Symptoms: "Warning codec failure...", and a red circle with a white X now resides in the system tray that I cannot remove. It has also changed my screen resolution to 800x600, I'd say, with about 16 colors.
McAfee ServiceCenter is my main anti-virus. I have Spybot S&D and Malwarebytes' Anti-Malware installed. Malwarebytes removed the wallpaper warning. The red circle remains; the screen resolution starts up normal for about 5 minutes before the screen converts to poor resolution and the disruption occurs.
I ran ComboFix before I read deeper into the forums and learned to stop where I'm at and bring my problem to you for guidance. I have included the ComboFix notes below in case it helps. (I had the McAfee firewall and anti-virus disabled at that time.)
Also, I have downloaded and run HijackThis; those notes are provided first, then the ComboFix notes after that.
Thank you for your help!
HIJACKTHIS NOTES:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:46:40, on 11/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\etSSBkgdupdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Quicken\bagent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\RegCure\RegCure.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\NeatWorks\exec\NeatWorksDatabaseController.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Documents and Settings\C21Agent\Local Settings\Temporary Internet Files\Content.IE5\E1U0QILJ\winlogon[1].scr
C:\WINDOWS\system32\SearchProtocolHost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - F:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} - C:\WINDOWS\system32\SHDOCVW.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [etSSBkgdupdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\etSSBkgdupdate.exe
O4 - HKLM\..\Run: [ett Shared\SSBkgdUpdate\etSSBkgdupdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\etSSBkgdupdate.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\C21Agent\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\bagent.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2020890953-1735307694-737598863-1007\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User '?')
O4 - HKUS\S-1-5-21-2020890953-1735307694-737598863-1007\..\Run: [cdloader] "C:\Documents and Settings\C21Agent\Application Data\mjusbsp\cdloader2.exe" MAGICJACK (User '?')
O4 - HKUS\S-1-5-21-2020890953-1735307694-737598863-1007\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\bagent.exe (User '?')
O4 - HKUS\S-1-5-21-2020890953-1735307694-737598863-1007\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (User '?')
O4 - HKUS\S-1-5-21-2020890953-1735307694-737598863-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User '?')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Wireless Network Monitor.lnk = C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://mfr.MLXchange.com
O16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} (FileCruiser Class) - http://mfr.mlxchange.com/Control/FileCruiser.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/games/ricochet-lost-worlds/en/ReflexiveWebGameLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo2.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mfr.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://mapguide.stpete.org/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1247103034765
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mfr.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) - http://mfr.mlxchange.com/Control/LiteGrid.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://pro.mlxtempo.com/5.0.05.46/Control/IRCSharc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://207.207.60.50/SiteRoots/main/Install/CentraDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -
O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) - http://mfr.mlxchange.com/Control/AspCustomCtrls.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NeatWorks Database Controller (NeatWorksDatabaseController) - The Neat Company - C:\Program Files\NeatWorks\exec\NeatWorksDatabaseController.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
--
End of file - 15218 bytes
**************
COMBOFIX NOTES:
**************
ComboFix 09-11-01.04 - C21Agent 11/02/2009 8:29.1.1 - NTFSx86 MINIMAL
Running from: c:\documents and settings\C21Agent\Desktop\Commy.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( OtherDeletions )))))))))))))))))))))))))))))))))))
.
c:\program files\alexa toolbar
c:\program files\alexa toolbar\uninstall.exe
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
F:\autorun.inf
.
(((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))
.
