Maximum PC


Hijack This Log

 
Forum: Free Clinic
screechingweasel96 (8086)
Joined: 21 Apr 2007
Posts: 12

Posted: Thu Nov 05, 2009 4:11 pm    Post subject: Hijack This Log

I was on Yahoo sports and my McAfee popped up a warning window, and then suddenly pop-ups started coming (I'm using Firefox and this is the first time that's happened). Ran my virus scan and it found trojans (Artemis). Still getting pop-ups. Ran Ad-aware and Spybot; they really didn't help. Ran a HijackThis scan this morning:

Logfile of HijackThis v1.99.1
Scan saved at 6:25:15 AM, on 11/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Apoint\bak\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\DOCUME~1\NOAHGO~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [yayabaloy] Rundll32.exe "c:\windows\system32\fozehuka.dll",a
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Shortcut to Apoint.lnk = C:\Program Files\Apoint\bak\Apoint.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119402988569
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: nobupize.dll c:\windows\system32\fozehuka.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O21 - SSODL: birovowoh - {526aa53a-befa-4f2d-9e45-7c8b43e8478f} - c:\windows\system32\fozehuka.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - Unknown owner - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe" /service /P ddoctorv2 (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

hackman2007 (Malware specialist)
Joined: 03 Apr 2005
Posts: 9860

Posted: Thu Nov 05, 2009 7:27 pm

Yeah, unfortunately, you are infected.

1. Fix with HijackThis
Please re-open HijackThis and put checkmarks next to the following entries:

O4 - HKLM\..\Run: [yayabaloy] Rundll32.exe "c:\windows\system32\fozehuka.dll",a

O20 - AppInit_DLLs: nobupize.dll c:\windows\system32\fozehuka.dll

O21 - SSODL: birovowoh - {526aa53a-befa-4f2d-9e45-7c8b43e8478f} - c:\windows\system32\fozehuka.dll

now click Fix Checked


2. Run SUPERAntiSpyware
Download and install SUPERAntiSpyware. Update the program and run a Complete System Scan. Please post the logfile here.

Let me know if you can't find the logfile or if the program doesn't work/doesn't install.


Please post the SUPERAntiSpyware logfile
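A defender-side way to see what hackman2007 picked out of the log. This is an added example, not code from the thread, from HijackThis or from any tool named here; the sample lines are constructed from the entry formats in the posted log, and the names parse_entries, find_suspect_payloads and the HIGH_RISK_KINDS set are my own. It groups every file an O-line references by the autostart location that names it, then flags files loaded through AppInit_DLLs or SSODL, or present in two or more locations at once, which is exactly the pattern fozehuka.dll shows across the O4, O20 and O21 lines.

```python
"""Cross-reference the autostart locations in a HijackThis-style log.

Added example (not code from the thread, HijackThis or any tool named in it).
The sample lines are constructed from the entry formats in the posted log.
"""
import re
from collections import defaultdict

# Constructed sample in HijackThis's "Oxx - Kind: detail" line format.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [yayabaloy] Rundll32.exe "c:\windows\system32\fozehuka.dll",a
O20 - AppInit_DLLs: nobupize.dll c:\windows\system32\fozehuka.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O21 - SSODL: birovowoh - {526aa53a-befa-4f2d-9e45-7c8b43e8478f} - c:\windows\system32\fozehuka.dll
"""

# "O20 - AppInit_DLLs: ..." -> code "O20", kind "AppInit_DLLs", rest "..."
ENTRY_RE = re.compile(r"^([OR]\d+) - ([^:]+?):\s*(.*)$")
# A full Windows path ending in .dll/.exe, stopping at quotes and commas.
PATH_RE = re.compile(r'[a-z]:\\[^"\n,]*?\.(?:dll|exe)', re.IGNORECASE)
# A bare file name with no directory, as AppInit_DLLs lists them.
BARE_RE = re.compile(r"(?<![\\\w])[\w-]+\.(?:dll|exe)", re.IGNORECASE)

# Autostart kinds that legitimate software rarely uses on a home PC (my own
# triage set, not a HijackThis classification).
HIGH_RISK_KINDS = {"AppInit_DLLs", "SSODL", "SharedTaskScheduler"}
# Loader hosts: the payload is their argument, not the host itself.
LOADER_HOSTS = {"rundll32.exe", "regsvr32.exe"}


def parse_entries(log_text):
    """Return [(code, kind, [file basenames])] for every O*/R* line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, kind, rest = m.groups()
        names = [p.rsplit("\\", 1)[-1].lower() for p in PATH_RE.findall(rest)]
        if kind == "AppInit_DLLs":  # whitespace-separated list, may hold bare names
            names += [n.lower() for n in BARE_RE.findall(rest)]
        names = [n for n in names if n not in LOADER_HOSTS]
        entries.append((code, kind, sorted(set(names))))
    return entries


def find_suspect_payloads(log_text):
    """Map each referenced file to the autostart locations naming it and
    return those registered in a high-risk location or in two or more
    locations at once, with the reasons for flagging them."""
    locations = defaultdict(set)
    for code, kind, names in parse_entries(log_text):
        for name in names:
            locations[name].add(f"{code} {kind}")
    flagged = {}
    for name, locs in sorted(locations.items()):
        kinds = {loc.split(" ", 1)[1] for loc in locs}
        reasons = []
        if kinds & HIGH_RISK_KINDS:
            reasons.append("loaded via " + ", ".join(sorted(kinds & HIGH_RISK_KINDS)))
        if len(locs) >= 2:
            reasons.append(f"present in {len(locs)} autostart locations")
        if reasons:
            flagged[name] = {"locations": sorted(locs), "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for name, info in find_suspect_payloads(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(info['reasons'])}")
        for loc in info["locations"]:
            print(f"    {loc}")
```

Point it at a saved HijackThis log instead of SAMPLE_LOG and it prints each flagged file with the lines that load it. The rule is a triage heuristic, not a verdict: the Intel Winlogon Notify DLL and the BHOs are single-location entries and stay unflagged, while a legitimate product that registers in two places would also be listed for a human to check.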

popstop785 (Willamette)
Joined: 09 Aug 2006
Posts: 1192

Posted: Thu Nov 05, 2009 7:39 pm

The log file for SuperAntispyware should be within the hidden folder, "Application Data", under Documents and Settings. Just offering my $.02

screechingweasel96 (8086)
Joined: 21 Apr 2007
Posts: 12

Posted: Fri Nov 06, 2009 9:19 pm

Couldn't get SUPERAntiSpyware to work - kept freezing. Is there a plan B out there?

hackman2007 (Malware specialist)
Joined: 03 Apr 2005
Posts: 9860

Posted: Fri Nov 06, 2009 9:41 pm

screechingweasel96 wrote:
Couldn't get SUPERAntiSpyware to work - kept freezing. Is there a plan B out there?


What kind of freezing?

Like did the program stop scanning? Did the program lock-up? Are you sure it actually froze and didn't just pause for a few seconds?

screechingweasel96 (8086)
Joined: 21 Apr 2007
Posts: 12

Posted: Sat Nov 07, 2009 9:31 am

hackman2007 wrote:
screechingweasel96 wrote:
Couldn't get SUPERAntiSpyware to work - kept freezing. Is there a plan B out there?


What kind of freezing?

Like did the program stop scanning? Did the program lock-up? Are you sure it actually froze and didn't just pause for a few seconds?


Wouldn't even start to scan. I spent about 3 hours trying to get the program to work. The closest I got to a scan was on the "quick scan or full scan" screen, but the NEXT button never appeared. The screen kept flashing, and remained that way for over an hour. I tried to ctrl-alt-del and it said "not responding" but couldn't close the program ("locked by the system").

hackman2007 (Malware specialist)
Joined: 03 Apr 2005
Posts: 9860

Posted: Sat Nov 07, 2009 11:40 am

All right, let's try something different.

Let's try Combofix (please note that the infection will not be completely gone after running this tool!)

After the download, launch combofix.exe.

Note: Do not mouseclick Combofix's window while it's running. That may cause it to stall. Also your screen may go blank at times, may flash, your Internet may disconnect; this is normal. After a reboot, everything should be restored.

If the program doesn't launch, try re-naming the file to something different, like something.exe

Post the logfile here if you get it running (located at C:\Combofix.txt)

screechingweasel96 (8086)
Joined: 21 Apr 2007
Posts: 12

Posted: Sat Nov 07, 2009 1:58 pm

Here is the Combofix logfile. I removed my name (and replaced it with xxxx) from any file names for privacy purposes. If my IP address is showing in any of this, please edit this post so it is no longer visible. Thanks for all of your help!

ComboFix 09-11-07.02 - xxxx xxxx 11/07/2009 16:10.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.182 [GMT -5:00]
Running from: c:\documents and settings\xxxx xxxx\My Documents\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bszip.dll
c:\windows\system32\dlh9jkd1q8.exe
c:\windows\system32\hjgruioucxmpjg.dat
c:\windows\system32\ketahope.dll
c:\windows\system32\litunude.dll
c:\windows\system32\mesemadu.dll
c:\windows\system32\vehotora.dll
c:\windows\system32\wepozara.dll
c:\windows\system32\yowefise.dll
c:\windows\system32\yozabagi.dll
c:\windows\Tasks\hojhekfb.job
c:\windows\winhp32.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-04 23:47 . 2009-11-04 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-04 23:45 . 2009-11-07 05:17 -------- d-----w- c:\documents and settings\xxxx xxxx\Application Data\SUPERAntiSpyware.com
2009-11-04 06:47 . 2009-11-04 06:49 16409960 ----a-w- C:\setup-spybotsd162.exe
2009-11-04 06:46 . 2009-11-04 06:46 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-11-04 06:46 . 2009-11-04 06:46 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-11-04 06:46 . 2009-11-04 06:46 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-11-04 06:46 . 2009-11-04 06:46 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 06:59 . 2006-11-06 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-04 06:54 . 2006-11-06 23:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-22 07:20 . 2007-04-19 20:12 -------- d-----w- c:\program files\McAfee
2009-09-25 05:49 . 2004-08-11 22:00 668672 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:48 . 2004-08-11 22:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-16 14:22 . 2007-04-19 20:14 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2007-04-19 20:14 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2007-04-19 20:14 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2007-04-19 20:14 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2007-04-19 20:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:33 . 2004-08-11 22:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:16 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-13 19:40 . 2009-09-18 02:48 43008 ----a-w- c:\documents and settings\xxxx xxxx\Application Data\Mozilla\Firefox\Profiles\c1232upa.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-08-13 19:39 . 2009-09-18 02:48 340480 ----a-w- c:\documents and settings\xxxx xxxx\Application Data\Mozilla\Firefox\Profiles\c1232upa.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-08-13 19:39 . 2009-09-18 02:48 346112 ----a-w- c:\documents and settings\xxxx xxxx\Application Data\Mozilla\Firefox\Profiles\c1232upa.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2006-11-09 01:16 . 2006-11-09 01:10 1972 ----a-w- c:\program files\SuperDAT.log
2006-11-09 01:09 . 2006-11-09 01:08 11563609 ----a-w- c:\program files\4891xdat.exe
2006-11-08 23:40 . 2006-11-08 23:40 8492394 ----a-w- c:\program files\dat-4891.zip
2006-06-11 19:44 . 2006-06-11 19:44 5779136 ----a-w- c:\program files\Shockwave_Installer_Full.exe
2005-08-15 19:24 . 2005-08-15 19:24 8715352 ----a-w- c:\program files\Install_AIM.exe
2005-06-22 14:38 . 2005-06-22 14:36 21904216 ----a-w- c:\program files\iTunesSetup.exe
1999-10-04 22:57 . 2005-06-22 20:44 1085437 ----a-w- c:\program files\jones.zip
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-06-15 00:41 . 2004-09-13 21:33 155648 c:\program files\Apoint\bak\Apoint.exe

2005-06-15 00:44 . 2004-12-04 02:00 344064 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

2004-07-27 21:50 . 2004-07-27 21:50 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

2004-07-27 21:50 . 2004-07-27 21:50 221184 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

2006-09-26 00:03 . 2006-09-26 00:03 185784 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2005-06-15 00:46 . 2005-02-23 21:19 53248 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

2005-06-15 00:44 . 2004-04-12 01:15 290816 c:\program files\Dell\Media Experience\bak\PCMService.exe

2005-06-15 00:45 . 2005-03-04 16:26 606208 c:\program files\Dell\QuickSet\bak\quickset.exe

2005-06-15 00:50 . 2004-07-19 12:51 306688 c:\program files\Dell Support\bak\DSAgnt.exe

2004-10-30 19:59 . 2004-10-30 19:59 385024 c:\program files\Intel\Wireless\Bin\bak\ifrmewrk.exe

2005-05-14 04:20 . 2005-05-14 04:20 278528 c:\program files\iTunes\bak\iTunesHelper.exe
2005-05-14 04:20 . 2005-05-14 04:20 278528 c:\program files\iTunes\iTunesHelper.exe

2006-03-15 01:13 . 2005-11-10 18:03 36975 c:\program files\Java\jre1.5.0_06\bin\bak\jusched.exe

2005-06-15 01:00 . 2005-09-22 23:29 303104 c:\program files\McAfee.com\Agent\bak\mcagent.exe
2005-06-15 01:00 . 2009-09-17 18:29 645328 c:\program files\McAfee.com\Agent\mcagent.exe

2005-06-15 01:00 . 2006-01-11 17:05 212992 c:\program files\McAfee.com\Agent\bak\mcupdate.exe
2005-06-15 01:00 . 2009-09-17 18:29 562928 c:\program files\McAfee.com\Agent\mcupdate.exe

2005-06-15 00:52 . 2004-09-14 13:50 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe

2005-06-15 00:55 . 2005-06-22 14:42 98304 c:\program files\QuickTime\bak\qttask.exe
2006-09-01 20:57 . 2006-09-01 20:57 282624 c:\program files\QuickTime\qttask.exe

2005-06-15 00:58 . 2004-12-06 06:05 127035 c:\windows\system32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [N/A]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-05-14 278528]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"yayabaloy"="c:\windows\system32\visegobu.dll" [N/A]

c:\documents and settings\xxxx xxxx\Start Menu\Programs\Startup\
Shortcut to Apoint.lnk - c:\program files\Apoint\bak\Apoint.exe [2005-6-14 155648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-6-14 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-6-14 24576]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-6-21 282624]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\system32\\sspipes.scr"=
"c:\\Program Files\\Common Files\\McAfee\\MSC\\McUICnt.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/6/2007 4:15 PM 24652]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-19 16:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-19 16:22]

2009-11-07 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
FF - ProfilePath - c:\documents and settings\xxxx xxxx\Application Data\Mozilla\Firefox\Profiles\c1232upa.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\xxxx xxxx\Application Data\Mozilla\Firefox\Profiles\c1232upa.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{d391ac1d-a9d6-4e44-af2d-0ee37aa20875} - biruwuta.dll
SharedTaskScheduler-{b75ea8f2-cfac-4ff9-8bb8-c412adabed7c} - c:\windows\system32\visegobu.dll
SSODL-suhowanus-{b75ea8f2-cfac-4ff9-8bb8-c412adabed7c} - c:\windows\system32\visegobu.dll
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys
AddRemove-HijackThis - c:\docume~1\XXXXXX~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 16:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\Ati2evxx.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-11-07 16:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-07 21:43

Pre-Run: 11,585,921,024 bytes free
Post-Run: 11,264,962,560 bytes free

- - End Of File - - A08895A7A9135160C4D18FAD21F8B0AC

hackman2007 (Malware specialist)
Joined: 03 Apr 2005
Posts: 9860

Posted: Sat Nov 07, 2009 3:05 pm

Don't worry, your IP address doesn't show up in a Combofix logfile.

Anyways, I do see one file that needs to be removed.

1. Delete File with Pocket Killbox
Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.

  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    c:\windows\system32\visegobu.dll



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.

  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).


If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Let me know if you get any errors or prompts on reboot

After the reboot, try running SUPERAntiSpyware again. If you can run it, please run a Complete System Scan and post the logfile here (or PM if you don't want people seeing your user account name). If it doesn't work, also let me know.


Last edited by hackman2007 on Sat Nov 07, 2009 3:43 pm; edited 1 time in total

screechingweasel96 (8086)
Joined: 21 Apr 2007
Posts: 12

Posted: Sat Nov 07, 2009 3:12 pm

That link to Killbox isn't working.

hackman2007 (Malware specialist)
Joined: 03 Apr 2005
Posts: 9860

Posted: Sat Nov 07, 2009 3:42 pm

screechingweasel96 wrote:
That link to Killbox isn't working.


Appears their server is down, sorry about that.

Try This One.

screechingweasel96 (8086)
Joined: 21 Apr 2007
Posts: 12

Posted: Sat Nov 07, 2009 4:04 pm

Okay, ran Killbox. Got one "PendingFileRenameOperations Registry Data has been removed by External process!" pop-up. The computer did not restart by itself, so I had to do that manually. Upon restart, got an error window: "error loading c:\windows\system32\visegobu.dll - the specific module could not be found".

Going to try SUPERAntiSpyware again now. Please let me know if there's anything else I should do in the interim.

hackman2007 (Malware specialist)
Joined: 03 Apr 2005
Posts: 9860

Posted: Sat Nov 07, 2009 4:19 pm

screechingweasel96 wrote:
Okay, ran Killbox. Got one "PendingFileRenameOperations Registry Data has been removed by External process!" pop-up. The computer did not restart by itself, so I had to do that manually. Upon restart, got an error window: "error loading c:\windows\system32\visegobu.dll - the specific module could not be found".

Going to try SUPERAntiSpyware again now. Please let me know if there's anything else I should do in the interim.


Not at the moment.

Thanks for letting me know about the error.

screechingweasel96 (8086)
Joined: 21 Apr 2007
Posts: 12

Posted: Sat Nov 07, 2009 6:05 pm

PM sent. No problems running SUPERAntiSpyware this time!

hackman2007 (Malware specialist)
Joined: 03 Apr 2005
Posts: 9860

Posted: Sat Nov 07, 2009 6:09 pm

Are you still getting pop-ups?

Have you restarted the computer since you ran the scan? If not, please do so and let me know the results.

screechingweasel96 (8086)
Joined: 21 Apr 2007
Posts: 12

Posted: Sat Nov 07, 2009 6:49 pm

No more pop-ups!!

Just restarted, still got the "error loading c:\windows\system32\visegobu.dll - the specific module could not be found".

hackman2007 (Malware specialist)
Joined: 03 Apr 2005
Posts: 9860

Posted: Sat Nov 07, 2009 8:04 pm

All right.

Please download and install Comodo System Cleaner.

Run the disk, privacy and registry cleaner. Make sure you keep them in safe deletion mode and fix everything they say is safe to fix.

After running all three tools, restart (you will have to restart individually, make sure you restart after the final registry cleaner again).

Let me know if the error comes back up after that.
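Why the error dialog outlives the deleted file, and what the registry-cleaning step above has to remove. This is an added example, not code from the thread, ComboFix, Killbox or Comodo; the function names are mine, and both inputs are constructed: the Run values follow the "Reg Loading Points" format ComboFix printed above (plus one invented rundll32-style value named "hjt-form"), and a small set of paths stands in for the disk. Once Killbox has deleted visegobu.dll, the "yayabaloy" Run value still names it, so every logon asks rundll32 to load a DLL that is gone and the "error loading" dialog appears. The code resolves the file each Run command actually loads and reports the values whose target no longer exists.

```python
"""Find autostart values whose target file no longer exists.

Added example, not code from the thread, ComboFix, Killbox or Comodo. Inputs
are constructed: ComboFix-style Run values and a stand-in file system.
"""
import re

# Constructed: Run values in the "Reg Loading Points" format, as they would
# stand after the DLL deletion. "hjt-form" is an invented rundll32 command.
SAMPLE_REG_LOADING_POINTS = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [N/A]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-05-14 278528]
"yayabaloy"="c:\windows\system32\visegobu.dll" [N/A]
"hjt-form"="c:\windows\system32\rundll32.exe c:\windows\system32\fozehuka.dll,a" [N/A]
"""

# Constructed stand-in for the file system (lower-cased full paths that exist).
SAMPLE_EXISTING_FILES = {
    r"c:\program files\messenger\msmsgs.exe",
    r"c:\program files\itunes\ituneshelper.exe",
    r"c:\windows\system32\rundll32.exe",
}

KEY_RE = re.compile(r"^\[(.+)\]$")                  # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')      # "name"="command" [annotation]
PATH_RE = re.compile(r'[a-z]:\\[^"\n,]*?\.(?:dll|exe)', re.IGNORECASE)
# Loader hosts: the file that matters is their argument, not the host.
LOADER_HOSTS = {"rundll32.exe", "regsvr32.exe"}


def parse_run_values(text):
    """Return [(registry key, value name, command)] for each "name"="cmd" line."""
    key, values = None, []
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            values.append((key, vm.group(1), vm.group(2)))
    return values


def target_of(command):
    """The file a Run command really loads: the DLL handed to rundll32/regsvr32,
    otherwise the first .exe/.dll path in the command; None if none is found."""
    for path in PATH_RE.findall(command):
        if path.rsplit("\\", 1)[-1].lower() not in LOADER_HOSTS:
            return path
    return None


def find_orphaned_autostarts(text, existing_files):
    """Return [(key, name, target)] for values whose target is not on disk."""
    existing = {p.lower() for p in existing_files}
    orphans = []
    for key, name, cmd in parse_run_values(text):
        target = target_of(cmd)
        if target is not None and target.lower() not in existing:
            orphans.append((key, name, target))
    return orphans


if __name__ == "__main__":
    for key, name, target in find_orphaned_autostarts(
        SAMPLE_REG_LOADING_POINTS, SAMPLE_EXISTING_FILES
    ):
        print(f'[{key}] "{name}" -> missing file {target}')
```

On a live Windows machine the same check would take the Run keys from a reg query or Autoruns export and replace the constructed set with os.path.exists; the fix for each hit is to delete the registry value, not to recreate the file. That is why the thread moves from deleting the DLL to a registry cleaner: the dialog stops only once the orphaned value is gone.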

screechingweasel96 (8086)
Joined: 21 Apr 2007
Posts: 12

Posted: Sun Nov 08, 2009 6:26 am

I think Comodo ran all 3 scans at once, because that came up with a list of over 4000 things. I have no idea what was all in that list or what was deleted; do you need to see a log? The visegobu error did not pop up, but "apoint.exe - could not load dll" popped up upon restart... which is my laptop's touchpad (I can't scroll using the sides of it). Do I just have to search for that file and run it, or is it more complex than that??

LondoJowo (Bitchin' Fast 3D Z8000)
Joined: 27 Oct 2004
Posts: 3909

Posted: Sun Nov 08, 2009 6:58 am

Just reinstall your laptop's touchpad software again; it should be available at the manufacturer's webpage for drivers/support on your laptop.

SpiritWind (8086)
Joined: 08 Nov 2009
Posts: 10

Posted: Sun Nov 08, 2009 12:16 pm

Hi:

When using HijackThis, best to use the latest version, which at this point in time is 2.0.2.

And the ComboFix log showed an outdated version of Sun's Java, a serious security risk. Should ONLY have 1 "Update/Version" of this program on a computer and although Sun says they now uninstall ALL "old" Versions/Updates, I recommend using the FREE "JavaRa" program available at http://raproducts.org to "remove" all "old" Versions PRIOR to going to www.java.com to get the latest "Version".
Future © 2008 Future US, Inc. All Rights Reserved.