Something wreaking serious HAVOC on my computer - Safer Networking Forums

.. To be honest, I don't even know how I got into my computer..

It was on a stop error screen; I had to restart with F8, but my computer wouldn't open in Safe Mode..

I believe I got in by clicking the last known safe setting or something like that.

Norton, McAfee, and HijackThis will not run at all..

I tried downloading Spybot (this is a new computer) and the file won't open..

Whatever is in here took over my security software and is giving me a DLACRLW.EXE warning..

It's also downloaded something called System Security with a gold and black shield and wants my credit card info to "remove" spyware, trojans, rogues and backdoors..

It's saying I have 38 in all.

I came home to my brother telling me he f'd up my computer and it's JACKED!

My screen saver is blinking in red saying to secure myself from spyware and remove all infected files. I have no idea where to start since nothing will run! HELP!!! Oh yeah..

I've even tried renaming all the files so the Zlob wouldn't recognize them, but it still won't let me run or open ANYTHING. Okay..

After a gazillion hours of research I finally deleted a process that stopped the System Security wallpaper, which made my McAfee delete some kind of trojan..

Which led me to post this log..

Computer is still running funny though; I know whatever is in here is not all the way out, so here is my log.. Also..

Whatever is in here won't let me remove my LimeWire :(:( I'll keep trying to do so tonight so I can post a log without it.

But anyhow this is the one I have now. 11:27:15 PM, on 7/14/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) v7.00 (7.00.6000.16850) Boot mode: Normal

Welcome to Safer Networking. I wish to be sure you have viewed and understand this information:

"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288

All advice given is taken at your own risk. Please make sure you have read this information so we are on the same page. You must have read and followed the "Before you Post" instructions.

First, you need to know this is likely a backdoor trojan, perhaps this one: http://www.google.com/search?hl=en&q...&aq=f&oq=&aqi=

You have a very nasty infection. A backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge.

A backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user. One or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files. I would counsel you to disconnect this PC from the Internet immediately.

If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted.

Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS.

Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall http://www.dslreports.com/faq/10063

Let us know what you have decided to do in your next post. Thanks
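The "backdoor trojan" call above comes from reading the HijackThis log for autostart points that legitimate software does not use: a second executable appended to UserInit, win.ini load=/run= hooks, AppInit_DLLs, Run entries launching from Temp, and a system-binary name such as services.exe living outside System32. As an added example that is not part of the original thread, the Python script below applies those checks to HijackThis-style entries; the sample lines are constructed for the example, modelled on the entry types in the posted log, with the user profile path replaced by a placeholder.

```python
"""Triage heuristics for HijackThis-style log entries (added example)."""
import re

# Binaries whose names are routinely borrowed by malware; legitimate copies
# live in System32, so the same name anywhere else is worth a second look.
SYSTEM_BINARIES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                   "userinit.exe", "smss.exe", "csrss.exe"}
SYSTEM_DIRS = ("\\windows\\system32", "\\winnt\\system32")
# User-writable locations that installed software does not normally autostart from.
SUSPICIOUS_DIRS = ("\\temp\\", "\\application data\\", "\\local settings\\")

# A Windows path ending in an executable/library extension, optionally quoted.
PATH_RE = re.compile(r'"?([a-z]:\\[^"]*?\.(?:exe|dll|sys|dat))"?', re.I)

# Constructed sample entries modelled on the HijackThis entry types in the thread;
# the user profile path (USER~1) is a placeholder, not the poster's.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\msdqqo.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [A00FB23FD6.exe] C:\DOCUME~1\USER~1\LOCALS~1\Temp\_A00FB23FD6.exe
O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\system32\mslvoid.exe
O20 - AppInit_DLLs: kerqqt.dll c:\windows\system32\tifukako.dll,C:\WINDOWS\system32\behipaya.dll
O21 - SSODL: Jehcaj - {F737AA27-262D-1FD5-50AA-C848D737A72C} - (no file)
O23 - Service: Security Service (BLWF) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee , Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""


def _in_system_dir(path):
    """True when the file sits directly in the Windows System32 folder."""
    folder = path.lower().rsplit("\\", 1)[0]
    return folder.endswith(SYSTEM_DIRS)


def _check_path(path):
    """Reasons a single launched file path looks out of place."""
    reasons = []
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARIES and not _in_system_dir(path):
        reasons.append(f"system binary name outside System32: {path}")
    if any(d in low for d in SUSPICIOUS_DIRS):
        reasons.append(f"autostart from user-writable location: {path}")
    return reasons


def triage(line):
    """Return the reasons one HijackThis entry deserves review ([] = nothing notable)."""
    m = re.match(r"^(R\d|F\d|O\d+) - (.*)$", line.strip())
    if not m:
        return []
    code, body = m.groups()
    reasons = []
    if code == "F2" and "UserInit=" in body:
        # UserInit should be exactly one value: userinit.exe; anything appended runs at logon.
        values = body.split("UserInit=", 1)[1].split(",")
        extras = [v.strip() for v in values
                  if v.strip() and not v.strip().lower().endswith("\\userinit.exe")]
        reasons += [f"extra UserInit executable: {v}" for v in extras]
    elif code == "F3":
        # win.ini load=/run= are legacy hooks that modern software leaves empty.
        key, _, value = body.partition(": ")[2].partition("=")
        if value.strip():
            reasons.append(f"legacy win.ini {key} hook: {value.strip()}")
    elif code == "O4":
        if "Policies\\Explorer\\Run" in body:
            reasons.append("Run entry under Policies\\Explorer (not shown by msconfig)")
        for path in PATH_RE.findall(body):
            reasons += _check_path(path)
    elif code == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].replace(",", " ").split()
        reasons += [f"AppInit_DLLs loads into every GUI process: {d}" for d in dlls]
    elif code == "O21" and "(no file)" in body:
        reasons.append("SSODL entry whose DLL is gone (orphaned loader)")
    elif code == "O23":
        if "(file missing)" in body:
            reasons.append("service binary missing (remnant or hidden file)")
        for path in PATH_RE.findall(body):
            reasons += _check_path(path)
    return reasons


def triage_log(text):
    """Return [(entry, reasons), ...] for every flagged line, in log order."""
    findings = []
    for line in text.splitlines():
        reasons = triage(line)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG):
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```

Clean entries such as the ehTray Run key and the McAfee service produce no findings, so the output is only the lines a helper would ask about.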

I would really rather not reinstall..

I would if that is the only possible way to handle this problem..

But if you're willing to help me try to clean it out, I'd rather go that route.

Please let me know what I should do if you think we can try to clean it out! Thanks!

Because malware can continue to download infections, please stay offline with the computer except when troubleshooting until we get you clean.

1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

2) Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.

This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

It is a simple procedure that will only take a few moments of your time. Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed

Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link http://www.bleepingcomputer.com/forums/topic114351.html Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

When the tool is finished, it will produce a report for you. Post that report and a new HJT log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

3) Post also an uninstall list: Open HijackThis. Click the "Open the Misc Tools section" button. Click the "Open Uninstall Manager" button. Click the "Save list..." button. Save it to your desktop.

Copy and paste the contents into your reply. Image: http://img.bleepingcomputer.com/tuto...nstall-man.jpg Thanks

ComboFix 09-07-14.07 - Jason Mitchell 07/19/2009 18:10.1.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.314 [GMT -7:00] Running from: c:\documents and settings\Jason Mitchell\Desktop\ComboFix.exe AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} * Resident AV is active . Other Deletions . C:\bold.log c:\documents and settings\Jason Mitchell\Application Data\QUAD Backups c:\documents and settings\Jason Mitchell\Desktop\QUAD Registry Cleaner.lnk c:\documents and settings\Jason Mitchell\Favorites\VIDEOS.url c:\documents and settings\Jason Mitchell\Start Menu\Programs\QUAD Utilities c:\documents and settings\Jason Mitchell\Start Menu\Programs\QUAD Utilities\QUAD Registry Cleaner\QUAD Registry Cleaner website.lnk c:\documents and settings\Jason Mitchell\Start Menu\Programs\QUAD Utilities\QUAD Registry Cleaner\QUAD Registry Cleaner.lnk c:\documents and settings\Jason Mitchell\Start Menu\Programs\QUAD Utilities\QUAD Registry Cleaner\Uninstall QUAD Registry Cleaner.lnk c:\documents and settings\LocalService\Application Data\wsnpoem c:\documents and settings\LocalService\Application Data\wsnpoem\audio.dll c:\documents and settings\NetworkService\Application Data\wsnpoem c:\documents and settings\NetworkService\Application Data\wsnpoem\audio.dll c:\program files\QUAD Utilities c:\program files\QUAD Utilities\QUAD Registry Cleaner\program.log c:\program files\QUAD Utilities\QUAD Registry Cleaner\QUAD Registry Cleaner website.url c:\program files\QUAD Utilities\QUAD Registry Cleaner\QUAD Registry Cleaner.exe c:\program files\QUAD Utilities\QUAD Registry Cleaner\QUAD Scheduler.exe c:\program files\QUAD Utilities\QUAD Registry Cleaner\Styles\Vista.cjstyles c:\program files\QUAD Utilities\QUAD Registry Cleaner\uninst.exe c:\program files\QUAD Utilities\QUAD Registry Cleaner\Vista Scheduler.dll c:\temp\iee c:\temp\tn3 
c:\windows\kb913800.exe c:\windows\system32\ak c:\windows\system32\certstore.dat c:\windows\system32\CID c:\windows\system32\efhkj.ini c:\windows\system32\mcrh.tmp c:\windows\system32\o02PrEz c:\windows\system32\SvcNm c:\windows\system32\tb.dr c:\windows\system32\UACfukgvmkckvmdnicii.db c:\windows\system32\url1 c:\windows\system32\url2 c:\windows\system32\url3 c:\windows\system32\userini.exe c:\windows\system32\wiawow32.sys c:\windows\system32\WlQoTfaV.exe.a_a C:\xcrashdump.dat . Files Created from 2009-06-20 to 2009-07-20 . 2009-07-15 10:54 .

2009-07-15 11:00 664 ----a-w- c:\windows\system32\d3d9caps.dat 2009-07-15 09:56 .

2009-07-15 09:56 d w- c:\program files\iPod 2009-07-15 09:56 .

2009-07-15 09:56 d w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-07-15 09:54 .

2009-07-15 09:54 d w- c:\program files\Bonjour 2009-07-15 09:51 .

2009-07-15 09:51 d w- c:\documents and settings\Jason Mitchell\Local Settings\Application Data\Apple 2009-07-15 09:51 .

2009-07-15 09:51 d w- c:\program files\Apple Software Update 2009-07-15 09:51 .

2009-07-15 09:56 dc----w- c:\windows\system32\DRVSTORE 2009-07-15 09:50 .

2009-07-15 09:56 d w- c:\program files\Common Files\Apple 2009-07-15 09:50 .

2009-07-15 09:50 d w- c:\documents and settings\All Users\Application Data\Apple 2009-07-15 06:33 .

2009-07-20 00:54 d w- c:\program files\Spybot - Search & Destroy 2009-07-15 06:33 .

2009-07-15 07:12 d w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-07-14 03:42 .

2009-07-14 03:42 91 ----a-w- c:\windows\system32\geyekrcasfdilv.dat 2009-07-14 03:32 .

2009-07-14 03:32 45056 --sha-r- c:\windows\system32\flashd.dll 2009-07-14 03:32 .

2009-07-15 06:44 d w- c:\documents and settings\All Users\Application Data\12867344 2009-07-14 03:32 .

2009-07-14 03:42 1384 ----a-w- c:\windows\system32\geyekrprjabrng.dat 2009-07-14 03:32 .

2009-07-14 03:32 41472 ----a-w- c:\windows\system32\geyekrndqnfxuo.dll 2009-07-14 03:32 .

2009-07-14 03:32 67072 ----a-w- c:\windows\system32\drivers\geyekrkftqiknw.sys 2009-07-11 17:38 .

2009-07-15 10:23 d w- c:\documents and settings\Jason Mitchell\Application Data\TuneAid 2009-07-11 17:32 .

2009-07-11 17:32 d w- c:\program files\DigiDNA . Find3M Report . 2009-07-20 01:02 .

2006-04-12 03:32 d w- c:\program files\Dl_cats 2009-07-15 17:50 .

2009-05-21 01:01 d w- c:\documents and settings\LocalService\Application Data\SACore 2009-07-15 09:56 .

2006-06-15 09:03 d w- c:\program files\iTunes 2009-07-15 09:54 .

2006-04-05 16:18 d w- c:\program files\QuickTime 2009-07-15 09:53 .

2006-06-15 09:02 d w- c:\documents and settings\All Users\Application Data\Apple Computer 2009-07-10 23:53 .

2009-05-21 00:18 d w- c:\documents and settings\All Users\Application Data\McAfee 2009-07-10 23:17 .

2009-05-21 00:31 d w- c:\program files\McAfee 2009-06-16 14:36 .

2005-08-16 09:18 119808 ----a-w- c:\windows\system32\t2embed.dll 2009-06-16 14:36 .

2005-08-16 09:18 81920 ----a-w- c:\windows\system32\fontsub.dll 2009-06-05 20:57 .

2009-06-05 20:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe 2009-06-03 19:09 .

2005-08-16 09:18 1291264 ----a-w- c:\windows\system32\quartz.dll 2009-05-23 18:17 .

2009-05-23 18:17 d w- c:\windows\system32\config\systemprofile\Application Data\SACore 2009-05-21 03:30 .

2006-04-12 00:41 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys 2009-05-16 21:19 .

2006-04-18 03:59 27824 ----a-w- c:\documents and settings\Jenny Mitchell\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-05-07 15:32 .

2005-08-16 09:18 345600 ----a-w- c:\windows\system32\localspl.dll 2009-04-29 04:56 .

2005-08-16 09:18 827392 ----a-w- c:\windows\system32\wininet.dll 2009-04-29 04:55 .

2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll 2009-06-13 06:27 .

2009-02-08 04:33 134648 ----a-w- c:\program files\mozilla firefox \components\brwsrcmp.dll 2008-09-12 01:23 .

2008-09-12 01:23 122880 ----a-w- c:\program files\mozilla firefox \components\GoogleDesktopMozilla.dll 2008-04-09 04:12 .

2006-04-12 00:41 56 --sh--r- c:\windows\system32\9314164A87.sys 2009-02-22 22:50 .

2009-02-22 22:50 2713 --sh--w- c:\windows\system32\gomuliwe.dll . Reg Loading Points . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-05 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064] "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208] "MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 8192] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-12 29744] "dlcjmon.exe"="c:\program files\Dell Photo AIO Printer 964\dlcjmon.exe" [2005-08-12 430080] "MemoryCardManager"="c:\program files\Dell Photo AIO Printer 964\memcard.exe" [2005-08-10 286720] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-16 57344] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064] "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-03-26 645328] "DLCJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll" [2005-08-15 73728] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040] c:\documents and 
settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696] America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-4-5 156784] Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-5 24576] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "ForceClassicControlPanel"= 1 (0x1) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{C80A0BE8-AF3C-B1D2-C901-A0C041D91972}"= "c:\windows\system32\flashd.dll" [2009-07-14 45056] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist] 2009-05-21 00:00 10536 ----a-w- c:\program files\Citrix\GoToAssist\516\g2awinlogon.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WinDefend"=2 (0x2) "SiteAdvisor Service"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword: 1 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword: 1 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword: 1 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common 
Files\\AOL\\ACS\\AOLDial.exe"= "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\America Online 9.0\\waol.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"= "c:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"= "c:\\WINDOWS\\system32\\dwwin.exe"= "c:\\Program Files\\McAfee\\VirusScan\\mcods.exe"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlcjserv.exe"= "c:\\WINDOWS\\system32\\WgaTray.exe"= "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpsvc.exe"= "c:\\WINDOWS\\system32\\DLA\\DLACTRLW.EXE"= "c:\\Program Files\\Mozilla Firefox \\firefox.exe"= "c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"= "c:\\WINDOWS\\ehome\\ehSched.exe"= "c:\\Program Files\\McAfee\\MSC\\mcupdui.exe"= "c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"= "c:\\WINDOWS\\system32\\drwtsn32.exe"= "c:\\Program Files\\McAfee\\VirusScan\\Mcshield.exe"= "c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"= "c:\\Program Files\\McAfee\\MSC\\mcsvrcnt.exe"= "c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\PhotoshopElementsFileAgent.exe"= "c:\\Program Files\\Digital Line Detect\\DLG.exe"= "c:\\WINDOWS\\ehome\\ehtray.exe"= "c:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\MMDiag.exe"= "c:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\mim.exe"= "c:\\WINDOWS\\ehome\\ehmsas.exe"= "c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\apdproxy.exe"= "c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"= "c:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe"= "c:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\iTunes\\iTunesHelper.exe"= "c:\\WINDOWS\\system32\\fxsclnt.exe"= "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program 
Files\\iTunes\\iTunes.exe"= R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/20/2009 5:36 PM 210216] S2 BLWF;Security Service;c:\windows\system32\svcd\svchost.exe -->

C:\windows\system32\svcd\svchost.exe [?] S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/5/2006 9:26 AM 29744] S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [10/5/2006 10:11 PM 13592] . Contents of the 'Scheduled Tasks' folder 2009-07-15 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34] 2009-05-21 c:\windows\Tasks\McDefragTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-21 17:53] 2009-05-21 c:\windows\Tasks\McQcTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-21 17:53] 2008-10-12 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-10-06 05:11] . - - - - ORPHANS REMOVED - - - - BHO-{196DF78D-4104-47A8-9705-68C9FC1B664E} - c:\windows\system32\atioglx.dll BHO-{772dff15-50e6-4a49-97da-1008ee7e37b0} - c:\windows\system32\buzalevu.dll HKCU-Run-QUAD Windows service - c:\program files\QUAD Utilities\QUAD Registry Cleaner\QUAD Registry Cleaner.exe HKCU-Run-QUAD Scheduler - c:\program files\QUAD Utilities\QUAD Registry Cleaner\QUAD Scheduler.exe HKLM-Run-net - c:\windows\system32\net.net SSODL-<NO NAME>- - (no file) SSODL-Jehcaj-{F737AA27-262D-1FD5-50AA-C848D737A72C} - (no file) SSODL-Extoala-{D837FA27-272D-1DD5-05FA-A484D383A37A} - (no file) SSODL-Linsoebxup-{A050CA48-383F-3AA6-26CD-D515F504A48C} - (no file) SSODL-Apiwiapie-{F404DC84-838F-7AC2-62DD-F150A040C84F} - (no file) SSODL-Hlingicra-{D483FF73-722C-6CD1-50AF-C048D838F72C} - c:\windows\system32\gedopo.dll SSODL-Jmfolinlo-{D737AA26-261D-1FF5-05AC-D483F373A27C} - c:\windows\system32\jejwirip.dll SSODL-Eesicaku-{A272CC62-616F-5FA0-48CD-D838F727C62D} - (no file) . Supplementary Scan . 
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jason Mitchell\Application Data\Mozilla\Firefox\Profiles\u7eb3t4f.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox \components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Mozilla Firefox \plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-19 18:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCJCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0
.
DLLs Loaded Under Running Processes

- - - - - - - > 'winlogon.exe'(664)
c:\program files\Citrix\GoToAssist\516\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(4476)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\flashd.dll
.
Other Running Processes
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\dlcjcoms.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:22 PM, on 7/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dlcjcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Jason Mitchell\Desktop\Hijack.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dlcjmon.exe] "C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Dell Photo AIO Printer 964\memcard.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-1868668823-4002051380-3016071579-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1868668823-4002051380-3016071579-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1868668823-4002051380-3016071579-1008\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User '?')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-21-1868668823-4002051380-3016071579-1008 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User '?')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\516\G2AWinLogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Security Service (BLWF) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\516\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee , Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee , Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee , Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee , Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee , Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee , Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee , Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 8906 bytes

And the uninstall list..

964plc32
ABBYY FineReader 6.0 Sprint
Ad-Aware
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Help Center 2.0
Adobe Photoshop Elements 4.0
Adobe Reader 7.0
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOLIcon
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoStudio 5.5
ATI Control Panel
ATI Display Driver
Bejeweled 2 Deluxe
Bonjour
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window MC 5 for ZoomBrowser EX
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 1.6.1
Canon Utilities EOS Capture 1.3
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
CCleaner (remove only)
Conexant D850 56K V.9x DFVc Modem
Corel Paint Shop Pro X
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Game Console
Dell Photo AIO Printer 964
Dell Support Center (Support Software)
DellSupport
Digital Content Portal
Digital Line Detect
DivX Content Uploader
DivX Web Player
EarthLink setup files
EducateU
ELIcon
ESPNMotion
GemMaster Mystic
Get High Speed Internet!
Google Desktop
Google Toolbar for Internet Explorer
GoToAssist 8.0.0.516
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 2
Learn2 Player (Uninstall Only)
McAfee SecurityCenter
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Modem Helper
Mozilla Firefox (3.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MultipleIEs
Musicmatch for Windows Media Player
Musicmatch® Jukebox
Neonatal Resuscitation DVD-ROM
NetWaiting
NetZeroInstallers
Otto
Polar Bowler
Print to Fax
Qualxserve Service Agreement
QuickTime
RealPlayer Basic
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Search Assist
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
Sonic Activation Module
Sonic Encoders
Spybot - Search & Destroy
TuneAid 3.0
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
WD Diagnostics
WebCyberCoach 3.2 Dell
Windows Defender
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows XP Media Center Edition 2005 KB908246
Windows XP Service Pack 3

I am posting a lot of information; in no way am I suggesting for you to rush. Please take the time you need to complete the instructions safely, and stop and ask if you do not understand anything.

In the first HJT log HJT was located correctly: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
In the second log it has been moved to an unsafe location, why did you move it? C:\Documents and Settings\Jason Mitchell\Desktop\Hijack.exe

Please follow these directions to return it to the safe location:
Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com...HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below. This will start the scan and open a log. <<< close HJT until I ask for a new log.

Uninstall list:
I look for malware and security issues and will not know all of your programs, but you should. Hackers are using out of date programs to infect folks more and more. Here is a small free tool that lets you know when something needs an update, if you are interested:
http://secunia.com/vulnerability_scanning/personal/
While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Flash Player 9 ActiveX <<< Out of date and unsafe:
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/securit...apsb09-01.html

Adobe Reader 7.0 <<< Out of date and unsafe:
http://news.cnet.com/8301-1009_3-100...ml?tag=nl.e433
http://blogs.adobe.com/psirt/2009/04...der_issue.html
http://www.adobe.com/support/securit...apsb09-07.html
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one) Foxit Reader 3.0 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php

Java 2 Runtime Environment, SE v1.4.2_03 << VERY old
Java(TM) 6 Update 2
both are out of date and unsafe:
http://forums.spybot.info/showpost.p...80&postcount=2
Be aware of this information so you can opt out of anything you do not want. Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsof...java-15413.php
http://raproducts.org/ <<< If you have problems removing the old version, this tool will help.

Please follow these directions in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:
Code:
Driver::
geyekrkftqiknw

File::
c:\windows\system32\geyekrcasfdilv.dat
c:\windows\system32\flashd.dll
c:\windows\system32\geyekrprjabrng.dat
c:\windows\system32\geyekrndqnfxuo.dll
c:\windows\system32\drivers\geyekrkftqiknw.sys
c:\windows\system32\9314164A87.sys
c:\windows\system32\gomuliwe.dll

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{C80A0BE8-AF3C-B1D2-C901-A0C041D91972}"=-

Folder::
C:\Program Files\LimeWire
c:\documents and settings\All Users\Application Data\12867344

Save this as CFScript

Referring to the picture above, drag CFScript into ComboFix.exe. This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O4 - S-1-5-21-1868668823-4002051380-3016071579-1008 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User '?')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O23 - Service: Security Service (BLWF) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/art...efetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Tutorial if needed: http://thespykiller.co.uk/index.php/topic,5946.0.html

How is the computer running?

Thanks
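The helper above picked three HijackThis entries out of a log of several dozen: two LimeWire startup items and a service (BLWF) whose image is missing and would have lived in C:\WINDOWS\system32\svcd\svchost.exe, a folder where no genuine svchost.exe belongs. The script below is an added example, not code from this thread, from Safer Networking or from HijackThis; it encodes those three checks as a small triage pass over O4/O23 lines so the same reasoning can be applied to a log mechanically. The sample lines are copied from the log posted earlier in the thread; the severity labels, the svchost location rule and the P2P product list are this example's own assumptions.

```python
"""Triage of HijackThis O4 (autostart) and O23 (service) entries.

Added example for the thread above; not part of HijackThis or of the forum's
own tooling.  Severity labels and the rules below are this script's assumptions.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: six lines in HijackThis 2.0.2 format, copied from the
# second log posted in the thread.  Four are benign, two were flagged by the helper.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Security Service (BLWF) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
"""

# The only directory a real Windows XP svchost.exe is launched from (assumption: default install drive).
SYSTEM32 = r"c:\windows\system32"
# Peer-to-peer clients the helper asked to remove; extend as needed (assumption).
P2P_PRODUCTS = ("limewire",)

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<target>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): (?P<rest>.+)$")
IMAGE_RE = re.compile(r"^(.+?\.(?:exe|dll|sys|cpl))(?:\s|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "HIGH" or "MEDIUM"
    entry: str     # the raw HJT line that produced the finding
    reason: str


def extract_image_path(cmd: str) -> str:
    """Return the executable or DLL path from an HJT command string.

    Handles quoted paths with switches ("...\QTTask.exe" -atboottime),
    rundll32 host lines (path before the comma) and trailing annotations
    such as "(file missing)" or "(User '?')".
    """
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32 "):
        cmd = cmd[len("rundll32 "):].split(",", 1)[0]
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = IMAGE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def check_image(line: str, image: str) -> List[Finding]:
    """Flag a file named svchost.exe that does not live in the real system32."""
    if ntpath.basename(image).lower() == "svchost.exe" and ntpath.dirname(image).lower() != SYSTEM32:
        return [Finding("HIGH", line, f"svchost.exe outside {SYSTEM32}: {image}")]
    return []


def check_entry(line: str) -> List[Finding]:
    findings: List[Finding] = []
    m = O23_RE.match(line)
    if m:
        target = m.group("target")
        if "(file missing)" in target:
            findings.append(Finding("HIGH", line, "service image is missing from disk (file missing); orphaned or removed malware service"))
        findings.extend(check_image(line, extract_image_path(target)))
        return findings
    m = O4_RE.match(line)
    if m:
        rest = m.group("rest")
        if rest.startswith("["):                      # [name] command
            name, _, cmd = rest[1:].partition("] ")
        else:                                         # name.lnk = command
            name, _, cmd = rest.partition(" = ")
        image = extract_image_path(cmd)
        if any(p in f"{name} {image}".lower() for p in P2P_PRODUCTS):
            findings.append(Finding("MEDIUM", line, "peer-to-peer client set to run at startup"))
        findings.extend(check_image(line, image))
    return findings


def triage(log_text: str) -> List[Finding]:
    """Run every check over every non-blank line, preserving log order."""
    out: List[Finding] = []
    for line in log_text.splitlines():
        if line.strip():
            out.extend(check_entry(line.strip()))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.entry}")
```

On the sample the pass reports the LimeWire startup item and both problems with the BLWF service, and stays silent on ehTray, the rundll32 printer entry, the ATI service and dlcj_device, the same three-line result the helper reached by eye. The rules are deliberately narrow; a line that passes them is not thereby clean, which is why the helper still asked for the full ComboFix and MBAM logs.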

Due to the lack of feedback this Topic is closed. If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread.

This applies only to the original topic starter. If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened.

At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm).

A valid, working link to the closed topic is required. Everyone else please begin a New Topic.