2009-11-02 13:19 . 2009-11-02 13:22 -------- d-----w- C:\Commy
2009-11-02 03:26 . 2009-11-02 03:26 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-11-01 22:43 . 2009-11-01 22:43 -------- d-----w- c:\documents and settings\C21Agent\Application Data\Malwarebytes
2009-11-01 22:43 . 2009-11-01 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-01 22:03 . 2009-11-01 22:03 -------- d-----w- c:\program files\Enigma Software Group
2009-11-01 21:22 . 2009-11-01 21:22 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-01 16:51 . 2009-11-01 16:51 -------- d-----w- c:\program files\MSECache
2009-10-30 21:59 . 2009-10-30 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-10-30 21:54 . 2008-08-22 12:24 271704 ----a-r- c:\windows\system32\hpzids01.dll
2009-10-30 21:47 . 2009-10-30 21:47 -------- d-----w- c:\program files\Common Files\HP
2009-10-30 21:47 . 2009-10-30 21:47 -------- d-----w- c:\program files\Hewlett-Packard
2009-10-30 21:43 . 2009-10-30 22:01 188843 ----a-w- c:\windows\hpwins22.dat
2009-10-30 21:43 . 2008-10-25 09:40 2979 ------w- c:\windows\hpwmdl22.dat
2009-10-25 02:10 . 2009-10-25 02:10 -------- d-----w- c:\windows\system32\LogFiles
2009-10-15 09:00 . 2009-10-15 09:00 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-10-09 17:51 . 2009-10-09 17:51 -------- d-----w- c:\documents and settings\C21Agent\Application Data\HP
2009-10-09 13:09 . 2009-10-09 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2009-10-09 12:22 . 2009-10-15 00:26 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-10-09 12:22 . 2009-11-02 12:44 -------- d-----w- c:\documents and settings\C21Agent\Application Data\HPAppData
2009-10-09 07:50 . 2009-10-09 07:50 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-09 03:43 . 2009-10-09 03:43 -------- d-----w- c:\documents and settings\C21Agent\Local Settings\Application Data\HP
2009-10-09 03:37 . 2009-10-30 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-10-09 03:36 . 2009-10-09 03:37 -------- d-----w- c:\windows\hpojp8500a909
2009-10-09 03:18 . 2007-07-09 18:13 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2009-10-09 03:18 . 2007-07-09 18:13 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2009-10-09 03:17 . 2007-07-09 18:13 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2009-10-09 02:54 . 2009-10-09 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-10-09 02:50 . 2009-09-16 14:22 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-10-09 02:50 . 2009-09-16 14:22 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-10-09 02:50 . 2009-09-16 14:22 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-10-09 02:50 . 2009-07-16 16:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-10-09 02:49 . 2009-10-09 02:50 -------- d-----w- c:\program files\Common Files\McAfee
2009-10-09 02:49 . 2009-10-09 02:49 -------- d-----w- c:\program files\McAfee.com
2009-10-09 02:19 . 2009-09-16 14:22 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-10-08 01:12 . 2008-08-12 14:58 118272 ----a-w- c:\windows\system32\hpf3l082.dll
2009-10-08 01:07 . 2007-07-09 18:13 364544 ----a-r- c:\windows\system32\hppldcoi.dll
2009-10-08 01:07 . 2007-07-09 18:13 309760 ----a-r- c:\windows\system32\difxapi.dll
2009-10-08 01:07 . 2007-07-06 18:48 294912 ----a-r- c:\windows\system32\hpovst11.dll
2009-10-08 01:07 . 2008-10-06 19:11 741376 ----a-r- c:\windows\system32\hpwwiax5.dll
2009-10-08 01:07 . 2008-10-06 19:11 966656 ----a-r- c:\windows\system32\hpwtiop4.dll
2009-10-08 01:07 . 2001-08-17 17:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2009-10-08 01:07 . 2001-08-17 17:53 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys
2009-10-08 00:40 . 2009-10-08 00:40 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-10-08 00:33 . 2009-10-30 21:55 -------- d-----w- c:\program files\HP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 04:04 . 2005-05-10 21:07 92608 ----a-w- c:\documents and settings\C21Agent\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-02 03:53 . 2009-07-03 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-02 03:51 . 2009-07-03 17:32 -------- d-----w- c:\program files\Microsoft Works
2009-11-02 03:15 . 2007-06-29 20:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-02 02:06 . 2009-11-02 02:06 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-11-02 01:20 . 2009-06-22 12:48 -------- d-----w- c:\documents and settings\C21Agent\Application Data\mjusbsp
2009-11-01 22:28 . 2008-08-22 18:48 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-01 21:22 . 2005-04-22 10:59 -------- d-----w- c:\program files\Java
2009-11-01 16:13 . 2009-01-22 14:04 256 ----a-w- c:\windows\system32\pool.bin
2009-10-26 04:11 . 2005-05-10 21:17 -------- d-----w- c:\program files\McAfee
2009-10-25 20:01 . 2008-09-03 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\VisualTour
2009-10-25 14:08 . 2009-07-09 02:31 -------- d-----w- c:\program files\RegCure
2009-10-20 13:46 . 2005-05-11 19:28 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-09 12:21 . 2008-09-03 11:59 -------- d-----w- c:\program files\VNC4
