
Every time I start my computer and get to my profile I am presented with the following popup:

RunDLL

Error loading C:\Windows\TEMP\msxm192z.dll

This came after I used Malware Bytes so I figured I would start here to see how I stop this pop up from occurring.

Last Post by MPRadamacue

Error loading C:\Windows\TEMP\msxm192z.dll

If I am not mistaken, this is a WOW keylogger.
Looks like MBAM or another tool has removed it, hence the error when it tries to load.

-- Can you post your MBAM log?

Let's look to see if any other nasties remain:

-- Please run a scan with the Kaspersky Online Scanner 7.0
* Note that you may need to temporarily disable your Anti-virus program for the duration of this scan.

-- Accept the agreement and allow the scanner to load and update its definitions. This may take a few minutes.
-- After the program files are downloaded and the anti-virus database is successfully updated, please select the Scan section in the left part of the main program window.
-- Click My Computer to begin a complete scan of your computer, including critical areas.
-- Once the scan has finished, select the Reports section in the left part of the main program window. Click the Save report button in the report viewing window. The Saving window will open.
-- Name the file KAS 1 and choose to save it to the Desktop as a .txt file and then click the Save button.
Please post that for me.

THEN:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.

Please post the Kaspersky and DDS logs for me.

Will check back as time permits.

Cheers :)
PP


This is one log:
Malwarebytes' Anti-Malware 1.41
Database version: 3113
Windows 6.0.6002 Service Pack 2

11/13/2009 8:19:04 PM
mbam-log-2009-11-13 (20-19-04).txt

Scan type: Full Scan (C:\|D:\|K:\|L:\|)
Objects scanned: 523487
Time elapsed: 3 hour(s), 16 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 9
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BtwSrv (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\FastNetSrv.exe (Backdoor.Bot) -> Quarantined and deleted successfully.


This is another log:

Malwarebytes' Anti-Malware 1.41
Database version: 3113
Windows 6.0.6002 Service Pack 2

11/6/2009 9:43:54 PM
mbam-log-2009-11-06 (21-43-54).txt

Scan type: Full Scan (C:\|D:\|K:\|L:\|)
Objects scanned: 509749
Time elapsed: 2 hour(s), 8 minute(s), 5 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 18
Registry Values Infected: 14
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 21

Memory Processes Infected:
C:\Windows\System32\FastNetSrv.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
c:\Windows\System32\BtwSrv.dll (Backdoor.Bot) -> Delete on reboot.
C:\Windows\System32\kbdnet.dll (Spyware.Passwords) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\btwsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\btwsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fastnetsrv (Backdoor.Refpron) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Spyware.Passwords) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f59fc2a.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.Passwords) -> Data: c:\windows\system32\kbdnet.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.Passwords) -> Data: system32\kbdnet.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\BtwSrv.dll (Backdoor.Bot) -> Delete on reboot.
C:\Windows\System32\BtwSrv.dllx (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\kbdnet.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Windows\System32\opeia.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\wmdtc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\lsm32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4AT8N5X1\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4AT8N5X1\w[2].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4RGW2EA4\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4RGW2EA4\w[2].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U1XHZX0B\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U1XHZX0B\w[2].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VXE2UNTB\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VXE2UNTB\w[2].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
L:\Downloads\vsoConvertXtoDVD_4.0.3\Keygen.exe (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Users\Michael\Favorites\Clone Cash System.url (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\irc.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\santa.bat (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\sc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\FastNetSrv.exe (Backdoor.Bot) -> Quarantined and deleted successfully.


Try updating it and running it again. Yours is out-of-date.

You need to post the other logs that PP asked for too.



KAS 1 File:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
 Friday, December 25, 2009
 Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
 Kaspersky Online Scanner version: 7.0.26.13
 Last database update: Friday, December 25, 2009 01:08:45
 Records in database: 3409706
--------------------------------------------------------------------------------

Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\
    K:\
    L:\
    M:\

Scan statistics:
    Objects scanned: 361808
    Threats found: 6
    Infected objects found: 6
    Suspicious objects found: 11
    Scan duration: 15:00:24


File name / Threat / Threats count
C:\Users\Karyn\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\McAfee Anti 802\009C363B-000006B7.eml   Suspicious: Trojan-Spy.HTML.Fraud.gen   1
C:\Users\Karyn\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\McAfee Anti 802\14DD4726-0000069A.eml   Suspicious: Trojan-Spy.HTML.Fraud.gen   1
C:\Users\Karyn\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\McAfee Anti 802\34026956-00000647.eml   Suspicious: Trojan-Spy.HTML.Fraud.gen   1
C:\Users\Karyn\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\McAfee Anti 802\3F8C67ED-000006B2.eml   Suspicious: Trojan-Spy.HTML.Fraud.gen   1
C:\Users\Karyn\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\McAfee Anti 802\5559141A-00000651.eml   Suspicious: Trojan-Spy.HTML.Fraud.gen   1
C:\Users\Karyn\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\McAfee Anti 802\5A725798-00000660.eml   Suspicious: Trojan-Spy.HTML.Fraud.gen   1
C:\Users\Karyn\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\McAfee Anti 802\602973B2-00000664.eml   Suspicious: Trojan-Spy.HTML.Fraud.gen   1
C:\Users\Karyn\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\McAfee Anti 802\6332289B-000006DA.eml   Infected: Trojan-Spy.HTML.Fraud.hx  1
C:\Users\Karyn\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\McAfee Anti 802\6B1E0B69-00000899.eml   Infected: Packed.Win32.Krap.x   1
C:\Users\Karyn\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\McAfee Anti 802\6D901404-000006A2.eml   Suspicious: Trojan-Spy.HTML.Fraud.gen   1
C:\Users\Karyn\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\McAfee Anti 802\70A10C8A-0000069F.eml   Suspicious: Trojan-Spy.HTML.Fraud.gen   1
C:\Users\Karyn\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\McAfee Anti 802\787E222F-00000654.eml   Suspicious: Trojan-Spy.HTML.Fraud.gen   1
C:\Users\Karyn\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\McAfee Anti 802\7B886E55-000006BD.eml   Suspicious: Trojan-Spy.HTML.Fraud.gen   1
D:\mIRC\mirc.exe    Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
L:\Downloads\Lynda.com - After Effects CS3 Professional Essential Training\Lynda.com - After Effects CS3 Professional Essential Training.iso    Infected: Trojan.Win32.Monder.gen   1
L:\Downloads\Old\Tunebite Platinum 6.0.31668.6600 Incl.Serials.rar  Infected: Trojan-Downloader.Win32.VB.lxw    1
L:\Downloads\Old\Tunebite.Platinum.6.0.31668.6600.Incl.Serials\Tunebite.Platinum.6.0.31668.6600.Incl.Serials\tunebite.exe   Infected: Trojan-Downloader.Win32.VB.lxw    1

Selected area has been scanned.

DDS LOG:

DDS (Ver_09-12-01.01) - NTFSx86  
Run by Michael at 22:20:53.70 on Fri 12/25/2009
Internet Explorer: 8.0.6001.18865 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2046.546 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
K:\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\Program Files\QuickTime\QTTask.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Program Files\Common Files\McAfee\Core\mchost.exe
C:\Users\Michael\AppData\Local\Temp\jkos-Michael\binaries\ScanningProcess.exe
C:\Users\Michael\AppData\Local\Temp\jkos-Michael\binaries\ScanningProcess.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
C:\Windows\System32\mobsync.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\Program Files\Safari\Safari.exe
C:\Windows\system32\NOTEPAD.EXE
D:\TweetDeck\TweetDeck.exe
C:\Users\Michael\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - k:\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - d:\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - k:\spyware doctor\bdt\PCTBrowserDefender.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [igndlm.exe] d:\download manager\DLM.exe /windowsstart /startifwork
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [DAEMON Tools Lite] "d:\daemon tools lite\daemon.exe" -autorun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ter8m] RUNDLL32.EXE c:\windows\temp\msxm192z.dll,w
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [LifeChat] "c:\program files\microsoft lifechat\LifeChat.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [x3watch] c:\program files\x3watch\x3watch.exe
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "k:\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: convergysworkathome.com\www
Trusted Zone: timewarner.com\careers
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings/include/vzTCPConfig.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
DPF: {CAFEEFAC-0014-0002-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
mASetup: {B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\users\michael\appdata\roaming\mozilla\firefox\profiles\e608h9gc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\users\michael\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\michael\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - plugin: d:\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: d:\divx\divx web player\npdivx32.dll
FF - plugin: d:\download manager\npfpdlm.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - k:\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
k:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-12-09 17:12:29 24064   ----a-w-    c:\windows\system32\nshhttp.dll
2009-12-09 17:12:28 411648  ----a-w-    c:\windows\system32\drivers\http.sys
2009-12-09 17:12:28 30720   ----a-w-    c:\windows\system32\httpapi.dll
2009-12-09 10:22:48 243712  ----a-w-    c:\windows\system32\rastls.dll
2009-12-04 02:32:23 0   d-----w-    c:\users\michael\appdata\roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2009-11-28 14:39:41 0   d-----w-    c:\users\michael\appdata\roaming\Verizon

==================== Find3M  ====================

2009-12-24 11:20:49 189139  ----a-w-    c:\programdata\nvModes.dat
2009-12-03 21:14:06 38224   ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160   ----a-w-    c:\windows\system32\drivers\mbam.sys
2009-11-21 06:40:20 916480  ----a-w-    c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680   ----a-w-    c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056  ----a-w-    c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632  ----a-w-    c:\windows\system32\ieUnatt.exe
2009-11-11 01:29:26 0   ---ha-w-    c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-06 14:16:31 86016   ----a-w-    c:\windows\inf\infstor.dat
2009-11-06 14:16:31 665600  ----a-w-    c:\windows\inf\drvindex.dat
2009-11-06 14:16:31 51200   ----a-w-    c:\windows\inf\infpub.dat
2009-11-06 14:16:31 143360  ----a-w-    c:\windows\inf\infstrng.dat
2009-11-06 14:16:18 0   ---ha-w-    c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-06 14:13:20 42504   ----a-w-    c:\windows\system32\uses32.dat
2009-11-06 03:09:06 78848   ----a-w-    c:\windows\system32\taskkill.exe
2009-11-06 03:09:06 163840  ----a-w-    c:\windows\system32\taskmgr.exe
2009-11-06 03:09:04 25600   ----a-w-    c:\windows\system32\Netplwiz.exe
2009-11-06 03:09:03 9216    ----a-w-    c:\windows\system32\LogonUI.exe
2009-11-06 03:09:00 151040  ----a-w-    c:\windows\notepad.exe
2009-11-05 18:05:32 22016   ----a-w-    c:\windows\system32\winrshost.exe
2009-11-05 18:01:46 69632   ----a-w-    c:\windows\system32\TWUNK_32.EXE
2009-11-05 17:57:06 87552   ----a-w-    c:\windows\system32\SearchFilterHost.exe
2009-11-05 17:57:06 185344  ----a-w-    c:\windows\system32\SearchProtocolHost.exe
2009-11-05 17:48:46 98304   ----a-w-    c:\windows\system32\netsh.exe
2009-11-05 17:48:34 89600   ----a-w-    c:\windows\system32\NetProj.exe
2009-11-05 17:48:21 176128  ----a-r-    c:\windows\system32\NeroCheck.exe
2009-11-05 17:46:50 73216   ----a-w-    c:\windows\system32\msiexec.exe
2009-11-05 17:44:04 41472   ----a-w-    c:\windows\system32\lpremove.exe
2009-11-05 17:35:44 247296  ----a-w-    c:\windows\system32\wbem\WmiPrvSE.exe
2009-11-05 17:35:42 625664  ----a-w-    c:\windows\system32\wbem\WMIC.exe
2009-11-05 17:35:18 117248  ----a-w-    c:\windows\system32\wbem\WMIADAP.exe
2009-11-05 17:35:17 77824   ----a-w-    c:\windows\system32\wbem\WinMgmt.exe
2009-11-05 17:35:04 174080  ----a-w-    c:\windows\system32\wbem\wbemtest.exe
2009-11-05 17:34:51 37888   ----a-w-    c:\windows\system32\wbem\unsecapp.exe
2009-11-05 17:34:38 40960   ----a-w-    c:\windows\system32\wbem\scrcons.exe
2009-11-05 17:34:37 19968   ----a-w-    c:\windows\system32\wbem\mofcomp.exe
2009-11-05 17:16:59 299520  ----a-w-    c:\windows\uninst.exe
2009-11-05 17:15:57 155648  ----a-w-    c:\windows\omcamcap.exe
2009-11-05 17:15:45 679936  ----a-w-    c:\windows\iun6002.exe
2009-11-05 17:15:32 326656  ----a-w-    c:\windows\IsUninst.exe
2009-11-05 16:31:57 1792512 ----a-w-    c:\windows\system32\mmc.exe
2009-11-05 16:13:48 36864   ----a-w-    c:\windows\system32\xcopy.exe
2009-11-05 16:13:34 140800  ----a-w-    c:\windows\system32\wusa.exe
2009-11-05 16:13:09 33792   ----a-w-    c:\windows\system32\wuapp.exe
2009-11-05 16:12:56 192000  ----a-w-    c:\windows\system32\wsqmcons.exe
2009-11-05 16:12:55 30720   ----a-w-    c:\windows\system32\WSManHTTPConfig.exe
2009-11-05 16:12:41 155648  ----a-w-    c:\windows\system32\wscript.exe
2009-11-05 16:12:28 9216    ----a-w-    c:\windows\system32\write.exe
2009-11-05 16:12:16 39424   ----a-w-    c:\windows\system32\wpnpinst.exe
2009-11-05 16:11:49 18944   ----a-w-    c:\windows\system32\wpcer.exe
2009-11-05 16:11:04 34304   ----a-w-    c:\windows\system32\wlrmdr.exe
2009-11-05 16:11:03 74240   ----a-w-    c:\windows\system32\wlanext.exe
2009-11-05 16:10:50 244224  ----a-w-    c:\windows\system32\wisptis.exe
2009-11-05 16:10:38 8704    ----a-w-    c:\windows\system32\winver.exe
2009-11-05 16:10:34 3217408 ----a-w-    c:\windows\system32\WinSAT.exe
2009-11-05 16:10:33 33792   ----a-w-    c:\windows\system32\winrs.exe
2009-11-05 16:10:07 218112  ----a-w-    c:\windows\system32\WindowsAnytimeUpgrade.exe
2009-11-05 16:09:53 88064   ----a-w-    c:\windows\system32\wiaacmgr.exe
2009-11-05 16:09:53 43520   ----a-w-    c:\windows\system32\whoami.exe
2009-11-05 16:09:53 36352   ----a-w-    c:\windows\system32\where.exe
2009-11-05 16:09:40 163840  ----a-w-    c:\windows\system32\wevtutil.exe
2009-11-05 16:09:21 56320   ----a-w-    c:\windows\system32\wermgr.exe
2009-11-05 16:09:08 860160  ----a-w-    c:\windows\system32\WerFaultSecure.exe
2009-11-05 16:08:56 217088  ----a-w-    c:\windows\system32\WerFault.exe
2009-11-05 16:08:42 1143296 ----a-w-    c:\windows\system32\wercon.exe
2009-11-05 16:08:41 163328  ----a-w-    c:\windows\system32\wecutil.exe
2009-11-05 16:08:40 34816   ----a-w-    c:\windows\system32\waitfor.exe
2009-11-05 16:08:39 65024   ----a-w-    c:\windows\system32\w32tm.exe
2009-11-05 16:08:26 93696   ----a-w-    c:\windows\system32\vssadmin.exe
2009-11-05 16:08:26 112640  ----a-w-    c:\windows\system32\verifier.exe
2009-11-05 16:08:13 9216    ----a-w-    c:\windows\system32\verclsid.exe
2009-11-05 16:08:00 19968   ----a-w-    c:\windows\system32\vdsldr.exe
2009-11-05 16:07:35 638976  ----a-w-    c:\windows\system32\Utilman.exe
2009-11-05 16:07:22 25088   ----a-w-    c:\windows\system32\userinit.exe
2009-11-05 16:07:09 22528   ----a-w-    c:\windows\system32\upnpcont.exe
2009-11-05 16:07:08 33792   ----a-w-    c:\windows\system32\unlodctr.exe
2009-11-05 16:07:08 310784  ----a-w-    c:\windows\system32\unregmp2.exe
2009-11-05 16:07:08 28160   ----a-w-    c:\windows\system32\unattendedjoin.exe
2009-11-05 16:06:55 83456   ----a-w-    c:\windows\system32\unam4ie.exe
2009-11-05 16:06:22 81920   ----a-w-    c:\windows\system32\SystemPropertiesPerformance.exe
2009-11-05 16:06:10 81920   ----a-w-    c:\windows\system32\SystemPropertiesHardware.exe
2009-11-05 16:05:58 81920   ----a-w-    c:\windows\system32\SystemPropertiesDataExecutionPrevention.exe
2009-11-05 16:05:45 81920   ----a-w-    c:\windows\system32\SystemPropertiesComputerName.exe
2009-11-05 16:05:32 81920   ----a-w-    c:\windows\system32\SystemPropertiesAdvanced.exe
2009-11-05 16:05:32 76288   ----a-w-    c:\windows\system32\systeminfo.exe
2009-11-05 16:05:12 27648   ----a-w-    c:\windows\system32\syskey.exe
2009-11-05 16:05:12 27136   ----a-w-    c:\windows\system32\sxstrace.exe
2009-11-05 16:05:11 13824   ----a-w-    c:\windows\system32\subst.exe
2009-11-05 16:04:57 289280  ----a-w-    c:\windows\system32\StikyNot.exe
2009-11-05 16:04:45 294912  ----a-w-    c:\windows\system32\ssText3d.scr
2009-11-05 16:04:33 8139264 ----a-w-    c:\windows\system32\ssBranded.scr
2009-11-05 16:04:19 112640  ----a-w-    c:\windows\system32\spreview.exe
2009-11-05 16:04:06 289792  ----a-w-    c:\windows\system32\spinstall.exe
2009-11-05 16:03:52 19968   ----a-w-    c:\windows\system32\sort.exe
2009-11-05 16:03:52 127488  ----a-w-    c:\windows\system32\SoundRecorder.exe
2009-11-05 16:03:27 197632  ----a-w-    c:\windows\system32\SndVol.exe
2009-11-05 16:03:14 361984  ----a-w-    c:\windows\system32\SLUI.exe
2009-11-05 16:03:01 185856  ----a-w-    c:\windows\system32\SLLUA.exe
2009-11-05 16:02:45 67584   ----a-w-    c:\windows\system32\sigverif.exe
2009-11-05 16:02:44 29696   ----a-w-    c:\windows\system32\shutdown.exe
2009-07-07 20:46:35 245760  --sha-w-    c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 22:23:52.58 ===============
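PP's explanation above (the DLL was removed, but something still tries to load it at logon) and the `uRun: [ter8m] RUNDLL32.EXE c:\windows\temp\msxm192z.dll,w` line in the DDS log point at the same cause: a leftover Run value. The PowerShell script below is an added example, not code from the thread or from any of the tools mentioned; it assumes it is run in an elevated PowerShell session on the affected machine, lists every rundll32 autostart value under the Run/RunOnce keys, and flags the ones whose DLL no longer exists.

```powershell
# Added example, not from the thread: audit Run/RunOnce autostart values for
# rundll32 commands whose target DLL is missing. A Run value that still points
# at a DLL the scanner already deleted is what produces a logon popup such as
# "RunDLL - Error loading C:\Windows\TEMP\msxm192z.dll".

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunDllTarget {
    # Pull the DLL path out of a "rundll32.exe <dll>,<entrypoint>" command line.
    # Accepts quoted or unquoted paths and an optional quoted rundll32 path;
    # returns $null when the value is not a rundll32 command at all.
    param([string]$CommandLine)
    if ($CommandLine -notmatch '(?i)rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^,\s]+))') {
        return $null
    }
    $dll = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    # A bare file name (e.g. shell32.dll) is resolved through the loader search
    # path; check System32 so a legitimate entry is not reported as orphaned.
    if ($dll -notmatch '[\\/]') { $dll = Join-Path $env:SystemRoot "System32\$dll" }
    return $dll
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $dll = Get-RunDllTarget -CommandLine ([string]$item.GetValue($name))
        if (-not $dll) { continue }
        [pscustomobject]@{
            Key       = $key
            ValueName = $name
            Dll       = $dll
            Exists    = Test-Path -LiteralPath $dll
            # A DLL auto-started from a Temp directory is suspicious even when present
            InTemp    = $dll -match '(?i)\\temp\\'
        }
    }
}

$findings | Format-Table -AutoSize

# Orphaned values (DLL gone) are the ones that raise the RunDLL error at logon.
# -WhatIf only previews the removal; drop it once the list has been reviewed.
$findings | Where-Object { -not $_.Exists } | ForEach-Object {
    Remove-ItemProperty -Path $_.Key -Name $_.ValueName -WhatIf
}
```

On the machine in this thread the table would show the `ter8m` value under HKCU with `Exists` false and `InTemp` true; removing that value is what stops the popup, while an entry that is present and lives in Temp is worth submitting to the scanner rather than deleting blind.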

