
Dell Dimension 2400 w/ Nasties [HijackThis Log]

Discussion in 'Malware and Virus Removal Archive' started by cpumedic, 2006/07/15.

  1. 2006/07/15
    cpumedic

    cpumedic Inactive Thread Starter

    Joined:
    2004/10/22
    Messages:
    44
    Likes Received:
    0
    A friend of my wife has this system that is trashed with garbage; she does not have the restore CD or I would just nuke it & start over! I have removed lots of stuff but still have a few hanging on. Here is the HJT run from root, so it should be correct. Any help would be greatly appreciated. I read this site almost daily as I use a lot of the tips at work, but this one is kicking my hiney, so to say - not enough time in the day to sift through all of it. Here is the HJT log of July 15, 06:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:53:00 AM, on 7/15/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\HJT\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5ce82d6fe07555fb9de241d0a5a80347\update\update.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=userinit.exe,oagvffv.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2C55C8E7-3360-4BD5-8A5E-3C765FB1B0AF} - C:\Program Files\Messenger\mefot.dll (file missing)
    O2 - BHO: (no name) - {2F0253D9-C379-4600-B5B9-1456B098F30B} - C:\WINDOWS\system32\jkkjj.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\pmkjg.dll
    O2 - BHO: ohb - {8037F7F0-80B6-453A-A7CB-5371A4A09BB8} - C:\WINDOWS\system32\nsrB.dll
    O2 - BHO: (no name) - {9D6D4258-C6EF-4ED9-896C-42309CECDA5D} - C:\WINDOWS\system32\jkkjg.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe "
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [mmmftx] C:\WINDOWS\system32\mvinua.exe reg_run
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
    O4 - HKLM\..\Run: [ms030536591175] C:\WINDOWS\ms030536591175.exe
    O4 - HKLM\..\Run: [is11] C:\WINDOWS\system32\is11
    O4 - HKLM\..\Run: [mil.exe] C:\WINDOWS\system32\mil.exe
    O4 - HKLM\..\Run: [mil.exeHTML 4.] C:\WINDOWS\system32\mil.exeHTML 4.
    O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    O4 - HKCU\..\Run: [ijthv] C:\WINDOWS\system32\mvinua.exe reg_run
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: pmkjg - C:\WINDOWS\SYSTEM32\pmkjg.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
  2. 2006/07/15
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Welcome to WindowsBBS Forums.

    You have a variant of QooLogic, along with bunches of other stuff. We have a specific fix for Qoo.

    Can you please tell me what you used to remove things and what they were that you removed?

    Download Qoofix from here to your desktop.
    • Create a new folder on your C: drive called 'QooFix'.
    • Extract the files from the zip to this new folder.
    • Navigate to this folder and double-click on the file named Qoofix.exe.
    • Select 'Begin Removal' and the removal process will commence.
    A reboot may be necessary if an infection is found.

    After rebooting please download and scan with Ewido.

    First download Ewido Anti-Spyware from HERE and save that file to your desktop.
    This is a 30 day trial of the program.
    1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
    2. Once the setup is complete you will need to run ewido and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-select "Only if threats were found"
    Close ewido anti-spyware. Do NOT run a scan just yet; we will shortly.
    1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
      IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
    2. Launch ewido anti-spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
    4. ewido will now begin the scanning process; be patient, this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will be prompted; then select "Apply all actions".
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close ewido and reboot your system back into Normal Mode, then post the results of the ewido report and a new HijackThis logfile.
     
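A defender-side triage of the HJT entry types TeMerc is reading in the log above, as an added example (it is not part of the thread and not HijackThis code): it parses the HijackThis line format and flags the patterns that stand out in this log, namely a UserInit value with extra executables, unnamed or orphaned BHOs, Run values that are not an executable path, Winlogon Notify handlers outside a short allow-list, and a publisher-less service whose binary is missing. The sample lines are copied from the first log posted; the allow-list of Notify handlers is an assumption, not an authoritative list.

```python
"""Heuristic triage of HijackThis v1.99 log entries (added example)."""
import re

# Constructed sample: lines copied from the first HJT log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,oagvffv.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2C55C8E7-3360-4BD5-8A5E-3C765FB1B0AF} - C:\Program Files\Messenger\mefot.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\pmkjg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [is11] C:\WINDOWS\system32\is11
O4 - HKLM\..\Run: [mil.exeHTML 4.] C:\WINDOWS\system32\mil.exeHTML 4.
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmkjg - C:\WINDOWS\SYSTEM32\pmkjg.dll
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Every HJT entry starts with a section code (F2, O2, O20, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<sect>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A Run target is acceptable here only if it names a file with an executable
# extension, optionally quoted and optionally followed by arguments.
RUN_TARGET_RE = re.compile(r'^"?.*?\.(exe|com|bat|cmd|scr|pif|dll)(\s|"|$)', re.IGNORECASE)

# Assumption: a short allow-list of Winlogon Notify handlers that ship with
# Windows XP or common vendor drivers. Illustrative, not authoritative.
KNOWN_NOTIFY = {
    "igfxcui", "wgalogon", "crypt32chain", "cryptnet", "cscdll", "scardsvr",
    "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


def parse_log(text):
    """Return (section, body) tuples for every HJT entry line in the log."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("sect"), match.group("body")))
    return entries


def triage_entry(section, body):
    """Return the reasons one entry deserves review; an empty list means none."""
    reasons = []
    if section == "F2" and "UserInit=" in body:
        # Every comma-separated value here runs at logon; only userinit.exe belongs.
        values = body.split("UserInit=", 1)[1].split(",")
        extra = [v.strip() for v in values
                 if v.strip() and v.strip().lower().rsplit("\\", 1)[-1] != "userinit.exe"]
        if extra:
            reasons.append("UserInit launches extra executables: " + ", ".join(extra))
    elif section == "O2":
        if body.startswith("BHO: (no name)"):
            reasons.append("browser helper object registered without a name")
        if body.endswith("(file missing)"):
            reasons.append("BHO registration whose DLL is gone (orphaned registration)")
    elif section == "O4" and "] " in body:
        target = body.split("] ", 1)[1]
        if not RUN_TARGET_RE.match(target):
            reasons.append("Run value does not point at a recognisable executable")
    elif section == "O20" and body.startswith("Winlogon Notify: "):
        handler = body[len("Winlogon Notify: "):].split(" - ", 1)[0].strip().lower()
        if handler not in KNOWN_NOTIFY:
            reasons.append("Winlogon Notify handler not in the allow-list: " + handler)
    elif section == "O23" and "Unknown owner" in body and body.endswith("(file missing)"):
        reasons.append("service with no publisher whose binary is missing")
    return reasons


def triage_log(text):
    """Return [(section, body, reasons)] for every entry that needs a look."""
    flagged = []
    for section, body in parse_log(text):
        reasons = triage_entry(section, body)
        if reasons:
            flagged.append((section, body, reasons))
    return flagged


if __name__ == "__main__":
    for section, body, reasons in triage_log(SAMPLE_LOG):
        print(f"[{section}] {body}")
        for reason in reasons:
            print(f"      -> {reason}")
```

The heuristics are deliberately conservative: a cleanly named entry such as `[mil.exe]` passes the path check, so the output is a review list for a human, not a verdict.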


  4. 2006/07/15
    cpumedic

    cpumedic Inactive Thread Starter

    "Can you please tell me what you used to remove things and what they were that you removed. "

    Thank you for replying so quickly!

    I removed the HDD from her computer after making sure I had all the latest updates on my Adaware SE, Spybot S&D, & my VCOM System Suite Professional, which uses the Trend Micro AV engine. Added her HDD as a slave into mine and scanned her HDD with these 3 programs, removed:
    A Better Internet.Aurora
    Hotsearch Bar
    DyFuCA.Internet Optimizer
    Deskwizz
    DyFuCA
    Media Motor 9

    Spybot S&D:
    ABetter Internet. Aurora 7 entries
    Avenue A, INC 1 entry
    ClimaxBucks.InternetOptimizer 1 entry
    DeskWizz 3 entries
    DyFuca.InternetOptimizer 14 entries
    DyFuCA 14 entries
    Hotsearch Bar 1 entry
    Media Motor 11 entries
    Media Plex 1 entry
    Mirar 7 entries
    Pacimedia 2 entries
    Roings 1 entry
    Rotue 1 entry
    Sysprotect 1 entry
    Webhancer 1 entry
    Web-Nexus 4 entries
    WebRebates.TopRebates 1 entry
    Windows Security CenterAVoveride 1 entry
    Windows Security Center.Firewall Overide 1 entry
    Winfixer 2005 9 entries
    Winsoftware.WinAntiVirusPro2006 61 entries
    YazzleSudoku 7 entries

    Adaware SE 337 items removed.

    MY AV listed the following:

    TROJ_QOOLOGIC.Al
    TROJ_SMALL.AXZ
    TROJ_SMALL.AAL
    TROJ_SMALL.AXZ
    TROJ_DROPPER.XV
    TROJ_CLICKER.JZ
    TROJ_VB.AMJ
    TROJ_VB.ANA
    TROJ_VB.AKK
    TROJ_VB.AMQ
    TROJ_QOOLOGIC.AL
    TROJ_QOOLOGIC.AK
    TROJ_QOOLOGIC.Al
    TROJ_QOOLOGIC.AN
    TROJ_QOOLOGIC.AO - removed all of these either by manually deleting files or automatically through the AV s/w
    TROJ_VUNDO.Al - removed with VundoFix
    Also ran VirtumundoBeGone to see if any were there; log said none found.
    Also ran Smit Remove just in case.

    Will post ewido & new hjt logs once they are complete on her system.

    Found out from her son, as Paul Harvey says, "the rest of the story": turns out mom was gone & the teenage son decided to surf some places he should not have gone. I am going to get some sweat equity out of him!!!!!
     
  5. 2006/07/15
    cpumedic

    cpumedic Inactive Thread Starter

    QOOFIX LOGFILE:

    Qoofix v1.02 by http://www.malwarebytes.org
    Scan started on [7/15/2006] at [9:32:10 PM]
    -------------------------------------------------------------
    No malicious modules found!
    -------------------------------------------------------------
    No Qoologic infected files found!
    -------------------------------------------------------------
    Scan COMPLETED SUCCESSFULLY on [7/15/2006] at [9:32:47 PM]

    Note: Some registry keys may have been removed.

    Will run Ewido & post logfile.
     
  6. 2006/07/15
    cpumedic

    cpumedic Inactive Thread Starter

    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 10:29:44 PM 7/15/2006

    + Scan result:



    C:\WINDOWS\SYSTEM32\pmkjg.dll -> Adware.Virtumonde : No action taken.
    C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.


    ::Report end

    Will run HJT now & post as well.
     
  7. 2006/07/15
    cpumedic

    cpumedic Inactive Thread Starter

    Latest HJT Logfile:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:57:58 PM, on 7/15/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2C55C8E7-3360-4BD5-8A5E-3C765FB1B0AF} - C:\Program Files\Messenger\mefot.dll (file missing)
    O2 - BHO: (no name) - {2F0253D9-C379-4600-B5B9-1456B098F30B} - C:\WINDOWS\system32\jkkjj.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\pmkjg.dll
    O2 - BHO: (no name) - {9D6D4258-C6EF-4ED9-896C-42309CECDA5D} - C:\WINDOWS\system32\jkkjg.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe "
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
    O4 - HKLM\..\Run: [ms030536591175] C:\WINDOWS\ms030536591175.exe
    O4 - HKLM\..\Run: [is11] C:\WINDOWS\system32\is11
    O4 - HKLM\..\Run: [mil.exe] C:\WINDOWS\system32\mil.exe
    O4 - HKLM\..\Run: [mil.exeHTML 4.] C:\WINDOWS\system32\mil.exeHTML 4.
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: pmkjg - C:\WINDOWS\SYSTEM32\pmkjg.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


    Thanks again for all your help!
     
  8. 2006/07/16
    TeMerc

    TeMerc Inactive Alumni

    OK, cool, looking better, but not by much!! :p

    Next special fix: even though Ewido seems to have caught some of Vundo, we want to be sure.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Put a check next to Run VundoFix as a task.
    • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    • When VundoFix re-opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
     
  9. 2006/07/16
    cpumedic

    cpumedic Inactive Thread Starter

    As you can see, I ran this back on the 5th of July and again today:

    VundoFix V4.2.84

    Checking Java version...

    Java version is 1.4.2.3

    Scan started at 9:51:22 PM 7/5/2006

    Listing files found while scanning....

    C:\WINDOWS\system32\pmkhi.dll
    C:\WINDOWS\system32\vturo.dll
    C:\WINDOWS\system32\orutv.ini
    C:\WINDOWS\system32\orutv.bak1
    C:\WINDOWS\system32\orutv.bak2

    C:\WINDOWS\SYSTEM32\orutv.bak1
    C:\WINDOWS\SYSTEM32\orutv.bak2
    C:\WINDOWS\SYSTEM32\orutv.ini
    C:\WINDOWS\SYSTEM32\vturo.dll
    Attempting to delete C:\WINDOWS\system32\pmkhi.dll
    C:\WINDOWS\system32\pmkhi.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vturo.dll
    C:\WINDOWS\system32\vturo.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\orutv.ini
    C:\WINDOWS\system32\orutv.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\orutv.bak1
    C:\WINDOWS\system32\orutv.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\orutv.bak2
    C:\WINDOWS\system32\orutv.bak2 Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V4.2.84

    Checking Java version...

    Java version is 1.4.2.3

    Scan started at 10:06:39 PM 7/5/2006

    Listing files found while scanning....


    C:\WINDOWS\SYSTEM32\jjkkj.bak1
    C:\WINDOWS\SYSTEM32\jjkkj.ini
    C:\WINDOWS\SYSTEM32\jkkjj.dll
    Attempting to delete C:\WINDOWS\SYSTEM32\jjkkj.bak1
    C:\WINDOWS\SYSTEM32\jjkkj.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\jjkkj.ini
    C:\WINDOWS\SYSTEM32\jjkkj.ini Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\jkkjj.dll
    C:\WINDOWS\SYSTEM32\jkkjj.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V4.2.84

    Checking Java version...

    Java version is 1.4.2.3

    Scan started at 9:17:11 PM 7/6/2006

    Listing files found while scanning....

    C:\WINDOWS\system32\mljgf.dll

    C:\WINDOWS\SYSTEM32\gjkkj.bak1
    C:\WINDOWS\SYSTEM32\gjkkj.bak2
    C:\WINDOWS\SYSTEM32\gjkkj.tmp
    C:\WINDOWS\SYSTEM32\gjkkj.ini
    C:\WINDOWS\SYSTEM32\gjkkj.ini2
    C:\WINDOWS\SYSTEM32\jkkjg.dll
    C:\WINDOWS\SYSTEM32\gjkkj.ini2
    C:\WINDOWS\SYSTEM32\gjkkj.bak2
    C:\WINDOWS\SYSTEM32\gjkkj.tmp
    C:\WINDOWS\SYSTEM32\gjkkj.ini
    C:\WINDOWS\SYSTEM32\gjkkj.ini2
    C:\WINDOWS\SYSTEM32\jkkjg.dll
    Attempting to delete C:\WINDOWS\system32\mljgf.dll
    C:\WINDOWS\system32\mljgf.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\gjkkj.bak1
    C:\WINDOWS\SYSTEM32\gjkkj.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\gjkkj.bak2
    C:\WINDOWS\SYSTEM32\gjkkj.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\gjkkj.tmp
    C:\WINDOWS\SYSTEM32\gjkkj.tmp Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\gjkkj.ini
    C:\WINDOWS\SYSTEM32\gjkkj.ini Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\gjkkj.ini2
    C:\WINDOWS\SYSTEM32\gjkkj.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\jkkjg.dll
    C:\WINDOWS\SYSTEM32\jkkjg.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V5.1.4

    Running as SYSTEM
    from c:\windows\system32\VundoFix.exe

    Checking Java version...

    Java version is 1.4.2.3

    Scan started at 4:42:13 PM 7/16/2006

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Running a new HJT, will post when complete!
     
  10. 2006/07/16
    cpumedic

    cpumedic Inactive Thread Starter

    HJT 07162006 1707 Logfile:
    Logfile of HijackThis v1.99.1
    Scan saved at 5:07:43 PM, on 7/16/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2C55C8E7-3360-4BD5-8A5E-3C765FB1B0AF} - C:\Program Files\Messenger\mefot.dll (file missing)
    O2 - BHO: (no name) - {2F0253D9-C379-4600-B5B9-1456B098F30B} - C:\WINDOWS\system32\jkkjj.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\pmkjg.dll
    O2 - BHO: ohb - {8037F7F0-80B6-453A-A7CB-5371A4A09BB8} - C:\WINDOWS\system32\nsuD.dll
    O2 - BHO: (no name) - {9D6D4258-C6EF-4ED9-896C-42309CECDA5D} - C:\WINDOWS\system32\jkkjg.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe "
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
    O4 - HKLM\..\Run: [ms030536591175] C:\WINDOWS\ms030536591175.exe
    O4 - HKLM\..\Run: [is11] C:\WINDOWS\system32\is11
    O4 - HKLM\..\Run: [mil.exe] C:\WINDOWS\system32\mil.exe
    O4 - HKLM\..\Run: [mil.exeHTML 4.] C:\WINDOWS\system32\mil.exeHTML 4.
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: pmkjg - C:\WINDOWS\SYSTEM32\pmkjg.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    TIA
    cpumedic aka Ron
     
  11. 2006/07/16
    TeMerc

    OK, looks like we may have some new stuff, so let's get some file scans and do some fixing.

    Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.

    Before we proceed we need to disable Spybot's TeaTimer. It will interfere with any fixes we make. Disable TeaTimer by doing the following:
    • Run Spybot-S&D
    • Go to the Mode menu, and make sure Advanced Mode is selected
    • On the left hand side, choose Tools -> Resident
    • Uncheck Resident TeaTimer and OK any prompts
    You can reenable TeaTimer once your system is clean.

    Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:
    C:\Program Files\Messenger\mefot.dll<<<--this file

    Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

    Be patient as this site is usually very busy.

    Also, please submit the file to Norman Sandbox File Submission. A valid email is required, but there is no worry as the site is fully trustworthy. They will send you back a detailed analysis of the file; please post the contents of the analysis back here.

    Please go to Add/Remove, and if found, uninstall the following:
    Web Rebates
    Viewpoint
    <<<--Usually bundled with AIM, 99% of users don't need it.

    Run HijackThis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button. When you are doing this, make sure you have no IE windows or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    O2 - BHO: (no name) - {2C55C8E7-3360-4BD5-8A5E-3C765FB1B0AF} - C:\Program Files\Messenger\mefot.dll (file missing)

    O2 - BHO: (no name) - {2F0253D9-C379-4600-B5B9-1456B098F30B} - C:\WINDOWS\system32\jkkjj.dll (file missing)

    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\pmkjg.dll

    O2 - BHO: ohb - {8037F7F0-80B6-453A-A7CB-5371A4A09BB8} - C:\WINDOWS\system32\nsuD.dll

    O2 - BHO: (no name) - {9D6D4258-C6EF-4ED9-896C-42309CECDA5D} - C:\WINDOWS\system32\jkkjg.dll (file missing)


    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe

    O4 - HKLM\..\Run: [ms030536591175] C:\WINDOWS\ms030536591175.exe

    O4 - HKLM\..\Run: [is11] C:\WINDOWS\system32\is11

    O4 - HKLM\..\Run: [mil.exe] C:\WINDOWS\system32\mil.exe

    O4 - HKLM\..\Run: [mil.exeHTML 4.] C:\WINDOWS\system32\mil.exeHTML 4.


    O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm


    O20 - Winlogon Notify: pmkjg - C:\WINDOWS\SYSTEM32\pmkjg.dll


    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    And search for, then delete, if found, (some may not be present after previous steps) the following files/folders:
    C:\Program Files\WebRebates4<<<<---folder
    C:\Program Files\Viewpoint<<<<---folder
    C:\WINDOWS\system32\jkkjj.dll <<<--file
    C:\WINDOWS\system32\pmkjg.dll<<<--file
    C:\WINDOWS\system32\nsuD.dll<<<--file
    C:\WINDOWS\system32\jkkjg.dll <<<--file
    C:\WINDOWS\CheckS02.exe<<<--file
    C:\WINDOWS\ms030536591175.exe<<<--file
    C:\WINDOWS\system32\is11<<<--file
    C:\WINDOWS\system32\mil.exeHTML 4.<<<--file

    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Post a new HJT log back into this thread please.
     
  12. 2006/07/16
    cpumedic

    Before we proceed we need to disable Spybot's TeaTimer.
    TeaTimer was disabled. ;)

    virusscan.jotti.org scan results:
    File: mefot
    Status: OK
    MD5 3f6b262730a9a4159d53bf58725e60c1
    Packers detected: -
    Scanner results
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    UNA Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing


    Will scan & post others as I get them done. It may be tomorrow before I get them back in as I must be at the JOB at 0600 :eek:
     
  13. 2006/07/17
    cpumedic

    Well, here are the scan results from Sandbox:

    Norman Scanner Engine 5.90. 7
    Sandbox 05.90, dated 11/06-2006

    Your message ID (for later reference): 20060717-188

    Hello,

    Thanks for taking the time to submit your samples to the Norman Sandbox Information Center. Customer delight is our top priority at Norman. With that in mind we have developed Sandbox Solutions for organizations that are committed to speedy analysis and debugging.

    Norman Sandbox Solutions give your organization the opportunity to analyze files immediately in your own environment.

    To find out how to bring the power of Norman Sandbox into your test environments follow the links below.

    Norman Sandbox Solutions
    http://www.norman.com/Product/Sandbox-products/

    Norman Sandbox Analyzer
    http://www.norman.com/Product/Sandbox-products/Analyzer/

    Norman Sandbox Analyzer Pro
    http://www.norman.com/Product/Sandbox-products/Analyzer-pro/

    Norman SandBox Reporter
    http://www.norman.com/Product/Sandbox-products/Reporter/

    The sandbox only runs Windows 32-bit executable code.

    We try to decompress most archives and use a list of passwords (norman,infected,virus etc). If you are certain you submitted something containing binary code (Windows executables) try to repack the file with one of the passwords given and resend it.
    2139 mail.dat Mail
    381 mefot DOS COM
    551 zhwpbihxcqumavuvfuku44bb06ed77437.zip ZIP

    (C) 2004-2006 Norman ASA. All Rights Reserved.
    The material presented is distributed by Norman ASA as an information source only.

    Sent by cpumedic@pgtc.com to sandbox.
    Received 17.July 2006 at 05.54 - processed 17.July 2006 at 05.56.

    Will post the HJT log as requested once I get that machine going again in a few minutes, once I search & delete the files as instructed. :rolleyes:

    Thank you for hanging in here with me, it has been a very long day in my IT world. ;)
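    Norman's reply above says the sandbox only runs Win32 executable code, and it classified the 381-byte "mefot" as a DOS COM file, so the submission could not produce a behavioural report. The check a practitioner wants before uploading anything is: is this actually a PE image, and what is its hash so the result can be matched against what Jotti printed? The following is an added example, not code from the thread or from any of the tools mentioned in it; the two sample blobs are constructed stand-ins (a 381-byte chunk of DOS code and a hand-built, non-loadable PE32 DLL), not the real files.

```python
import hashlib
import struct
from typing import Dict

def classify(data: bytes) -> str:
    """Say what kind of executable a blob is, reading only the MZ/PE headers."""
    if len(data) < 64 or data[:2] != b'MZ':
        return 'not an MZ executable'            # raw DOS .COM code, a script, or junk
    e_lfanew = struct.unpack_from('<I', data, 60)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        return 'MZ without PE header (16-bit DOS executable)'
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _nsect, _, _, _, opt_size, chars = struct.unpack_from('<HHIIIHH', data, e_lfanew + 4)
    magic = struct.unpack_from('<H', data, e_lfanew + 24)[0] if opt_size >= 2 and len(data) >= e_lfanew + 26 else 0
    kind = {0x10B: 'PE32', 0x20B: 'PE32+'}.get(magic, 'PE (unknown optional header)')
    role = 'DLL' if chars & 0x2000 else 'EXE'   # IMAGE_FILE_DLL
    return f'{kind} {role}, machine 0x{machine:04x}'

def digests(data: bytes) -> Dict[str, str]:
    """MD5 (what Jotti printed in 2006) and SHA-256 (what you should record today)."""
    return {'md5': hashlib.md5(data).hexdigest(), 'sha256': hashlib.sha256(data).hexdigest()}

def worth_submitting(data: bytes) -> bool:
    """A Win32-only sandbox can do nothing with a file that is not a PE image."""
    return classify(data).startswith('PE32')

def minimal_pe(dll: bool = False) -> bytes:
    """Constructed, non-loadable PE32 image: DOS stub, PE signature, COFF header, optional header."""
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 60, 64)              # e_lfanew: PE signature right after the stub
    chars = 0x0102 | (0x2000 if dll else 0)          # EXECUTABLE_IMAGE | 32BIT_MACHINE [| DLL]
    coff = struct.pack('<HHIIIHH', 0x014C, 1, 0, 0, 0, 0xE0, chars)   # i386, one section
    opt = struct.pack('<H', 0x10B) + bytes(0xE0 - 2)  # PE32 magic, rest zeroed
    return bytes(dos) + b'PE\0\0' + coff + opt

# Constructed stand-ins for the thread's samples: a 381-byte blob of DOS code
# (like the "mefot" the sandbox classified as DOS COM) and a PE32 DLL.
DOS_COM_BLOB = b'\xb8\x00\x4c\xcd\x21'.ljust(381, b'\0')   # mov ax,4C00h ; int 21h
PE_DLL_BLOB = minimal_pe(dll=True)

if __name__ == '__main__':
    for label, blob in (('mefot-like blob', DOS_COM_BLOB), ('pe32 dll', PE_DLL_BLOB)):
        print(f'{label}: {len(blob)} bytes, {classify(blob)}, submit={worth_submitting(blob)}')
        print('   md5 ' + digests(blob)['md5'])
```

    Run it against the real file with `classify(open(path, 'rb').read())` before uploading. If the MD5 you compute does not match the one the scanner reports, you scanned a different file than the one HijackThis pointed at; if the answer is not PE32, a Win32 sandbox will return exactly the kind of empty report shown above.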
     
  14. 2006/07/17
    cpumedic

     
  15. 2006/07/18
    TeMerc

    OK, I'm going to do some more digging on this infection. That file is in the database for removal and should be gone.

    I know there was a manual method for removal, but want to be sure about its use.

    Also, if the above log file was generated in safe mode, please give me a new one, run in normal mode.

    And I don't ever give up. :D
     
  16. 2006/07/18
    TeMerc

    OK, I want to run this tool and see what it finds.


    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
     
  17. 2006/07/18
    cpumedic

    Thank you:)

    Will run a new HJT in Normal mode.

    This ComboFix, should it be run in normal or safe mode? :confused:

    Will be here at work till ~7 PM CST; will post all tonight when I get home.

    I don't give up either, that's why I am still pounding on this little Dell Celeron. :eek:

    I am so glad it is not on my personal machine. :D
     
  18. 2006/07/18
    TeMerc

    Thanks... normal mode for ComboFix.
     
  19. 2006/07/18
    cpumedic

    Here is HJT in normal mode. Ewido was all over the pmkjg.dll file, then a new one popped in: awtst.dll.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:19:10 PM, on 7/18/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    O4 - HKCU\..\Run: [ijthv] C:\WINDOWS\system32\mvinua.exe reg_run
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    will run combofix and post that in a few.
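    Reading an HJT log by hand, as TeMerc did in post 11 and as the fresh log above invites, comes down to a handful of recurring tells: a registry entry that still points at a file which is gone ("(file missing)"), a five-letter gibberish DLL in system32, an executable dropped straight into C:\WINDOWS, a Run value whose "command" is not even an executable (is11, mil.exeHTML 4.), a Winlogon Notify package that is not one Windows ships with, and the same DLL wired into two autostart points at once (pmkjg.dll as both a BHO and a Winlogon Notify package). The script below is an added example, not part of the thread or of HijackThis itself; it parses the O2/O4/O20/O23 grammar and applies those tells to a constructed subset of the lines posted in this thread. The allow-lists (hkcmd.exe and ewido.exe, which the naive name rule would otherwise flag, and the stock XP Winlogon Notify packages) are the editor's assumptions, not data from the page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample: a subset of the HijackThis 1.99.1 lines posted in this thread,
# mixing known-good entries with the ones TeMerc asked to have fixed.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {2C55C8E7-3360-4BD5-8A5E-3C765FB1B0AF} - C:\Program Files\Messenger\mefot.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\pmkjg.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
O4 - HKLM\..\Run: [is11] C:\WINDOWS\system32\is11
O4 - HKLM\..\Run: [mil.exeHTML 4.] C:\WINDOWS\system32\mil.exeHTML 4.
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ijthv] C:\WINDOWS\system32\mvinua.exe reg_run
O20 - Winlogon Notify: pmkjg - C:\WINDOWS\SYSTEM32\pmkjg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

SECTION_RE = re.compile(r'^(?P<sec>[A-Z]\d+) - (?P<body>.*)$')
ENTRY_RE = {  # body grammar of the HJT sections triaged here; each yields 'name' and 'path'
    'O2': re.compile(r'^BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.*)$'),
    'O4': re.compile(r'^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<path>.*)$'),
    'O20': re.compile(r'^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$'),
    'O23': re.compile(r'^Service: .* \((?P<name>[^)]+)\) - (?P<owner>.*?) - (?P<path>.*)$'),
}
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|com|bat|cmd|scr|pif|dll))(?:\s|$)', re.I)
GOOD_EXT = ('.exe', '.com', '.bat', '.cmd', '.scr', '.pif', '.dll')
RANDOM_RE = re.compile(r'^[a-z]{4,6}$')   # pmkjg, jkkjg, awtst, mvinua ...
MISSING = ' (file missing)'
# Assumptions: names confirmed legitimate earlier in this thread (an Intel hotkey helper
# and ewido look "random" to the rule above), and the Winlogon Notify packages a stock
# XP SP2 box carries plus the Intel graphics and WGA ones in this log.
KNOWN_GOOD = {'hkcmd.exe', 'ewido.exe'}
KNOWN_NOTIFY = {'crypt32chain', 'cryptnet', 'cscdll', 'sccertprop', 'schedule',
                'sclgntfy', 'senslogn', 'termsrv', 'wlballoon', 'igfxcui', 'wgalogon'}

@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)

def exe_of(command: str) -> str:
    """Executable part of an O4 command line; the whole string if none is recognisable."""
    m = EXE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else command

def name_checks(path: str) -> List[str]:
    """Cheap name/location heuristics; every hit still needs an analyst's judgement."""
    base = path.rsplit('\\', 1)[-1].lower()
    reasons = [] if base.endswith(GOOD_EXT) else ['no standard executable extension']
    if base in KNOWN_GOOD:
        return reasons
    if RANDOM_RE.match(base.rsplit('.', 1)[0]):
        reasons.append('random-looking file name')
    if path.lower().rsplit('\\', 1)[0] in ('c:\\windows', 'c:\\winnt'):
        reasons.append('executable sitting directly in the Windows directory')
    return reasons

def parse(line: str):
    m = SECTION_RE.match(line.strip())
    if not m or m['sec'] not in ENTRY_RE:
        return None
    e = ENTRY_RE[m['sec']].match(m['body'])
    if not e:
        return None
    f = Finding(m['sec'], e['name'], e['path'])
    if f.section == 'O4':
        f.path = exe_of(f.path)
    elif f.section == 'O20' and f.name.lower() not in KNOWN_NOTIFY:
        f.reasons.append('Winlogon Notify package not in the stock XP list; it loads into winlogon.exe as SYSTEM')
    elif f.section == 'O23' and e['owner'] == 'Unknown owner':
        f.reasons.append('service binary carries no publisher information')
    if f.path.endswith(MISSING):
        f.path = f.path[:-len(MISSING)]
        f.reasons.append('registry entry points at a file that no longer exists')
    return f

def triage(log_text: str) -> List[Finding]:
    """Parse the log and return only the entries that tripped at least one rule."""
    entries = [f for f in map(parse, log_text.splitlines()) if f]
    where: Dict[str, Set[str]] = defaultdict(set)   # file name -> sections referencing it
    for f in entries:
        f.reasons.extend(name_checks(f.path))
        where[f.path.rsplit('\\', 1)[-1].lower()].add(f.section)
    for f in entries:
        others = where[f.path.rsplit('\\', 1)[-1].lower()] - {f.section}
        if others:   # one file wired into several autostart points is a strong signal
            f.reasons.append('same file also registered under ' + ', '.join(sorted(others)))
    return [f for f in entries if f.reasons]

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.section:<4} [{f.name}] {f.path}\n     ' + '\n     '.join(f.reasons))
```

    The rules are deliberately loose: a five-letter name is flagged because that is what the droppers in this thread use, so a legitimate short name like FWSvc also trips it and has to be cleared by hand (which is why the known-good set exists). What the script adds over eyeballing is the cross-reference: a file that shows up under both O2 and O20 is persistence the malware re-creates from two places, which is exactly why fixing the O2 line alone did not remove pmkjg.dll.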
     
  20. 2006/07/18
    cpumedic

    ComboFix logfile:
    Start Time= Tue 07/18/2006 21:32:16.20
    Running from: C:\Documents and Settings\Matt Ray\Desktop

    ((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

    21:33:36.76

    Not all files found by this method are bad. There may be legitimate files found
    This log should be examined by a trained analyst


    * * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    2006-06-19 16:19 304944 C:\WINDOWS\system32\WgaTray.exe
    2006-05-29 10:30 1494016 C:\WINDOWS\system32\shdocvw.dll
    2006-05-10 00:23 658432 C:\WINDOWS\system32\wininet.dll
    2006-05-10 00:23 474112 C:\WINDOWS\system32\shlwapi.dll
    2006-05-18 00:24 450560 C:\WINDOWS\system32\jscript.dll
    2006-05-10 00:22 357888 C:\WINDOWS\system32\dxtmsft.dll
    2006-05-10 00:22 251392 C:\WINDOWS\system32\iepeers.dll
    2006-05-10 00:22 205312 C:\WINDOWS\system32\dxtrans.dll
    2006-06-22 05:47 181248 C:\WINDOWS\system32\rasmans.dll
    2006-06-01 13:47 163840 C:\WINDOWS\system32\jgdw400.dll
    2006-05-10 00:22 151040 C:\WINDOWS\system32\cdfview.dll
    2006-05-10 00:23 39424 C:\WINDOWS\system32\pngfilt.dll
    2006-06-01 13:47 27648 C:\WINDOWS\system32\jgpl400.dll
    2006-05-10 00:22 16384 C:\WINDOWS\system32\jsproxy.dll
    2006-05-19 10:08 3052544 C:\WINDOWS\system32\mshtml.dll
    2006-05-10 00:23 613888 C:\WINDOWS\system32\urlmon.dll
    2006-05-10 00:23 532480 C:\WINDOWS\system32\mstime.dll
    2006-05-19 07:59 148480 C:\WINDOWS\system32\dnsapi.dll
    2006-05-10 00:22 96256 C:\WINDOWS\system32\inseng.dll
    2006-05-10 00:22 55808 C:\WINDOWS\system32\extmgr.dll
    2006-05-10 00:22 1054208 C:\WINDOWS\system32\danim.dll
    2006-07-18 21:10 573492 C:\WINDOWS\system32\awtst.dll
    2006-04-24 12:20 151552 C:\WINDOWS\system32\nsp16.dll
    2006-04-24 12:20 151552 C:\WINDOWS\system32\nsr2C.dll
    2006-04-24 12:20 151552 C:\WINDOWS\system32\nsi10.dll
    2006-04-24 12:20 151552 C:\WINDOWS\system32\nsd13.dll


    * * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


    C:\qoobox\riypy.dll.vir

    DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


    * * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\shdocvw.dll
    C:\WINDOWS\system32\wininet.dll
    C:\WINDOWS\system32\shlwapi.dll
    C:\WINDOWS\system32\jscript.dll
    C:\WINDOWS\system32\dxtmsft.dll
    C:\WINDOWS\system32\iepeers.dll
    C:\WINDOWS\system32\dxtrans.dll
    C:\WINDOWS\system32\rasmans.dll
    C:\WINDOWS\system32\jgdw400.dll
    C:\WINDOWS\system32\cdfview.dll
    C:\WINDOWS\system32\pngfilt.dll
    C:\WINDOWS\system32\jgpl400.dll
    C:\WINDOWS\system32\jsproxy.dll
    C:\WINDOWS\system32\mshtml.dll
    C:\WINDOWS\system32\urlmon.dll
    C:\WINDOWS\system32\mstime.dll
    C:\WINDOWS\system32\dnsapi.dll
    C:\WINDOWS\system32\inseng.dll
    C:\WINDOWS\system32\extmgr.dll
    C:\WINDOWS\system32\danim.dll
    C:\WINDOWS\system32\awtst.dll
    C:\WINDOWS\system32\nsp16.dll
    C:\WINDOWS\system32\nsr2C.dll
    C:\WINDOWS\system32\nsi10.dll
    C:\WINDOWS\system32\nsd13.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



    2006-07-18 21:36 1,292 C:\WINDOWS\system32\tstwa.ini
    2006-07-18 21:10 573,492 C:\WINDOWS\system32\awtst.dll
    2006-07-18 21:08 <DIR> C:\Program Files\ewido anti-spyware 4.0
    2006-07-15 21:40 <DIR> C:\Program Files\ewido anti-malware
    2006-07-15 21:05 441,808 C:\WINDOWS\system32\perfstringbackup.ini
    2006-07-05 21:43 376 C:\WINDOWS\odbc.ini
    2006-07-05 21:43 <DIR> C:\Documents and Settings\Matt Ray\Application Data\microsoft
    2006-07-02 23:00 <DIR> C:\Program Files\vafv
    2006-07-02 22:53 <DIR> C:\Program Files\windows nt
    2006-07-02 22:53 <DIR> C:\Program Files\common files
    2006-07-02 19:33 <DIR> C:\Program Files\internet explorer
    2006-07-02 15:44 <DIR> C:\Documents and Settings\Matt Ray\Application Data\mcafee.com personal firewall
    2006-07-02 15:15 <DIR> C:\Documents and Settings\Matt Ray\Application Data\lavasoft
    2006-06-19 16:20 702,768 C:\WINDOWS\system32\wgalogon.dll
    2006-06-12 23:55 291 C:\WINDOWS\lqoul.dll
    2006-06-12 23:07 <DIR> C:\Program Files\lavasoft
    2006-06-12 22:13 <DIR> C:\Program Files\spybot - search & destroy
    2006-06-07 12:55 3,626 C:\Program Files\Common Files\mekef.html
    2006-05-19 07:59 94,720 C:\WINDOWS\system32\iphlpapi.dll
    2006-05-19 07:59 148,480 C:\WINDOWS\system32\dnsapi.dll
    2006-05-19 07:59 111,616 C:\WINDOWS\system32\dhcpcsvc.dll
    2006-05-02 14:43 <DIR> C:\Program Files\messenger
    2006-05-02 09:21 1,244,840 C:\WINDOWS\system32\mil.exe
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nswb.dll
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsvb.dll
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nssb.dll
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nssa.dll
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsrb.dll
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsr2c.dll
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsp16.dll
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsoe.dll
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsn9.dll
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsia.dll
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsi10.dll
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nshb.dll
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsgb.dll
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsef.dll
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsed.dll
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsdb.dll
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsd13.dll
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nscb.dll
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsbd.dll
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsac.dll
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsaa.dll
    2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsa8.dll
    2006-04-16 17:11 <DIR> C:\Documents and Settings\Matt Ray\Application Data\macromedia
    2006-04-16 08:11 <DIR> C:\Program Files\Common Files\sysprotect
    2006-04-14 03:01 <DIR> C:\Program Files\outlook express
    2006-04-14 03:01 <DIR> C:\Program Files\Common Files\system
    2006-04-05 10:31 <DIR> C:\Program Files\privacyeraser computing
    2006-04-05 10:31 <DIR> C:\Program Files\Common Files\aol
    2006-04-05 10:31 <DIR> C:\Program Files\aol
    2006-04-03 11:00 <DIR> C:\Program Files\dell aio printer a920
    2006-03-15 15:07 <DIR> C:\Program Files\installshield installation information
    2006-03-15 15:07 <DIR> C:\Program Files\google
    2006-03-10 22:17 <DIR> C:\Program Files\Common Files\installshield
    2006-03-10 16:38 <DIR> C:\Program Files\hunting unlimited
    2006-02-23 15:05 <DIR> C:\Program Files\america online 9.0
    2006-02-18 04:02 <DIR> C:\Program Files\windows media player
    2006-01-23 11:16 <DIR> C:\Program Files\mystery case files huntsville
    2006-01-16 13:34 <DIR> C:\Program Files\reflexivearcade
    2006-01-15 17:20 <DIR> C:\Program Files\real
    2005-12-07 17:13 <DIR> C:\Program Files\aod
    2005-06-23 16:18 <DIR> C:\Program Files\country justice
    2005-05-12 09:08 <DIR> C:\Program Files\_arcadedownloadfolder
    2005-03-05 19:24 <DIR> C:\Program Files\usa bass
    2005-03-05 19:22 <DIR> C:\Program Files\drevenge
    2005-02-27 18:06 <DIR> C:\Program Files\dell a920
    2005-02-15 08:49 <DIR> C:\Program Files\ubisoft
    2005-02-01 21:25 <DIR> C:\Program Files\directx
    2004-12-07 23:08 <DIR> C:\Program Files\Common Files\adobe
    2004-11-13 21:18 <DIR> C:\Program Files\Common Files\nsv
    2004-11-08 18:56 <DIR> C:\Program Files\yahoo!
    2004-11-05 23:15 <DIR> C:\Program Files\bardes 2004 interactive
    2004-10-21 21:41 <DIR> C:\Program Files\ncbuy
    2004-10-21 21:41 <DIR> C:\Program Files\Common Files\swf studio
    2004-10-21 19:33 <DIR> C:\Program Files\Common Files\microsoft shared
    2004-10-21 19:27 <DIR> C:\Program Files\Common Files\designer
    2004-10-21 19:26 <DIR> C:\Program Files\snapshot viewer
    2004-10-21 19:26 <DIR> C:\Program Files\microsoft office
    2004-10-17 18:24 <DIR> C:\Program Files\abbyy finereader 6.0
    2004-10-17 18:24 <DIR> C:\Program Files\abbyy finereader 5.0 sprint
    2004-10-08 15:58 <DIR> C:\Program Files\adobe
    2004-10-08 15:57 <DIR> C:\Program Files\Common Files\borland shared
    2004-10-08 15:56 <DIR> C:\Program Files\wordperfect office 12
    2004-10-08 15:56 <DIR> C:\Program Files\Common Files\corel
    2004-10-08 15:55 <DIR> C:\Program Files\dell
    2004-10-08 15:54 <DIR> C:\Program Files\musicmatch
    2004-10-08 15:53 <DIR> C:\Program Files\mcafee.com
    2004-10-08 15:52 <DIR> C:\Program Files\your company name
    2004-10-08 15:52 <DIR> C:\Program Files\jasc software inc
    2004-10-08 15:52 <DIR> C:\Documents and Settings\Matt Ray\Application Data\jasc software inc
    2004-10-08 15:51 <DIR> C:\Program Files\dell computer
    2004-10-08 15:51 <DIR> C:\Program Files\Common Files\dell
    2004-10-08 15:50 <DIR> C:\Documents and Settings\Matt Ray\Application Data\sonic
    2004-10-08 15:48 <DIR> C:\Program Files\microsoft encarta
    2004-10-08 15:48 <DIR> C:\Program Files\learn2.com
    2004-10-08 15:48 <DIR> C:\Program Files\earthlink setup
    2004-10-08 15:48 <DIR> C:\Program Files\Common Files\aolshare
    2004-10-08 15:48 <DIR> C:\Program Files\aol companion
    2004-10-08 15:47 <DIR> C:\Program Files\quicktime
    2004-10-08 15:47 <DIR> C:\Program Files\Common Files\real
    2004-10-08 15:47 <DIR> C:\Program Files\Common Files\nullsoft
    2004-10-08 15:46 <DIR> C:\Program Files\sonic
    2004-10-08 15:46 <DIR> C:\Program Files\Common Files\sonic
    2004-10-08 15:44 <DIR> C:\Program Files\digital line detect
    2004-10-08 15:43 <DIR> C:\Program Files\java
    2004-10-08 15:43 <DIR> C:\Program Files\Common Files\java
    2004-10-08 15:43 <DIR> C:\Program Files\broadcom management programs
    2004-10-08 15:43 <DIR> C:\Documents and Settings\Matt Ray\Application Data\sun
    2004-10-08 15:32 <DIR> C:\Program Files\conexant
    2004-10-08 15:19 <DIR> C:\Program Files\xerox
    2004-10-08 15:19 <DIR> C:\Program Files\windowsupdate
    2004-10-08 15:19 <DIR> C:\Program Files\uninstall information
    2004-10-08 15:19 <DIR> C:\Program Files\online services
    2004-10-08 15:19 <DIR> C:\Program Files\netmeeting
    2004-10-08 15:19 <DIR> C:\Program Files\msn gaming zone
    2004-10-08 15:19 <DIR> C:\Program Files\msn
    2004-10-08 15:19 <DIR> C:\Program Files\movie maker
    2004-10-08 15:19 <DIR> C:\Program Files\microsoft frontpage
    2004-10-08 15:19 <DIR> C:\Program Files\complus applications
    2004-10-08 15:19 <DIR> C:\Program Files\Common Files\speechengines
    2004-10-08 15:19 <DIR> C:\Program Files\Common Files\services
    2004-10-08 15:19 <DIR> C:\Program Files\Common Files\odbc
    2004-10-08 15:19 <DIR> C:\Program Files\Common Files\mssoap
    2004-10-08 15:19 <DIR> C:\Documents and Settings\Matt Ray\Application Data\identities


    (((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


    2006-07-18 21:10 573,492 C:\WINDOWS\system32\awtst.dll
    2006-07-18 21:10 1,343 C:\WINDOWS\system32\tstwa.ini
    2006-07-18 21:05 266,407,936 C:\hiberfil.sys


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
    "PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
    "dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
    "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
    "RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
    "MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
    "MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
    "mmtask"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
    "MMTray"="C:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\mm_tray.exe"
    "DwlClient"="c:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
    "VirusScan Online"="c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe"
    "MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
    "Dell AIO Printer A920"="\"C:\\Program Files\\Dell AIO Printer A920\\dlbkbmgr.exe\""
    "!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
    "McRegWiz"="c:\\PROGRA~1\\mcafee.com\\agent\\mcregwiz.exe /autorun"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
    "flags"=dword:00000008

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="C:\\Program Files\\Windows NT\\pomohoveq.html"
    "SubscribedURL"=""
    "FriendlyName"=""
    "Flags"=dword:00002000
    "Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState"=dword:40000001
    "OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
    "Source"="C:\\Program Files\\Common Files\\mekef.html"
    "SubscribedURL"=""
    "FriendlyName"=""
    "Flags"=dword:00002000
    "Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState"=dword:40000001
    "OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
    "Source"="C:\\WINDOWS\\system32\\ad.html"
    "SubscribedURL"=""
    "FriendlyName"=""
    "Flags"=dword:00002000
    "Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ec,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState"=dword:40000001
    "OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,ee,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=dword:40000004
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{20D57A66-F7DF-467d-907B-9B7F4A118AB7} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "ewido anti-spyware 4.0 "

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sscan.sys


    Contents of the 'Scheduled Tasks' folder

    Completion time: Tue 07/18/2006 21:37:03.75
    ComboFix ver 06.07.19 - This logfile is located at C:\ComboFix.txt

  21. 2006/07/19
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Well, ComboFix sure did find a bunch of goodies.

    Let's get a bunch of these and see what remains.

    First thing we need to do is stop Firewall service service:
    Go to: Start > Run > type "services.msc", then click OK

    Scroll down to the Firewall service service.

    Click it to highlight it, then <right-click> and select: Properties
    Select and set "Service Status" option to "Stop"
    Select: "Startup type" and set it to "Disabled", click Apply, then OK.


    Please go to Add/Remove, and if found, uninstall the following:
    WinAntiVirus Pro 2006
    OIN or PurityScan or ClickSpring


    1) Please download the Killbox.
    Save it to the desktop and run it.

    2) Select "Delete on Reboot", and then select "All files".

    3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\system32\mil.exe
    C:\WINDOWS\system32\nswb.dll
    C:\WINDOWS\system32\nsvb.dll
    C:\WINDOWS\system32\nssb.dll
    C:\WINDOWS\system32\nssa.dll
    C:\WINDOWS\system32\nsrb.dll
    C:\WINDOWS\system32\nsr2c.dll
    C:\WINDOWS\system32\nsp16.dll
    C:\WINDOWS\system32\nsoe.dll
    C:\WINDOWS\system32\nsn9.dll
    C:\WINDOWS\system32\nsia.dll
    C:\WINDOWS\system32\nsi10.dll
    C:\WINDOWS\system32\nshb.dll
    C:\WINDOWS\system32\nsgb.dll
    C:\WINDOWS\system32\nsef.dll
    C:\WINDOWS\system32\nsed.dll
    C:\WINDOWS\system32\nsdb.dll
    C:\WINDOWS\system32\nsd13.dll
    C:\WINDOWS\system32\nscb.dll
    C:\WINDOWS\system32\nsbd.dll
    C:\WINDOWS\system32\nsac.dll
    C:\WINDOWS\system32\nsaa.dll
    C:\WINDOWS\system32\nsa8.dll
    C:\Program Files\Common Files\mekef.html
    C:\WINDOWS\lqoul.dll
    C:\WINDOWS\system32\awtst.dll
    C:\WINDOWS\system32\tstwa.ini
    C:\WINDOWS\system32\mvinua.exe

    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':

    O4 - HKCU\..\Run: [ijthv] C:\WINDOWS\system32\mvinua.exe reg_run


    O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)


    Reboot into Normal mode and post a new HJT log back into this thread please.
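    As an added example that is not part of TeMerc's post, Killbox, HijackThis or ComboFix, the steps above (stop and disable the stale FWSvc service, remove the O4 Run value, clear the Active Desktop components that point at local HTML files, and queue the listed files for deletion at the next reboot) combined into one PowerShell script. It assumes a PowerShell 3 or later session run as administrator, which a stock XP machine of 2006 would not have, and uses $env:SystemRoot and $env:ProgramFiles in place of the C:\ paths in the log; the service name, Run value and file names are the ones from the logs. Without -Remediate it only reports what it finds.

```powershell
# Added example, not code from the thread: audit (and with -Remediate, clean up)
# the items TeMerc's post asks for. Names come from the HJT/ComboFix logs above;
# the $env:* roots are an assumption in place of the hard-coded C:\ paths.
[CmdletBinding()]
param([switch]$Remediate)

$ServiceName = 'FWSvc'   # O23 line: "Firewall service (FWSvc) ... (file missing)"
$RunKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue    = 'ijthv'   # O4 line pointing at mvinua.exe
$DeskKey     = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
$Sys32       = Join-Path $env:SystemRoot 'system32'
$Files = @(
    'mil.exe','nswb.dll','nsvb.dll','nssb.dll','nssa.dll','nsrb.dll','nsr2c.dll',
    'nsp16.dll','nsoe.dll','nsn9.dll','nsia.dll','nsi10.dll','nshb.dll','nsgb.dll',
    'nsef.dll','nsed.dll','nsdb.dll','nsd13.dll','nscb.dll','nsbd.dll','nsac.dll',
    'nsaa.dll','nsa8.dll','awtst.dll','tstwa.ini','mvinua.exe'
) | ForEach-Object { Join-Path $Sys32 $_ }
$Files += Join-Path $env:SystemRoot 'lqoul.dll'
$Files += Join-Path $env:ProgramFiles 'Common Files\mekef.html'

function Test-RogueService {
    # The O23 entry is a service whose image file is already gone; the stale
    # registration still tries to start it each boot, so stop and disable it.
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { return "[ok] service $ServiceName not present" }
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
           else { ($svc.PathName -split ' ')[0] }
    $state = if (Test-Path -LiteralPath $exe) { 'present' } else { 'file missing' }
    if ($Remediate) {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $ServiceName -StartupType Disabled
    }
    "[!] service $ServiceName -> $exe ($state), start mode $($svc.StartMode)"
}

function Test-RunEntry {
    # The O4 HKCU\..\Run autostart for mvinua.exe.
    $val = (Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue).$RunValue
    if (-not $val) { return "[ok] Run value $RunValue not present" }
    if ($Remediate) { Remove-ItemProperty -Path $RunKey -Name $RunValue }
    "[!] Run value $RunValue = $val"
}

function Test-DesktopComponents {
    # Active Desktop components whose Source is a local .html file: the
    # pomohoveq.html / mekef.html / ad.html entries in the ComboFix log.
    # About:Home and real URLs (component 3 above) are left alone.
    Get-ChildItem -Path $DeskKey -ErrorAction SilentlyContinue | ForEach-Object {
        $src = (Get-ItemProperty -Path $_.PSPath).Source
        if ($src -and $src -notmatch '^(https?:|about:)' -and $src -match '\.html?$') {
            if ($Remediate) { Remove-Item -Path $_.PSPath -Recurse }
            "[!] desktop component $($_.PSChildName): $src"
        }
    }
}

function Add-DeleteOnReboot([string[]]$Paths) {
    # The mechanism behind Killbox's "Delete on Reboot": queue each path in
    # PendingFileRenameOperations (MULTI_SZ of source/target pairs, an empty
    # target meaning delete). Session Manager removes them early in the next
    # boot, before any process can load the DLLs again.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = @()
    $cur = (Get-ItemProperty -Path $key).PendingFileRenameOperations
    if ($cur) { $ops += [string[]]$cur }
    foreach ($p in $Paths) { $ops += "\??\$p"; $ops += '' }
    Set-ItemProperty -Path $key -Name PendingFileRenameOperations `
        -Value ([string[]]$ops) -Type MultiString
}

Test-RogueService
Test-RunEntry
Test-DesktopComponents
$present = @($Files | Where-Object { Test-Path -LiteralPath $_ })
$present | ForEach-Object { "[!] file present: $_" }
if ($Remediate -and $present.Count -gt 0) {
    Add-DeleteOnReboot $present
    "[*] $($present.Count) file(s) queued for deletion at next reboot"
}
```

    Run it once without the switch to confirm it reports exactly the items from the logs, then with -Remediate and reboot; a fresh HJT log afterwards shows whether the O4 and O23 lines are gone.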