2009-10-09 05:50 . 2005-11-30 04:20 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-09 01:40 . 2008-01-28 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2009-10-08 00:03 . 2008-06-25 18:25 -------- d-----w- c:\program files\Canon
2009-10-08 00:01 . 2008-06-25 19:09 -------- d-----w- c:\documents and settings\C21Agent\Application Data\Canon
2009-09-27 16:14 . 2006-05-11 21:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-27 16:14 . 2009-02-25 02:21 -------- d-----w- c:\program files\Linksys
2009-09-27 15:01 . 2009-09-27 15:01 86016 ----a-w- c:\windows\system32\netsh.exe
2009-09-26 22:17 . 2009-08-15 13:57 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
2009-09-16 14:22 . 2009-07-08 17:44 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-11 16:07 . 2006-05-11 21:08 -------- d-----w- c:\program files\GeacInterealty
2009-09-11 16:07 . 2009-06-15 14:23 -------- d-----w- c:\program files\Quicken
2009-09-11 16:07 . 2009-06-12 03:07 -------- d-----w- c:\program files\Zoom
2009-09-11 16:07 . 2008-09-03 11:58 -------- d-----w- c:\program files\VTStudio
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 10:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 19:45 . 2009-08-27 19:45 60744 ----a-w- c:\documents and settings\C21Agent\g2mdlhlpx.exe
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44 . 2004-08-04 10:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 10:00 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-14 68856]
"cdloader"="c:\documents and settings\C21Agent\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]
"QuickenScheduledUpdates"="c:\program files\Quicken\bagent.exe" [2007-05-07 87592]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-01 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-02 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"etSSBkgdupdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\etSSBkgdupdate.exe" [2009-11-01 66560]
"ett Shared\SSBkgdUpdate\etSSBkgdupdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\etSSBkgdupdate.exe" [2009-11-01 66560]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-9-17 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
Wireless Network Monitor.lnk - c:\program files\Linksys\WUSB600N\WUSB600N.exe [2008-1-9 6922240]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cctray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Getca
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LELA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcalwj0et37
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcelwj0et37
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMshcclwj0et37
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CentraOne\\bin\\launcher.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Documents and Settings\\C21Agent\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
R2 NeatWorksDatabaseController;NeatWorks Database Controller;c:\program files\NeatWorks\exec\NeatWorksDatabaseController.exe [2009-06-10 351384]
R3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\ADSFilter.sys [x]
R3 MSSQL$NR2007;SQL Server (NR2007);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys [2007-12-14 551680]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*Deregistered* - mbr
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Neat ADF Scanner 2008]
reg copy "HKLM\Software\The Neat Company\Neat ADF Scanner 2008" "HKCU\Software\The Neat Company\Neat ADF Scanner 2008" /s /f
.
Contents of the 'Scheduled Tasks' folder
2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-09 16:22]
2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-09 16:22]
2009-11-02 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]
2009-11-02 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]
2009-11-01 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]
2009-11-02 c:\windows\Tasks\WebReg Officejet Pro 8500 A909n Series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2008-10-16 23:22]
.
.
------- Supplementary Scan -------
.
uStart Page = gmail.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
Trusted Zone: MLXchange.com\mfr
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} - hxxp://mfr.mlxchange.com/Control/MultiSelectComboBox.cab
DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - hxxp://mfr.mlxchange.com/Control/MLXClientUtils.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://pro.mlxtempo.com/5.0.05.46/Control/IRCSharc.cab
DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - hxxp://207.207.60.50/SiteRoots/main/Install/CentraDownloader.cab
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-02 08:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-11-02 8:41
ComboFix-quarantined-files.txt 2009-11-02 13:40
Pre-Run: 21,821,952,000 bytes free
Post-Run: 21,880,664,064 bytes free
- - End Of File - - 919946A049E852BAA03286B0ACEFADF4
Mcafee ServiceCenter is my main Anti-Virus. I have Spybot S&D and Malwarebytes' Anti Malware installed. Malwarebytes removed the wallpaper warning. The red circle remains, the screen resolution starts up normal for about 5 min before the screen converts to poor resolution and disruption occurs.
