Vundo Ddayv.dll Wont Die!

12 replies to this topic

#1 thebeerinator

Posted 05 September 2007 - 10:33 PM

Whenever I get online a fake virus warning pops up and redirects me to a rogue virus scanner, then tells me it's going to scan. None of my virus scanners worked and HijackThis wouldn't kill it; neither VundoFix nor VundoBeGone (or whatever it's called) worked. Here's my log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:39 PM, on 9/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:48 PM, on 9/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\jygvhcxd.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Razer\razerhid.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Razer\razerofa.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\gjgh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: run= C:\WESTWOOD\C&C95\INSTICON.EXE
O2 - BHO: (no name) - {3B758B38-CB03-4E79-9D65-B948DF618EA9} - C:\WINDOWS\system32\ddayv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\gobaeqji.dll
O2 - BHO: (no name) - {CF82EF11-31E8-4AEA-AD19-87814C6DBA7D} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [razer] "C:\Program Files\Razer\razerhid.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Updates] svehost.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Diamondback] "C:\Program Files\Razer\Diamondback\razerhid.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\cvgokstq.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] "C:\Program Files\PeerGuardian2\pg2.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\jygvhcxd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 6871 bytes


I've gone to other sites but their directions are confusing, and some don't work. Thanks for your help.


#2 __RiP_ChAiN_

Posted 05 September 2007 - 11:48 PM

Hello thebeerinator,

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Download SDFix and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.


#3 thebeerinator

Posted 06 September 2007 - 06:50 AM

I ran it and here are the results; I have no clue what they mean. For now though I'm off to school; I'll be back around 3:00 to finish this up.


SDFix: Version 1.102

Run by cor on Thu 09/06/2007 at 06:38 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
DomainService

ImagePath:
C:\WINDOWS\system32\vroipryr.exe /service

DomainService - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"="C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 9 32-bit"
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"="C:\\Program Files\\Autodesk\\Backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"="C:\\Program Files\\Autodesk\\Backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"="C:\\Program Files\\Autodesk\\Backburner\\server.exe:*:Enabled:backburner 2.3 server"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"="C:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe:*:Enabled:GPGNet - Supreme Commander"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\WINDOWS\\system32\\clxrsidx.exe"="C:\\WINDOWS\\system32\\clx"
"C:\\WINDOWS\\system32\\vgcsvgdy.exe"="C:\\WINDOWS\\system32\\vgc"
"C:\\WINDOWS\\system32\\jtvprrfb.exe"="C:\\WINDOWS\\system32\\jtv"
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\CNC3.exe"="C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\CNC3.exe:*:Enabled:Play Command & Conquer 3 Tiberium Wars"
"C:\\WINDOWS\\system32\\jygvhcxd.exe"="C:\\WINDOWS\\system32\\jyg"
"C:\\WINDOWS\\system32\\vroipryr.exe"="C:\\WINDOWS\\system32\\vro"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------


Files with Hidden Attributes:

C:\Program Files\Right Hemisphere\Deep Paint 3D\Resource\texture\companys\Freetextures.com\images\Thumbs.db
C:\Documents and Settings\All Users.WINDOWS\DRM\Cache\Indiv01.tmp
C:\WINDOWS\system32\vvvwa.tmp
C:\WINDOWS\system32\vyadd.tmp

Finished

#4 thebeerinator

Posted 06 September 2007 - 06:52 AM

Oops, I almost forgot, here's the new HijackThis log. Now I'm off to school.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:14 AM, on 9/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Razer\razerhid.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\gjgh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: run= C:\WESTWOOD\C&C95\INSTICON.EXE
O2 - BHO: (no name) - {38927241-2113-46EA-B16D-D0146F6C0520} - (no file)
O2 - BHO: (no name) - {3B758B38-CB03-4E79-9D65-B948DF618EA9} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7C880501-F19F-4CD7-B84E-D2450CD62C53} - (no file)
O2 - BHO: (no name) - {BB7222E8-2AF1-4349-A84E-DA699650F583} - C:\WINDOWS\system32\ddayv.dll
O2 - BHO: (no name) - {BC9D8373-D398-4C66-A79F-3B90273971F9} - (no file)
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - (no file)
O2 - BHO: (no name) - {CF82EF11-31E8-4AEA-AD19-87814C6DBA7D} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [razer] "C:\Program Files\Razer\razerhid.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Diamondback] "C:\Program Files\Razer\Diamondback\razerhid.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\hyasvfvc.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] "C:\Program Files\PeerGuardian2\pg2.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 6862 bytes

#5 __RiP_ChAiN_

Posted 06 September 2007 - 08:41 AM

Hello thebeerinator,

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
Please download Combofix to your desktop.
Doubleclick combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

#6 thebeerinator

Posted 06 September 2007 - 03:19 PM

Here's the ComboFix log:


ComboFix 07-08-30.3 - "cor" 2007-09-06 14:59:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.27.1033.18.1500 [GMT -5:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\cor\APPLIC~1\macromedia\Flash Player\#SharedObjects\74JHCAVR\www.broadcaster.com
C:\DOCUME~1\cor\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\cor\Desktop\internet explorer.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\DOWNLO~1.\ODCTOOLS
C:\WINDOWS\system32\amubvtub.dll
C:\WINDOWS\system32\bgsmhjcc.exe
C:\WINDOWS\system32\bobgfhaa.exe
C:\WINDOWS\system32\boncokpu.exe
C:\WINDOWS\system32\bopgejni.exe
C:\WINDOWS\system32\csjnwxoq.exe
C:\WINDOWS\system32\cvfvsayh.ini
C:\WINDOWS\system32\eaqfttgs.exe
C:\WINDOWS\system32\ebkmderm.ini
C:\WINDOWS\system32\ejrnodtf.exe
C:\WINDOWS\system32\eqblqxcw.exe
C:\WINDOWS\system32\evttvxud.exe
C:\WINDOWS\system32\ghisyape.exe
C:\WINDOWS\system32\herulkiw.exe
C:\WINDOWS\system32\hhqoowpa.exe
C:\WINDOWS\system32\htcwongm.exe
C:\WINDOWS\system32\hyasvfvc.dll
C:\WINDOWS\system32\iinucttn.exe
C:\WINDOWS\system32\jygvhcxd.exe
C:\WINDOWS\system32\lbnqphvg.exe
C:\WINDOWS\system32\lhmbelrs.exe
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\llkkj.ini
C:\WINDOWS\system32\lvrsooap.dll
C:\WINDOWS\system32\mredmkbe.dll
C:\WINDOWS\system32\paoosrvl.ini
C:\WINDOWS\system32\pgvtcrlj.exe
C:\WINDOWS\system32\prncksbu.exe
C:\WINDOWS\system32\qoinndta.dll
C:\WINDOWS\system32\qpnxyulk.exe
C:\WINDOWS\system32\qtvwa.bak1
C:\WINDOWS\system32\qtvwa.bak2
C:\WINDOWS\system32\qtvwa.ini
C:\WINDOWS\system32\rcplxxre.exe
C:\WINDOWS\system32\rmgioedt.exe
C:\WINDOWS\system32\rtoskqjq.exe
C:\WINDOWS\system32\rumchrqd.dll
C:\WINDOWS\system32\scansmuj.exe
C:\WINDOWS\system32\spnqnaly.exe
C:\WINDOWS\system32\svngfaiq.exe
C:\WINDOWS\system32\tluavekv.exe
C:\WINDOWS\system32\vncfhxeo.exe
C:\WINDOWS\system32\vroipryr.exe
C:\WINDOWS\system32\vvvwa.bak1
C:\WINDOWS\system32\vvvwa.bak2
C:\WINDOWS\system32\vvvwa.ini
C:\WINDOWS\system32\vvvwa.ini2
C:\WINDOWS\system32\vvvwa.tmp
C:\WINDOWS\system32\vyadd.bak1
C:\WINDOWS\system32\vyadd.bak2
C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\system32\vyadd.tmp
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\wvvwa.ini
C:\WINDOWS\system32\wwwibmfu.dll
C:\WINDOWS\system32\wxyxgjha.exe
C:\WINDOWS\system32\wygsboti.exe
C:\WINDOWS\system32\xmbqwdgb.exe
C:\WINDOWS\system32\yelnfhbw.exe


((((((((((((((((((((((((( Files Created from 2007-08-06 to 2007-09-06 )))))))))))))))))))))))))))))))


2007-09-06 15:10 1,989,302 ---hs---- C:\WINDOWS\system32\vyadd.bak1
2007-09-06 14:56 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-06 06:33 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-05 23:28 <DIR> d-------- C:\VundoFix Backups
2007-09-05 20:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
2007-09-05 17:54 164 --a------ C:\install.dat
2007-09-03 12:43 244,832 --------- C:\WINDOWS\system32\ddayv.dll
2007-09-02 00:15 6,488 ---hs---- C:\WINDOWS\system32\sstwa.bak1
2007-09-01 18:51 6,488 ---hs---- C:\WINDOWS\system32\gfhkj.bak1
2007-09-01 17:24 6,448 ---hs---- C:\WINDOWS\system32\qstwa.bak1
2007-09-01 16:09 6,488 ---hs---- C:\WINDOWS\system32\kjllm.bak1
2007-09-01 15:10 6,448 ---hs---- C:\WINDOWS\system32\nqtwa.bak1
2007-09-01 14:13 6,448 ---hs---- C:\WINDOWS\system32\edeeg.bak1
2007-09-01 08:09 1,884,932 ---hs---- C:\WINDOWS\system32\utstv.bak2
2007-08-31 20:08 6,448 ---hs---- C:\WINDOWS\system32\utstv.bak1
2007-08-31 18:44 6,488 ---hs---- C:\WINDOWS\system32\acbeg.bak1
2007-08-31 17:22 <DIR> d-------- C:\DOCUME~1\cor\APPLIC~1\WinRAR
2007-08-31 17:13 6,448 ---hs---- C:\WINDOWS\system32\jjkmp.bak1
2007-08-31 14:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Lavasoft
2007-08-31 12:51 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-29 15:13 13,225 --a------ C:\WINDOWS\system32\drivers\Razerlow.sys
2007-08-29 15:13 <DIR> d-------- C:\Program Files\Razer
2007-08-28 18:49 <DIR> d-------- C:\Program Files\Right Hemisphere
2007-08-27 21:29 <DIR> d-------- C:\System32
2007-08-23 17:46 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-08-23 17:46 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-08-22 21:31 <DIR> d-------- C:\Program Files\PeerGuardian2
2007-08-22 05:03 <DIR> d-------- C:\Program Files\Apophysis 2.0
2007-08-19 19:26 <DIR> d-------- C:\Program Files\Marvell
2007-08-18 22:22 <DIR> d-------- C:\Program Files\Common Files\ChaosGroup
2007-08-14 18:04 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-14 10:38 <DIR> d-------- C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\WTablet
2007-08-14 10:35 <DIR> d-------- C:\DOCUME~1\cor\APPLIC~1\WTablet
2007-08-14 10:23 124,464 --a------ C:\WINDOWS\system32\Wintab32.dll
2007-08-14 10:23 12,848 --a------ C:\WINDOWS\system32\drivers\wacomvhid.sys
2007-08-14 10:23 11,312 --a------ C:\WINDOWS\system32\drivers\wacommousefilter.sys
2007-08-14 10:23 1,189,424 --a------ C:\WINDOWS\system32\Tablet.exe
2007-08-14 10:23 <DIR> d-------- C:\Program Files\Tablet
2007-08-12 14:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-12 14:09 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-08-12 14:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Apple
2007-08-12 13:37 <DIR> d-------- C:\Program Files\QuickTime
2007-08-10 17:13 60,888 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-08-06 21:39 <DIR> d-------- C:\Program Files\XCC
2007-08-06 17:05 26 --a------ C:\WINDOWS\winstart.bat
2007-08-06 17:05 123 --a------ C:\WINDOWS\tmpcpyis.bat
2007-08-06 17:05 122 --a------ C:\WINDOWS\tmpdelis.bat
2007-08-06 01:06 69,632 --a------ C:\WINDOWS\UNINSTCC.EXE


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-06 15:10 75328 --a------ C:\WINDOWS\system32\shbpeord.exe
2007-09-06 06:07 --------- d-------- C:\DOCUME~1\cor\APPLIC~1\uTorrent
2007-09-05 16:02 --------- d-------- C:\Program Files\McAfee
2007-09-04 23:57 --------- d-a------ C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\TEMP
2007-08-31 17:21 --------- d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\WinZip
2007-08-29 17:06 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-26 16:03 --------- d-------- C:\DOCUME~1\cor\APPLIC~1\Command & Conquer 3 Tiberium Wars
2007-08-22 21:57 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-08-22 21:49 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2007-08-01 22:52 --------- d-------- C:\DOCUME~1\cor\APPLIC~1\dvdcss
2007-08-01 18:11 --------- d-------- C:\Program Files\Common Files\McAfee
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-29 17:06 --------- d-------- C:\DOCUME~1\cor\APPLIC~1\U3
2007-07-28 01:48 --------- d-------- C:\Program Files\MakeHuman
2007-07-25 12:10 --------- d-------- C:\Program Files\AirStrike II
2007-07-25 02:27 --------- d-------- C:\Program Files\RADVideo
2007-07-24 12:02 33800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-07-24 07:40 79304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-07-24 04:51 --------- d-------- C:\Program Files\hott notes 4
2007-07-24 04:51 --------- d-------- C:\DOCUME~1\cor\APPLIC~1\hott notes 4
2007-07-22 03:15 --------- d-------- C:\Program Files\Cryptic AR
2007-07-21 09:08 40488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-07-21 09:08 35240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-07-21 09:08 201288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-07-19 16:35 --------- d-------- C:\Program Files\NVIDIA Corporation
2007-07-18 21:12 --------- d-------- C:\Program Files\Common Files\DirectX
2007-07-18 20:57 --------- d-------- C:\Program Files\Codemasters
2007-07-18 20:56 --------- d-------- C:\Program Files\D-Tools
2007-07-17 12:33 --------- d-------- C:\Program Files\WinAce
2007-07-16 19:59 --------- d-------- C:\Program Files\Starcraft
2007-07-15 05:32 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-07-14 02:25 --------- d-------- C:\Program Files\Electronic Arts
2007-07-13 09:20 113952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-07-02 01:40 81920 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-07-02 01:40 233472 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-23 09:07 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-06-23 09:07 249856 --------- C:\WINDOWS\Setup1.exe
2007-06-21 15:43 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-06-21 15:43 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-06-21 15:43 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-15 23:10 278528 --a------ C:\WINDOWS\IsUninst.exe
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-11 00:19 796672 --a------ C:\WINDOWS\GPInstall.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38927241-2113-46EA-B16D-D0146F6C0520}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3B758B38-CB03-4E79-9D65-B948DF618EA9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C880501-F19F-4CD7-B84E-D2450CD62C53}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC9D8373-D398-4C66-A79F-3B90273971F9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF82EF11-31E8-4AEA-AD19-87814C6DBA7D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE7A0BCF-E3D4-43D2-BAC3-9B4BDA82AAF2}]
2007-09-03 12:43 244832 --------- C:\WINDOWS\system32\ddayv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 05:39 C:\WINDOWS\SOUNDMAN.EXE]
"razer"="C:\Program Files\Razer\razerhid.exe" [2005-05-17 18:21]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"nwiz"="nwiz.exe" [2006-11-17 19:29 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 07:00 C:\WINDOWS\system32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 07:00 C:\WINDOWS\system32\rundll32.exe]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [2007-02-14 11:15]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" []
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40]

C:\DOCUME~1\cor\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 22:16:50]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ddayv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^cor^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\cor\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

R0 SI3132;SiI-3132 SATALink Controller;C:\WINDOWS\system32\DRIVERS\SI3132.sys
R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\system32\DRIVERS\DcCam.sys
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\system32\drivers\dcfs2k.sys
R2 DomainService;DomainService;C:\WINDOWS\system32\shbpeord.exe /service
R3 pgfilter;pgfilter;\??\C:\Program Files\PeerGuardian2\pgfilter.sys
R3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
S1 Exportit;Exportit;C:\WINDOWS\system32\DRIVERS\exportit.sys
S3 DcFpoint;DcFpoint;C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINDOWS\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINDOWS\system32\DRIVERS\DcPTP.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\autorun.exe

*Newly Created Service* - DOMAINSERVICE
*Newly Created Service* - PGFILTER

Contents of the 'Scheduled Tasks' folder
2007-09-02 14:07:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-15 07:08:43 C:\WINDOWS\Tasks\McDefragTask.job - c:\program files\mcafee\mqc\QcConsol.exe
2007-09-01 06:00:02 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-06 15:12:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-06 15:12

--- E O F ---


and the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:43 PM, on 9/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Razer\razerhid.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\shbpeord.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\gjgh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: run= C:\WESTWOOD\C&C95\INSTICON.EXE
O2 - BHO: (no name) - {38927241-2113-46EA-B16D-D0146F6C0520} - (no file)
O2 - BHO: (no name) - {3B758B38-CB03-4E79-9D65-B948DF618EA9} - (no file)
O2 - BHO: (no name) - {7C880501-F19F-4CD7-B84E-D2450CD62C53} - (no file)
O2 - BHO: (no name) - {BC9D8373-D398-4C66-A79F-3B90273971F9} - (no file)
O2 - BHO: (no name) - {CF82EF11-31E8-4AEA-AD19-87814C6DBA7D} - (no file)
O2 - BHO: (no name) - {EE7A0BCF-E3D4-43D2-BAC3-9B4BDA82AAF2} - C:\WINDOWS\system32\ddayv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [razer] "C:\Program Files\Razer\razerhid.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Diamondback] "C:\Program Files\Razer\Diamondback\razerhid.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] "C:\Program Files\PeerGuardian2\pg2.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\shbpeord.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 6172 bytes

Hope this helps you get down to the cause, and thanks for the help.

#7 __RiP_ChAiN_

__RiP_ChAiN_

    Eh, whatever goes here.


  • Members
  • 1,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Omaha, Nebraska U.S.A
  • Local time:06:29 AM

Posted 06 September 2007 - 05:35 PM

Hello thebeerinator,

A. Please RUN HijackThis
  • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O2 - BHO: (no name) - {38927241-2113-46EA-B16D-D0146F6C0520} - (no file)
    O2 - BHO: (no name) - {3B758B38-CB03-4E79-9D65-B948DF618EA9} - (no file)
    O2 - BHO: (no name) - {7C880501-F19F-4CD7-B84E-D2450CD62C53} - (no file)
    O2 - BHO: (no name) - {BC9D8373-D398-4C66-A79F-3B90273971F9} - (no file)
    O2 - BHO: (no name) - {CF82EF11-31E8-4AEA-AD19-87814C6DBA7D} - (no file)
    O2 - BHO: (no name) - {EE7A0BCF-E3D4-43D2-BAC3-9B4BDA82AAF2} - C:\WINDOWS\system32\ddayv.dll
    O23 - Service: DomainService - - C:\WINDOWS\system32\shbpeord.exe


  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

B. 1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\vyadd.bak1
C:\install.dat
C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\sstwa.bak1
C:\WINDOWS\system32\gfhkj.bak1
C:\WINDOWS\system32\qstwa.bak1
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\nqtwa.bak1
C:\WINDOWS\system32\edeeg.bak1
C:\WINDOWS\system32\utstv.bak2
C:\WINDOWS\system32\utstv.bak1
C:\WINDOWS\system32\acbeg.bak1
C:\WINDOWS\system32\jjkmp.bak1
C:\WINDOWS\system32\shbpeord.exe

Folder::
C:\DOCUME~1\cor\APPLIC~1\U3
C:\System32
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DomainService]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.


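An added triage script for the procedure above. It is not part of this thread and not code from HijackThis or ComboFix; it reads the O2 (BHO) and O23 (service) lines of a HijackThis log, flags the three patterns the helper acted on (a BHO registered with no file on disk, an unnamed BHO backed by a DLL, a service with no publisher), and drafts the File:: and Registry:: sections of a CFScript.txt in the syntax the post uses. The sample lines are constructed from the logs posted above; the function names and the "unnamed BHO" and "no publisher" heuristics are my assumptions, not anything the tools document.

```python
"""Triage a HijackThis 2.0 log for the indicators the thread acts on.

Added example, not code from the thread, HijackThis or ComboFix.
"""
import re

# Constructed sample: a handful of lines taken from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {38927241-2113-46EA-B16D-D0146F6C0520} - (no file)
O2 - BHO: (no name) - {EE7A0BCF-E3D4-43D2-BAC3-9B4BDA82AAF2} - C:\WINDOWS\system32\ddayv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O23 - Service: DomainService - - C:\WINDOWS\system32\shbpeord.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# The vendor field is optional: HijackThis prints "Name - - path" when a service has no publisher.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?:(?P<vendor>.*?) )?- (?P<path>.+)$")
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"


def triage(log_text):
    """Return a list of (line, reason) for entries matching the thread's indicators."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("path") == "(no file)":
                findings.append((line, "orphaned BHO registration (no file on disk)"))
            elif m.group("name") == "(no name)":
                findings.append((line, "unnamed BHO backed by a DLL: verify the file"))
            continue
        m = O23_RE.match(line)
        if m and not m.group("vendor"):
            findings.append((line, "service with no publisher: verify the binary"))
    return findings


def short_name(display):
    """'McAfee Scanner (McODS)' -> 'McODS'; a bare display name is its own key name."""
    m = re.search(r"\(([^()]+)\)$", display)
    return m.group(1) if m else display


def build_cfscript(findings):
    """Draft the File:: and Registry:: sections in the CFScript form the post above uses.

    Orphaned "(no file)" BHOs are left out: there is nothing on disk to delete,
    and the post handles them with HijackThis "Fix checked" instead.
    """
    files, keys = [], []
    for line, _reason in findings:
        m = O2_RE.match(line)
        if m and m.group("path") != "(no file)":
            files.append(m.group("path"))
            continue
        m = O23_RE.match(line)
        if m:
            files.append(m.group("path"))
            keys.append(f"[-{SERVICE_KEY}\\{short_name(m.group('name'))}]")
    out = []
    if files:
        out += ["File::"] + sorted(set(files)) + [""]
    if keys:
        out += ["Registry::"] + keys
    return "\n".join(out)


def check_auth_packages(value):
    """LSA 'Authentication Packages' lists only msv1_0 on a stock XP install; the
    ComboFix log above shows ddayv appended to it. Returns the extra entries."""
    return [p for p in value.split() if p.lower() != "msv1_0"]


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for line, reason in hits:
        print(f"{reason:<48} {line}")
    print()
    print(build_cfscript(hits))
    print(check_auth_packages(r"msv1_0 C:\\WINDOWS\\system32\\ddayv"))
```

Everything the script flags is a candidate to verify against the logs, not a verdict; the value of the check is that it reproduces the three indicators the helper used so the same log can be re-read the same way after the fix runs.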
#8 thebeerinator

thebeerinator
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:29 AM

Posted 06 September 2007 - 06:37 PM

Here's the ComboFix log:

ComboFix 07-08-30.3 - "cor" 2007-09-06 18:14:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.27.1033.18.1519 [GMT -5:00]

FILE::
C:\WINDOWS\system32\vyadd.bak1
C:\install.dat
C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\sstwa.bak1
C:\WINDOWS\system32\gfhkj.bak1
C:\WINDOWS\system32\qstwa.bak1
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\nqtwa.bak1
C:\WINDOWS\system32\edeeg.bak1
C:\WINDOWS\system32\utstv.bak2
C:\WINDOWS\system32\utstv.bak1
C:\WINDOWS\system32\acbeg.bak1
C:\WINDOWS\system32\jjkmp.bak1
C:\WINDOWS\system32\shbpeord.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\cor\APPLIC~1\U3
C:\DOCUME~1\cor\APPLIC~1\U3\temp\cleanup.exe
C:\install.dat
C:\System32
C:\System32\Tablet.dat
C:\VundoFix Backups
C:\VundoFix Backups\ogdapmeq.dll.bad
C:\VundoFix Backups\qempadgo.ini.bad
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\acbeg.bak1
C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\edeeg.bak1
C:\WINDOWS\system32\gfhkj.bak1
C:\WINDOWS\system32\jjkmp.bak1
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\nqtwa.bak1
C:\WINDOWS\system32\plfksfuy.ini
C:\WINDOWS\system32\qstwa.bak1
C:\WINDOWS\system32\shbpeord.exe
C:\WINDOWS\system32\sstwa.bak1
C:\WINDOWS\system32\utstv.bak1
C:\WINDOWS\system32\utstv.bak2
C:\WINDOWS\system32\vyadd.bak1
C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\xbjjcuhy.dll
C:\WINDOWS\system32\yufskflp.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-06 to 2007-09-06 )))))))))))))))))))))))))))))))


2007-09-06 14:56 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-06 06:33 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-05 20:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
2007-08-31 17:22 <DIR> d-------- C:\DOCUME~1\cor\APPLIC~1\WinRAR
2007-08-31 14:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Lavasoft
2007-08-31 12:51 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-29 15:13 13,225 --a------ C:\WINDOWS\system32\drivers\Razerlow.sys
2007-08-29 15:13 <DIR> d-------- C:\Program Files\Razer
2007-08-28 18:49 <DIR> d-------- C:\Program Files\Right Hemisphere
2007-08-23 17:46 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-08-23 17:46 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-08-22 21:31 <DIR> d-------- C:\Program Files\PeerGuardian2
2007-08-22 05:03 <DIR> d-------- C:\Program Files\Apophysis 2.0
2007-08-19 19:26 <DIR> d-------- C:\Program Files\Marvell
2007-08-18 22:22 <DIR> d-------- C:\Program Files\Common Files\ChaosGroup
2007-08-14 18:04 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-14 10:38 <DIR> d-------- C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\WTablet
2007-08-14 10:35 <DIR> d-------- C:\DOCUME~1\cor\APPLIC~1\WTablet
2007-08-14 10:23 124,464 --a------ C:\WINDOWS\system32\Wintab32.dll
2007-08-14 10:23 12,848 --a------ C:\WINDOWS\system32\drivers\wacomvhid.sys
2007-08-14 10:23 11,312 --a------ C:\WINDOWS\system32\drivers\wacommousefilter.sys
2007-08-14 10:23 1,189,424 --a------ C:\WINDOWS\system32\Tablet.exe
2007-08-14 10:23 <DIR> d-------- C:\Program Files\Tablet
2007-08-12 14:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-12 14:09 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-08-12 14:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Apple
2007-08-12 13:37 <DIR> d-------- C:\Program Files\QuickTime
2007-08-10 17:13 60,888 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-08-06 21:39 <DIR> d-------- C:\Program Files\XCC
2007-08-06 17:05 26 --a------ C:\WINDOWS\winstart.bat
2007-08-06 17:05 123 --a------ C:\WINDOWS\tmpcpyis.bat
2007-08-06 17:05 122 --a------ C:\WINDOWS\tmpdelis.bat
2007-08-06 01:06 69,632 --a------ C:\WINDOWS\UNINSTCC.EXE


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-06 17:37 --------- d-------- C:\DOCUME~1\cor\APPLIC~1\uTorrent
2007-09-05 16:02 --------- d-------- C:\Program Files\McAfee
2007-09-04 23:57 --------- d-a------ C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\TEMP
2007-08-31 17:21 --------- d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\WinZip
2007-08-29 17:06 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-26 16:03 --------- d-------- C:\DOCUME~1\cor\APPLIC~1\Command & Conquer 3 Tiberium Wars
2007-08-22 21:57 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-08-22 21:49 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2007-08-01 22:52 --------- d-------- C:\DOCUME~1\cor\APPLIC~1\dvdcss
2007-08-01 18:11 --------- d-------- C:\Program Files\Common Files\McAfee
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-28 01:48 --------- d-------- C:\Program Files\MakeHuman
2007-07-25 12:10 --------- d-------- C:\Program Files\AirStrike II
2007-07-25 02:27 --------- d-------- C:\Program Files\RADVideo
2007-07-24 12:02 33800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-07-24 07:40 79304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-07-24 04:51 --------- d-------- C:\Program Files\hott notes 4
2007-07-24 04:51 --------- d-------- C:\DOCUME~1\cor\APPLIC~1\hott notes 4
2007-07-22 03:15 --------- d-------- C:\Program Files\Cryptic AR
2007-07-21 09:08 40488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-07-21 09:08 35240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-07-21 09:08 201288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-07-19 16:35 --------- d-------- C:\Program Files\NVIDIA Corporation
2007-07-18 21:12 --------- d-------- C:\Program Files\Common Files\DirectX
2007-07-18 20:57 --------- d-------- C:\Program Files\Codemasters
2007-07-18 20:56 --------- d-------- C:\Program Files\D-Tools
2007-07-17 12:33 --------- d-------- C:\Program Files\WinAce
2007-07-16 19:59 --------- d-------- C:\Program Files\Starcraft
2007-07-15 05:32 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-07-14 02:25 --------- d-------- C:\Program Files\Electronic Arts
2007-07-13 09:20 113952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-07-02 01:40 81920 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-07-02 01:40 233472 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-23 09:07 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-06-23 09:07 249856 --------- C:\WINDOWS\Setup1.exe
2007-06-21 15:43 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-06-21 15:43 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-06-21 15:43 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-15 23:10 278528 --a------ C:\WINDOWS\IsUninst.exe
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-11 00:19 796672 --a------ C:\WINDOWS\GPInstall.exe


((((((((((((((((((((((((((((( snapshot_2007-09-06_151156.53 )))))))))))))))))))))))))))))))))))))))))

----a-w 276,992 2006-10-19 04:47:08 C:\WINDOWS\system32\audiodev.dll
----a-w 249,856 2006-10-19 03:00:46 C:\WINDOWS\system32\drmupgds.exe
----a-w 61,952 2006-10-17 18:58:20 C:\WINDOWS\system32\icardie.dll
----a-w 26,112 2006-06-29 15:05:44 C:\WINDOWS\system32\idndl.dll
----a-w 180,736 2006-11-08 04:03:36 C:\WINDOWS\system32\ieui.dll
----a-w 212,992 2006-10-19 04:47:14 C:\WINDOWS\system32\MFPLAT.dll
----a-w 259,072 2006-10-19 04:47:14 C:\WINDOWS\system32\MP43DECD.dll
----a-w 317,440 2006-10-19 04:47:14 C:\WINDOWS\system32\MP4SDECD.dll
----a-w 259,072 2006-10-19 04:47:14 C:\WINDOWS\system32\MPG4DECD.dll
----a-w 312,128 2006-10-02 22:28:42 C:\WINDOWS\system32\msdelta.dll
----a-w 12,288 2006-10-17 18:58:32 C:\WINDOWS\system32\msfeedssync.exe
----a-w 24,576 2006-06-29 00:59:26 C:\WINDOWS\system32\nlsdl.dll
----a-w 23,552 2006-06-29 15:05:44 C:\WINDOWS\system32\normaliz.dll
----a-w 284,160 2006-10-19 04:47:18 C:\WINDOWS\system32\PortableDeviceApi.dll
----a-w 101,888 2006-10-19 04:47:18 C:\WINDOWS\system32\PortableDeviceClassExtension.dll
----a-w 166,912 2006-10-19 04:47:18 C:\WINDOWS\system32\PortableDeviceTypes.dll
----a-w 132,096 2006-10-19 04:47:18 C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
----a-w 199,168 2006-10-19 04:47:18 C:\WINDOWS\system32\PortableDeviceWMDRM.dll
----a-w 14,640 2006-09-26 00:58:48 C:\WINDOWS\system32\spmsg.dll
----a-w 60,416 2007-07-18 12:42:22 C:\WINDOWS\system32\tzchange.exe
----a-w 8,704 2006-10-19 04:58:00 C:\WINDOWS\system32\uwdf.exe
----a-w 28,672 2006-03-17 00:38:01 C:\WINDOWS\system32\verclsid.exe
----a-w 4,096 2006-10-19 04:47:18 C:\WINDOWS\system32\wdfapi.dll
----a-w 8,704 2006-10-19 04:58:00 C:\WINDOWS\system32\wdfmgr.exe
----a-w 236,928 2007-02-16 01:00:26 C:\WINDOWS\system32\WgaLogon.dll
----a-w 336,768 2007-02-16 01:01:26 C:\WINDOWS\system32\WgaTray.exe
----a-w 206,336 2006-10-17 19:05:58 C:\WINDOWS\system32\WinFXDocObj.exe
----a-w 429,056 2006-10-19 04:47:18 C:\WINDOWS\system32\wmdrmdev.dll
----a-w 348,672 2006-10-19 04:47:20 C:\WINDOWS\system32\wmdrmnet.dll
----a-w 535,040 2006-10-19 04:47:20 C:\WINDOWS\system32\wmdrmsdk.dll
----a-w 295,936 2006-10-19 04:47:20 C:\WINDOWS\system32\wmpeffects.dll
----a-w 1,661,440 2006-10-19 04:47:20 C:\WINDOWS\system32\wmpencen.dll
----a-w 613,376 2006-10-19 04:47:20 C:\WINDOWS\system32\wmpmde.dll
----a-w 130,048 2006-10-19 04:47:20 C:\WINDOWS\system32\wmpps.dll
----a-w 204,288 2006-10-19 04:47:20 C:\WINDOWS\system32\wmpsrcwp.dll
----a-w 4,096 2006-10-19 04:47:22 C:\WINDOWS\system32\WMVADVD.dll
----a-w 4,096 2006-10-19 04:47:22 C:\WINDOWS\system32\WMVADVE.DLL
----a-w 1,543,680 2006-10-19 04:47:22 C:\WINDOWS\system32\WMVDECOD.dll
----a-w 1,574,912 2006-10-19 04:47:22 C:\WINDOWS\system32\WMVENCOD.dll
----a-w 1,382,912 2006-10-19 04:47:22 C:\WINDOWS\system32\WMVSDECD.dll
----a-w 767,488 2006-10-19 04:47:22 C:\WINDOWS\system32\WMVSENCD.dll
----a-w 656,896 2006-10-19 04:47:22 C:\WINDOWS\system32\WMVXENCD.dll
----a-w 35,840 2006-10-19 04:47:22 C:\WINDOWS\system32\wpdconns.dll
----a-w 154,624 2006-10-19 04:47:22 C:\WINDOWS\system32\wpdmtp.dll
----a-w 63,488 2006-10-19 04:47:22 C:\WINDOWS\system32\wpdmtpus.dll
----a-w 2,603,008 2006-10-19 04:47:22 C:\WINDOWS\system32\WpdShext.dll
----a-w 17,408 2006-10-19 03:00:14 C:\WINDOWS\system32\wpdshextautoplay.exe
----a-w 38,400 2006-10-19 04:47:22 C:\WINDOWS\system32\wpdshextres.dll
----a-w 133,632 2006-10-19 04:47:22 C:\WINDOWS\system32\WPDShServiceObj.dll
----a-w 356,352 2006-10-19 04:47:22 C:\WINDOWS\system32\wpdsp.dll
----a-w 629,760 2006-10-19 04:47:22 C:\WINDOWS\system32\wpd_ci.dll
----a-w 95,344 2006-09-29 03:13:26 C:\WINDOWS\system32\WUDFCoinstaller.dll
----a-w 146,432 2006-09-29 01:56:38 C:\WINDOWS\system32\WudfHost.exe
----a-w 165,376 2006-09-29 01:56:16 C:\WINDOWS\system32\WudfPlatform.dll
----a-w 55,808 2006-09-29 01:56:14 C:\WINDOWS\system32\WudfSvc.dll
----a-w 316,416 2006-09-29 01:56:38 C:\WINDOWS\system32\WUDFx.dll
----a-w 121,856 2006-07-14 15:51:51 C:\WINDOWS\system32\xmllite.dll
----a-w 32,768 2007-09-06 20:16:17 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-09-06 20:16:17 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
--sha-w 32,768 2007-09-06 20:16:17 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

------w 276,992 2006-10-19 04:47:08 C:\WINDOWS\system32\audiodev.dll
------w 249,856 2006-10-19 03:00:46 C:\WINDOWS\system32\drmupgds.exe
------w 61,952 2006-10-17 18:58:20 C:\WINDOWS\system32\icardie.dll
------w 26,112 2006-06-29 15:05:44 C:\WINDOWS\system32\idndl.dll
------w 180,736 2006-11-08 04:03:36 C:\WINDOWS\system32\ieui.dll
------w 212,992 2006-10-19 04:47:14 C:\WINDOWS\system32\MFPLAT.dll
------w 259,072 2006-10-19 04:47:14 C:\WINDOWS\system32\MP43DECD.dll
------w 317,440 2006-10-19 04:47:14 C:\WINDOWS\system32\MP4SDECD.dll
------w 259,072 2006-10-19 04:47:14 C:\WINDOWS\system32\MPG4DECD.dll
------w 312,128 2006-10-02 22:28:42 C:\WINDOWS\system32\msdelta.dll
------w 12,288 2006-10-17 18:58:32 C:\WINDOWS\system32\msfeedssync.exe
------w 24,576 2006-06-29 00:59:26 C:\WINDOWS\system32\nlsdl.dll
------w 23,552 2006-06-29 15:05:44 C:\WINDOWS\system32\normaliz.dll
------w 284,160 2006-10-19 04:47:18 C:\WINDOWS\system32\PortableDeviceApi.dll
------w 101,888 2006-10-19 04:47:18 C:\WINDOWS\system32\PortableDeviceClassExtension.dll
------w 166,912 2006-10-19 04:47:18 C:\WINDOWS\system32\PortableDeviceTypes.dll
------w 132,096 2006-10-19 04:47:18 C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
------w 199,168 2006-10-19 04:47:18 C:\WINDOWS\system32\PortableDeviceWMDRM.dll
------w 14,640 2006-09-26 00:58:48 C:\WINDOWS\system32\spmsg.dll
------w 60,416 2007-07-18 12:42:22 C:\WINDOWS\system32\tzchange.exe
------w 8,704 2006-10-19 04:58:00 C:\WINDOWS\system32\uwdf.exe
------w 28,672 2006-03-17 00:38:01 C:\WINDOWS\system32\verclsid.exe
------w 4,096 2006-10-19 04:47:18 C:\WINDOWS\system32\wdfapi.dll
------w 8,704 2006-10-19 04:58:00 C:\WINDOWS\system32\wdfmgr.exe
------w 236,928 2007-02-16 01:00:26 C:\WINDOWS\system32\WgaLogon.dll
------w 336,768 2007-02-16 01:01:26 C:\WINDOWS\system32\WgaTray.exe
------w 206,336 2006-10-17 19:05:58 C:\WINDOWS\system32\WinFXDocObj.exe
------w 429,056 2006-10-19 04:47:18 C:\WINDOWS\system32\wmdrmdev.dll
------w 348,672 2006-10-19 04:47:20 C:\WINDOWS\system32\wmdrmnet.dll
------w 535,040 2006-10-19 04:47:20 C:\WINDOWS\system32\wmdrmsdk.dll
------w 295,936 2006-10-19 04:47:20 C:\WINDOWS\system32\wmpeffects.dll
------w 1,661,440 2006-10-19 04:47:20 C:\WINDOWS\system32\wmpencen.dll
------w 613,376 2006-10-19 04:47:20 C:\WINDOWS\system32\wmpmde.dll
------w 130,048 2006-10-19 04:47:20 C:\WINDOWS\system32\wmpps.dll
------w 204,288 2006-10-19 04:47:20 C:\WINDOWS\system32\wmpsrcwp.dll
------w 4,096 2006-10-19 04:47:22 C:\WINDOWS\system32\WMVADVD.dll
------w 4,096 2006-10-19 04:47:22 C:\WINDOWS\system32\WMVADVE.DLL
------w 1,543,680 2006-10-19 04:47:22 C:\WINDOWS\system32\WMVDECOD.dll
------w 1,574,912 2006-10-19 04:47:22 C:\WINDOWS\system32\WMVENCOD.dll
------w 1,382,912 2006-10-19 04:47:22 C:\WINDOWS\system32\WMVSDECD.dll
------w 767,488 2006-10-19 04:47:22 C:\WINDOWS\system32\WMVSENCD.dll
------w 656,896 2006-10-19 04:47:22 C:\WINDOWS\system32\WMVXENCD.dll
------w 35,840 2006-10-19 04:47:22 C:\WINDOWS\system32\wpdconns.dll
------w 154,624 2006-10-19 04:47:22 C:\WINDOWS\system32\wpdmtp.dll
------w 63,488 2006-10-19 04:47:22 C:\WINDOWS\system32\wpdmtpus.dll
------w 2,603,008 2006-10-19 04:47:22 C:\WINDOWS\system32\WpdShext.dll
------w 17,408 2006-10-19 03:00:14 C:\WINDOWS\system32\wpdshextautoplay.exe
------w 38,400 2006-10-19 04:47:22 C:\WINDOWS\system32\wpdshextres.dll
------w 133,632 2006-10-19 04:47:22 C:\WINDOWS\system32\WPDShServiceObj.dll
------w 356,352 2006-10-19 04:47:22 C:\WINDOWS\system32\wpdsp.dll
------w 629,760 2006-10-19 04:47:22 C:\WINDOWS\system32\wpd_ci.dll
------w 95,344 2006-09-29 03:13:26 C:\WINDOWS\system32\WUDFCoinstaller.dll
------w 146,432 2006-09-29 01:56:38 C:\WINDOWS\system32\WudfHost.exe
------w 165,376 2006-09-29 01:56:16 C:\WINDOWS\system32\WudfPlatform.dll
------w 55,808 2006-09-29 01:56:14 C:\WINDOWS\system32\WudfSvc.dll
------w 316,416 2006-09-29 01:56:38 C:\WINDOWS\system32\WUDFx.dll
------w 121,856 2006-07-14 15:51:51 C:\WINDOWS\system32\xmllite.dll
----a-w 32,768 2007-09-06 16:14:56 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-09-06 16:14:56 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-09-06 16:14:56 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 05:39 C:\WINDOWS\SOUNDMAN.EXE]
"razer"="C:\Program Files\Razer\razerhid.exe" [2005-05-17 18:21]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"nwiz"="nwiz.exe" [2006-11-17 19:29 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 07:00 C:\WINDOWS\system32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 07:00 C:\WINDOWS\system32\rundll32.exe]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [2007-02-14 11:15]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" []
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40]

C:\DOCUME~1\cor\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 22:16:50]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ddayv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^cor^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\cor\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

R0 SI3132;SiI-3132 SATALink Controller;C:\WINDOWS\system32\DRIVERS\SI3132.sys
R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\system32\DRIVERS\DcCam.sys
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\system32\drivers\dcfs2k.sys
R3 pgfilter;pgfilter;\??\C:\Program Files\PeerGuardian2\pgfilter.sys
R3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
S1 Exportit;Exportit;C:\WINDOWS\system32\DRIVERS\exportit.sys
S3 DcFpoint;DcFpoint;C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINDOWS\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINDOWS\system32\DRIVERS\DcPTP.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\autorun.exe


Contents of the 'Scheduled Tasks' folder
2007-09-02 14:07:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-15 07:08:43 C:\WINDOWS\Tasks\McDefragTask.job - c:\program files\mcafee\mqc\QcConsol.exe
2007-09-01 06:00:02 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-06 18:25:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-06 18:26:06 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-06 18:26
C:\ComboFix2.txt ... 2007-09-06 15:12

--- E O F ---

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:49 PM, on 9/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Razer\razerhid.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Razer\razerofa.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\gjgh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: run= C:\WESTWOOD\C&C95\INSTICON.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [razer] "C:\Program Files\Razer\razerhid.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Diamondback] "C:\Program Files\Razer\Diamondback\razerhid.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] "C:\Program Files\PeerGuardian2\pg2.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 5522 bytes
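
The ComboFix section in the log above shows why this infection kept coming back: the LSA "Authentication Packages" value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa has C:\WINDOWS\system32\ddayv appended after the Windows XP default msv1_0, and LSA loads every package listed there into lsass.exe at boot. The script below is an added example for helpers reading such logs; it is not part of ComboFix and not from this thread. It runs over constructed sample lines copied from that section (plus a clean machine's line for comparison) and flags any package other than msv1_0.

```python
"""Flag non-default entries in the LSA "Authentication Packages" value as
printed in a ComboFix "Reg Loading Points" section.

LSA loads every package listed there into lsass.exe at boot; on Windows XP
the only default entry is msv1_0, so anything else deserves a look.
Added example; not ComboFix code and not from the thread.
"""
import re

# Constructed sample: the relevant lines copied from the ComboFix log in
# this thread (ComboFix prints backslashes doubled in REG_MULTI_SZ values).
INFECTED_LOG = [
    r"[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]",
    r'"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ddayv',
    r"",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]",
    r'@=""',
]

# Constructed sample of what a clean Windows XP machine reports.
CLEAN_LOG = [
    r"[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]",
    r'"Authentication Packages"= msv1_0',
]

DEFAULT_PACKAGES = {"msv1_0"}
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"Authentication Packages"\s*=\s*(.*)$', re.IGNORECASE)


def find_extra_auth_packages(lines, defaults=DEFAULT_PACKAGES):
    """Return the Authentication Packages entries not in `defaults`.

    Doubled backslashes are collapsed so results read as normal paths.
    An empty list means only the default package is registered.
    """
    current_key = None
    extras = []
    for raw in lines:
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1).lower()
            continue
        if current_key != LSA_KEY:
            continue
        value = VALUE_RE.match(line)
        if not value:
            continue
        # ComboFix separates the entries with spaces. An entry whose own
        # path contains a space would be split in two here, so treat any
        # hit as "inspect this key", not as an exact parse.
        for entry in value.group(1).split():
            if entry.lower() not in defaults:
                extras.append(entry.replace("\\\\", "\\"))
    return extras


def triage(lines):
    """One-line verdict for a log, suitable for a helper's reply."""
    extras = find_extra_auth_packages(lines)
    if not extras:
        return "Authentication Packages: default only (msv1_0)"
    return "Authentication Packages: unexpected -> " + ", ".join(extras)


if __name__ == "__main__":
    print(triage(INFECTED_LOG))
    print(triage(CLEAN_LOG))
```

Run as-is it reports the ddayv entry for the infected sample and "default only" for the clean one. The check is deliberately narrow: it only reads what ComboFix printed, so it is a triage aid for reading posted logs, not a replacement for inspecting the key on the machine.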

#9 __RiP_ChAiN_

__RiP_ChAiN_

    Eh, whatever goes here.


  • Members
  • 1,592 posts
  • OFFLINE
  • Gender:Male
  • Location:Omaha, Nebraska U.S.A
  • Local time:06:29 AM

Posted 07 September 2007 - 06:10 PM

Hello thebeerinator,

Download and install AVG Anti-Spyware v7.5.
  • After download, double click on the file to launch the install process.
  • Choose a language, click "OK" and then click "Next".
  • Read the "License Agreement" and click "I Agree".
  • Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
  • After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
  • Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
  • Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this is the case, press the WINKEY + M key to "Minimize" the AVG display. Then right-click on AVG in the Task Bar and select "Maximize". If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)

Scan with AVG Anti-Spyware as follows:
  • Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?", "Possibly unwanted software", and "What to Scan?" leave all the default settings.
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
  • Click the "Scan" tab to return to scanning options.
  • Click "Complete System Scan" to start.
  • When the scan has finished, it should automatically be set to Quarantine; if not, click on Recommended Action and set it there.
  • You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
  • Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
  • Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.
Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner, or you may purchase a license to use the full version.

#10 thebeerinator

thebeerinator
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:29 AM

Posted 08 September 2007 - 04:44 PM

Here's the AVG Anti-Spyware log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:17:21 PM 9/8/2007

+ Scan result:



HKU\S-1-5-21-1715567821-1364589140-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Documents and Settings\cor\Cookies\cor@247realmedia[2].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@oasc02.247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@buycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@buzznet.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@electronicarts.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@pch.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@viacomedycentralrl.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@arn.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@getmusicfree.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@3.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@4.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@search.techrepublic.com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@software.techrepublic.com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@linksynergy[1].txt -> TrackingCookie.Linksynergy : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@linksynergy[3].txt -> TrackingCookie.Linksynergy : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@search.live[2].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@counter5.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@counter7.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@counter9.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@tacoda[3].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\cor\Cookies\cor@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.


::Report end

#11 __RiP_ChAiN_

__RiP_ChAiN_

    Eh, whatever goes here.


  • Members
  • 1,592 posts
  • OFFLINE
  • Gender:Male
  • Location:Omaha, Nebraska U.S.A
  • Local time:06:29 AM

Posted 08 September 2007 - 07:18 PM

Hello thebeerinator,

Please post back with a new HijackThis log and an update on how your computer is running.

#12 thebeerinator

thebeerinator
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:29 AM

Posted 09 September 2007 - 03:04 PM

Since I used the ComboFix process my computer has been back to normal, it seems. I'm not getting any popups and I think all is well. I've changed some McAfee settings to make my system's security a little tighter. I think I got the spyware from downloading something, and, well, I forgot to scan it. :thumbsup:

Well, here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:00:20 PM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Razer\razerhid.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Razer\razerofa.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Right Hemisphere\Deep Paint 3D\Deep3D.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\gjgh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: run= C:\WESTWOOD\C&C95\INSTICON.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [razer] "C:\Program Files\Razer\razerhid.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Diamondback] "C:\Program Files\Razer\Diamondback\razerhid.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] "C:\Program Files\PeerGuardian2\pg2.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 6166 bytes
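
The helper asks for a fresh HijackThis log after each step, and what matters in the follow-up log is what changed, not the unchanged hundred lines. The script below is an added example, not a HijackThis feature and not from the thread: it parses two constructed, trimmed excerpts modelled on the 9/6 and 9/9 logs above and reports which running processes, O4 startup items and O23 services appeared or disappeared between them.

```python
"""Diff two HijackThis logs: report the running processes and the
"Oxx - " entries (O4 startup items, O23 services, and so on) that
appeared or disappeared between the two scans.
Added example; not part of HijackThis and not from the thread.
"""
import re

# Any HijackThis item line: a letter, one or two digits, " - ".
ITEM_RE = re.compile(r"^([A-Z]\d{1,2}) - ")

# Constructed samples: trimmed excerpts modelled on the 9/6 and 9/9 logs
# posted in this thread.
BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:49 PM, on 9/6/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\gjgh.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:00:20 PM, on 9/9/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Trend Micro\HijackThis\gjgh.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""


def parse_hjt(text):
    """Return (processes, items) as sets.

    Process paths are lower-cased because HijackThis prints the same
    directory as System32 or system32 depending on who launched it.
    """
    processes, items = set(), set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            # A blank line ends the process list.
            in_processes = False
            continue
        if in_processes:
            processes.add(line.lower())
        elif ITEM_RE.match(line):
            items.add(line)
    return processes, items


def diff_logs(before, after):
    """Return what was added and removed between two HijackThis logs."""
    p0, i0 = parse_hjt(before)
    p1, i1 = parse_hjt(after)
    return {
        "new_processes": sorted(p1 - p0),
        "gone_processes": sorted(p0 - p1),
        "new_items": sorted(i1 - i0),
        "gone_items": sorted(i0 - i1),
    }


if __name__ == "__main__":
    for label, entries in diff_logs(BEFORE, AFTER).items():
        print(f"{label}:")
        for entry in entries:
            print("   ", entry)
```

On the samples the diff shows exactly what the thread's two logs show: the AVG Anti-Spyware guard process, its O4 run key and its O23 service are new, notepad.exe is no longer running, and nothing was removed from the startup or service lists. A helper reviewing a cleanup wants the "gone" lists to contain the malicious entries and the "new" lists to contain only the tools that were installed on purpose.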

#13 __RiP_ChAiN_

__RiP_ChAiN_

    Eh, whatever goes here.


  • Members
  • 1,592 posts
  • OFFLINE
  • Gender:Male
  • Location:Omaha, Nebraska U.S.A
  • Local time:06:29 AM

Posted 09 September 2007 - 09:31 PM

Hello thebeerinator,

Please delete the following folder:
C:\Qoobox

Congratulations, your computer is now clean of malware!

Let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
  • WinPatrol <= Download and install the free version of WinPatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
