Can't Install Any Antivirus Programs


  • This topic is locked
48 replies to this topic

#1 paperclip57

paperclip57

  • Members
  • 52 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:00 AM

Posted 20 March 2008 - 02:14 PM

Please help me.
I can't install any antivirus programs. I did have McAfee installed (Total Protection) with everything installed. It disappeared about 5 days ago. I have installed Spybot and ZoneAlarm firewall (free). I don't know what to do. McAfee can't help me; they say I need to reinstall Windows, but I don't want to do that.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:10 PM, on 3/20/2008
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3311)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Xdrive\Xdrive Desktop\XdriveService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Xdrive\Xdrive Desktop\XdriveTray.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [ZoneAlarmSB Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3
O4 - HKCU\..\Run: [XdriveTrayIcon] "C:\Program Files\Xdrive\Xdrive Desktop\XdriveTray.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Save to &Xdrive - res://C:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe/std.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - Unknown owner - C:\Program Files\McAfee\MSK\MskSrver.exe (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: System Restore Service (srservice) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Xdrive Service - Xdrive LLC - C:\Program Files\Xdrive\Xdrive Desktop\XdriveService.exe

--
End of file - 11000 bytes


#2 paperclip57

paperclip57
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:00 AM

Posted 20 March 2008 - 02:55 PM

Aim 6 no longer runs. Crashes on login.

#3 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:00 AM

Posted 22 March 2008 - 08:14 PM

Hi, welcome to Bleeping Computer Forums!

My name is Renato Mejias, and I will help you to solve your problems :thumbsup:.

You might want to save this page in your favorites, so you can find it again when you return.

Please take note of the following:
  • I will be handling your log and helping you; please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.

Renato Victor Mejias
Malware help in portuguese

#4 paperclip57

paperclip57
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:00 AM

Posted 22 March 2008 - 08:44 PM

Hi Renato Mejias,
I ran the ZoneAlarm 15-day trial with antivirus and got a few hits.

Not-a-virus.AdWare.Win32.Agent Aeh
C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe

Backdoor.Win32RAdmin.ag
C:\Program Files\Online Services\Vonage\xtras\regxtra121.x32

Trojan-Downloader.Win32.Agent.aeh
C:\Documents and Settings\My name\Local Settings\Application Data\Mozilla\Firefox\Profiles\Ozyboa0g.default\Cache\A8609E64d01

ZoneAlarm antivirus deleted these and uploaded them to Zone Labs before I could do anything.
I still have damage to my computer. :thumbsup:

Edited by paperclip57, 23 March 2008 - 12:08 PM.


#5 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:00 AM

Posted 26 March 2008 - 06:45 AM

Hi :thumbsup:, sorry for the delay.

It is advisable to install the Recovery Console before beginning these procedures. To learn how to install it, please read this article:

http://www.bleepingcomputer.com/forums/t/76702/how-to-install-and-use-the-windows-xp-recovery-console/

Some security programs with active monitoring processes are known to interfere with automatic scanners and can actually prevent HJT fixes from taking effect.

Please turn off or disable Spybot-S&D for the duration of your malware cleanup. It may be the case that this program will automatically restart upon reboot; it will be necessary to repeat these disabling steps as required. Once we have successfully removed all of the malware in your system, it is important that you re-enable it once again to prevent future reinfection.
  • Run Spybot-S&D in Advanced Mode.
  • If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
  • On the left-hand side, click on Tools.
  • Then click on the Resident icon in the list.
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer.
Next

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Renato Victor Mejias
Malware help in portuguese

#6 paperclip57

paperclip57
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:00 AM

Posted 26 March 2008 - 04:26 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:23:16 PM, on 3/26/2008
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3311)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Xdrive\Xdrive Desktop\XdriveService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Xdrive\Xdrive Desktop\XdriveTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [XdriveTrayIcon] "C:\Program Files\Xdrive\Xdrive Desktop\XdriveTray.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O4 - Global Startup: Windows Desktop Search.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Save to &Xdrive - res://C:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe/std.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - Unknown owner - C:\Program Files\McAfee\MSK\MskSrver.exe (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: System Restore Service (srservice) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Xdrive Service - Xdrive LLC - C:\Program Files\Xdrive\Xdrive Desktop\XdriveService.exe

--
End of file - 10486 bytes

#7 paperclip57

paperclip57
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:00 AM

Posted 26 March 2008 - 04:41 PM

ComboFix 08-03-25.4 - Trent Reeves 2008-03-26 17:29:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.589 [GMT -4:00]
Running from: C:\Documents and Settings\Trent Reeves\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-24 13:32 . 2008-03-24 13:32 <DIR> d----c--- C:\Documents and Settings\Trent Reeves\AbiSuite
2008-03-23 20:08 . 2008-03-23 20:09 488 --a--c--- C:\hpfr3420.xml
2008-03-23 20:06 . 2008-03-23 20:06 <DIR> d----c--- C:\Program Files\Common Files\Hewlett-Packard
2008-03-23 20:04 . 2008-03-23 20:04 <DIR> d-------- C:\TEMP\HP All-in-One Series Web Release
2008-03-23 19:53 . 2008-02-11 17:03 25,856 --a--c--- C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-23 19:53 . 2008-02-11 17:03 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-23 19:51 . 2008-02-11 16:49 32,128 --a--c--- C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-23 19:51 . 2008-02-11 16:49 32,128 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-23 09:40 . 2008-03-23 09:40 <DIR> d----c--- C:\Program Files\SonicWallES
2008-03-22 12:46 . 2008-03-26 16:17 0 --a--c--- C:\rollback.ini
2008-03-22 12:41 . 2008-03-26 16:01 <DIR> d----c--- C:\Documents and Settings\Trent Reeves\Application Data\MailFrontier
2008-03-22 10:50 . 2008-03-22 10:50 <DIR> d----c--- C:\Documents and Settings\Trent Reeves\Application Data\Windows Desktop Search
2008-03-21 20:29 . 2008-03-22 08:55 <DIR> d----c--- C:\Program Files\a-squared Anti-Malware
2008-03-21 18:36 . 2008-03-26 17:36 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2008-03-21 18:36 . 2008-03-21 18:36 1,409 --a--c--- C:\WINDOWS\QTFont.for
2008-03-21 15:37 . 2008-03-21 15:37 <DIR> d----c--- C:\Program Files\BillP Studios
2008-03-21 15:37 . 2008-03-21 15:37 <DIR> d----c--- C:\Documents and Settings\Trent Reeves\Application Data\WinPatrol
2008-03-19 20:14 . 2008-03-19 20:14 2,335,270 --a--c--- C:\WINDOWS\system32\25d232D.mht
2008-03-19 20:14 . 2008-03-19 20:14 54,624 --a--c--- C:\WINDOWS\system32\61d232E.sys
2008-03-19 17:04 . 2008-03-21 23:11 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-19 17:00 . 2008-03-19 17:00 <DIR> d----c--- C:\Program Files\Trend Micro
2008-03-18 19:05 . 2008-03-18 19:11 <DIR> d----c--- C:\Wormguard
2008-03-18 18:57 . 2008-03-18 19:09 87,076 --a--c--- C:\WINDOWS\system32\pguard.dat
2008-03-18 18:57 . 2008-03-18 19:08 42,020 --a--c--- C:\WINDOWS\system32\pghash.dat
2008-03-18 18:56 . 2008-03-26 17:36 553,760 --ahsc--- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-18 18:56 . 2008-03-26 17:34 8,468 --ahsc--- C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-18 18:54 . 2008-03-18 19:29 <DIR> d----c--- C:\Program Files\ProcessGuard
2008-03-18 16:47 . 2008-03-25 19:41 <DIR> d----c--- C:\Program Files\AIM6
2008-03-18 15:50 . 2008-03-18 15:50 <DIR> d----c--- C:\Program Files\Zone Labs
2008-03-18 15:50 . 2008-03-22 19:28 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-03-18 15:49 . 2008-03-26 17:26 <DIR> d----c--- C:\WINDOWS\Internet Logs
2008-03-18 15:49 . 2008-03-26 17:36 355,091 --a--c--- C:\WINDOWS\system32\vsconfig.xml
2008-03-17 20:26 . 2008-03-23 20:40 <DIR> d----c--- C:\Program Files\Spybot - Search & Destroy
2008-03-17 20:26 . 2008-03-23 20:42 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-17 15:37 . 2008-03-21 18:29 <DIR> d----c--- C:\AV-CLS
2008-03-17 15:37 . 2008-03-16 19:06 2,577 --a--c--- C:\WINDOWS\system32\config.bak
2008-03-17 15:37 . 2004-08-05 00:00 1,688 --a--c--- C:\WINDOWS\system32\autoexec.bak
2008-03-15 09:57 . 2008-03-15 10:00 27,735 --a--c--- C:\WINDOWS\system32\Config.MPF
2008-03-15 09:56 . 2008-03-15 09:56 <DIR> d----c--- C:\Documents and Settings\Trent Reeves\Application Data\SiteAdvisor
2008-03-15 09:56 . 2008-03-15 09:56 <DIR> d----c--- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-03-15 09:53 . 2007-07-21 09:08 201,288 --a--c--- C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-15 09:53 . 2007-07-13 09:20 113,952 --a--c--- C:\WINDOWS\system32\drivers\Mpfp.sys
2008-03-15 09:53 . 2007-07-24 07:40 79,304 --a--c--- C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-15 09:53 . 2007-07-21 09:08 40,488 --a--c--- C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-03-15 09:53 . 2007-07-21 09:08 35,240 --a--c--- C:\WINDOWS\system32\drivers\mfebopk.sys
2008-03-15 09:53 . 2007-07-24 12:02 33,800 --a--c--- C:\WINDOWS\system32\drivers\mferkdk.sys
2008-03-15 09:37 . 2008-03-15 09:37 492 --a--c--- C:\WINDOWS\WinInit.Ini
2008-03-15 09:25 . 2008-03-15 09:25 <DIR> d----c--- C:\Program Files\FRISK Software
2008-03-15 09:25 . 2008-03-15 09:36 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\FRISK Software
2008-03-15 09:21 . 2008-03-15 09:21 <DIR> d----c--- C:\Documents and Settings\Trent Reeves\Application Data\Talkback
2008-03-06 19:51 . 2006-08-31 03:47 25,856 --a--c--- C:\WINDOWS\system32\drivers\tap0801co.sys
2008-03-02 19:17 . 2008-03-02 19:17 595 --a--c--- C:\WINDOWS\eReg.dat
2008-03-02 19:12 . 2008-03-02 19:12 <DIR> d----c--- C:\Program Files\Maxis
2008-03-01 11:14 . 2008-03-01 11:14 <DIR> d----c--- C:\Documents and Settings\Trent Reeves\Application Data\Blackboard
2008-03-01 11:14 . 2008-03-01 11:14 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Agilix
2008-03-01 11:14 . 2007-01-31 14:02 167,936 -ra--c--- C:\WINDOWS\system32\GBInf.dll
2008-03-01 04:16 . 2008-03-01 04:16 <DIR> d----c--- C:\Documents and Settings\Trent Reeves\Application Data\DivX
2008-03-01 01:40 . 2008-03-01 01:42 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-01 00:00 . 2008-03-01 00:14 <DIR> d----c--- C:\Program Files\Macromedia
2008-03-01 00:00 . 2008-03-01 00:06 <DIR> d----c--- C:\Program Files\Common Files\Macromedia
2008-02-29 22:26 . 2008-03-17 21:00 <DIR> d----c--- C:\Documents and Settings\Trent Reeves\Application Data\DNA
2008-02-28 21:10 . 2007-05-17 12:55 61,440 --a--c--- C:\WINDOWS\system32\Vista.Emulation.dll
2008-02-28 20:52 . 2008-02-28 21:18 <DIR> d----c--- C:\Program Files\Microsoft games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 21:37 --------- dc----w C:\Documents and Settings\Trent Reeves\Application Data\Orbit
2008-03-26 21:37 --------- dc----w C:\Documents and Settings\Trent Reeves\Application Data\OpenOffice.org2
2008-03-26 00:00 --------- dc----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-03-25 23:41 --------- dc----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-24 00:05 --------- dc----w C:\Program Files\Hewlett-Packard
2008-03-22 20:20 --------- dc----w C:\Program Files\Starcraft
2008-03-22 14:49 --------- dc----w C:\Program Files\Windows Desktop Search
2008-03-18 22:56 --------- dc----w C:\Program Files\Common Files\Blizzard Entertainment
2008-03-18 19:54 --------- dc----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-16 22:27 --------- dc----w C:\Program Files\music_now
2008-03-16 16:07 --------- dc----w C:\Program Files\SiteAdvisor
2008-03-16 15:47 --------- dc----w C:\Program Files\Common Files\McAfee
2008-03-16 15:47 --------- dc----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-14 03:11 75,248 -c--a-w C:\WINDOWS\zllsputility.exe
2008-03-05 23:18 --------- dc----w C:\Program Files\Quickensetup
2008-03-05 23:17 --------- dc----w C:\Program Files\Quicken
2008-03-02 15:52 --------- dc----w C:\Program Files\Orbitdownloader
2008-03-01 16:21 --------- dc----w C:\Documents and Settings\Trent Reeves\Application Data\BitTorrent
2008-03-01 06:29 --------- dc----w C:\Program Files\Warcraft III
2008-02-26 00:30 --------- dc----w C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-02-25 00:10 --------- dc----w C:\Documents and Settings\Trent Reeves\Application Data\McAfee
2008-02-24 22:23 --------- dc----w C:\Documents and Settings\Trent Reeves\Application Data\Xdrive
2008-02-24 22:17 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-02-24 22:17 --------- dc----w C:\Program Files\Xdrive
2008-02-23 01:32 --------- dc----w C:\Program Files\Common Files\INCA Shared
2008-02-21 20:01 --------- dc----w C:\Program Files\iTunes
2008-02-20 22:19 --------- dc----w C:\Program Files\FLVPlayer
2008-02-18 14:57 --------- dc----w C:\Program Files\DivX
2008-02-16 16:00 --------- dc----w C:\Documents and Settings\Trent Reeves\Application Data\MSNInstaller
2008-02-15 23:05 --------- dc----w C:\Program Files\Common Files\Download Manager
2008-02-14 22:15 --------- dc----w C:\Program Files\Microsoft.NET
2008-02-13 16:49 --------- dc----w C:\Program Files\Common Files\AOL
2008-02-13 15:36 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-12 09:30 40,840 -c--a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-02-12 09:30 21,896 -c--a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-02-12 09:30 139,656 -c--a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-02-12 09:30 12,040 -c--a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-02-12 09:29 69,120 -c--a-w C:\WINDOWS\notepad.exe
2008-02-12 09:29 50,688 -c--a-w C:\WINDOWS\twain_32.dll
2008-02-12 09:29 34,816 -c--a-w C:\WINDOWS\Help\sniffpol.dll
2008-02-12 09:29 33,280 -c--a-w C:\WINDOWS\Help\sstub.dll
2008-02-12 09:29 32,866 -c----w C:\WINDOWS\slrundll.exe
2008-02-12 09:29 3,901 -c----w C:\WINDOWS\system32\drivers\siint5.dll
2008-02-12 09:29 283,648 -c--a-w C:\WINDOWS\winhlp32.exe
2008-02-12 09:29 279,040 -c--a-w C:\WINDOWS\Help\tshoot.dll
2008-02-12 09:29 146,432 -c--a-w C:\WINDOWS\regedit.exe
2008-02-12 09:29 11,325 -c----w C:\WINDOWS\system32\drivers\vchnt5.dll
2008-02-12 09:29 10,752 -c--a-w C:\WINDOWS\hh.exe
2008-02-12 09:29 1,033,728 -c--a-w C:\WINDOWS\explorer.exe
2008-02-12 04:51 162,816 -c--a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-02-12 04:50 91,520 -c--a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-02-12 04:50 48,384 -c--a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-02-12 04:50 361,344 -c--a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-02-12 04:50 182,656 -c--a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-02-12 04:49 75,264 -c--a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-02-12 04:49 51,328 -c--a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-02-12 04:49 138,112 -c--a-w C:\WINDOWS\system32\drivers\afd.sys
2008-02-12 02:29 --------- dc----w C:\Documents and Settings\All Users\Application Data\Renaissance Learning
2008-02-11 22:34 175,744 -c--a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-02-11 22:26 146,048 -c--a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-02-11 22:24 52,480 -c--a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-02-11 22:23 83,072 -c--a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-02-11 22:23 456,576 -c--a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-02-11 22:23 141,056 -c--a-w C:\WINDOWS\system32\drivers\ks.sys
2008-02-11 22:23 105,344 -c--a-w C:\WINDOWS\system32\drivers\mup.sys
2008-02-11 22:22 64,512 -c--a-w C:\WINDOWS\system32\drivers\serial.sys
2008-02-11 22:22 60,800 -c--a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-02-11 22:22 574,976 -c--a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-02-11 22:22 49,536 -c--a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-02-11 22:21 334,848 -c--a-w C:\WINDOWS\system32\drivers\srv.sys
2008-02-11 22:20 63,744 -c--a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-02-11 22:20 143,744 -c--a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-02-11 21:51 30,080 -c--a-w C:\WINDOWS\system32\drivers\modem.sys
2008-02-11 21:51 225,664 -c--a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-02-11 21:51 19,072 -c--a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-02-11 21:50 61,696 -c--a-w C:\WINDOWS\system32\drivers\ohci1394.sys
2008-02-11 21:50 59,136 -c----w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-02-11 21:50 53,376 -c--a-w C:\WINDOWS\system32\drivers\1394bus.sys
2008-02-11 21:50 37,888 -c----w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-02-11 21:50 36,480 -c----w C:\WINDOWS\system32\drivers\bthprint.sys
2008-02-11 21:50 273,024 -c----w C:\WINDOWS\system32\drivers\bthport.sys
2008-02-11 21:50 25,600 -c----w C:\WINDOWS\system32\drivers\hidbth.sys
2008-02-11 21:50 25,344 -c--a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-02-11 21:50 18,944 -c----w C:\WINDOWS\system32\drivers\bthusb.sys
2008-02-11 21:50 17,024 -c----w C:\WINDOWS\system32\drivers\bthenum.sys
2008-02-11 21:50 121,984 -c----w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-02-11 21:49 59,520 -c--a-w C:\WINDOWS\system32\drivers\usbhub.sys
2008-02-11 21:49 36,864 -c--a-w C:\WINDOWS\system32\drivers\hidclass.sys
2008-02-11 21:49 30,208 -c--a-w C:\WINDOWS\system32\drivers\usbehci.sys
2008-02-11 21:49 25,728 -c--a-w C:\WINDOWS\system32\drivers\usbcamd2.sys
2008-02-11 21:49 25,600 -c--a-w C:\WINDOWS\system32\drivers\usbcamd.sys
2008-02-11 21:49 24,960 -c--a-w C:\WINDOWS\system32\drivers\hidparse.sys
2008-02-11 21:49 20,608 -c--a-w C:\WINDOWS\system32\drivers\usbuhci.sys
2008-02-11 21:49 19,200 -c----w C:\WINDOWS\system32\drivers\hidir.sys
2008-02-11 21:49 15,872 -c--a-w C:\WINDOWS\system32\drivers\usbintel.sys
2008-02-11 21:49 143,872 -c--a-w C:\WINDOWS\system32\drivers\usbport.sys
2008-02-11 21:49 10,368 -c--a-w C:\WINDOWS\system32\drivers\hidusb.sys
2008-02-11 21:47 69,120 -c--a-w C:\WINDOWS\system32\drivers\psched.sys
2008-02-11 21:47 35,072 -c--a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-02-11 21:47 30,592 -c--a-w C:\WINDOWS\system32\drivers\rndismp.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\xdrive.LinkedFolder]
@={5D64CBA3-BDEC-427C-8A7F-8CB7C9EA7C74}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\xdrive.LinkedSharedFolder]
@={7C541B8D-BD5A-4687-9010-50E2B5D4A8E4}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\xdrive.SharedFolder]
@={39C2972F-3338-471B-8D67-FA82E46E3AC2}

[HKEY_CLASSES_ROOT\CLSID\{5D64CBA3-BDEC-427C-8A7F-8CB7C9EA7C74}]
2008-02-27 20:18 77824 --a--c--- C:\Program Files\Xdrive\Xdrive Desktop\Overlay.dll

[HKEY_CLASSES_ROOT\CLSID\{7C541B8D-BD5A-4687-9010-50E2B5D4A8E4}]
2008-02-27 20:18 77824 --a--c--- C:\Program Files\Xdrive\Xdrive Desktop\Overlay.dll

[HKEY_CLASSES_ROOT\CLSID\{39C2972F-3338-471B-8D67-FA82E46E3AC2}]
2008-02-27 20:18 77824 --a--c--- C:\Program Files\Xdrive\Xdrive Desktop\Overlay.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XdriveTrayIcon"="C:\Program Files\Xdrive\Xdrive Desktop\XdriveTray.exe" [2008-02-27 20:21 253952]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-02-12 05:29 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 06:29 102400]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 06:27 1015808]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 17:57 36640]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 14:23 1187840]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-06-23 18:43 102400]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 19:21 135168]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 20:30 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [ ]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 15:17 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 15:17 118784]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 03:11 49152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 18:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 14:50 40960]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk.disabled [2008-01-20 17:33:49 1703]

C:\Documents and Settings\Trent Reeves\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-01-20 20:01:27 557568]
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Orbit.lnk - C:\Program Files\Orbitdownloader\orbitdm.exe [2008-02-18 19:11:59 1674440]
Windows Desktop Search.lnk.disabled [2008-03-22 10:49:49 1787]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\AV-CLS\\WGET.EXE"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 14:53]
S2 AsUsbDrvXp;AsUsbDrvXp;C:\WINDOWS\system32\DRIVERS\AsUsbDrvXP.sys [2006-04-13 10:03]
S2 Ramdisk;Ramdisk [ QSoft ] Basic;C:\WINDOWS\system32\DRIVERS\RAMDisk.sys [2008-02-11 17:44]
S3 61d232E;61d232E;C:\WINDOWS\system32\61d232E.sys [2008-03-19 20:14]
S3 tap0801co;TAP-Win32 Adapter V8 (coLinux);C:\WINDOWS\system32\DRIVERS\tap0801co.sys [2006-08-31 03:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f6dca82-d5e0-11dc-914b-0014a5f0398f}]
\Shell\AutoRun\command - F:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f6dca8a-d5e0-11dc-914b-0014a5f0398f}]
\Shell\AutoRun\command - F:\autoplay.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-19 15:50:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-15 13:53:30 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-03-15 13:53:29 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 17:37:00
Windows 5.1.2600 Service Pack 3, v.3311 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????\??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Xdrive\Xdrive Desktop\XdriveService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-26 17:39:43 - machine was rebooted [Trent Reeves]
ComboFix-quarantined-files.txt 2008-03-26 21:39:38
.
2008-03-13 13:10:50 --- E O F ---

#8 paperclip57 (Topic Starter, Members, 52 posts)

Posted 26 March 2008 - 05:02 PM

Renato Mejias,
AIM now runs.
Windows Update is online and running (should I update?).
Windows System Restore is running and active (should I disable this?).

I guess this is a good start. Thanks.

#9 RenatoMejias (Malware Response Team, 913 posts)

Posted 29 March 2008 - 11:16 AM

Hi :thumbsup:.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\WINDOWS\system32\25d232D.mht
C:\WINDOWS\system32\61d232E.sys


Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
Renato Victor Mejias
Malware help in Portuguese

#10 paperclip57 (Topic Starter, Members, 52 posts)

Posted 30 March 2008 - 09:52 AM

File: 25d232d.mht
Status: OK
MD5: 00e7d2d63341b809bbbc01006e78e059
Packers detected: -
Bit9 reports: File not found
Scanner results (scan taken on 30 Mar 2008 14:49:37 (GMT)):
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

File: 61d232e.sys
Status: OK
MD5: 4aee6656d369812c8b972fbc08b1cc0f
Packers detected: -
Bit9 reports: Not analyzed yet (more info)
Scanner results (scan taken on 30 Mar 2008 14:52:44 (GMT)):
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

Edited by paperclip57, 30 March 2008 - 09:54 AM.


#11 paperclip57 (Topic Starter, Members, 52 posts)

Posted 30 March 2008 - 11:59 AM

ZoneAlarm anti-spyware found:
P2P-Worm.Win32.Logpole.c
It won't tell me where it's at, but it's quarantined it.

#12 RenatoMejias (Malware Response Team, 913 posts)

Posted 03 April 2008 - 10:04 PM

Hi :thumbsup:

I recommend that you uninstall McAfee because it is broken; you can find instructions here:

http://service.mcafee.com/FAQDocument.aspx...083&lc=1033

Next,

Copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

regedit /a c:\srservice.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srservice
notepad c:\srservice.txt


In the end Notepad will open with some text. Please post that here.

Question:

Can you tell me what is the drive F:\ on your computer?
Renato Victor Mejias
Malware help in Portuguese

#13 paperclip57 (Topic Starter, Members, 52 posts)

Posted 04 April 2008 - 12:29 PM

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srservice]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,53,79,73,74,65,6d,52,6f,6f,74,5c,43,3a,5c,57,49,4e,44,4f,\
57,53,5c,73,79,73,74,65,6d,33,32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,\
6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="System Restore Service"
"DependOnService"=hex(7):52,70,63,53,73,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties"
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,54,00,52,\
00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srservice\Parameters]
"ServiceDll"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,\
5c,73,72,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srservice\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srservice\Enum]
"0"="Root\\LEGACY_SRSERVICE\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001




Drive F: is either MagicDisc or a flash drive.
MagicDisc doesn't work with games, but works with Encarta and other programs that need the disc.

Also, do you want me to try to reinstall McAfee?

Edited by paperclip57, 04 April 2008 - 12:31 PM.


#14 RenatoMejias (Malware Response Team, 913 posts)

Posted 06 April 2008 - 09:47 PM

Hi :thumbsup:

Also, do you want me to try to reinstall McAfee?

I said to you to uninstall McAfee; if you wish to reinstall, do it after we clear the computer :blink:.

Please download Suspicious File Packer from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines:

C:\WINDOWS\system32\25d232D.mht
C:\WINDOWS\system32\61d232E.sys

and paste them into the box in SFP, then click "Continue".

It will copy the files and zip them up into a .cab file on your desktop, called something like "Requested files [time/date].cab".

Please upload the cab file to this site:

http://www.bleepingcomputer.com/submit-mal....php?channel=20

Please copy/paste the URL from this thread in the space provided so I can ID the upload.

Thanks :wacko:.

We need to back up the registry before we continue.
Registry edits can be potentially dangerous; we can revert to the backup if needed.
Go to Start > Run, type regedit and click OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to File > Export.
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click Save and then go to File > Exit.
Follow these instructions:

Copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixReg.reg. Please save it on your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srservice]
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00

Double click FixReg.reg and click "Ok".

Next,

Disable and enable System Restore. You can find instructions on how to enable and re-enable System Restore here:

Windows XP System Restore Guide

Re-enable System Restore with the instructions from the tutorial above.

Please, post a new Hijackthis log.
Renato Victor Mejias
Malware help in Portuguese
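As an added example (not a tool from this thread, from Renato, or from BleepingComputer), the following Python decodes the REGEDIT4 export of the srservice key posted in #13, flags why its ImagePath cannot be resolved by the Service Control Manager, and generates the hex(2) line that the FixReg.reg in #14 writes back. The embedded export is the thread's own output trimmed to the entries the script uses; the expected ImagePath is the value the fix restores.

```python
"""Decode a REGEDIT4 (.reg) export and check the srservice ImagePath."""
import re

# The srservice export from post #13, trimmed to the entries used here.
# REGEDIT4 encodes REG_EXPAND_SZ as hex(2): comma-separated ANSI bytes,
# NUL-terminated, with a trailing backslash continuing the value on the next line.
SRSERVICE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srservice]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"=hex(2):5c,53,79,73,74,65,6d,52,6f,6f,74,5c,43,3a,5c,57,49,4e,44,4f,\
  57,53,5c,73,79,73,74,65,6d,33,32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,\
  6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="System Restore Service"
"DependOnService"=hex(7):52,70,63,53,73,00,00
"ObjectName"="LocalSystem"
'''

# The ImagePath the fix in post #14 restores (the stock XP value for srservice).
EXPECTED_IMAGEPATH = r"%SystemRoot%\system32\svchost.exe -k netsvcs"


def decode_value(raw):
    """Decode one REGEDIT4 right-hand side (dword:, hex:, hex(n):, or "string")."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        kind = int(m.group(1) or 3)  # bare 'hex:' is REG_BINARY (type 3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind in (1, 2):  # REG_SZ / REG_EXPAND_SZ are ANSI in REGEDIT4
            return data.rstrip(b"\x00").decode("latin-1")
        if kind == 7:  # REG_MULTI_SZ: NUL-separated, double-NUL terminated
            return [s.decode("latin-1") for s in data.rstrip(b"\x00").split(b"\x00")]
        return data
    # Quoted string: regedit escapes backslashes and quotes with a backslash.
    return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')


def parse_regedit4(text):
    """Return {key_path: {value_name: decoded_value}} for a REGEDIT4 export."""
    # A line ending in ',\' means the hex value continues on the next line.
    joined = re.sub(r",\\\r?\n\s*", ",", text)
    result, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
            continue
        name, _, raw = line.partition("=")
        result[current][name.strip('"')] = decode_value(raw)
    return result


def imagepath_problem(path):
    """Return a reason the ImagePath is malformed, or None if it looks sane.

    The thread's value nests an absolute drive path under a kernel-style
    \SystemRoot prefix, so the SCM cannot open the binary and srservice
    never starts; that is why System Restore appeared broken.
    """
    if re.search(r"\\SystemRoot\\[A-Za-z]:\\", path, re.IGNORECASE):
        return "drive-letter path nested under a \\SystemRoot\\ prefix"
    if not re.match(r"^(%SystemRoot%|[A-Za-z]:|\\SystemRoot|\\\?\?)\\", path, re.IGNORECASE):
        return "does not start with %SystemRoot%, a drive letter, or \\SystemRoot"
    return None


def to_hex2(value):
    """Encode a string as a REGEDIT4 hex(2) (REG_EXPAND_SZ) right-hand side."""
    data = value.encode("latin-1") + b"\x00"
    return "hex(2):" + ",".join(f"{b:02x}" for b in data)


def build_fix_reg(key, expected=EXPECTED_IMAGEPATH):
    """Produce the REGEDIT4 fragment that resets ImagePath under `key`."""
    return f'REGEDIT4\n\n[{key}]\n"ImagePath"={to_hex2(expected)}\n'


if __name__ == "__main__":
    key = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srservice"
    current = parse_regedit4(SRSERVICE_EXPORT)[key]["ImagePath"]
    print("current ImagePath :", current)
    print("problem           :", imagepath_problem(current))
    print(build_fix_reg(key))
```

Run against the export exactly as posted in #13 (including the FailureActions and Security blobs) the parser decodes those as raw bytes and leaves the check unchanged.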

#15 paperclip57 (Topic Starter, Members, 52 posts)

Posted 07 April 2008 - 03:45 PM

Hi again :thumbsup:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:42 PM, on 4/7/2008
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3311)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Xdrive\Xdrive Desktop\XdriveService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Xdrive\Xdrive Desktop\XdriveTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKCU\..\Run: [XdriveTrayIcon] "C:\Program Files\Xdrive\Xdrive Desktop\XdriveTray.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O4 - Global Startup: Windows Desktop Search.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Save to &Xdrive - res://C:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe/std.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Xdrive Service - Xdrive LLC - C:\Program Files\Xdrive\Xdrive Desktop\XdriveService.exe

--
End of file - 9600 bytes


I uploaded the files that you requested.
I also disabled and re-enabled Windows System Restore.