I have run combofix before I read deeper into the forums and learned to stop where I'm at and bring my problem to you for guidance. I have included the combofix notes below if it helps. (I had Mcafee firewall and anti virus disabled at that time.)
ALSO, I have downloaded and run - hijackthis - these notes are provided first. Then Combo after that.
Thank you for your help!
HIJACKTHIS NOTES:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:46:40, on 11/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\etSSBkgdupdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Quicken\bagent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\RegCure\RegCure.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\NeatWorks\exec\NeatWorksDatabaseController.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Documents and Settings\C21Agent\Local Settings\Temporary Internet Files\Content.IE5
\E1U0QILJ\winlogon[1].scr
C:\WINDOWS\system32\SearchProtocolHost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program
Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1
\mcafee\msk\mskapbho.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - F:\Program
Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1
\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program
Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program
Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1
\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} -
C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program
Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program
Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program
Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program
Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} - C:\WINDOWS\system32\SHDOCVW.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program
Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1
\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft
Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0
\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto
Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0
\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [etSSBkgdupdate] C:\Program Files\Common Files\Scansoft
Shared\SSBkgdUpdate\etSSBkgdupdate.exe
O4 - HKLM\..\Run: [ett Shared\SSBkgdUpdate\etSSBkgdupdate] C:\Program Files\Common Files\Scansoft
Shared\SSBkgdUpdate\etSSBkgdupdate.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-
Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\C21Agent\Application
Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\bagent.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
-scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2020890953-1735307694-737598863-1007\..\Run: [swg] "C:\Program
Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User '?')
O4 - HKUS\S-1-5-21-2020890953-1735307694-737598863-1007\..\Run: [cdloader] "C:\Documents and
Settings\C21Agent\Application Data\mjusbsp\cdloader2.exe" MAGICJACK (User '?')
O4 - HKUS\S-1-5-21-2020890953-1735307694-737598863-1007\..\Run: [QuickenScheduledUpdates]
C:\Program Files\Quicken\bagent.exe (User '?')
O4 - HKUS\S-1-5-21-2020890953-1735307694-737598863-1007\..\Run: [ISUSPM] "C:\Program Files\Common
Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (User '?')
O4 - HKUS\S-1-5-21-2020890953-1735307694-737598863-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32
\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
(User '?')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
(User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital
Imaging\bin\hpqtra08.exe
O4 - Global Startup: Wireless Network Monitor.lnk = C:\Program
Files\Linksys\WUSB600N\WUSB600N.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12
\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3
\Office12\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program
Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32
\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200
-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://mfr.MLXchange.com
O16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} (FileCruiser Class) -
http://mfr.mlxchange.com/Control/FileCruiser.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) -
http://forms.real.com/real/player/download.html?
f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) -
http://www.miniclip.com/games/ricochet-lost-worlds/en/ReflexiveWebGameLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -
http://photo2.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) -
http://mfr.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -
http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) -
http://mapguide.stpete.org/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?
1247103034765
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) -
http://mfr.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) -
http://mfr.mlxchange.com/Control/LiteGrid.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) -
http://pro.mlxtempo.com/5.0.05.46/Control/IRCSharc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) -
http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) -
http://207.207.60.50/SiteRoots/main/Install/CentraDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) -
http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -
O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) -
http://mfr.mlxchange.com/Control/AspCustomCtrls.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1
\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile
Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google
Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program
Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program
Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program
Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1
\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1
\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1
\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1
\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program
Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program
Files\McAfee\MSK\MskSrver.exe
O23 - Service: NeatWorks Database Controller (NeatWorksDatabaseController) - The Neat Company -
C:\Program Files\NeatWorks\exec\NeatWorksDatabaseController.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program
Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9
\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9
\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common
Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0
\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common
Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
--
End of file - 15218 bytes
**************
COMBOFIX NOTES:
**************
ComboFix 09-11-01.04 - C21Agent 11/02/2009 8:29.1.1 - NTFSx86 MINIMAL
Running from: c:\documents and settings\C21Agent\Desktop\Commy.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-
DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( OtherDeletions )))))))))))))))))))))))))))))))))))
.
c:\program files\alexa toolbar
c:\program files\alexa toolbar\uninstall.exe
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
F:\autorun.inf
.
