime Control) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\Edt32x20.ocx
O16 - DPF: {BAF8BCAE-D9D1-11D0-9B21-0080C79EFE90} (VanTree.VanTreeCtrl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vantree.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://passage.cna.com/vdesk/terminal/urxshost.cab#version=6020,2008,0212,2006
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D1CC3791-D9DF-11D0-9B21-0080C79EFE90} (VanTFind.VanTFindCtrl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vantfind.cab
O16 - DPF: {DDFC7D44-F87D-11D0-BFF8-00A024CA8C68} (VanRollupGraph.VanRollupGraphCtrl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vanrollup.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://savvis.webex.com/client/T23L/webex/ieatgpc.cab
O16 - DPF: {E0DB982A-E986-11D0-B2F8-00A0247B9D10} (VanViewer.VanViewerCrtl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vanviewer.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://passage.cna.com/vdesk/terminal/urxhost.cab#version=6020,2008,0212,2005
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://passage.cna.com/policy/download_binary.php/win32/f5syschk.cab#Version=6030,2008,1031,2116
O16 - DPF: {EB52CF7B-3917-11CE-80FB-0000C0C14E92} (SSDateCombo Control) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\sscala32.cab
O16 - DPF: {FB779381-F865-11D0-BFF8-00A024CA8C68} (VanForecastGraph.VanForecastGraphCtrl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vanfcast.cab
O16 - DPF: {FF1DACCD-3047-11D1-8028-00A024CA8C68} (VanPipelineGraph.VanPipelineGraphCtrl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vanpipeline.cab
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FRTYZDL - Sysinternals - www.sysinternals.com - C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\FRTYZDL.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O DiskImage - Unknown owner - C:\Program Files\OO Software\DiskImage\oodiag.exe
O23 - Service: PFYPY - Sysinternals - www.sysinternals.com - C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\PFYPY.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: UETUYCJWM - Sysinternals - www.sysinternals.com - C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\UETUYCJWM.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

--
End of file - 13842 bytes
------------------------------------------------------------------

[Interesting aside. I notice BHO in the hijackthis.log. I ran MBA-M for the first time on my laptop yesterday, which has been clean in McAfee scans forever, and MBA-M found and removed various BHO Trojan Registry components and a (nonhidden) \windows\system32\cgmopenbho.dll file that had a 2003 date (I didn't get my laptop until 2004). It was able to remove the file during reboot.]


Thanks

Ken

Can you please do the following.


===============

Scan with HijackThis and then place a check next to all the following, if present:


O4 - Global Startup: Digital Line Detect.lnk = ?

O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://php.offshoreclicks.com/dialup_files/99950599.cab


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

To help protect your system from hostile ActiveX content, or special 'downloadable' files:

Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:

1) Check for any available updates; if present, they'll be automatically downloaded and installed.
2) Next, "Enable all protection".
3) Exit the program.

-

Note: Remember to regularly check for updates.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
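A small triage pass over HijackThis log lines of the kind posted in this thread, as an added example (not code from the thread or from HijackThis itself): the sample lines are copied from the log above, the trusted-host allowlist is a constructed assumption, and the output is a list of entries for a human to look at, not a malware verdict. It picks out the two items the helper asked to have fixed, plus services that run from a Temp directory.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: a handful of lines copied from the HijackThis log
# posted in the thread, including the two entries the helper flagged.
SAMPLE_LOG_LINES = [
    r"O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll",
    r"O4 - HKCU\..\Run: [Microsoft Windows Visual V2.0] C:\WINDOWS\msiutil.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - Global Startup: Digital Line Detect.lnk = ?",
    r"O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://php.offshoreclicks.com/dialup_files/99950599.cab",
    r"O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab",
    r"O23 - Service: FRTYZDL - Sysinternals - www.sysinternals.com - C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\FRTYZDL.exe",
    r"O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe",
]


class Finding(NamedTuple):
    section: str   # HijackThis section code, e.g. "O16"
    reason: str    # why an analyst should look at this entry
    line: str      # the original log line


# Hosts an analyst would normally accept as sources for ActiveX .cab
# downloads in a log like this one. Constructed assumption for the example,
# not a list taken from the thread or shipped with HijackThis.
TRUSTED_DPF_HOSTS = ("microsoft.com", "mcafee.com", "eset.com", "dell.com")

_LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
_URL_RE = re.compile(r"(?P<scheme>https?|file)://(?P<host>[^/\s]*)", re.IGNORECASE)
_SERVICE_RE = re.compile(r"^Service: .* - (?P<path>[A-Za-z]:\\.*)$")


def _host_trusted(host: str) -> bool:
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage_line(raw: str) -> Optional[Finding]:
    """Return a Finding if the line matches one of the review heuristics."""
    m = _LINE_RE.match(raw.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    # O4 Global Startup shortcut whose target HijackThis could not resolve
    # (shown as "= ?"); this is the startup entry the helper asked to fix.
    if code == "O4" and body.startswith("Global Startup:") and body.rstrip().endswith("= ?"):
        return Finding(code, "startup shortcut with unresolvable target", raw)

    # O16 DPF (downloaded ActiveX): plain-http .cab from a host outside the
    # allowlist. file:// entries and allowlisted vendors are left alone.
    if code == "O16":
        url = _URL_RE.search(body)
        if url and url.group("scheme").lower() == "http" and not _host_trusted(url.group("host")):
            return Finding(code, "ActiveX download from unlisted host " + url.group("host"), raw)

    # O23 service whose binary lives under a user Temp directory. The
    # Sysinternals-branded ones in the thread are consistent with the
    # RootkitRevealer runs the poster described, so this is a review prompt
    # rather than a verdict.
    if code == "O23":
        svc = _SERVICE_RE.match(body)
        if svc and "\\temp\\" in svc.group("path").lower():
            return Finding(code, "service executable runs from a Temp directory", raw)
    return None


def triage_log(lines) -> List[Finding]:
    """Run every line through triage_line and keep the hits, in log order."""
    return [f for f in (triage_line(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG_LINES):
        print(f"{finding.section}: {finding.reason}\n    {finding.line}")
```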

I had HijackThis remove the two identified items, then rebooted. Here's the log following the reboot:

-------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:32:42 PM, on 7/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\OO Software\DiskImage\oodiag.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
H:\Downloads\HiJackThis\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O1 - Hosts: 216.91.32.72 s228130hz1ew08.apptix-01.savvis.net
O1 - Hosts: 216.91.32.73 s228130hz1ew09.apptix-01.savvis.net
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Microsoft Windows Visual V2.0] C:\WINDOWS\msiutil.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CBD083F-B6B3-11D0-AD20-0060976EA210} (DropBox Control) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vandropbox.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {3D82A12A-C1FA-11D0-9B21-0080C79EFE90} (VanFind.VanFindCtrl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\VANFIND.cab
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://passage.cna.com/vdesk/terminal/f5tunsrv.cab#version=6020,2008,0212,2007
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://passage.cna.com/vdesk/terminal/InstallerControl.cab#version=6030,2008,1031,2119
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://passage.cna.com/vdesk/terminal/f5InspectionHost.cab#version=6030,2008,1031,2107
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {60046ED9-8E77-11D0-9B21-0080C79EFE90} (VanGrid.VanGridCtrl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vangrid.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096380544828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246342493734
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} (Net6Launcher Class) - https://access.whitfieldschool.org/net6helper.cab
O16 - DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} (F5 Virtual Sandbox Class) - https://passage.cna.com/vdesk/terminal/vdeskctrl.cab#version=6020,2008,0212,2006
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8958DE0-BAC9-101C-933E-0000C005958C} (FarPoint DateTime Control) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\Edt32x20.ocx
O16 - DPF: {BAF8BCAE-D9D1-11D0-9B21-0080C79EFE90} (VanTree.VanTreeCtrl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vantree.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://passage.cna.com/vdesk/terminal/urxshost.cab#version=6020,2008,0212,2006
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D1CC3791-D9DF-11D0-9B21-0080C79EFE90} (VanTFind.VanTFindCtrl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vantfind.cab
O16 - DPF: {DDFC7D44-F87D-11D0-BFF8-00A024CA8C68} (VanRollupGraph.VanRollupGraphCtrl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vanrollup.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://savvis.webex.com/client/T23L/webex/ieatgpc.cab
O16 - DPF: {E0DB982A-E986-11D0-B2F8-00A0247B9D10} (VanViewer.VanViewerCrtl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vanviewer.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://passage.cna.com/vdesk/terminal/urxhost.cab#version=6020,2008,0212,2005
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://passage.cna.com/policy/download_binary.php/win32/f5syschk.cab#Version=6030,2008,1031,2116
O16 - DPF: {EB52CF7B-3917-11CE-80FB-0000C0C14E92} (SSDateCombo Control) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\sscala32.cab
O16 - DPF: {FB779381-F865-11D0-BFF8-00A024CA8C68} (VanForecastGraph.VanForecastGraphCtrl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vanfcast.cab
O16 - DPF: {FF1DACCD-3047-11D1-8028-00A024CA8C68} (VanPipelineGraph.VanPipelineGraphCtrl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vanpipeline.cab
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FRTYZDL - Sysinternals - www.sysinternals.com - C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\FRTYZDL.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O DiskImage - Unknown owner - C:\Program Files\OO Software\DiskImage\oodiag.exe
O23 - Service: PFYPY - Sysinternals - www.sysinternals.com - C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\PFYPY.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: UETUYCJWM - Sysinternals - www.sysinternals.com - C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\UETUYCJWM.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

--
End of file - 13568 bytes
-------------------------------------------------------------

I downloaded and installed SpywareBlaster and enabled all protection.


To gauge whether the health of my PC had changed, I ran an MBA-M scan again. It still found the Trojan.Agent file; I let it try again to remove it during a reboot, but the MSIVXcount file remains. I ran another HijackThis scan after the additional MBA-M passes; although I didn't do a line-by-line comparison, the byte count of the hijackthis.log file remained the same as the one posted above, so I haven't bothered posting the second one (it is saved, however).

I haven't checked everything, but it looks like the symptoms remain, including the return of one (hanging the PC while trying to start my son's account) that I thought had been overcome. (I had to disable the automatic startup of AIM for his account to keep his account from hanging; I haven't tackled that one again yet to see whether I need to go through the same steps.) This is the second attempt at entering this post. I made the mistake of checking the above before saving my post, and I wasn't able to get back to my account without powering down the computer and restarting.


Thanks

Ken
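Added example, not part of Ken's post or of any of the tools discussed in this thread: the byte count of two HijackThis logs can stay the same while individual entries change, so the usual practice is to compare the R*/O* entry lines by content. The script below does that, and also walks a log for the line shapes that recur in the HijackThis and ComboFix output in this thread: service or autostart images under a user's Temp directory, ComboFix service lines ending in `[?]`, a Drivers32 value that is a bare filename rather than a full path, and modules ComboFix lists under winlogon.exe or lsass.exe. The sample lines are constructed from the shapes seen above, the reading of `[?]` as "image could not be read at scan time" and the Temp-path heuristic are this example's own assumptions, and a flag means "verify this entry", not a verdict that it is malicious.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: lines in the shapes that appear in the HijackThis and
# ComboFix logs in this thread (not complete logs, trimmed to what the checks need).
HJT_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] C:\Program Files\AIM6\aim6.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: FRTYZDL - Sysinternals - www.sysinternals.com - C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\FRTYZDL.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

HJT_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: UETUYCJWM - Sysinternals - www.sysinternals.com - C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\UETUYCJWM.exe
"""

COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI2"=myokent.dll

R0 PQV2i;PQV2i;c:\windows\SYSTEM32\DRIVERS\PQV2i.sys [9/12/2003 3:19 PM 132899]
S3 cdiskdun;cdiskdun;\??\c:\docume~1\Eric\LOCALS~1\Temp\cdiskdun.sys --> c:\docume~1\Eric\LOCALS~1\Temp\cdiskdun.sys [?]
S3 PFYPY;PFYPY;c:\docume~1\KEN~1.DEN\LOCALS~1\Temp\PFYPY.exe --> c:\docume~1\KEN~1.DEN\LOCALS~1\Temp\PFYPY.exe [?]

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\myokent.dll

- - - - - - - > 'lsass.exe'(880)
c:\windows\system32\myokent.dll
"""

ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - ")                 # HijackThis R*/O* entry lines
CF_SERVICE_RE = re.compile(r"^[RS]\d [^;]+;[^;]+;")            # ComboFix "S3 name;display;path" lines
DRIVE_PATH_RE = re.compile(r"^[a-z]:\\", re.I)                 # a line that is just an absolute path
TEMP_RE = re.compile(r"\\temp\\", re.I)                        # a ...\Temp\... path component
BARE_DLL_RE = re.compile(r'^"[^"]+"=([^\\\s]+\.dll)$', re.I)   # value holding a filename with no directory
PROC_HDR_RE = re.compile(r"^- - - - - - - > '([^']+)'\(\d+\)")  # ComboFix "DLLs Loaded" process header
SYSTEM_PROCS = {"winlogon.exe", "lsass.exe", "services.exe", "csrss.exe", "smss.exe"}


def entries(text: str) -> Set[str]:
    """The HijackThis entry lines of a log as a set, so two runs compare by content, not size."""
    return {ln.strip() for ln in text.splitlines() if ENTRY_RE.match(ln.strip())}


def diff_hjt(before: str, after: str) -> Dict[str, List[str]]:
    """Entry lines that disappeared and that appeared between two HijackThis logs."""
    b, a = entries(before), entries(after)
    return {"removed": sorted(b - a), "added": sorted(a - b)}


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for lines in a HijackThis or ComboFix log worth checking by hand."""
    findings: List[Tuple[str, str]] = []
    current_proc = None   # process named by the last ComboFix "DLLs Loaded" header
    current_key = ""      # last registry key header seen, e.g. [...\drivers32]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hdr = PROC_HDR_RE.match(line)
        if hdr:
            current_proc = hdr.group(1).lower()
            continue
        if current_proc:
            # Path lines directly under a process header are the modules ComboFix lists for it.
            if DRIVE_PATH_RE.match(line):
                if current_proc in SYSTEM_PROCS:
                    findings.append((f"module listed under {current_proc}", line))
                continue
            current_proc = None
        if line.startswith("[HKEY_"):
            current_key = line.lower()
            continue
        if line.startswith("O23 - Service:") or CF_SERVICE_RE.match(line):
            if TEMP_RE.search(line):
                findings.append(("service image in a Temp directory", line))
            if line.endswith("[?]"):   # assumption: ComboFix could not read the image file
                findings.append(("service image not readable at scan time ([?])", line))
        elif line.startswith("O4 - ") and TEMP_RE.search(line):
            findings.append(("autostart image in a Temp directory", line))
        if "drivers32" in current_key and BARE_DLL_RE.match(line):
            findings.append(("Drivers32 value is a bare filename (resolved via DLL search order)", line))
    return findings


if __name__ == "__main__":
    for kind, lines in diff_hjt(HJT_BEFORE, HJT_AFTER).items():
        for ln in lines:
            print(f"{kind:8s} {ln}")
    for reason, ln in triage(COMBOFIX_SAMPLE) + triage(HJT_AFTER):
        print(f"CHECK: {reason}: {ln}")
```

Run it as `python triage_logs.py` after pasting real log text into the three constants (or reading them from files). Flagged lines are starting points for the usual checks a helper asks for: confirm the file exists, who signed it, and whether the vendor string in the O23 line matches the path it runs from.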

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

I think we got it!

Below is the ComboFix log.

-------------------------------------------------------------
ComboFix 09-07-26.01 - Ken.Denson 07/27/2009 0:13.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.626 [GMT -5:00]
Running from: c:\documents and settings\Ken.Denson\Desktop\CF.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\26c81db4.msi
c:\windows\Installer\32b3d.msi
c:\windows\Installer\51082.msi
c:\windows\Installer\df16d.msi
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\drivers\MSIVXstqloijrsbiecprmnadvucqiwubivgxm.sys
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXfwtomeddxolxwlatbolmhjaqfghsubik.dll
c:\windows\system32\MSIVXsitieogfbwwkefwfvguddydxxusbpxlr.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-27 to 2009-07-27 )))))))))))))))))))))))))))))))
.

2009-07-26 21:19 . 2009-07-27 04:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-26 21:19 . 2009-07-26 21:20 -------- d-----w- c:\program files\SpywareBlaster
2009-07-26 00:00 . 2009-07-26 00:00 -------- d-----w- c:\program files\CCleaner
2009-07-25 00:25 . 2009-07-25 00:25 -------- d-----w- c:\documents and settings\Ken.Denson\Application Data\Malwarebytes
2009-07-25 00:20 . 2009-07-13 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-25 00:20 . 2009-07-25 00:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-25 00:20 . 2009-07-25 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-25 00:20 . 2009-07-13 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-21 19:53 . 2009-07-26 04:45 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-07-19 20:14 . 2009-07-19 20:14 -------- d-----w- c:\program files\OO Software
2009-07-19 20:14 . 2009-07-19 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\OO Software
2009-07-03 05:10 . 2009-07-03 12:15 -------- d-----w- C:\SDAT
2009-07-03 04:51 . 2009-07-03 04:51 112678027 ----a-w- C:\SDAT5664.EXE
2009-06-30 06:43 . 2009-05-14 04:25 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-06-30 06:43 . 2009-05-14 04:25 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-06-30 06:43 . 2009-05-14 04:25 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-06-30 06:42 . 2009-04-09 19:23 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-06-30 06:40 . 2009-06-30 06:42 -------- d-----w- c:\program files\Common Files\McAfee
2009-06-30 06:40 . 2009-06-30 06:41 -------- d-----w- c:\program files\McAfee.com
2009-06-30 06:37 . 2009-05-14 04:24 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-06-30 06:09 . 2009-06-30 06:09 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-30 06:08 . 2009-06-30 06:08 -------- d-----w- c:\program files\MSBuild
2009-06-30 06:08 . 2009-06-30 06:08 -------- d-----w- c:\program files\Reference Assemblies
2009-06-30 06:07 . 2009-06-30 06:08 -------- d-----w- C:\00a71ffd19bd344d97
2009-06-30 06:07 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-30 06:07 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-06-30 06:07 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-30 06:07 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-06-30 06:07 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-06-30 06:07 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-06-30 06:07 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-30 06:07 . 2009-06-30 06:33 -------- d-----w- c:\windows\SxsCaPendDel
2009-06-30 03:11 . 2009-05-12 21:08 266400 ----a-r- c:\documents and settings\Ken.Denson\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-06-28 03:51 . 2009-06-28 03:54 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-28 03:28 . 2009-06-15 20:15 264704 ------w- c:\documents and settings\Ken.Denson\Application Data\OfficeUpdate12\oudetect.dll
2009-06-28 03:27 . 2009-06-28 03:33 -------- d-----w- c:\documents and settings\Ken.Denson\Application Data\OfficeUpdate12

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 11:27 . 2008-06-30 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-25 05:26 . 2002-11-15 20:19 147688 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-21 19:25 . 2002-11-15 20:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-03 16:33 . 2006-02-22 01:37 -------- d-----w- c:\program files\Google
2009-07-03 13:00 . 2002-11-15 20:28 -------- d-----w- c:\program files\Viewpoint
2009-07-03 08:16 . 2005-05-18 02:55 -------- d-----w- c:\documents and settings\Ken.Denson\Application Data\Viewpoint
2009-07-03 08:16 . 2004-08-28 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-30 08:16 . 2008-02-15 01:54 -------- d-----w- c:\program files\McAfee
2009-06-30 06:48 . 2007-02-09 04:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-06-26 06:13 . 2009-06-26 06:13 49152 ----a-r- c:\documents and settings\Ken.Denson\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA1.exe
2009-06-26 06:13 . 2009-06-26 06:13 49152 ----a-r- c:\documents and settings\Ken.Denson\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA.exe
2009-06-26 04:26 . 2009-06-26 04:26 -------- d-----w- c:\documents and settings\Ken.Denson\Application Data\McAfee
2009-06-19 22:48 . 2007-01-12 01:03 -------- d-----w- c:\program files\AIM6
2009-05-14 04:25 . 2009-05-14 04:25 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-05-07 15:32 . 2001-08-18 13:00 345600 ------w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-02-06 23:05 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OODIIcon]
@="{14A94384-BBED-47ed-86C0-6BF63FD892D0}"
[HKEY_CLASSES_ROOT\CLSID\{14A94384-BBED-47ed-86C0-6BF63FD892D0}]
2008-06-24 08:04 111872 ----a-w- c:\program files\OO Software\DiskImage\oodishi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-09-02 376912]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-25 868352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-10 7286784]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-10-10 86016]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-05-01 645328]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI2"=myokent.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Nortel Networks\\Extranet.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2005\\sandra.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2005\\RpcSandraSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2005\\RpcDataSrv.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\magicsword8\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\magicsword8\\half-life 2\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 1394VDEV;1394 Virtual Device;c:\windows\SYSTEM32\DRIVERS\1394vdev.sys [10/7/2004 9:20 AM 20096]
R0 oodisr;O&O DiskImage Snapshot/Restore Driver;c:\windows\SYSTEM32\DRIVERS\oodisr.sys [6/24/2008 3:08 AM 94728]
R0 oodisrh;oodisrh;c:\windows\SYSTEM32\DRIVERS\oodisrh.sys [6/24/2008 3:08 AM 28680]
R0 oodivd;O&O DiskImage Virtual Disk Driver;c:\windows\SYSTEM32\DRIVERS\oodivd.sys [6/24/2008 3:08 AM 128520]
R0 oodivdh;oodivdh;c:\windows\SYSTEM32\DRIVERS\oodivdh.sys [6/24/2008 3:09 AM 31240]
R0 PQV2i;PQV2i;c:\windows\SYSTEM32\DRIVERS\PQV2i.sys [9/12/2003 3:19 PM 132899]
R0 ub1394;Unibrain 1394 Class Driver;c:\windows\SYSTEM32\DRIVERS\UB1394.sys [11/3/2003 12:22 PM 115328]
R0 ubsbm;Unibrain 1394 SBM Driver;c:\windows\SYSTEM32\DRIVERS\UBSBM.sys [11/3/2003 12:25 PM 11776]
R1 PQIMount;PQIMount;c:\windows\SYSTEM32\DRIVERS\PQIMount.sys [9/12/2003 3:48 PM 46810]
R2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [4/6/2009 11:43 PM 317440]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [1/28/2009 11:11 PM 13088]
R2 O&O DiskImage;O&O DiskImage;c:\program files\OO Software\DiskImage\oodiag.exe [6/24/2008 3:04 AM 1869056]
R2 PfDetNT;PfDetNT;c:\windows\SYSTEM32\DRIVERS\pfmodnt.sys [9/15/2004 9:45 PM 16168]
R2 PQfsmonNT ABE675CA-49DF-11d3-93F6-00104B64D07B;PowerQuest File System Monitor PQfsmonNT ABE675CA-49DF-11d3-93F6-00104B64D07B;c:\program files\PowerQuest\DataKeeper 5.0\PqFsmonNt.sys [7/12/2002 3:31 PM 49096]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\SYSTEM32\DRIVERS\UBUMAPI.sys [11/3/2003 12:24 PM 29568]
R3 Eacfilt;Eacfilt Miniport;c:\windows\SYSTEM32\DRIVERS\eacfilt.sys [11/26/2002 10:21 AM 9049]
R3 nv3;nv3;c:\windows\SYSTEM32\DRIVERS\nv3.sys [2/27/2006 10:35 AM 198144]
R3 ubsbp2;Unibrain SBP2 Bus Driver;c:\windows\SYSTEM32\DRIVERS\ubsbp2.sys [11/3/2003 12:21 PM 35792]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\SYSTEM32\DRIVERS\ipsecw2k.sys [11/26/2002 10:20 AM 115008]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S3 3CCMUSB;3Com HomeConnect Cable Modem External with USB Driver;c:\windows\SYSTEM32\DRIVERS\3ccmusb.sys [11/21/2002 2:32 AM 30096]
S3 CA500AI;SPCA500A Still Image Capture, Sunplus Version 1.00;c:\windows\SYSTEM32\DRIVERS\BulkUsb.sys [12/25/2003 12:36 PM 10647]
S3 CA500AV;CaptureView VGA;c:\windows\SYSTEM32\DRIVERS\Ca500av.sys [12/25/2003 12:36 PM 151820]
S3 cdiskdun;cdiskdun;\??\c:\docume~1\Eric\LOCALS~1\Temp\cdiskdun.sys --> c:\docume~1\Eric\LOCALS~1\Temp\cdiskdun.sys [?]
S3 CEUSBAUD;DigiTech USB MIDI Driver;c:\windows\SYSTEM32\DRIVERS\ceusbaud.sys [11/1/2003 3:19 PM 17920]
S3 FRTYZDL;FRTYZDL;c:\docume~1\KEN~1.DEN\LOCALS~1\Temp\FRTYZDL.exe --> c:\docume~1\KEN~1.DEN\LOCALS~1\Temp\FRTYZDL.exe [?]
S3 PFYPY;PFYPY;c:\docume~1\KEN~1.DEN\LOCALS~1\Temp\PFYPY.exe --> c:\docume~1\KEN~1.DEN\LOCALS~1\Temp\PFYPY.exe [?]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\SYSTEM32\DRIVERS\pixmcvc.sys [4/25/2004 8:12 AM 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\SYSTEM32\DRIVERS\pixmcva.sys [4/25/2004 8:13 AM 28057]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\SYSTEM32\DRIVERS\pixmcvv.sys [4/25/2004 8:12 AM 21081]
S3 QF6_1394;QF6_1394;c:\windows\SYSTEM32\DRIVERS\QF6_1394.sys [10/7/2004 7:27 AM 92544]
S3 QF6_avs;QF6_avs;c:\windows\SYSTEM32\DRIVERS\QF6_avs.sys [10/7/2004 7:27 AM 24576]
S3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\SYSTEM32\DRIVERS\ubohci.sys [11/3/2003 12:20 PM 72832]
S3 UETUYCJWM;UETUYCJWM;c:\docume~1\KEN~1.DEN\LOCALS~1\Temp\UETUYCJWM.exe --> c:\docume~1\KEN~1.DEN\LOCALS~1\Temp\UETUYCJWM.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-09 23:27]

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-30 13:57]

2009-06-30 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-30 13:57]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://ms101.mysearch.com/sa/srchlft.html
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0CBD083F-B6B3-11D0-AD20-0060976EA210} - file://c:\docume~1\KEN~1.DEN\LOCALS~1\Temp\vandropbox.cab
DPF: {3D82A12A-C1FA-11D0-9B21-0080C79EFE90} - file://c:\docume~1\KEN~1.DEN\LOCALS~1\Temp\VANFIND.cab
DPF: {60046ED9-8E77-11D0-9B21-0080C79EFE90} - file://c:\docume~1\KEN~1.DEN\LOCALS~1\Temp\vangrid.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {B8958DE0-BAC9-101C-933E-0000C005958C} - file://c:\docume~1\KEN~1.DEN\LOCALS~1\Temp\Edt32x20.ocx
DPF: {BAF8BCAE-D9D1-11D0-9B21-0080C79EFE90} - file://c:\docume~1\KEN~1.DEN\LOCALS~1\Temp\vantree.cab
DPF: {D1CC3791-D9DF-11D0-9B21-0080C79EFE90} - file://c:\docume~1\KEN~1.DEN\LOCALS~1\Temp\vantfind.cab
DPF: {DDFC7D44-F87D-11D0-BFF8-00A024CA8C68} - file://c:\docume~1\KEN~1.DEN\LOCALS~1\Temp\vanrollup.cab
DPF: {E0DB982A-E986-11D0-B2F8-00A0247B9D10} - file://c:\docume~1\KEN~1.DEN\LOCALS~1\Temp\vanviewer.cab
DPF: {EB52CF7B-3917-11CE-80FB-0000C0C14E92} - file://c:\docume~1\KEN~1.DEN\LOCALS~1\Temp\sscala32.cab
DPF: {FB779381-F865-11D0-BFF8-00A024CA8C68} - file://c:\docume~1\KEN~1.DEN\LOCALS~1\Temp\vanfcast.cab
DPF: {FF1DACCD-3047-11D1-8028-00A024CA8C68} - file://c:\docume~1\KEN~1.DEN\LOCALS~1\Temp\vanpipeline.cab
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\myokent.dll

- - - - - - - > 'lsass.exe'(880)
c:\windows\system32\myokent.dll
.
Completion time: 2009-07-27 0:31
ComboFix-quarantined-files.txt 2009-07-27 05:31

Pre-Run: 10,009,993,216 bytes free
Post-Run: 10,089,635,840 bytes free

224 --- E O F --- 2009-07-15 08:01
-------------------------------------------------------------

When I ran HijackThis immediately after ComboFix finished (it had to reboot during the process to delete the 2 DLLs and 1 driver file), it reported an error in a registry call (I let it upload info about that error to Trend Micro). I saved that log file, but I rebooted and re-ran HijackThis, and the log file of the run after the reboot is what is posted below. Let me know if you would like to see the log file from immediately after ComboFix finished. I didn't examine the first log, but the byte counts were different.

-------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:03 AM, on 7/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\OO Software\DiskImage\oodiag.exe
C:\WINDOWS\system32\wuauclt.exe
H:\Downloads\HiJackThis\HJT.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O1 - Hosts: 216.91.32.72 s228130hz1ew08.apptix-01.savvis.net
O1 - Hosts: 216.91.32.73 s228130hz1ew09.apptix-01.savvis.net
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CBD083F-B6B3-11D0-AD20-0060976EA210} (DropBox Control) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vandropbox.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {3D82A12A-C1FA-11D0-9B21-0080C79EFE90} (VanFind.VanFindCtrl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\VANFIND.cab
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://passage.cna.com/vdesk/terminal/f5tunsrv.cab#version=6020,2008,0212,2007
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://passage.cna.com/vdesk/terminal/InstallerControl.cab#version=6030,2008,1031,2119
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://passage.cna.com/vdesk/terminal/f5InspectionHost.cab#version=6030,2008,1031,2107
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {60046ED9-8E77-11D0-9B21-0080C79EFE90} (VanGrid.VanGridCtrl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vangrid.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096380544828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246342493734
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} (Net6Launcher Class) - https://access.whitfieldschool.org/net6helper.cab
O16 - DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} (F5 Virtual Sandbox Class) - https://passage.cna.com/vdesk/terminal/vdeskctrl.cab#version=6020,2008,0212,2006
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8958DE0-BAC9-101C-933E-0000C005958C} (FarPoint DateTime Control) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\Edt32x20.ocx
O16 - DPF: {BAF8BCAE-D9D1-11D0-9B21-0080C79EFE90} (VanTree.VanTreeCtrl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vantree.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://passage.cna.com/vdesk/terminal/urxshost.cab#version=6020,2008,0212,2006
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D1CC3791-D9DF-11D0-9B21-0080C79EFE90} (VanTFind.VanTFindCtrl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vantfind.cab
O16 - DPF: {DDFC7D44-F87D-11D0-BFF8-00A024CA8C68} (VanRollupGraph.VanRollupGraphCtrl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vanrollup.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://savvis.webex.com/client/T23L/webex/ieatgpc.cab
O16 - DPF: {E0DB982A-E986-11D0-B2F8-00A0247B9D10} (VanViewer.VanViewerCrtl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vanviewer.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://passage.cna.com/vdesk/terminal/urxhost.cab#version=6020,2008,0212,2005
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://passage.cna.com/policy/download_binary.php/win32/f5syschk.cab#Version=6030,2008,1031,2116
O16 - DPF: {EB52CF7B-3917-11CE-80FB-0000C0C14E92} (SSDateCombo Control) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\sscala32.cab
O16 - DPF: {FB779381-F865-11D0-BFF8-00A024CA8C68} (VanForecastGraph.VanForecastGraphCtrl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vanfcast.cab
O16 - DPF: {FF1DACCD-3047-11D1-8028-00A024CA8C68} (VanPipelineGraph.VanPipelineGraphCtrl) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vanpipeline.cab
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FRTYZDL - Unknown owner - C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\FRTYZDL.exe (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O DiskImage - Unknown owner - C:\Program Files\OO Software\DiskImage\oodiag.exe
O23 - Service: PFYPY - Unknown owner - C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\PFYPY.exe (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: UETUYCJWM - Unknown owner - C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\UETUYCJWM.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

--
End of file - 13312 bytes
-------------------------------------------------------------


As I indicated at the top of the post, I think ComboFix got the rootkit:

  1. I ran another MBA-M quick scan and it showed clean (let me know if you'd like me to post the log).
  2. I ran a McAfee quick scan and it completed without incident (the rootkit had been causing the first scan after a reboot to error out) and showed clean. (Trying to go to the Internet after a McAfee scan would sometimes lock the computer.)
  3. I was able to switch to the other family members' accounts (FastSwitching would be disabled after every reboot, and I would have to disable and re-enable the feature each time) and my son's account started without incident, including AIM.
  4. We appear to have stopped getting Vimax ads inserted into almost every website (this one included).
  5. It appears to have stopped interfering with Google. (The first time we'd try to follow a link from a search, it would typically intercept and send to some semi-random, but sometimes similar, website.)

Let me know if there's anything else from the HijackThis log you think I should get rid of. I'm inclined to get rid of the following:

O16 - DPF: ...akamai.net...qttime...
O16 - DPF: (Crucial CpcScan)
perhaps
O16 - DPF: (FarPoint DateTime Control) and
O16 - DPF: (SSDateCombo Control)
All the entries for the suspicious looking items now marked (file missing)

After any further clean ups, I plan to run CCleaner to purge all the Temporary Internet files, flush all System Restore Points, save a Snapshot in SpywareBlaster, and do an image backup of the system disk.


Thanks only begins to cover it!

Ken

Any of the 016 entries can be deleted with hijackthis. I am leaving work now, so will check your logs more thoroughly later.

Logs look ok.

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program

I'll get ATF Cleaner (and ditch CCleaner, which I haven't run yet). Can you confirm that I need to delete all our Cookies?

Also, I've run a full McAfee scan, and it found the quarantined versions of the two MSIVX dll files (one identified as a DNS Changer and the other a Fake Alert), as well as presumably versions of the same files (different names) in the System Volume Information\_Restore.

I'm now running a full MBA-M scan, so we'll see what it now finds, but I haven't yet deleted the earlier, non-rootkit, files it found.

Should I have the tools delete all the quarantined files, or is there any post-mortem analysis that should be done with all the nasties?


Thanks

Ken

I would delete the cookies, but it is up to you. They are harmless.


  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /, it needs to be there.

Have MBA-M delete what it finds. Let me know how things are.

Would also query this line

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html

Raises a few suspicions may not be leaving an entry point for well known malware "MyWebSearch". What are your thoughts Crunchie??

Would also be ditching McAfee for something more serious.

Good spotting. Missed that one. May want to look in add/remove too to make sure there are no entries for mysearch or mywebsearch etc and uninstall if found.
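To make the triage applied in this thread repeatable, here is an added Python example (not from this thread, and not part of HijackThis) that parses R1, O16 and O23 lines and flags the three patterns discussed above: an IE search URL pointing off-vendor, a DPF ActiveX control registered from a local Temp .cab, and an unknown-owner service in Temp marked (file missing). The sample lines are copied from the logs posted above; the list of expected search hosts is an assumption.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O16 - DPF: {0CBD083F-B6B3-11D0-AD20-0060976EA210} (DropBox Control) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vandropbox.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096380544828
O23 - Service: FRTYZDL - Unknown owner - C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\FRTYZDL.exe (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
"""

R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<url>.+)$")
O16_LINE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>.+)$")
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

# Hosts an IE search/start page may legitimately point at (assumption for this example).
EXPECTED_SEARCH_HOSTS = ("microsoft.com",)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O23"
    item: str      # the entry's name or CLSID
    reason: str    # why a defender would look at it


def _host_is_expected(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in EXPECTED_SEARCH_HOSTS)


def triage_line(line: str) -> Finding | None:
    """Apply the thread's triage rules to one HijackThis line; None means nothing to flag."""
    if m := R_LINE.match(line):
        if not _host_is_expected(m["url"]):
            return Finding("R1", m["key"], f"IE search/start URL points off-vendor: {m['url']}")
        return None
    if m := O16_LINE.match(line):
        # A DPF that loads its control from a local file (here a Temp .cab) rather than a site.
        if urlparse(m["url"]).scheme.lower() == "file":
            return Finding("O16", m["name"] or m["clsid"], "ActiveX DPF registered from a local Temp .cab; removable")
        return None
    if m := O23_LINE.match(line):
        in_temp = "\\temp\\" in m["path"].lower()
        if m["owner"] == "Unknown owner" and (in_temp or m["missing"]):
            state = "file missing" if m["missing"] else "present"
            return Finding("O23", m["name"], f"unknown-owner service in Temp ({state}): {m['path']}")
        return None
    return None


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over every non-blank line and keep only the findings."""
    return [f for f in (triage_line(l) for l in text.strip().splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.item}: {f.reason}")
```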

Your timing was excellent.

  1. I had just deleted the unneeded-looking DPF and Services with HijackThis, so I got rid of the "mysearch" item, as well. (There had been an Adware.MyWebSearch in the set of items that had been found and removed in the first pass of cleanup.)
  2. I ran ComboFix /u, and it completed without incident. (I'll post the log if you want to see it.)
  3. I got ATF Cleaner and purged everything, Cookies included.
  4. I ran a fresh, full scan with MBA-M, which was clean, and then I deleted all the quarantined items.
  5. I deleted with McAfee the two quarantined (by ComboFix) DLLs and the _Restore versions.
  6. I turned off System Restore and rebooted, to flush the restore points and complete the Services removal by HijackThis. I've re-enabled System Restore. (I have to keep poking around to remember how to get the System Restore utilities to save a restore point.)
  7. I checked for SpywareBlaster updates (none since 7/14/09) and saved a Snapshot. Interestingly, when I started SpywareBlaster this time, one of the Restricted Sites (AntiMalwareGuard) had become unchecked since I ran it earlier today. I re-enabled everything, but that will bear keeping an eye on.

In the process of cleaning up, I found that the rootkit had been blocking CHKDSK and Defrag, because they had failed to run when I was in the midst of trying to get rid of the rootkit. They both errored out on all my partitions (I have a bunch), not just the system drive partition. PartitionMagic also failed to start, reporting a problem with the drive. All three run fine now, and my file system doesn't report any problems.

I'll kick off an image backup of my system disk shortly.

Here's the latest HijackThis log for my system (I see a DPF I missed):

-----------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:59 AM, on 7/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\OO Software\DiskImage\oodiag.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\dllhost.exe
H:\Downloads\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CBD083F-B6B3-11D0-AD20-0060976EA210} (DropBox Control) - file://C:\DOCUME~1\KEN~1.DEN\LOCALS~1\Temp\vandropbox.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://passage.cna.com/vdesk/terminal/f5tunsrv.cab#version=6020,2008,0212,2007
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://passage.cna.com/vdesk/terminal/InstallerControl.cab#version=6030,2008,1031,2119
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://passage.cna.com/vdesk/terminal/f5InspectionHost.cab#version=6030,2008,1031,2107
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096380544828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246342493734
O16 - DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} (F5 Virtual Sandbox Class) - https://passage.cna.com/vdesk/terminal/vdeskctrl.cab#version=6020,2008,0212,2006
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://passage.cna.com/vdesk/terminal/urxshost.cab#version=6020,2008,0212,2006
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://savvis.webex.com/client/T23L/webex/ieatgpc.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://passage.cna.com/vdesk/terminal/urxhost.cab#version=6020,2008,0212,2005
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://passage.cna.com/policy/download_binary.php/win32/f5syschk.cab#Version=6030,2008,1031,2116
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O DiskImage - Unknown owner - C:\Program Files\OO Software\DiskImage\oodiag.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

--
End of file - 10766 bytes
-----------------------------------------------------------------

Let me know if there's anything else you think I should do.

crunchie, I can't begin to thank you enough for all your help in reclaiming my system. You are simply awesome.

kaninelupus, thanks for taking a look and picking up additional stuff.
If you want to suggest a different AV, I'll listen. I've just used McAfee forever. It's always been adequate for me (and my wife); my son is more "adventurous". Hopefully between SpywareBlaster and the rude awakening of how much nastiness is now out there, he'll be OK; he'll be back at college soon enough. I'd like to wean him away from toolbars; McAfee had been periodically finding and nuking copies of Artemis associated with toolbars. (We need to check out his Vista laptop; his college dictates and provides the anti-virus the students have to run; I think it's TrendMicro.)


Abundant thanks,

Ken

Log looks ok :).

Give McAfee the flick and consider installing free Avast, or if you want to pay, NOD32 or Kaspersky.

Would prob lean more toward Avira than Avast, but that's just my own preference. Crunchie - do either offer bundled firewall though on free versions??

Personally am using Comodo's free Internet Security (using AV and Firewall, but disabled system protection as really don't need it this end), but will switch back to Symantec Endpoint Protection when it has been made fully compatible with Win7.

Possibility for your end is to use either Avast or Avira for AV/anti-malware, and just install the firewall element of Comodo. Double the level of protection by covering both sides of the spectrum.

NB: Read here for a decent comparison of products. Just thought too, Microsoft's NEW free AV suite is actually getting some pretty damned good reviews (unlike OneCare!!), so there's another option - wasn't available at the time this comparison was compiled, so ignore reference on that link, as it refers to OneCare.

I'm using the Comodo suite myself, but used Avast for the past two years with no problems.
