samuel forrester

new processes slowing down computer much

10 posts in this topic

Hello, I am running Windows XP and my son tried to hack PhotoshopCS2 but ended up causing some major havoc and there are some processes that take up a bunch of the computer. I scanned with Ad-Aware, Trojan Hunter and the McAfee things, but to no avail... here is my HijackThis log...

 

Logfile of HijackThis v1.99.1

Scan saved at 6:39:34 PM, on 5/20/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\arservice.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\McAfee\MPS\mps.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\SiteAdvisor\6066\SAService.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\ARPWRMSG.EXE

C:\Program Files\Digital Media Reader\readericon45G.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\McAfee\MSK\MskAgent.exe

C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

C:\Program Files\Pure Networks\Network Magic\nmapp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe

C:\WINDOWS\system32\xmlnbygm.exe

C:\WINDOWS\system32\smdlsset.exe

C:\WINDOWS\system32\liscrts.exe

C:\WINDOWS\system32\fxsmccpc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\Program Files\McAfee\MPS\mpsevh.exe

C:\Program Files\BigFix\bigfix.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\FoxyTunes\ForInternetExplorer\FoxyTunesEngine.exe

C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\cnc3demo\TrojanHunter 4.6\THGuard.exe

C:\cnc3demo\Hijackthis\HijackThis.exe

c:\program files\mcafee\msc\mcuimgr.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O3 - Toolbar: FoxyTunes Toolbar - {1D1901C3-F72A-46f3-9DBB-0AAA0DEEF6DF} - C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\FoxyTunesForIE.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE

O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe

O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe

O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [idmlcs] C:\WINDOWS\system32\xmlnbygm.exe

O4 - HKLM\..\Run: [cpssystem] C:\WINDOWS\system32\smdlsset.exe

O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\altjdcfv.dll",realset

O4 - HKLM\..\Run: [playscl] C:\WINDOWS\system32\xmlnbygm.exe

O4 - HKLM\..\Run: [expcrt] C:\WINDOWS\system32\liscrts.exe

O4 - HKLM\..\Run: [timelibw] fxsmccpc.exe

O4 - HKLM\..\Run: [buildsw] C:\WINDOWS\system32\xmlnbygm.exe

O4 - HKLM\..\Run: [THGuard] "C:\cnc3demo\TrojanHunter 4.6\THGuard.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [idmlcs] C:\WINDOWS\system32\xmlnbygm.exe

O4 - HKCU\..\Run: [cpssystem] C:\WINDOWS\system32\smdlsset.exe

O4 - HKCU\..\Run: [playscl] C:\WINDOWS\system32\xmlnbygm.exe

O4 - HKCU\..\Run: [expcrt] C:\WINDOWS\system32\liscrts.exe

O4 - HKCU\..\Run: [timelibw] fxsmccpc.exe

O4 - HKCU\..\Run: [buildsw] C:\WINDOWS\system32\xmlnbygm.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp3.dll

O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)

O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe

 

Thank you very much for your time.


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hello,

 

Your system is terribly infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.

Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since finding the right cause and solution would be like searching for a needle in a haystack.

So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

 

In light of this, it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

 

Then, download Combofix to your desktop.

Double-click combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

 

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post this log in your next reply together with a new HijackThis log.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.


okay, I ran combofix once and a few seconds in, it said it detected a rootkit of some sort and rebooted, but nothing ever came on the screen, so I manually shut it down and it came back on with no log, so I ran it again and here is the log. Thanks 1,000,000 times

 

"Owner" - 2007-05-30 18:05:56 Service Pack 2

ComboFix 07-05.27.V - Running from: "C:\cnc3demo\"

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-30 ))))))))))))))))))))))))))))))))))

 

 

2007-05-30 17:27 <DIR> d-------- C:\WINDOWS\LastGood.Tmp

2007-05-30 17:26 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-05-25 21:48 <DIR> d-------- C:\WINDOWS\system32\appmgmt

2007-05-24 16:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center

2007-05-23 08:26 45,610 --a------ C:\WINDOWS\htrrgrtgrgewfer.exe

2007-05-23 08:22 <DIR> d-------- C:\DOCUME~1\OWNER~1.MIK\APPLIC~1\McAfee

2007-05-22 09:13 48,204 --a------ C:\WINDOWS\fwremkltgr.exe

2007-05-20 18:38 <DIR> d-------- C:\DOCUME~1\OWNER~1.MIK\APPLIC~1\TrojanHunter

2007-05-20 15:49 <DIR> d-------- C:\DOCUME~1\OWNER~1.MIK\APPLIC~1\Lavasoft

2007-05-20 15:48 <DIR> d-------- C:\Program Files\Lavasoft

2007-05-16 15:39 <DIR> d-------- C:\Program Files\Last.fm

2007-05-15 16:36 <DIR> d-------- C:\Program Files\FoxyTunes

2007-05-15 16:36 <DIR> d-------- C:\DOCUME~1\OWNER~1.MIK\APPLIC~1\FoxyTunes

2007-05-03 20:15 <DIR> d-------- C:\DOCUME~1\OWNER~1.MIK\APPLIC~1\WinRAR

2007-05-03 19:07 <DIR> d-------- C:\Andy's Pictures

2007-05-03 18:39 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared

2007-05-03 18:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems

2007-05-03 18:33 <DIR> d-------- C:\Program Files\iTunes

2007-05-03 18:33 <DIR> d-------- C:\Program Files\iPod

2007-05-03 18:33 <DIR> d-------- C:\DOCUME~1\OWNER~1.MIK\APPLIC~1\Apple Computer

2007-05-03 18:32 <DIR> d-------- C:\Program Files\QuickTime

2007-05-03 18:32 <DIR> d-------- C:\Program Files\Apple Software Update

2007-05-03 18:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer

2007-05-03 18:18 <DIR> d-------- C:\photoshop

2007-04-20 19:07 <DIR> d-------- C:\rodents_revenge

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-05-31 00:27:48 -------- d-----w C:\Program Files\McAfee

2007-05-25 15:46:47 -------- d-----w C:\DOCUME~1\OWNER~1.MIK\APPLIC~1\SiteAdvisor

2007-05-24 00:57:55 -------- d-----w C:\Program Files\TestGen

2007-05-06 18:02:14 -------- d-----w C:\Program Files\Pure Networks

2007-05-06 18:02:14 -------- d-----w C:\Program Files\Google

2007-05-06 05:30:59 -------- d-----w C:\Program Files\Napster

2007-05-06 05:30:08 -------- d-----w C:\Program Files\Common Files\AOL

2007-04-30 04:49:12 -------- d-----w C:\Program Files\AIM

2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-04-12 19:49:41 -------- d-----w C:\Program Files\SiteAdvisor

2007-03-31 08:02:49 -------- d-----w C:\DOCUME~1\OWNER~1.MIK\APPLIC~1\MSN6

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll

2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

2004-08-10 19:00:00 90,651 --sh--r C:\WINDOWS\system32\xmleljcj.exe

2004-08-10 19:00:00 89,244 --sh--r C:\WINDOWS\system32\fxsmccpc.exe

2004-08-10 19:00:00 48,204 --sh--r C:\WINDOWS\system32\xmlnbygm.exe

2004-08-10 19:00:00 48,204 --sh--r C:\WINDOWS\system32\umcudrye.exe

2004-08-10 19:00:00 48,204 --sh--r C:\WINDOWS\system32\umcgfbdp.exe

2004-08-10 19:00:00 48,204 --sh--r C:\WINDOWS\system32\sysgmzve.exe

2004-08-10 19:00:00 48,204 --sh--r C:\WINDOWS\system32\rdltxsix.exe

2004-08-10 19:00:00 48,204 --sh--r C:\WINDOWS\system32\drvdoelx.exe

2004-08-10 19:00:00 45,610 --sh--r C:\WINDOWS\system32\clizddjy.exe

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{089FD14D-132B-48FC-8861-0048AE113215}=C:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 08:41]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

{784D8FBC-4165-4D88-90FB-62907ACDD045}=C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\FoxyTunesForIE.dll [2007-04-25 07:15]

{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\program files\mcafee\virusscan\scriptcl.dll [2006-12-22 17:02]

{CA6319C0-31B7-401E-A518-A07C3DB8F777}=c:\windows\system32\BAE.dll [2006-02-01 03:54]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AlwaysReady Power Message APP"="ARPWRMSG.EXE" []

"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 18:44]

"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []

"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []

"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 12:30]

"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-01-15 01:05]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]

"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 18:30]

"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-02-08 19:39]

"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2006-11-01 01:04]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25]

"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 14:59]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"Power2GoExpress"=NA

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86b1fc85-fb86-11db-ae54-00038a000015}]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6e3718f-e76b-11da-91a6-806d6172696f}]

 

*Newly Created Service* -0283271180571274MCINSTCLEANUP

 

Contents of the 'Scheduled Tasks' folder

2007-05-22 16:31:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

2007-02-27 22:13:15 C:\WINDOWS\tasks\McDefragTask.job

2007-02-27 22:13:14 C:\WINDOWS\tasks\McQcTask.job

 

********************************************************************

 

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-30 18:07:24

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

 

********************************************************************

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\0283271180571274mcinstcleanup]

"ImagePath"="C:\WINDOWS\TEMP\028327~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service"

 

Completion time: 2007-05-30 18:15:11

C:\ComboFix-quarantined-files.txt ... 2007-05-30 18:15

C:\ComboFix2.txt ... 2007-05-30 17:26

 

--- E O F ---

 

AND HijackThis

 

Logfile of HijackThis v1.99.1

Scan saved at 6:15:56 PM, on 5/30/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\arservice.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\McAfee\MPS\mps.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\SiteAdvisor\6066\SAService.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe

C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe

C:\Program Files\McAfee\MPS\mpsevh.exe

C:\WINDOWS\ARPWRMSG.EXE

C:\Program Files\Digital Media Reader\readericon45G.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\McAfee\MSK\MskAgent.exe

C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

C:\Program Files\Pure Networks\Network Magic\nmapp.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\BigFix\bigfix.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\cnc3demo\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: FoxyTunes Toolbar Helper - {784D8FBC-4165-4D88-90FB-62907ACDD045} - C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\FoxyTunesForIE.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll

O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O3 - Toolbar: FoxyTunes Toolbar - {1D1901C3-F72A-46f3-9DBB-0AAA0DEEF6DF} - C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\FoxyTunesForIE.dll

O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE

O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe

O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe

O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab

O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp3.dll

O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: McAfee Application Installer Cleanup (0283271180571274) (0283271180571274mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\028327~1.EXE (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)

O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe

 

thank you thank you thank you


Hi,

 

I see you were running Combofix from a subfolder on your C:\

ComboFix 07-05.27.V - Running from: "C:\cnc3demo\"

 

Please move Combofix.exe from there and place it on your desktop as instructed.

 

Then,

 

Open notepad and copy/paste the text in the quotebox below into it:

 

File::

C:\WINDOWS\htrrgrtgrgewfer.exe

C:\WINDOWS\fwremkltgr.exe

C:\WINDOWS\system32\xmleljcj.exe

C:\WINDOWS\system32\fxsmccpc.exe

C:\WINDOWS\system32\xmlnbygm.exe

C:\WINDOWS\system32\umcudrye.exe

C:\WINDOWS\system32\umcgfbdp.exe

C:\WINDOWS\system32\sysgmzve.exe

C:\WINDOWS\system32\rdltxsix.exe

C:\WINDOWS\system32\drvdoelx.exe

C:\WINDOWS\system32\clizddjy.exe

 

 

Save this as ComboFix-Do.txt

 

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

 

[screenshot: Combo-Do.gif]

 

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


sorry about that desktop thing... here it is:

 

"Owner" - 2007-06-02 20:02:46 Service Pack 2

ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Owner.MIKERUBLE\"

Command switches used :: ""C:\Documents and Settings\Owner.MIKERUBLE\Desktop\ComboFix-Do.txt""

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

"C:\WINDOWS\htrrgrtgrgewfer.exe"

"C:\WINDOWS\fwremkltgr.exe"

"C:\WINDOWS\system32\xmleljcj.exe"

"C:\WINDOWS\system32\fxsmccpc.exe"

"C:\WINDOWS\system32\xmlnbygm.exe"

"C:\WINDOWS\system32\umcudrye.exe"

"C:\WINDOWS\system32\umcgfbdp.exe"

"C:\WINDOWS\system32\sysgmzve.exe"

"C:\WINDOWS\system32\rdltxsix.exe"

"C:\WINDOWS\system32\drvdoelx.exe"

"C:\WINDOWS\system32\clizddjy.exe"

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-05-02 to 2007-06-02 ))))))))))))))))))))))))))))))))))

 

 

2007-05-31 15:00 <DIR> d-------- C:\WINDOWS\LastGood

2007-05-30 17:26 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-05-25 21:48 <DIR> d-------- C:\WINDOWS\system32\appmgmt

2007-05-24 16:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center

2007-05-23 08:22 <DIR> d-------- C:\DOCUME~1\OWNER~1.MIK\APPLIC~1\McAfee

2007-05-20 18:38 <DIR> d-------- C:\DOCUME~1\OWNER~1.MIK\APPLIC~1\TrojanHunter

2007-05-20 15:49 <DIR> d-------- C:\DOCUME~1\OWNER~1.MIK\APPLIC~1\Lavasoft

2007-05-20 15:48 <DIR> d-------- C:\Program Files\Lavasoft

2007-05-16 15:39 <DIR> d-------- C:\Program Files\Last.fm

2007-05-15 16:36 <DIR> d-------- C:\Program Files\FoxyTunes

2007-05-15 16:36 <DIR> d-------- C:\DOCUME~1\OWNER~1.MIK\APPLIC~1\FoxyTunes

2007-05-03 20:15 <DIR> d-------- C:\DOCUME~1\OWNER~1.MIK\APPLIC~1\WinRAR

2007-05-03 19:07 <DIR> d-------- C:\Andy's Pictures

2007-05-03 18:39 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared

2007-05-03 18:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems

2007-05-03 18:33 <DIR> d-------- C:\Program Files\iTunes

2007-05-03 18:33 <DIR> d-------- C:\Program Files\iPod

2007-05-03 18:33 <DIR> d-------- C:\DOCUME~1\OWNER~1.MIK\APPLIC~1\Apple Computer

2007-05-03 18:32 <DIR> d-------- C:\Program Files\Apple Software Update

2007-05-03 18:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer

2007-05-03 18:18 <DIR> d-------- C:\photoshop

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-02 18:27:04 -------- d-----w C:\Program Files\McAfee

2007-05-25 15:46:47 -------- d-----w C:\DOCUME~1\OWNER~1.MIK\APPLIC~1\SiteAdvisor

2007-05-24 00:57:55 -------- d-----w C:\Program Files\TestGen

2007-05-06 18:02:14 -------- d-----w C:\Program Files\Pure Networks

2007-05-06 18:02:14 -------- d-----w C:\Program Files\Google

2007-05-06 05:30:59 -------- d-----w C:\Program Files\Napster

2007-05-06 05:30:08 -------- d-----w C:\Program Files\Common Files\AOL

2007-04-30 04:49:12 -------- d-----w C:\Program Files\AIM

2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-04-12 19:49:41 -------- d-----w C:\Program Files\SiteAdvisor

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll

2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{089FD14D-132B-48FC-8861-0048AE113215}=C:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 08:41]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

{784D8FBC-4165-4D88-90FB-62907ACDD045}=C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\FoxyTunesForIE.dll [2007-04-25 07:15]

{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\program files\mcafee\virusscan\scriptcl.dll [2006-12-22 17:02]

{CA6319C0-31B7-401E-A518-A07C3DB8F777}=c:\windows\system32\BAE.dll [2006-02-01 03:54]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AlwaysReady Power Message APP"="ARPWRMSG.EXE" []

"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 18:44]

"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []

"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []

"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 12:30]

"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-01-15 01:05]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 18:30]

"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-02-08 19:39]

"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2006-11-01 01:04]

"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 14:59]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"Power2GoExpress"=NA

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86b1fc85-fb86-11db-ae54-00038a000015}]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6e3718f-e76b-11da-91a6-806d6172696f}]

 

 

Contents of the 'Scheduled Tasks' folder

2007-05-22 16:31:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

2007-02-27 22:13:15 C:\WINDOWS\tasks\McDefragTask.job

2007-02-27 22:13:14 C:\WINDOWS\tasks\McQcTask.job

 

********************************************************************

 

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-02 20:04:56

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

 

********************************************************************

 

Completion time: 2007-06-02 20:05:19

C:\ComboFix-quarantined-files.txt ... 2007-06-02 20:05

C:\ComboFix2.txt ... 2007-05-30 18:15

C:\ComboFix3.txt ... 2007-05-30 17:26

 

--- E O F ---

 

 

and

 

 

Logfile of HijackThis v1.99.1

Scan saved at 8:06:45 PM, on 6/2/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\arservice.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\McAfee\MPS\mps.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\SiteAdvisor\6066\SAService.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe

C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\McAfee\MPS\mpsevh.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\ARPWRMSG.EXE

C:\Program Files\Digital Media Reader\readericon45G.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\McAfee\MSK\MskAgent.exe

C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

C:\Program Files\Pure Networks\Network Magic\nmapp.exe

C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\BigFix\bigfix.exe

C:\WINDOWS\explorer.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\FoxyTunes\ForInternetExplorer\FoxyTunesEngine.exe

C:\cnc3demo\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: FoxyTunes Toolbar Helper - {784D8FBC-4165-4D88-90FB-62907ACDD045} - C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\FoxyTunesForIE.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll

O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O3 - Toolbar: FoxyTunes Toolbar - {1D1901C3-F72A-46f3-9DBB-0AAA0DEEF6DF} - C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\FoxyTunesForIE.dll

O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE

O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe

O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe

O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash

O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab

O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp3.dll

O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)

O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe

 

thanks!!!!!!!!

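A check worth running once the ComboFix log comes back, added here as an example (it is not part of this thread, of ComboFix or of HijackThis): it parses the File:: block of a ComboFix-Do.txt script like the one the helper gave and the "Other Deletions" section of the resulting ComboFix log, then reports which requested files were actually removed, which were not, and anything deleted that was never asked for. The inputs are constructed from the paths in this thread, with one file deliberately missing from the deletions so the mismatch case is exercised.

```python
import re

# Constructed ComboFix-Do.txt, in the format the helper gave (File:: then one path per line).
COMBOFIX_DO = """File::
C:\\WINDOWS\\htrrgrtgrgewfer.exe
C:\\WINDOWS\\fwremkltgr.exe
C:\\WINDOWS\\system32\\xmleljcj.exe
C:\\WINDOWS\\system32\\clizddjy.exe
"""

# Constructed ComboFix log excerpt. clizddjy.exe is deliberately left out of
# "Other Deletions" so the checker has a mismatch to report.
COMBOFIX_LOG = """ComboFix 07-05.27.V - Running from: "C:\\Documents and Settings\\Owner\\"

(((((((((((((((((( Other Deletions ))))))))))))))))))

"C:\\WINDOWS\\htrrgrtgrgewfer.exe"
"C:\\WINDOWS\\fwremkltgr.exe"
"C:\\WINDOWS\\system32\\xmleljcj.exe"

(((((((((((((((((( Files Created from 2007-05-02 to 2007-06-02 ))))))))))))))))))

2007-05-30 17:26 49,152 --a------ C:\\WINDOWS\\nircmd.exe
"""

# ComboFix section banners look like "(((( Title ))))"; capture the title.
SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")


def parse_script_files(script: str) -> list[str]:
    """Return the paths listed under the File:: directive, in order.
    Any other directive (Folder::, Registry:: ...) ends the File:: block."""
    paths, in_file_block = [], False
    for line in script.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):
            in_file_block = (line == "File::")
            continue
        if in_file_block:
            paths.append(line)
    return paths


def parse_log_sections(log: str) -> dict[str, list[str]]:
    """Split a ComboFix log into {section title: its non-empty lines}."""
    sections, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def check_deletions(script: str, log: str) -> dict[str, list[str]]:
    """Compare the paths requested in the script with those ComboFix reports deleted."""
    requested = parse_script_files(script)
    # Deleted paths are quoted in the log; Windows paths compare case-insensitively.
    deleted = [p.strip('"') for p in parse_log_sections(log).get("Other Deletions", [])]
    deleted_keys = {p.lower() for p in deleted}
    requested_keys = {p.lower() for p in requested}
    return {
        "deleted": [p for p in requested if p.lower() in deleted_keys],
        "not_deleted": [p for p in requested if p.lower() not in deleted_keys],
        "unexpected": [p for p in deleted if p.lower() not in requested_keys],
    }


if __name__ == "__main__":
    for outcome, paths in check_deletions(COMBOFIX_DO, COMBOFIX_LOG).items():
        print(f"{outcome}: {paths}")
```

Anything listed under "not_deleted" is what to look at next in the new HijackThis log; an empty "unexpected" list confirms the run removed only what was requested.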

Hi,

 

Your log looks clean again. How are things now?


Everything works fine except somehow my ipod does not connect as the IpodService quits as soon as I connect, but that is relatively unimportant, and I don't expect you to do anything with that. Thanks for everything!


Hi,

 

Everything works fine except somehow my ipod does not connect as the IpodService quits as soon as I connect, but that is relatively unimportant, and I don't expect you to do anything with that.
For that you have to reinstall the iPod software, because I see the service is missing from your log:

 

O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

 

Glad I could help. :)

 

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

 

Happy Surfing again!


Since this issue appears resolved ... this Topic is closed.

 

If you need this topic reopened for continuation of existing problems, please tell the moderating team by replying here.

This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