(((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))
.
2009-11-02 13:19 . 2009-11-02 13:22 -------- d-----w- C:\Commy
2009-11-02 03:26 . 2009-11-02 03:26 -------- d-sh--w- c:\documents and
settings\Administrator\IETldCache
2009-11-01 22:43 . 2009-11-01 22:43 -------- d-----w- c:\documents and
settings\C21Agent\Application Data\Malwarebytes
2009-11-01 22:43 . 2009-11-01 22:43 -------- d-----w- c:\documents and
settings\All Users\Application Data\Malwarebytes
2009-11-01 22:03 . 2009-11-01 22:03 -------- d-----w- c:\program files\Enigma
Software Group
2009-11-01 21:22 . 2009-11-01 21:22 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-01 16:51 . 2009-11-01 16:51 -------- d-----w- c:\program files\MSECache
2009-10-30 21:59 . 2009-10-30 21:59 -------- d-----w- c:\documents and
settings\All Users\Application Data\HP Product Assistant
2009-10-30 21:54 . 2008-08-22 12:24 271704 ----a-r- c:\windows\system32\hpzids01.dll
2009-10-30 21:47 . 2009-10-30 21:47 -------- d-----w- c:\program files\Common
Files\HP
2009-10-30 21:47 . 2009-10-30 21:47 -------- d-----w- c:\program files\Hewlett
-Packard
2009-10-30 21:43 . 2009-10-30 22:01 188843 ----a-w- c:\windows\hpwins22.dat
2009-10-30 21:43 . 2008-10-25 09:40 2979 ------w- c:\windows\hpwmdl22.dat
2009-10-25 02:10 . 2009-10-25 02:10 -------- d-----w- c:\windows\system32
\LogFiles
2009-10-15 09:00 . 2009-10-15 09:00 -------- d-----w- c:\windows\system32
\config\systemprofile\Application Data\SACore
2009-10-09 17:51 . 2009-10-09 17:51 -------- d-----w- c:\documents and
settings\C21Agent\Application Data\HP
2009-10-09 13:09 . 2009-10-09 13:09 -------- d-----w- c:\documents and
settings\All Users\Application Data\WEBREG
2009-10-09 12:22 . 2009-10-15 00:26 -------- d-----w- c:\documents and
settings\LocalService\Application Data\SACore
2009-10-09 12:22 . 2009-11-02 12:44 -------- d-----w- c:\documents and
settings\C21Agent\Application Data\HPAppData
2009-10-09 07:50 . 2009-10-09 07:50 -------- d-sh--w- c:\windows\system32
\config\systemprofile\IETldCache
2009-10-09 03:43 . 2009-10-09 03:43 -------- d-----w- c:\documents and
settings\C21Agent\Local Settings\Application Data\HP
2009-10-09 03:37 . 2009-10-30 21:59 -------- d-----w- c:\documents and
settings\All Users\Application Data\HP
2009-10-09 03:36 . 2009-10-09 03:37 -------- d-----w- c:\windows\hpojp8500a909
2009-10-09 03:18 . 2007-07-09 18:13 16496 ----a-r- c:\windows\system32
\drivers\HPZipr12.sys
2009-10-09 03:18 . 2007-07-09 18:13 49920 ----a-r- c:\windows\system32
\drivers\HPZid412.sys
2009-10-09 03:17 . 2007-07-09 18:13 21568 ----a-r- c:\windows\system32
\drivers\HPZius12.sys
2009-10-09 02:54 . 2009-10-09 02:54 -------- d-----w- c:\documents and
settings\All Users\Application Data\SiteAdvisor
2009-10-09 02:50 . 2009-09-16 14:22 40552 ----a-w- c:\windows\system32
\drivers\mfesmfk.sys
2009-10-09 02:50 . 2009-09-16 14:22 35272 ----a-w- c:\windows\system32
\drivers\mfebopk.sys
2009-10-09 02:50 . 2009-09-16 14:22 79816 ----a-w- c:\windows\system32
\drivers\mfeavfk.sys
2009-10-09 02:50 . 2009-07-16 16:32 120136 ----a-w- c:\windows\system32
\drivers\Mpfp.sys
2009-10-09 02:49 . 2009-10-09 02:50 -------- d-----w- c:\program files\Common
Files\McAfee
2009-10-09 02:49 . 2009-10-09 02:49 -------- d-----w- c:\program
files\McAfee.com
2009-10-09 02:19 . 2009-09-16 14:22 34248 ----a-w- c:\windows\system32
\drivers\mferkdk.sys
2009-10-08 01:12 . 2008-08-12 14:58 118272 ----a-w- c:\windows\system32\hpf3l082.dll
2009-10-08 01:07 . 2007-07-09 18:13 364544 ----a-r- c:\windows\system32\hppldcoi.dll
2009-10-08 01:07 . 2007-07-09 18:13 309760 ----a-r- c:\windows\system32\difxapi.dll
2009-10-08 01:07 . 2007-07-06 18:48 294912 ----a-r- c:\windows\system32\hpovst11.dll
2009-10-08 01:07 . 2008-10-06 19:11 741376 ----a-r- c:\windows\system32\hpwwiax5.dll
