Full Version: Is it clean now?
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
bottomsup
I was infected recently - not sure exactly with what, but I did notice a fake spyware/antivirus program.
Also it took out my wallpaper on my XP Pro SP2 machine.

Initially I wasn't able to launch Malwarebytes; the mbam.exe was gone. Even when I tried to reinstall it, it was missing.
Long story short, I was able to run it by getting a copy from my other machine on a flash drive.

So I was able to run Malwarebytes and it found some issues and fixed them.

However, I'm not sure if everything is gone and clean.

Could you please take a look at the logs and tell me if I need to take further action.

Thanks in advance for your time and effort.


Initial Malwarebytes log showing the infections:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

10/25/2009 10:00:05 PM
mbam-log-2009-10-25 (22-00-05).txt

Scan type: Full Scan (C:\|)
Objects scanned: 344482
Time elapsed: 2 hour(s), 41 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\99468238 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\99468238\99468238.bat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bawaruno.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\doneluvo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kanolalo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\levujiku.dll (Trojan.Vundo) -> Quarantined and deleted successfully.



Latest Malwarebytes Log

Malwarebytes' Anti-Malware 1.41
Database version: 3037
Windows 5.1.2600 Service Pack 3

10/26/2009 10:37:57 PM
mbam-log-2009-10-26 (22-37-57).txt

Scan type: Quick Scan
Objects scanned: 146787
Time elapsed: 9 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



HijackThis Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:37 PM, on 10/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Name of App] C:\Program Files\Samsung\FW LiveUpdate\Liveupdate.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
O4 - HKCU\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q c:\DOCUME~1\mazinga\LOCALS~1\temp\HSPERF~1.SH! C:\DOCUME~1\Mazinga\LOCALS~1\TEMPOR~1\Content.IE5\OSSSAC18\PK_2_~1.SH! C:\DOCUME~1\Mazinga\LOCALS~1\TEMPOR~1\Content.IE5\OSSSAC18\DIB89B~1.SH! C:\DOCUME~1\Mazinga\LOCALS~1\TEMPOR~1\Content.IE5\WLIV16MJ\AUDIO_~1.SH! C:\DOCUME~1\Mazinga\LOCALS~1\TEMPOR~1\Content.IE5\OSSSAC18\DIB89D~1.SH! C:\DOCUME~1\Mazinga\LOCALS~1\TEMPOR~1\Content.IE5\EJQNI2CP\WORDCL~1.SH! C:\DOCUME~1\Mazinga\LOCALS~1\TEMPOR~1\Content.IE5\OSSSAC18\DISPLA~3.SH! C:\DOCUME~1\Mazinga\LOCALS~1\TEMPOR~1\Content.IE5\OSSSAC18\L_2_~1.SH! C:\DOCUME~1\Mazinga\LOCALS~1\TEMPOR~1\Content.IE5\EJQNI2CP\DISPLA~4.SH! C:\DOCUME~1\Mazinga\LOCALS~1\TEMPOR~1\Content.IE5\OSSSAC18\DISPLA~4.SH! C:\DOCUME~1\Mazinga\LOCALS~1\TEMPOR~1\Content.IE5\EJQNI2CP\PARENT~1.SH!
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.filenori.co.kr
O15 - Trusted Zone: http://*.filenori.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://mpsnet.com/JavaVM3186.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://edownload.grisoft.cz/ewidoOnlineScan.cab
O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file:///D:/components/hidinputmonitorx.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file:///D:/components/A9.ocx
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F2965546-AD6C-4C52-8A80-2A336FB50CA8} (FilenoriDownloadControl Control) - http://korea.filenori.com/app/FilenoriDownloadControl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL wbsys.dll kusitozo.dll
O21 - SSODL: mayuzapus - {1ef401c6-8dea-42e1-8d95-eee5fef8bf91} - (no file)
O21 - SSODL: jurenokez - {99ffb361-f1f6-461a-961f-2b56a3879424} - (no file)
O21 - SSODL: migulatab - {1dfc69e6-0654-414a-858e-8dc2dc26bb50} - (no file)
O21 - SSODL: gevikudur - {55eebeb2-bbd6-468f-a517-f2cce17dcf4c} - (no file)
O21 - SSODL: rasuvewol - {5ac92a2b-17db-465d-8936-6f7ebea710a8} - (no file)
O21 - SSODL: bugoruvaf - {d9f5e06e-975b-4422-a754-e00879e0328c} - (no file)
O21 - SSODL: kowodafob - {6e6d75fa-fe01-4959-ad1b-c448bcf828ff} - (no file)
O22 - SharedTaskScheduler: tokatiluy - {1ef401c6-8dea-42e1-8d95-eee5fef8bf91} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {99ffb361-f1f6-461a-961f-2b56a3879424} - (no file)
O22 - SharedTaskScheduler: gahurihor - {1dfc69e6-0654-414a-858e-8dc2dc26bb50} - (no file)
O22 - SharedTaskScheduler: mujuzedij - {55eebeb2-bbd6-468f-a517-f2cce17dcf4c} - (no file)
O22 - SharedTaskScheduler: tokatiluy - {5ac92a2b-17db-465d-8936-6f7ebea710a8} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {d9f5e06e-975b-4422-a754-e00879e0328c} - (no file)
O22 - SharedTaskScheduler: jugezatag - {6e6d75fa-fe01-4959-ad1b-c448bcf828ff} - (no file)
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe
O23 - Service: Service1 - Alorica Inc. - C:\Documents and Settings\Mazinga\Desktop\WindowsService1\WindowsService1\bin\Debug\windowsservice1.exe

--
End of file - 10591 bytes
AdvancedSetup
STEP 01
With all other applications closed (Taskbar empty), open HijackThis again,
run "Do a system scan only" and place a check mark on the following items.
  • O15 - Trusted Zone: http://*.filenori.co.kr
  • O15 - Trusted Zone: http://*.filenori.com
  • O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://mpsnet.com/JavaVM3186.exe
  • O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
  • O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://edownload.grisoft.cz/ewidoOnlineScan.cab
  • O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
  • O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file:///D:/components/hidinputmonitorx.ocx
  • O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
  • O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file:///D:/components/A9.ocx
  • O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
  • O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
  • O16 - DPF: {F2965546-AD6C-4C52-8A80-2A336FB50CA8} (FilenoriDownloadControl Control) - http://korea.filenori.com/app/FilenoriDownloadControl.cab
  • O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL wbsys.dll kusitozo.dll
  • O21 - SSODL: mayuzapus - {1ef401c6-8dea-42e1-8d95-eee5fef8bf91} - (no file)
  • O21 - SSODL: jurenokez - {99ffb361-f1f6-461a-961f-2b56a3879424} - (no file)
  • O21 - SSODL: migulatab - {1dfc69e6-0654-414a-858e-8dc2dc26bb50} - (no file)
  • O21 - SSODL: gevikudur - {55eebeb2-bbd6-468f-a517-f2cce17dcf4c} - (no file)
  • O21 - SSODL: rasuvewol - {5ac92a2b-17db-465d-8936-6f7ebea710a8} - (no file)
  • O21 - SSODL: bugoruvaf - {d9f5e06e-975b-4422-a754-e00879e0328c} - (no file)
  • O21 - SSODL: kowodafob - {6e6d75fa-fe01-4959-ad1b-c448bcf828ff} - (no file)
  • O22 - SharedTaskScheduler: tokatiluy - {1ef401c6-8dea-42e1-8d95-eee5fef8bf91} - (no file)
  • O22 - SharedTaskScheduler: kupuhivus - {99ffb361-f1f6-461a-961f-2b56a3879424} - (no file)
  • O22 - SharedTaskScheduler: gahurihor - {1dfc69e6-0654-414a-858e-8dc2dc26bb50} - (no file)
  • O22 - SharedTaskScheduler: mujuzedij - {55eebeb2-bbd6-468f-a517-f2cce17dcf4c} - (no file)
  • O22 - SharedTaskScheduler: tokatiluy - {5ac92a2b-17db-465d-8936-6f7ebea710a8} - (no file)
  • O22 - SharedTaskScheduler: kupuhivus - {d9f5e06e-975b-4422-a754-e00879e0328c} - (no file)
  • O22 - SharedTaskScheduler: jugezatag - {6e6d75fa-fe01-4959-ad1b-c448bcf828ff} - (no file)
    Then Quit All Browsers including the one you're reading this in now.
    Then click on Fix checked and then quit HJT



STEP 02
Please click on START - RUN and type or copy/paste the following into the run line.
CODE
cmd /k schtasks /query /FO LIST /V

Please click on START - RUN and type or copy/paste the following into the run line.
CODE
cmd /k sc queryex Schedule

Then post back what they say.

STEP 03
Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded, you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
    When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt
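The STEP 01 list above mixes several load points that a reviewer reads differently: Trusted Zone additions (O15), ActiveX controls IE has downloaded (O16), AppInit_DLLs injected into every GUI process (O20), and Explorer hooks (O21 SSODL, O22 SharedTaskScheduler) whose DLLs are already gone. The script below is an example added here, not HijackThis code and not anything posted in the thread: it parses HJT O-lines (the sample lines are copied from the log above), flags those classes with a one-line reason, and pairs O21/O22 entries that share a CLSID, as the seven in this log do. The AppInit baseline, the trusted-zone allow-list and the user-writable path markers are this example's assumptions and should be tuned per environment.

```python
"""Triage of HijackThis (v2.0.2) O-lines: flags the load-point classes the
helper checked in STEP 01 and groups O21/O22 entries that share a CLSID.

Added example for this thread; it is not HijackThis code and not the forum's.
The sample lines are copied from the log posted above. The AppInit baseline,
the trusted-zone allow-list and the user-writable path markers are this
example's assumptions.
"""
import re

# Constructed sample: lines taken from the posted HJT log.
SAMPLE_LOG = r"""
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O15 - Trusted Zone: http://*.filenori.co.kr
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://mpsnet.com/JavaVM3186.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL wbsys.dll kusitozo.dll
O21 - SSODL: mayuzapus - {1ef401c6-8dea-42e1-8d95-eee5fef8bf91} - (no file)
O22 - SharedTaskScheduler: tokatiluy - {1ef401c6-8dea-42e1-8d95-eee5fef8bf91} - (no file)
O23 - Service: Service1 - Alorica Inc. - C:\Documents and Settings\Mazinga\Desktop\WindowsService1\WindowsService1\bin\Debug\windowsservice1.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HOST_RE = re.compile(r"https?://\*?\.?([^/\s]+)")

# Assumed baselines (example values, not an authoritative list).
APPINIT_BASELINE = {"goec62~1.dll", "wbsys.dll"}   # the two AppInit DLLs in the log that belong to installed software (assumption)
TRUSTED_ZONE_ALLOW = ("microsoft.com", "windowsupdate.com")
USER_WRITABLE = ("\\documents and settings\\", "\\desktop\\", "\\temp\\", "\\application data\\")


def parse_hjt(log_text):
    """Yield (section, body) for each 'Onn - ...' line; everything else is skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return a list of (section, reason, entry) review items."""
    findings = []
    clsid_sections = {}   # CLSID -> set of sections (O21/O22) that reference it
    for section, body in parse_hjt(log_text):
        if section == "O15":
            # Trusted Zone entries lower IE's security settings for that host.
            m = HOST_RE.search(body)
            if m and not m.group(1).endswith(TRUSTED_ZONE_ALLOW):
                findings.append((section, "non-allow-listed host in Trusted Zone", body))
        elif section == "O16":
            # DPF entries are ActiveX controls IE downloaded; list them for review.
            findings.append((section, "downloaded ActiveX control (DPF)", body))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # Every DLL listed here is loaded into every process that loads user32.dll.
            for dll in body.split(":", 1)[1].split():
                name = dll.rsplit("\\", 1)[-1].lower()
                if name not in APPINIT_BASELINE:
                    findings.append((section, f"AppInit DLL not in baseline: {name}", body))
        elif section in ("O21", "O22"):
            # Shell (SSODL) and SharedTaskScheduler hooks load at every Explorer start.
            m = CLSID_RE.search(body)
            if m:
                clsid_sections.setdefault(m.group(0).lower(), set()).add(section)
            if body.endswith("(no file)"):
                findings.append((section, "COM hook whose DLL is missing (orphaned registration)", body))
        elif section == "O23":
            path = body.rsplit(" - ", 1)[-1].lower()
            if any(marker in path for marker in USER_WRITABLE):
                findings.append((section, "service binary in a user-writable location", body))
    for clsid, sections in clsid_sections.items():
        if {"O21", "O22"} <= sections:
            findings.append(("O21/O22", "same CLSID registered as both SSODL and SharedTaskScheduler", clsid))
    return findings


if __name__ == "__main__":
    for section, reason, entry in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {entry}")
```

Feed the contents of a saved HijackThis log to triage() to get the same kind of list for another machine. A "review item" is exactly that: the script points at entries a person should look at and decides nothing on its own, which is why the O16 class is listed wholesale rather than judged.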

bottomsup
cmd /k schtasks /query /FO LIST /V


HostName: XP
TaskName: AppleSoftwareUpdate
Next Run Time: 10:42:00, 10/30/2009
Status:
Last Run Time: 10:42:00, 10/23/2009
Last Result: 0
Creator: SYSTEM
Schedule: At 10:42 AM every Fri of every week, starting 3/29/2007
Task To Run: C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Scheduled Type: Weekly
Start Time: 10:42:00
Start Date: 3/29/2007
End Date: N/A
Days: FRIDAY
Months: N/A
Run As User: NT AUTHORITY\SYSTEM
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:0
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
Idle Time: Disabled
Power Management: Disabled

HostName: XP
TaskName: McDefragTask
Next Run Time: 01:00:00, 11/15/2009
Status:
Last Run Time: 01:00:00, 6/15/2009
Last Result: 0
Creator: Mazinga
Schedule: At 1:00 AM on day 15 of every month, starting 3/21/2009
Task To Run: c:\PROGRA~1\mcafee\mqc\QcConsol.exe "C:\WINDOWS\system32\defrag.exe" C: -f
Start In: N/A
Comment: Disk Defragmenter
Scheduled Task State: Enabled
Scheduled Type: Monthly
Start Time: 01:00:00
Start Date: 3/21/2009
End Date: N/A
Days: 15
Months: JAN,FEB,MAR,APR,MAY,JUN,JUL,AUG,SEP,OCT,NOV,DEC
Run As User: XP\Mazinga
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:0
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
Idle Time: Disabled
Power Management: Disabled

HostName: XP
TaskName: McQcTask
Next Run Time: 01:00:00, 11/1/2009
Status:
Last Run Time: 01:00:00, 7/1/2009
Last Result: 0
Creator: Mazinga
Schedule: At 1:00 AM on day 1 of every month, starting 3/21/2009
Task To Run: c:\PROGRA~1\mcafee\mqc\QcConsol.exe 14 0
Start In: c:\PROGRA~1\mcafee\mqc
Comment: McAfee McAfee QuickClean
Scheduled Task State: Enabled
Scheduled Type: Monthly
Start Time: 01:00:00
Start Date: 3/21/2009
End Date: N/A
Days: 1
Months: JAN,FEB,MAR,APR,MAY,JUN,JUL,AUG,SEP,OCT,NOV,DEC
Run As User: XP\Mazinga
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:0
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
Idle Time: Disabled
Power Management: Disabled

HostName: XP
TaskName: shutdown
Next Run Time: Never
Status:
Last Run Time: 05:32:00, 11/1/2007
Last Result: -1073741510
Creator: Mazinga
Schedule: At 5:32 AM on 11/1/2007
Task To Run: C:\Documents and Settings\Mazinga\Desktop\shutdown.bat
Start In: C:\Documents and Settings\Mazinga\Desktop
Comment: N/A
Scheduled Task State: Enabled
Scheduled Type: One Time Only
Start Time: 05:32:00
Start Date: 11/1/2007
End Date: N/A
Days: N/A
Months: N/A
Run As User: XP\Mazinga
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: 72:0
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
Idle Time: Disabled
Power Management: No Start On Batteries, Stop On Battery Mode

C:\Documents and Settings\Mazinga>


cmd /k sc queryex Schedule


SERVICE_NAME: Schedule
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 888
FLAGS :


DDS.txt


DDS (Ver_09-10-26.01) - NTFSx86
Run by Mazinga at 19:57:42.20 on 10/29/2009 Thu
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.949.82.1033.18.1015.370 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\notepad.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Documents and Settings\Mazinga\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [PowerBar]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
uRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p7 /q c:\docume~1\mazinga\locals~1\temp\hsperf~1.sh! c:\docume~1\mazinga\locals~1\tempor~1\content.ie5\osssac18\pk_2_~1.sh! c:\docume~1\mazinga\locals~1\tempor~1\content.ie5\osssac18\dib89b~1.sh! c:\docume~1\mazinga\locals~1\tempor~1\content.ie5\wliv16mj\audio_~1.sh! c:\docume~1\mazinga\locals~1\tempor~1\content.ie5\osssac18\dib89d~1.sh! c:\docume~1\mazinga\locals~1\tempor~1\content.ie5\ejqni2cp\wordcl~1.sh! c:\docume~1\mazinga\locals~1\tempor~1\content.ie5\osssac18\displa~3.sh! c:\docume~1\mazinga\locals~1\tempor~1\content.ie5\osssac18\l_2_~1.sh! c:\docume~1\mazinga\locals~1\tempor~1\content.ie5\ejqni2cp\displa~4.sh! c:\docume~1\mazinga\locals~1\tempor~1\content.ie5\osssac18\displa~4.sh! c:\docume~1\mazinga\locals~1\tempor~1\content.ie5\ejqni2cp\PARENT~1.SH!
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [CHotkey] mHotkey.exe
mRun: [ledpointer] CNYHKey.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [Name of App] c:\program files\samsung\fw liveupdate\Liveupdate.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [NPSStartup]
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
Filter: text/x-mrml - {C51721BE-858B-4A66-A8BF-D2882FF49820} - c:\program files\yamaha\midradio player\MidRadio.ocx
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
LSA: Notification Packages = scecli takihiru.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mazinga\applic~1\mozilla\firefox\profiles\59f0gg4c.default\
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\mazinga\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\mazinga\application data\mozilla\plugins\npAbacast.dll
FF - plugin: c:\documents and settings\mazinga\application data\mozilla\plugins\NPAbacheck.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2007-2-23 33920]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-2-4 233472]
R2 GLOGODrv;GLOGODrv;c:\windows\system32\drivers\GLOGODrv.sys [2004-10-4 13332]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-22 47640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-21 203280]
R3 cmudax;C-Media Azalia Audio Interface;c:\windows\system32\drivers\cmudax.sys [2004-10-3 1385664]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-2-4 36608]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [2001-1-3 19677]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

=============== Created Last 30 ================

2009-10-27 04:49:56 0 d-----w- c:\program files\Trend Micro
2009-10-26 06:47:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-26 05:17:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-26 05:17:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-25 22:30:17 0 d-----w- c:\docume~1\alluse~1\applic~1\jumidani
2009-10-25 22:30:17 0 d-----w- c:\docume~1\alluse~1\applic~1\gitoribo
2009-10-25 22:30:17 0 d-----w- c:\docume~1\alluse~1\applic~1\fefiyiri
2009-10-23 05:02:39 2713 --sh--w- c:\windows\system32\wurizuto.exe

==================== Find3M ====================

2009-09-16 17:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 17:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 17:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 17:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 17:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13:08 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:09 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2005-09-09 00:14:36 42496 ----a-w- c:\program files\pidca.dll
2004-03-11 20:27:22 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-06-13 17:51:44 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-09-16 07:05:42 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091620080917\index.dat

============= FINISH: 19:58:49.81 ===============


Attach.txt
I zipped it up and attached it.
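The schtasks output above is long and most of it is routine. The script below is an example added here (not part of the thread and not a Microsoft tool) that parses the `schtasks /query /FO LIST /V` format into one record per task and flags the points a reviewer checks: a task whose command lives in a user-writable location, a SYSTEM task running from outside Windows or Program Files, and a non-zero Last Result rendered as the hex status code (schtasks prints it as a signed decimal, which is how -1073741510 above hides 0xC000013A). The sample records are constructed from the posted output and trimmed to the fields used; the location lists are this example's assumptions. Matching is done on the whole command string because Task Scheduler 1.0 prints the application path unquoted even when it contains spaces, as the shutdown task shows.

```python
"""Parse `schtasks /query /FO LIST /V` output (Task Scheduler 1.0 format, as
posted in the thread) and flag tasks worth a second look.

Added example; not part of the thread and not a Microsoft tool. The sample
records are constructed from the posted output, trimmed to the fields this
script reads. The location lists are this example's assumptions.
"""

# Constructed sample: three records from the posted output, trimmed to the
# fields used below (the real output has many more per task).
SAMPLE = r"""
HostName: XP
TaskName: AppleSoftwareUpdate
Last Result: 0
Task To Run: C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task
Run As User: NT AUTHORITY\SYSTEM

HostName: XP
TaskName: McDefragTask
Last Result: 0
Task To Run: c:\PROGRA~1\mcafee\mqc\QcConsol.exe "C:\WINDOWS\system32\defrag.exe" C: -f
Run As User: XP\Mazinga

HostName: XP
TaskName: shutdown
Next Run Time: Never
Last Result: -1073741510
Task To Run: C:\Documents and Settings\Mazinga\Desktop\shutdown.bat
Run As User: XP\Mazinga
"""

# Assumed location lists (tune per environment).
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\desktop\\")
SYSTEM_LOCATIONS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_schtasks_list(text):
    """Split LIST output into dicts; records are separated by blank lines."""
    tasks, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                tasks.append(current)
                current = {}
            continue
        key, sep, value = line.partition(": ")   # first ': ' only; times like 10:42 keep their colon
        if sep:
            current[key.strip()] = value.strip()
    if current:
        tasks.append(current)
    return tasks


def ntstatus(last_result):
    """Render schtasks' signed decimal Last Result as an unsigned 32-bit hex code."""
    return f"0x{int(last_result) & 0xFFFFFFFF:08X}"


def review_tasks(tasks):
    """Return (task name, reason) pairs for tasks that merit a look."""
    findings = []
    for task in tasks:
        name = task.get("TaskName", "?")
        cmd = task.get("Task To Run", "").lower()
        user = task.get("Run As User", "")
        if any(marker in cmd for marker in USER_WRITABLE):
            findings.append((name, "runs a file from a user-writable location"))
        if user.upper().endswith("\\SYSTEM") and not cmd.startswith(SYSTEM_LOCATIONS):
            findings.append((name, "runs as SYSTEM from outside Windows/Program Files"))
        result = task.get("Last Result", "0")
        try:
            if int(result) != 0:
                findings.append((name, f"last run ended with {ntstatus(result)}"))
        except ValueError:
            findings.append((name, f"unparseable Last Result {result!r}"))
    return findings


if __name__ == "__main__":
    for name, reason in review_tasks(parse_schtasks_list(SAMPLE)):
        print(f"{name}: {reason}")
```

Paste the full output of the STEP 02 command into a file and pass its text to parse_schtasks_list() to review a whole machine; on the posted output only the one-time `shutdown` task is reported, for its Desktop path and its 0xC000013A exit.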
AdvancedSetup
Please run the following online scanner and post back the log.


Please temporarily disable your current Anti-Virus in order to run this Online Scanner.
Using Internet Explorer:
  • Vista and Windows 7 users need to right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
  • Click here to run the Eset Online Scanner using Internet Explorer.
  • Click on the ESET Online Scanner button.
  • Click on the checkbox Yes, I accept the Terms of Use and click on the Start button.
  • By default the ActiveX installer will be blocked by Internet Explorer. You should see a yellow banner at the top of the Window.
  • Click the top of the Window and select "Run ActiveX Control" and then click the Run button on the next dialog box.
  • Click the Retry button if prompted to resend the request to load and run the ActiveX control from ESET
  • Make sure you Uncheck the Remove found threats checkbox in case we need you to submit a copy of any files found.
  • Click on the Advanced settings selection in the middle and place a checkmark on the following items
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • Under Current scan targets: click the Change... item and make sure it's set to Local drives and the Operating memory
  • Then click on the Start button and it will start downloading signature database files to update the program
  • Once the database files are downloaded it should automatically start scanning your system for threats.
  • When the scanner is done please click on the List of found threats and click on Export to text file...
  • Save the file as NOD32_SCAN.TXT to your Desktop
  • Click the << Back button. For now do not uninstall the program or delete the quarantine files, just click the Finish button.
  • The next screen is advertisement to purchase the product. You can just close that window for now.
  • If we need to run the program later on it can be run from here: C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
  • Open the file you saved to your Desktop as NOD32_SCAN.TXT and select all and copy/paste it back on your next reply

Using Another Browser
  • Please click here to launch the application which installs and launches ESET Online Scanner in a separate window.
  • You will first need to save the file to your Desktop and double-click on it to run it. Vista and Windows 7 users need to right-click and choose "Run as Administrator"
  • You should be prompted with "Do you want to run this file?", click on the Run button.
  • Click on the checkbox Yes, I accept the Terms of Use and click on the Start button.
  • The program will download further files to use with the scanner and allow you to change options.
  • Make sure you Uncheck the Remove found threats checkbox in case we need you to submit a copy of any files found.
  • Click on the Advanced settings selection in the middle and place a checkmark on the following items
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • Under Current scan targets: click the Change... item and make sure it's set to Local drives and the Operating memory
  • Then click on the Start button and it will start downloading signature database files to update the program
  • Once the database files are downloaded it should automatically start scanning your system for threats.
  • When the scanner is done please click on the List of found threats and click on Export to text file...
  • Save the file as NOD32_SCAN.TXT to your Desktop
  • Click the << Back button. For now do not uninstall the program or delete the quarantine files, just click the Finish button.
  • The next screen is advertisement to purchase the product. You can just close that window for now.
  • If we need to run the program later on it can be run from here: C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
  • Open the file you saved to your Desktop as NOD32_SCAN.TXT and select all and copy/paste it back on your next reply

bottomsup
Thanks for all your help.

I ran the scan and it found no threats.
AdvancedSetup
Okay please go ahead and uninstall NOD32 and download the following tool and run it. When asked to reboot please do.
http://oldtimer.geekstogo.com/OTC.exe


Then run this one more time and we should be done.

Update and Scan with Malwarebytes' Anti-Malware
  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log

bottomsup
I think we're looking good! (crossing my fingers)


Malwarebytes' Anti-Malware 1.41
Database version: 3064
Windows 5.1.2600 Service Pack 3

10/30/2009 11:38:51 PM
mbam-log-2009-10-30 (23-38-51).txt

Scan type: Quick Scan
Objects scanned: 147859
Time elapsed: 9 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
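The question the whole thread turns on is whether a pasted MBAM log is actually clean, and a quick read of the seven summary counters is easy to get wrong when the paste is truncated or an item says "Delete on reboot" rather than "Quarantined and deleted successfully". The following is an added example, not code from the thread or from Malwarebytes: a small parser for the MBAM 1.x log layout quoted above that extracts the summary counters and the per-section detail lines, reports whether the log is clean, flags items whose action does not say they were removed, and cross-checks the counters against the listed items. The log text in the block is constructed to match that layout; the paths and threat names in it are placeholders, not findings from this machine.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and decide whether it is clean.

Added example (not from the thread or from Malwarebytes). SAMPLE_LOG below is a
constructed log in the layout seen in this thread; its entries are placeholders.
"""
import re

# Constructed sample log (placeholder paths/threat names; not a real scan result).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 3064
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 147859
Time elapsed: 9 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EXAMPLE.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\EXAMPLE\example.dll (Rogue.Multiple) -> Delete on reboot.
"""

# "Registry Keys Infected: 1"  -> summary counter
SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "Registry Keys Infected:"    -> start of a detail section
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# "<path> (<threat>) -> <action>"; the action may itself contain "->" and parentheses
DETAIL_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
NO_ITEMS = "(No malicious items detected)"


def parse_mbam_log(text):
    """Return (summary, sections): counters by name, and detail items by section name."""
    summary, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("name")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = []
            continue
        if current is None or line == NO_ITEMS:
            continue  # header lines, or an empty section
        m = DETAIL_RE.match(line)
        if m:
            sections[current].append(m.groupdict())
        else:  # keep unparsed lines so nothing is silently dropped
            sections[current].append({"path": line, "threat": None, "action": None})
    return summary, sections


def is_clean(summary, sections):
    """Clean means every counter is 0 and no section lists an item."""
    return all(c == 0 for c in summary.values()) and not any(sections.values())


def unresolved_items(sections):
    """Items whose action does not confirm removal (e.g. 'Delete on reboot')."""
    return [(name, it["path"], it["action"])
            for name, items in sections.items() for it in items
            if "quarantined and deleted successfully" not in (it["action"] or "").lower()]


def inconsistencies(summary, sections):
    """Sections whose counter disagrees with the listed items (truncated paste, edited log)."""
    return [name for name, count in summary.items()
            if count != len(sections.get(name, []))]


if __name__ == "__main__":
    s, sec = parse_mbam_log(SAMPLE_LOG)
    print("clean:", is_clean(s, sec))
    print("needs reboot / not removed:", unresolved_items(sec))
    print("counter mismatches:", inconsistencies(s, sec))
```

On the constructed log this reports not clean, one item still pending a reboot, and no counter mismatches; the same functions run over the quick-scan log pasted above report clean, which is the check the helper made by eye.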
AdvancedSetup
Great, all looks good now.

I'll close your post soon so that others don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?


At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.
Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster
Download it from here
Find the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install hpHosts
Download it from here
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad,
tracking and malicious websites. This prevents your computer from connecting to these untrusted sites
by redirecting them to 127.0.0.1 which is your own local computer.
hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.
I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.



Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-HijackThis instructions found here before posting Pre-HJT Post Instructions


Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help
If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org
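The hpHosts suggestion above works because the resolver consults the hosts file before DNS, so a line mapping a hostname to 127.0.0.1 sends the connection to the local machine instead of the real site. The same mechanism cuts both ways: an infection can add hosts entries that redirect update or security sites elsewhere, which is worth checking on a machine that was just cleaned. The following is an added example, not code from the thread or from the hpHosts project: it parses a hosts file the way the resolver reads it (comments stripped, several names per line allowed), shows which names end up blocked, and lists entries that redirect a name to a non-local address rather than blocking it. The hosts excerpt is constructed and uses placeholder names and addresses.

```python
"""Hosts-file blocklist lookup and a check for redirecting (non-blocking) entries.

Added example (not from the thread or from hpHosts). SAMPLE_HOSTS is constructed;
the hostnames and the 198.51.100.7 address are documentation placeholders.
"""
import ipaddress

# Constructed hosts excerpt: the default localhost line, blocklist lines in the
# "127.0.0.1 hostname" style the post describes, a 0.0.0.0 variant, and one entry
# that redirects a name to a remote address instead of blocking it.
SAMPLE_HOSTS = """
# Example hosts file (constructed)
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example-tracker.test    # blocklist entry
127.0.0.1       malware.example.test  bad.example.test
0.0.0.0         telemetry.example.test
198.51.100.7    update.example-vendor.test
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, one per hostname; comments and blank lines ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def resolve(entries, hostname):
    """Mimic the resolver: first hosts-file match wins; None means it would go to DNS."""
    hostname = hostname.lower()
    for ip, name in entries:
        if name == hostname:
            return ip
    return None


def _is_blocking_address(ip):
    """127.0.0.0/8, ::1 and 0.0.0.0 all result in a dead connection, i.e. a block."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address; not a recognised block
    return addr.is_loopback or addr.is_unspecified


def is_blocked(entries, hostname):
    """True when the hosts file sends this name to a local/null address."""
    ip = resolve(entries, hostname)
    return ip is not None and _is_blocking_address(ip)


def suspicious_entries(entries):
    """Entries that redirect a name to a real (non-blocking) address.

    A legitimate blocklist like hpHosts only ever points names at 127.0.0.1, so
    anything else in the hosts file deserves a look after an infection.
    """
    return [(ip, name) for ip, name in entries if not _is_blocking_address(ip)]


if __name__ == "__main__":
    e = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example-tracker.test", "www.example.test"):
        print(host, "->", resolve(e, host), "blocked" if is_blocked(e, host) else "not blocked")
    print("redirecting entries:", suspicious_entries(e))
```

On Windows XP the file this would be run over is %SystemRoot%\system32\drivers\etc\hosts; read it with `parse_hosts(open(path).read())`. Note that a hosts-file block only stops connections made by name, so it is the "additional layer" the post calls it, not a replacement for the antivirus and firewall advice above.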

bottomsup
Thank you very much...can't say it enough.
AdvancedSetup
You're quite welcome. Take care and stay safe out there. Please tell your friends and family about Malwarebytes