2009-10-08 01:07 . 2008-10-06 19:11 966656 ----a-r- c:\windows\system32\hpwtiop4.dll
2009-10-08 01:07 . 2001-08-17 17:53 6784 ----a-w- c:\windows\system32
\drivers\serscan.sys
2009-10-08 01:07 . 2001-08-17 17:53 6784 ----a-w- c:\windows\system32
\dllcache\serscan.sys
2009-10-08 00:40 . 2009-10-08 00:40 -------- d-----w- c:\program files\Common
Files\Hewlett-Packard
2009-10-08 00:33 . 2009-10-30 21:55 -------- d-----w- c:\program files\HP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report
))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 04:04 . 2005-05-10 21:07 92608 ----a-w- c:\documents and
settings\C21Agent\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-02 03:53 . 2009-07-03 17:18 -------- d-----w- c:\documents and
settings\All Users\Application Data\Microsoft Help
2009-11-02 03:51 . 2009-07-03 17:32 -------- d-----w- c:\program
files\Microsoft Works
2009-11-02 03:15 . 2007-06-29 20:30 -------- d---a-w- c:\documents and
settings\All Users\Application Data\TEMP
2009-11-02 02:06 . 2009-11-02 02:06 7396 ----a-w- c:\windows\system32
\drivers\pctcore.cat
2009-11-02 01:20 . 2009-06-22 12:48 -------- d-----w- c:\documents and
settings\C21Agent\Application Data\mjusbsp
2009-11-01 22:28 . 2008-08-22 18:48 -------- d-----w- c:\program files\Windows
Live Safety Center
2009-11-01 21:22 . 2005-04-22 10:59 -------- d-----w- c:\program files\Java
2009-11-01 16:13 . 2009-01-22 14:04 256 ----a-w- c:\windows\system32\pool.bin
2009-10-26 04:11 . 2005-05-10 21:17 -------- d-----w- c:\program files\McAfee
2009-10-25 20:01 . 2008-09-03 14:56 -------- d-----w- c:\documents and
settings\All Users\Application Data\VisualTour
2009-10-25 14:08 . 2009-07-09 02:31 -------- d-----w- c:\program files\RegCure
2009-10-20 13:46 . 2005-05-11 19:28 -------- d-----w- c:\program files\Common
Files\Adobe
2009-10-09 12:21 . 2008-09-03 11:59 -------- d-----w- c:\program files\VNC4
2009-10-09 05:50 . 2005-11-30 04:20 -------- d-----w- c:\documents and
settings\All Users\Application Data\McAfee
2009-10-09 01:40 . 2008-01-28 15:57 -------- d-----w- c:\documents and
settings\All Users\Application Data\CA
2009-10-08 00:03 . 2008-06-25 18:25 -------- d-----w- c:\program files\Canon
2009-10-08 00:01 . 2008-06-25 19:09 -------- d-----w- c:\documents and
settings\C21Agent\Application Data\Canon
2009-09-27 16:14 . 2006-05-11 21:08 -------- d--h--w- c:\program
files\InstallShield Installation Information
2009-09-27 16:14 . 2009-02-25 02:21 -------- d-----w- c:\program files\Linksys
2009-09-27 15:01 . 2009-09-27 15:01 86016 ----a-w- c:\windows\system32\netsh.exe
2009-09-26 22:17 . 2009-08-15 13:57 -------- d-----w- c:\documents and
settings\All Users\Application Data\DriverCure
2009-09-16 14:22 . 2009-07-08 17:44 214664 ----a-w- c:\windows\system32
\drivers\mfehidk.sys
2009-09-11 16:07 . 2006-05-11 21:08 -------- d-----w- c:\program
files\GeacInterealty
2009-09-11 16:07 . 2009-06-15 14:23 -------- d-----w- c:\program files\Quicken
2009-09-11 16:07 . 2009-06-12 03:07 -------- d-----w- c:\program files\Zoom
2009-09-11 16:07 . 2008-09-03 11:58 -------- d-----w- c:\program files\VTStudio
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 10:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 19:45 . 2009-08-27 19:45 60744 ----a-w- c:\documents and
settings\C21Agent\g2mdlhlpx.exe
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44 . 2004-08-04 10:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 10:00 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points
))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-14
68856]
"cdloader"="c:\documents and settings\C21Agent\Application Data\mjusbsp\cdloader2.exe" [2009-08-
01 50520]
"QuickenScheduledUpdates"="c:\program files\Quicken\bagent.exe" [2007-05-07 87592]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24
206112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe"
[2006-09-28 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-01 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-
03 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto
Update\RIMAutoUpdate.exe" [2009-07-02 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
[2009-04-11 236016]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"etSSBkgdupdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\etSSBkgdupdate.exe"
[2009-11-01 66560]
"ett Shared\SSBkgdUpdate\etSSBkgdupdate"="c:\program files\Common Files\Scansoft
Shared\SSBkgdUpdate\etSSBkgdupdate.exe" [2009-11-01 66560]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma
Loader.exe [2008-9-17 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16
214360]
Wireless Network Monitor.lnk - c:\program files\Linksys\WUSB600N\WUSB600N.exe [2008-1-9 6922240]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop
Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe
Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed
Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows
Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cctray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Getca
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LELA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcalwj0et37
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcelwj0et37
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMshcclwj0et37
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\Li
st]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CentraOne\\bin\\launcher.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Documents and Settings\\C21Agent\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program
files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
R2 NeatWorksDatabaseController;NeatWorks Database Controller;c:\program
files\NeatWorks\exec\NeatWorksDatabaseController.exe [2009-06-10 351384]
R3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\DRIVERS\ADSFilter.sys [x]
R3 MSSQL$NR2007;SQL Server (NR2007);c:\program files\Microsoft SQL Server\MSSQL.1
\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys
[2007-12-14 551680]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*Deregistered* - mbr
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Neat ADF Scanner 2008]
reg copy "HKLM\Software\The Neat Company\Neat ADF Scanner 2008" "HKCU\Software\The Neat Company\Neat ADF Scanner 2008" /s /f
.
Contents of the 'Scheduled Tasks' folder
2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-09 16:22]
2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-09 16:22]
2009-11-02 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]
2009-11-02 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]
2009-11-01 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]
2009-11-02 c:\windows\Tasks\WebReg Officejet Pro 8500 A909n Series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2008-10-16 23:22]
.
.
------- Supplementary Scan -------
.
uStart Page = gmail.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
Trusted Zone: MLXchange.com\mfr
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} - hxxp://mfr.mlxchange.com/Control/MultiSelectComboBox.cab
DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - hxxp://mfr.mlxchange.com/Control/MLXClientUtils.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://pro.mlxtempo.com/5.0.05.46/Control/IRCSharc.cab
DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - hxxp://207.207.60.50/SiteRoots/main/Install/CentraDownloader.cab
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-02 08:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-11-02 8:41
ComboFix-quarantined-files.txt 2009-11-02 13:40
Pre-Run: 21,821,952,000 bytes free
Post-Run: 21,880,664,064 bytes free
- - End Of File - - 919946A049E852BAA03286B0ACEFADF4