
Spyshredder...for Starters


  • This topic is locked
14 replies to this topic

#1 surdidymus


Posted 01 April 2008 - 01:46 PM

Hello,

About 2 weeks ago I ended up with spyshredder on my computer. I have no idea how exactly I got it, but it's having lasting effects on my computer.

I tried the uninstall from add/remove programs. I also have scanned using McAfee, Spybot S&D, Rogue Remover, SpyHunter (I think it was called)... basically every suggestion that I read on other people having the issue.

I am not seeing the spyshredder warning or scan anymore, but my task bar keeps changing without me changing it. My desktop is still fine, but my computer is running SUPER SLOW and I keep getting popups about anti-spyware ads. My internet clicks are also being hijacked. If I do a yahoo search of something and then click on the search results sometimes it takes me to a random site about spyware. I also tried the SmitFraud Program, but that froze up and I wasn't able to run it completely.

My computer seems to be restarting itself too and I can't seem to boot up in Safe Mode to save my life. My computer doesn't beep.

Here is my HJT report from today. Any help is appreciated.

Thanks!
Tiffany

EDIT TO ADD: I also keep getting messages that my computer needs to be updated (like the windows message)... I just updated Friday and received 58 updates... and when I logged on this morning it said my computer was in need of updates. I don't know if this is related in any way to anything, but wanted to throw it out there.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:35:01 PM, on 04/01/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {370A0EFC-2732-4DB5-86B1-F199A71AC0C7} - c:\windows\system32\dsound3dl.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {8269346C-27CA-4778-9DAE-FAAAE5F7DE9F} - C:\WINDOWS\System32\ds16gtl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\Spamihilator.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q C:\DOCUME~1\tdluhy\LOCALS~1\Temp\TEMPOR~1\Content.IE5\YHL6J69S.SH! C:\DOCUME~1\tdluhy\LOCALS~1\Temp\TEMPOR~1\Content.IE5\WHA70XEF.SH! C:\DOCUME~1\tdluhy\LOCALS~1\Temp\TEMPOR~1\Content.IE5\SL0R07OV.SH! C:\DOCUME~1\tdluhy\LOCALS~1\Temp\TEMPOR~1\Content.IE5\RBD7BLGW.SH! C:\DOCUME~1\tdluhy\LOCALS~1\Temp\TEMPOR~1\Content.IE5\N3XNVT4O.SH! C:\DOCUME~1\tdluhy\LOCALS~1\Temp\TEMPOR~1\Content.IE5\MS9DJNBV.SH! C:\DOCUME~1\tdluhy\LOCALS~1\Temp\TEMPOR~1\Content.IE5\JEORJX4D.SH! C:\DOCUME~1\tdluhy\LOCALS~1\Temp\TEMPOR~1\Content.IE5\ITRWLSVM.SH! C:\DOCUME~1\tdluhy\LOCALS~1\Temp\TEMPOR~1\Content.IE5\ERXOO2QT.SH! C:\DOCUME~1\tdluhy\LOCALS~1\Temp\TEMPOR~1\Content.IE5\D76IJS7B.SH! C:\DOCUME~1\tdluhy\LOCALS~1\Temp\TEMPOR~1\Content.IE5\D0J6735J.SH! C:\DOCUME~1\tdluhy\LOCALS~1\Temp\TEMPOR~1\Content.IE5\A54BILE5.SH! C:\DOCUME~1\tdluhy\LOCALS~1\Temp\TEMPOR~1\Content.IE5\8NFVM85H.SH! C:\DOCUME~1\tdluhy\LOCALS~1\Temp\TEMPOR~1\Content.IE5\7SL9FCGW.SH! C:\DOCUME~1\td
O4 - HKUS\S-1-5-21-2052111302-1606980848-1801674531-1108\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/04b1ad1235bd69...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205955522000
O16 - DPF: {9BDA8A29-24F7-4F95-8C38-2DC79DD99C5F} - http://157.238.134.97/events/bin/media/3.0...7203/MILive.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bbalawfirm.com
O17 - HKLM\Software\..\Telephony: DomainName = bbalawfirm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bbalawfirm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bbalawfirm.com
O20 - Winlogon Notify: kkuhkmxy - C:\WINDOWS\SYSTEM32\dsound3dl.dll
O23 - Service: McAfee Application Installer Cleanup (0015831206863144) (0015831206863144mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\001583~1.EXE
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

--
End of file - 10300 bytes

Edited by surdidymus, 01 April 2008 - 01:48 PM.



#2 Rawe


Posted 02 April 2008 - 05:57 AM

Hello and welcome to BleepingComputer. :thumbsup:

Please follow the instructions for running ComboFix here. Post back with the log once finished.
Hi there, stranger!

#3 surdidymus


Posted 02 April 2008 - 11:57 AM

I followed the directions exactly as said and I had some different things happen with Combofix... The disclaimer was a pop up box and after I clicked ok to that another pop up box came up with a question mark saying "1/100 computers don't make it through...are you sure you want to continue?"

Between the "Combofix has changed your clock, it shall be restored later" and the Completed stages I had "Deleting "C:Windows\system32\drivers\fad.sys"

There were more than 41 stages. After the last stage it said that Combofix was restarting my computer and it logged it off of windows and I got a blue screen with the error message saying there was a fatal error 0xc0000005 (0x00000000 0x00000000). I had to press and hold the power button to shut it off. I then waited about 15 seconds and started it back up, waited, logged into windows and it came back up with the "Preparing Log Report". I will note that when my computer started I had the little balloon in the bottom right corner saying "Updates are ready for your computer. Click here to install these updates."

So here is the log that it gave me. I have noticed that my internet is not taking forever to come up, so it looks like something worked. :thumbsup: We'll see what you get from the log. Thanks for your help.

PS: I noticed that the beginning of the log says that my machine doesn't have the recovery console installed... wasn't that the file I downloaded from windows and then dragged and dropped into Combofix? I did that with no problems so I'm not sure if it's normal for it to say that or if something else happened along the way. AND, I don't know if Combofix has been updated so all the things that happened to me are normal, but I wanted to make sure you got a complete account of the process in case any of it means anything.

EDIT TO ADD: My clock was not changed back. It is now showing military time and a mm/dd/yy format when I hover over.

*******************************************


ComboFix 08-04-01.2 - tdluhy 2008-04-02 12:30:01.1 - NTFSx86
Running from: C:\Documents and Settings\tdluhy\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\appcert
C:\WINDOWS\system32\drivers\cxnumoam.dat
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\ds16gtl.dll
C:\WINDOWS\system32\dsound3dl.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_PWCAGDYA
-------\Legacy_SFKORJJD
-------\Service_Iprip
-------\Service_pwcagdya
-------\Service_sfkorjjd


((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.

2008-04-01 14:33 . 2008-04-01 14:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-28 15:49 . 2003-02-28 18:26 171,280 --a------ C:\WINDOWS\system32\jit.dll
2008-03-28 15:49 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-03-28 15:49 . 2003-02-28 18:26 46,352 --a------ C:\WINDOWS\setdebug.exe
2008-03-28 15:49 . 2003-02-28 16:54 7,315 --a------ C:\WINDOWS\system32\javasup.vxd
2008-03-28 15:49 . 2003-02-28 16:35 6,550 --a------ C:\WINDOWS\jautoexp.dat
2008-03-28 15:48 . 2003-02-28 16:34 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2008-03-28 15:48 . 2003-02-28 18:26 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2008-03-28 15:48 . 2003-02-28 18:26 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2008-03-28 15:48 . 2003-02-28 18:26 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2008-03-28 15:48 . 2003-02-28 16:38 113 --a------ C:\WINDOWS\system32\zonedon.reg
2008-03-28 15:48 . 2003-02-28 16:38 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2008-03-28 15:47 . 2003-02-28 18:26 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2008-03-28 15:47 . 2003-02-28 18:26 404,752 --a------ C:\WINDOWS\system32\javart.dll
2008-03-28 15:47 . 2003-02-28 18:26 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2008-03-28 15:47 . 2003-02-28 18:26 172,304 --a------ C:\WINDOWS\system32\jview.exe
2008-03-28 15:47 . 2003-02-28 18:26 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2008-03-28 15:47 . 2003-02-28 18:26 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2008-03-28 15:47 . 2003-02-28 18:26 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2008-03-28 15:47 . 2003-02-28 18:26 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2008-03-26 16:38 . 2008-03-26 16:47 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-03-25 13:53 . 2008-03-25 13:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-24 15:14 . 2005-10-20 17:33 991,232 --a------ C:\WINDOWS\system32\esent.dll
2008-03-19 14:52 . 2004-07-01 17:08 361,984 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-03-19 14:52 . 2004-07-01 17:08 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2008-03-19 14:52 . 2004-07-01 17:08 331,776 --a--c--- C:\WINDOWS\system32\dllcache\winhttp.dll
2008-03-19 14:52 . 2004-07-01 17:08 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-03-19 14:52 . 2004-07-01 17:08 17,408 --a--c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-03-19 14:52 . 2004-07-01 17:08 7,680 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-03-19 14:52 . 2004-07-01 17:08 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-03-19 14:39 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-17 16:41 . 2008-04-02 12:41 9,859 --a------ C:\WINDOWS\system32\Config.MPF
2008-03-17 16:40 . 2008-03-18 00:00 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-03-17 16:39 . 2008-03-18 17:04 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-03-17 16:39 . 2008-04-02 11:49 <DIR> d-------- C:\Documents and Settings\tdluhy\Application Data\SiteAdvisor
2008-03-17 16:39 . 2008-03-17 16:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-03-17 16:37 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-03-17 16:30 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-17 16:30 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-03-17 16:30 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-17 16:30 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-03-17 16:30 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-03-17 16:30 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-03-17 16:28 . 2008-03-17 16:29 <DIR> d-------- C:\Program Files\McAfee.com
2008-03-17 16:28 . 2008-03-17 16:30 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-03-17 16:27 . 2008-03-30 02:45 <DIR> d-------- C:\Program Files\McAfee
2008-03-17 16:19 . 2008-03-17 16:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-14 13:09 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-14 13:09 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-14 13:09 . 2008-03-09 01:15 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-14 13:09 . 2008-03-05 22:29 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-14 13:09 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-14 13:09 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-13 13:54 . 2008-03-14 13:09 2,658 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-13 13:15 . 2008-03-13 13:15 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2008-03-13 13:15 . 2008-04-01 19:13 638,208 --a------ C:\WINDOWS\system32\ajelbbyd.dat
2008-03-13 13:15 . 2008-03-13 13:15 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2008-03-13 13:15 . 2008-03-13 13:15 42,752 --a------ C:\WINDOWS\system32\fztbovup.dat
2008-03-13 13:15 . 2008-03-13 13:15 35,072 --a------ C:\WINDOWS\system32\xsrfpzjq.dat
2008-03-13 13:12 . 2008-03-13 13:12 36,608 --a------ C:\WINDOWS\system32\pwyswsyg.dat
2008-03-11 16:37 . 2008-03-11 16:37 <DIR> d-------- C:\Documents and Settings\tdluhy\Application Data\FileMaker
2008-03-07 18:26 . 2008-03-07 18:26 120,576 --a------ C:\WINDOWS\system32\vxjonyhw.dat
2008-03-07 18:19 . 2002-12-12 02:14 85,504 --a------ C:\WINDOWS\system32\dsound3dl.dll.bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 21:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-25 18:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 18:12 --------- d-----w C:\Program Files\HiJack This
2008-03-20 17:35 --------- d-----w C:\Program Files\Java
2008-03-17 21:04 --------- d-----w C:\Documents and Settings\tdluhy\Application Data\AdobeUM
2008-03-14 20:20 --------- d-----w C:\Documents and Settings\tdluhy\Application Data\Uniblue
2008-02-20 19:12 --------- d-----w C:\Program Files\Stamps.com Internet Postage
2008-02-20 19:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}
2008-02-20 19:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}
2007-04-30 15:42 313,283 ----a-w C:\Program Files\cwshredder.zip
2007-02-22 22:13 6,017,261 ----a-w C:\Program Files\rviewxp.exe
2004-09-07 15:36 149,504 ----a-w C:\Program Files\CWShredder.exe
2004-06-30 20:10 2,956,949 ----a-w C:\Program Files\mailwasher_pro41.exe
2004-06-25 15:04 521,392 ----a-w C:\Program Files\PrintUtility.exe
2004-04-05 17:47 16,706,160 ----a-w C:\Program Files\AdbeRdr60_enu_full.exe
2004-04-05 17:12 141,572 ----a-w C:\Program Files\gw_uslbl.pdf
2004-02-26 17:41 3,888 ----a-w C:\WINDOWS\inf\SET1E1D.tmp
.

------- Sigcheck -------

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spamihilator"="C:\Program Files\Spamihilator\Spamihilator.exe" [2007-01-24 08:49 619008]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49 4662776]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 09:00 13312]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 05:24 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 05:11 114688]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2002-05-28 03:37 69632]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 16:34 36864]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2002-08-07 09:24 485376]
"CPQEASYACC"="C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 16:01 32768]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 13:20 94208]
"WinVNC"="C:\Program Files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 13:49 335872]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 16:57 36640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [2007-07-17 14:56:18 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

S2 0015831206863144mcinstcleanup;McAfee Application Installer Cleanup (0015831206863144);C:\WINDOWS\TEMP\001583~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []

*Newly Created Service* - 0015831206863144MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder
"2008-04-01 19:43:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-17 21:29:29 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-01 06:00:03 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-03-24 18:53:03 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-03-14 18:53:41 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-02 12:42:31
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-04-02 12:47:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-02 17:47:33
Pre-Run: 30,504,136,704 bytes free
Post-Run: 30,826,401,792 bytes free
.
2008-03-29 01:56:37 --- E O F ---

Edited by surdidymus, 02 April 2008 - 12:05 PM.


#4 Rawe


Posted 02 April 2008 - 12:25 PM

Hi again. :blink:

Open notepad and copy/paste the text in the quotebox into it.

File::
C:\WINDOWS\system32\fztbovup.dat
C:\WINDOWS\system32\xsrfpzjq.dat
C:\WINDOWS\system32\pwyswsyg.dat
C:\WINDOWS\system32\vxjonyhw.dat
C:\WINDOWS\system32\ajelbbyd.dat


Save it as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Then... Please surf here: http://virustotal.com/

Submit the following file and hit Send File:

C:\Program Files\rviewxp.exe

Wait till the scanners have finished and post back with the scanning results as well as the ComboFix log. :thumbsup:
Hi there, stranger!
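As an added example (not the helper's own tooling and not part of ComboFix), the Python script below parses lines in the format of the "Files Created" section of the ComboFix log posted earlier, picks out the random eight-letter .dat files in system32 that the reply above targets, and emits the same File:: block for CFScript.txt. The sample lines and the scan date are constructed from the log in this thread, and the "eight lowercase letters plus .dat in system32" heuristic is an assumption drawn from this case, not a general malware rule.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample input: lines copied in the format of the ComboFix
# "Files Created" section posted above (same paths, same layout).
SAMPLE_LOG = r"""
2008-03-17 16:37 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-03-13 13:15 . 2008-03-13 13:15 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2008-03-13 13:15 . 2008-04-01 19:13 638,208 --a------ C:\WINDOWS\system32\ajelbbyd.dat
2008-03-13 13:15 . 2008-03-13 13:15 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2008-03-13 13:15 . 2008-03-13 13:15 42,752 --a------ C:\WINDOWS\system32\fztbovup.dat
2008-03-13 13:15 . 2008-03-13 13:15 35,072 --a------ C:\WINDOWS\system32\xsrfpzjq.dat
2008-03-13 13:12 . 2008-03-13 13:12 36,608 --a------ C:\WINDOWS\system32\pwyswsyg.dat
2008-03-11 16:37 . 2008-03-11 16:37 <DIR> d-------- C:\Documents and Settings\tdluhy\Application Data\FileMaker
2008-03-07 18:26 . 2008-03-07 18:26 120,576 --a------ C:\WINDOWS\system32\vxjonyhw.dat
2008-03-07 18:19 . 2002-12-12 02:14 85,504 --a------ C:\WINDOWS\system32\dsound3dl.dll.bak
"""

# Date of the ComboFix run in this thread (constructed from the log header).
SCAN_DAY = date(2008, 4, 2)

# One "Files Created" line: created stamp, " . ", modified stamp, size or <DIR>,
# a 9-character attribute field, then the path (which may contain spaces).
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \. (\d{4}-\d{2}-\d{2}) \d{2}:\d{2} "
    r"(<DIR>|[\d,]+) (\S{9}) (.+)$"
)


@dataclass
class Entry:
    created: date
    modified: date
    size: Optional[int]  # None for directories
    attrs: str
    path: str


def parse_created_section(text: str) -> list:
    """Parse ComboFix 'Files Created' lines; anything that does not match is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append(Entry(
            created=date.fromisoformat(created),
            modified=date.fromisoformat(modified),
            size=None if size == "<DIR>" else int(size.replace(",", "")),
            attrs=attrs,
            path=path,
        ))
    return entries


# Assumed heuristic from this thread: eight random lowercase letters with a
# .dat extension, dropped directly into system32 shortly before the scan.
RANDOM_DAT = re.compile(r"^[a-z]{8}\.dat$")
SYSTEM32 = r"c:\windows\system32"


def suspect_random_dat(entries: list, scan_day: date, max_age_days: int = 30) -> list:
    """Return paths of random-named .dat files created in system32 within max_age_days."""
    hits = []
    for e in entries:
        if e.size is None:
            continue  # directories never match
        folder, _, name = e.path.rpartition("\\")
        if folder.lower() != SYSTEM32:
            continue
        if not RANDOM_DAT.match(name):
            continue
        if (scan_day - e.created).days > max_age_days:
            continue
        hits.append(e.path)
    return hits


def build_cfscript(paths: list) -> str:
    """Emit the File:: block in the form shown in the reply above."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    found = suspect_random_dat(parse_created_section(SAMPLE_LOG), SCAN_DAY)
    print(build_cfscript(found))
```

The output is only a starting point for a human reviewer: a file that matches the naming pattern still needs to be checked (for example, submitted to VirusTotal as the reply suggests) before it goes into a CFScript.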

#5 surdidymus


Posted 02 April 2008 - 01:26 PM

ComboFix did not restart the computer this time, but it again changed my time back to military without changing it back. And my taskbar was changed.

HERE IS COMBOFIX LOG:

ComboFix 08-04-01.2 - tdluhy 2008-04-02 14:05:56.2 - NTFSx86
Running from: C:\Documents and Settings\tdluhy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\tdluhy\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.

2008-04-01 14:33 . 2008-04-01 14:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-28 15:49 . 2003-02-28 18:26 171,280 --a------ C:\WINDOWS\system32\jit.dll
2008-03-28 15:49 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-03-28 15:49 . 2003-02-28 18:26 46,352 --a------ C:\WINDOWS\setdebug.exe
2008-03-28 15:49 . 2003-02-28 16:54 7,315 --a------ C:\WINDOWS\system32\javasup.vxd
2008-03-28 15:49 . 2003-02-28 16:35 6,550 --a------ C:\WINDOWS\jautoexp.dat
2008-03-28 15:48 . 2003-02-28 16:34 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2008-03-28 15:48 . 2003-02-28 18:26 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2008-03-28 15:48 . 2003-02-28 18:26 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2008-03-28 15:48 . 2003-02-28 18:26 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2008-03-28 15:48 . 2003-02-28 16:38 113 --a------ C:\WINDOWS\system32\zonedon.reg
2008-03-28 15:48 . 2003-02-28 16:38 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2008-03-28 15:47 . 2003-02-28 18:26 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2008-03-28 15:47 . 2003-02-28 18:26 404,752 --a------ C:\WINDOWS\system32\javart.dll
2008-03-28 15:47 . 2003-02-28 18:26 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2008-03-28 15:47 . 2003-02-28 18:26 172,304 --a------ C:\WINDOWS\system32\jview.exe
2008-03-28 15:47 . 2003-02-28 18:26 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2008-03-28 15:47 . 2003-02-28 18:26 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2008-03-28 15:47 . 2003-02-28 18:26 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2008-03-28 15:47 . 2003-02-28 18:26 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2008-03-26 16:38 . 2008-03-26 16:47 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-03-25 13:53 . 2008-03-25 13:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-24 15:14 . 2005-10-20 17:33 991,232 --a------ C:\WINDOWS\system32\esent.dll
2008-03-19 14:52 . 2004-07-01 17:08 361,984 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-03-19 14:52 . 2004-07-01 17:08 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2008-03-19 14:52 . 2004-07-01 17:08 331,776 --a--c--- C:\WINDOWS\system32\dllcache\winhttp.dll
2008-03-19 14:52 . 2004-07-01 17:08 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-03-19 14:52 . 2004-07-01 17:08 17,408 --a--c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-03-19 14:52 . 2004-07-01 17:08 7,680 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-03-19 14:52 . 2004-07-01 17:08 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-03-19 14:39 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-17 16:41 . 2008-04-02 12:41 9,859 --a------ C:\WINDOWS\system32\Config.MPF
2008-03-17 16:40 . 2008-03-18 00:00 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-03-17 16:39 . 2008-03-18 17:04 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-03-17 16:39 . 2008-04-02 13:37 <DIR> d-------- C:\Documents and Settings\tdluhy\Application Data\SiteAdvisor
2008-03-17 16:39 . 2008-03-17 16:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-03-17 16:37 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-03-17 16:30 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-17 16:30 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-03-17 16:30 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-17 16:30 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-03-17 16:30 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-03-17 16:30 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-03-17 16:28 . 2008-03-17 16:29 <DIR> d-------- C:\Program Files\McAfee.com
2008-03-17 16:28 . 2008-03-17 16:30 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-03-17 16:27 . 2008-03-30 02:45 <DIR> d-------- C:\Program Files\McAfee
2008-03-17 16:19 . 2008-03-17 16:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-14 13:09 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-14 13:09 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-14 13:09 . 2008-03-09 01:15 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-14 13:09 . 2008-03-05 22:29 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-14 13:09 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-14 13:09 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-13 13:54 . 2008-03-14 13:09 2,658 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-13 13:15 . 2008-03-13 13:15 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2008-03-13 13:15 . 2008-04-01 19:13 638,208 --a------ C:\WINDOWS\system32\ajelbbyd.dat
2008-03-13 13:15 . 2008-03-13 13:15 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2008-03-13 13:15 . 2008-03-13 13:15 42,752 --a------ C:\WINDOWS\system32\fztbovup.dat
2008-03-13 13:15 . 2008-03-13 13:15 35,072 --a------ C:\WINDOWS\system32\xsrfpzjq.dat
2008-03-13 13:12 . 2008-03-13 13:12 36,608 --a------ C:\WINDOWS\system32\pwyswsyg.dat
2008-03-11 16:37 . 2008-03-11 16:37 <DIR> d-------- C:\Documents and Settings\tdluhy\Application Data\FileMaker
2008-03-07 18:26 . 2008-03-07 18:26 120,576 --a------ C:\WINDOWS\system32\vxjonyhw.dat
2008-03-07 18:19 . 2002-12-12 02:14 85,504 --a------ C:\WINDOWS\system32\dsound3dl.dll.bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 21:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-25 18:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 18:12 --------- d-----w C:\Program Files\HiJack This
2008-03-20 17:35 --------- d-----w C:\Program Files\Java
2008-03-17 21:04 --------- d-----w C:\Documents and Settings\tdluhy\Application Data\AdobeUM
2008-03-14 20:20 --------- d-----w C:\Documents and Settings\tdluhy\Application Data\Uniblue
2008-02-20 19:12 --------- d-----w C:\Program Files\Stamps.com Internet Postage
2008-02-20 19:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}
2008-02-20 19:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}
2007-04-30 15:42 313,283 ----a-w C:\Program Files\cwshredder.zip
2007-02-22 22:13 6,017,261 ----a-w C:\Program Files\rviewxp.exe
2004-09-07 15:36 149,504 ----a-w C:\Program Files\CWShredder.exe
2004-06-30 20:10 2,956,949 ----a-w C:\Program Files\mailwasher_pro41.exe
2004-06-25 15:04 521,392 ----a-w C:\Program Files\PrintUtility.exe
2004-04-05 17:47 16,706,160 ----a-w C:\Program Files\AdbeRdr60_enu_full.exe
2004-04-05 17:12 141,572 ----a-w C:\Program Files\gw_uslbl.pdf
2004-02-26 17:41 3,888 ----a-w C:\WINDOWS\inf\SET1E1D.tmp
.

------- Sigcheck -------

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spamihilator"="C:\Program Files\Spamihilator\Spamihilator.exe" [2007-01-24 08:49 619008]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49 4662776]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 09:00 13312]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 05:24 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 05:11 114688]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2002-05-28 03:37 69632]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 16:34 36864]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2002-08-07 09:24 485376]
"CPQEASYACC"="C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 16:01 32768]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 13:20 94208]
"WinVNC"="C:\Program Files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 13:49 335872]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 16:57 36640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [2007-07-17 14:56:18 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

S2 0015831206863144mcinstcleanup;McAfee Application Installer Cleanup (0015831206863144);C:\WINDOWS\TEMP\001583~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []

*Newly Created Service* - 0015831206863144MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder
"2008-04-01 19:43:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-17 21:29:29 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-01 06:00:03 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-03-24 18:53:03 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-03-14 18:53:41 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-02 14:09:47
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
Completion time: 2008-04-02 14:12:10
ComboFix-quarantined-files.txt 2008-04-02 19:11:53
ComboFix2.txt 2008-04-02 17:47:52
Pre-Run: 30,783,668,224 bytes free
Post-Run: 30,772,895,744 bytes free
.
2008-03-29 01:56:37 --- E O F ---

*************************************************************************

HERE ARE THE VIRUSTOTAL SCAN RESULTS:

Antivirus Version Last Update Result
AhnLab-V3 2008.4.1.2 2008.04.02 -
AntiVir 7.6.0.80 2008.04.02 -
Authentium 4.93.8 2008.04.02 -
Avast 4.7.1098.0 2008.04.01 -
AVG 7.5.0.516 2008.04.01 -
BitDefender 7.2 2008.04.02 -
CAT-QuickHeal 9.50 2008.04.02 -
ClamAV 0.92.1 2008.04.02 -
DrWeb 4.44.0.09170 2008.04.02 -
eSafe 7.0.15.0 2008.04.01 -
eTrust-Vet 31.3.5664 2008.04.02 -
Ewido 4.0 2008.04.02 -
F-Prot 4.4.2.54 2008.04.02 -
F-Secure 6.70.13260.0 2008.04.02 -
FileAdvisor 1 2008.04.02 -
Fortinet 3.14.0.0 2008.04.02 -
Ikarus T3.1.1.20 2008.04.02 -
Kaspersky 7.0.0.125 2008.04.02 -
McAfee 5265 2008.04.02 -
Microsoft 1.3301 2008.04.01 -
NOD32v2 2995 2008.04.02 -
Norman 5.80.02 2008.04.02 -
Panda 9.0.0.4 2008.04.02 -
Rising 20.38.22.00 2008.04.02 -
Sophos 4.28.0 2008.04.02 -
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.04.02 -
TheHacker 6.2.92.262 2008.04.02 -
VBA32 3.12.6.3 2008.03.25 -
VirusBuster 4.3.26:9 2008.04.02 -
Webwasher-Gateway 6.6.2 2008.04.02 -

Additional information
File size: 6017261 bytes
MD5: 6b148578974f9934787e29c99b7bdf08
SHA1: 9d0ab27f3f702d7b802b397407b54bdf8384bec2
PEiD: -
packers: ZIP

#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 02 April 2008 - 01:42 PM

Looks like it did nothing. :blink:

You sure you copied this in the CFScript text?

File::
C:\WINDOWS\system32\fztbovup.dat
C:\WINDOWS\system32\xsrfpzjq.dat
C:\WINDOWS\system32\pwyswsyg.dat
C:\WINDOWS\system32\vxjonyhw.dat
C:\WINDOWS\system32\ajelbbyd.dat

Anyway...

Click Start -> Run and type in:

ComboFix /u

Click on OK. When shown the disclaimer, choose 2.

Let's try this instead.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\fztbovup.dat
    C:\WINDOWS\system32\xsrfpzjq.dat
    C:\WINDOWS\system32\pwyswsyg.dat
    C:\WINDOWS\system32\vxjonyhw.dat
    C:\WINDOWS\system32\ajelbbyd.dat
    C:\WINDOWS\system32\jdbgmgr.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Finally..

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. :thumbsup:

Edited by Rawe, 02 April 2008 - 01:43 PM.

Hi there, stranger!
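The triage a helper does by eye on the ComboFix listing above can be written down: parse the "Files created" lines and flag system32 files with random eight-letter `.dat` names, plus anything dropped in the same minute as one of them (the OpenSSL DLLs arrived in the same minute as three of the `.dat` files). This is an added example, not part of the thread or of ComboFix, Killbox or DSS; the sample lines are copied from the log posted earlier, and the burst threshold is my assumption.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the ComboFix "Files created" listing
# posted in this thread, with a directory entry and two known-good files
# kept in for contrast.  Column layout: created . modified size attrs path
SAMPLE_LOG = r"""
2008-03-28 15:49 . 2003-02-28 18:26 171,280 --a------ C:\WINDOWS\system32\jit.dll
2008-03-14 13:09 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-13 13:15 . 2008-03-13 13:15 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2008-03-13 13:15 . 2008-04-01 19:13 638,208 --a------ C:\WINDOWS\system32\ajelbbyd.dat
2008-03-13 13:15 . 2008-03-13 13:15 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2008-03-13 13:15 . 2008-03-13 13:15 42,752 --a------ C:\WINDOWS\system32\fztbovup.dat
2008-03-13 13:15 . 2008-03-13 13:15 35,072 --a------ C:\WINDOWS\system32\xsrfpzjq.dat
2008-03-13 13:12 . 2008-03-13 13:12 36,608 --a------ C:\WINDOWS\system32\pwyswsyg.dat
2008-03-11 16:37 . 2008-03-11 16:37 <DIR> d-------- C:\Documents and Settings\tdluhy\Application Data\FileMaker
2008-03-07 18:26 . 2008-03-07 18:26 120,576 --a------ C:\WINDOWS\system32\vxjonyhw.dat
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>\S+) (?P<path>.+)$"
)

# Eight lowercase letters and a .dat extension, the pattern seen in this log.
RANDOM_DAT = re.compile(r"^[a-z]{8}\.dat$")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for <DIR> entries
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def in_system32(self) -> bool:
        return self.path.lower().startswith("c:\\windows\\system32\\")


def parse_listing(text: str) -> List[Entry]:
    """Parse ComboFix 'Files created' lines; headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def triage(entries: List[Entry], burst_threshold: int = 3) -> Dict[str, List[str]]:
    """Return {file name: [reasons]} for system32 files worth a closer look.

    Two heuristics: a random-looking .dat name, and being written in the same
    minute as a random .dat together with at least burst_threshold files in
    total.  Requiring a random .dat in the burst keeps a legitimate install
    burst (the Microsoft Java VM files in the full log) from being flagged.
    """
    per_minute = defaultdict(list)
    for e in entries:
        if e.size is not None and e.in_system32:
            per_minute[e.created].append(e)

    flagged: Dict[str, List[str]] = {}
    for e in entries:
        if e.size is None or not e.in_system32:
            continue
        reasons = []
        if RANDOM_DAT.match(e.name):
            reasons.append("random 8-letter .dat name in system32")
        burst = per_minute[e.created]
        if len(burst) >= burst_threshold and any(RANDOM_DAT.match(x.name) for x in burst):
            reasons.append(f"dropped at {e.created} alongside {len(burst) - 1} other system32 files")
        if reasons:
            flagged[e.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(parse_listing(SAMPLE_LOG)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The heuristics only rank candidates for a human to check against vendor signatures and restore-point history; they are not a verdict.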

#7 surdidymus

surdidymus
  • Topic Starter

  • Members
  • 15 posts

Posted 02 April 2008 - 02:15 PM

I did not get any of the renaming prompts and YES, I did copy and paste directly what you had in the quote box. :thumbsup:

McAfee keeps saying that Proxy Server Module has encountered an error and needs to shut down. Here are the DSS reports.

MAIN

Deckard's System Scanner v20071014.68
Run by tdluhy on 2008-04-02 15:06:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-04-02 20:06:44 UTC - RP4 - Deckard's System Scanner Restore Point
1: 2008-04-02 19:56:48 UTC - RP3 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 248 MiB (512 MiB recommended).


-- HijackThis (run as tdluhy.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:07, on 2008-04-02
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\tdluhy\Desktop\dss.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\tdluhy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\Spamihilator.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/04b1ad1235bd69...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205955522000
O16 - DPF: {9BDA8A29-24F7-4F95-8C38-2DC79DD99C5F} - http://157.238.134.97/events/bin/media/3.0...7203/MILive.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bbalawfirm.com
O17 - HKLM\Software\..\Telephony: DomainName = bbalawfirm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bbalawfirm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bbalawfirm.com
O23 - Service: McAfee Application Installer Cleanup (0015831206863144) (0015831206863144mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\001583~1.EXE (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

--
End of file - 9008 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ATNT40K (ActiveTouch NT Appsharing Driver) - c:\windows\system32\drivers\atnt40k.sys

S3 catchme - c:\docume~1\tdluhy\locals~1\temp\catchme.sys (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 winvnc (VNC Server) - "c:\program files\realvnc\winvnc\winvnc.exe" -service <Not Verified; RealVNC Ltd.; RealVNC Ltd. - WinVNC>

S2 0015831206863144mcinstcleanup (McAfee Application Installer Cleanup (0015831206863144)) - c:\windows\temp\001583~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-01 14:43:23 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-04-01 01:00:03 334 --a------ C:\WINDOWS\Tasks\McQcTask.job
2008-03-24 13:53:03 272 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2008-03-17 16:29:29 342 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-03-14 13:53:41 394 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job


-- Files created between 2008-03-02 and 2008-04-02 -----------------------------

2008-04-02 14:57:59 0 d-------- C:\!KillBox
2008-04-01 14:33:21 0 d-------- C:\Program Files\Trend Micro
2008-03-28 15:49:06 46352 --a------ C:\WINDOWS\setdebug.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:49:04 171280 --a------ C:\WINDOWS\System32\jit.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:49:01 139536 --a------ C:\WINDOWS\System32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:49:00 6550 --a------ C:\WINDOWS\jautoexp.dat
2008-03-28 15:48:58 313856 --a------ C:\WINDOWS\System32\dx3j.dll <Not Verified; Microsoft Corporation; Microsoft® DirectX for Java>
2008-03-28 15:48:13 113 --a------ C:\WINDOWS\System32\zonedon.reg
2008-03-28 15:48:09 113 --a------ C:\WINDOWS\System32\zonedoff.reg
2008-03-28 15:48:06 171792 --a------ C:\WINDOWS\System32\wjview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:48:04 286992 --a------ C:\WINDOWS\System32\vmhelper.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:48:03 21264 --a------ C:\WINDOWS\System32\msjdbc10.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:47:59 947472 --a------ C:\WINDOWS\System32\msjava.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:47:57 154384 --a------ C:\WINDOWS\System32\msawt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:47:54 172304 --a------ C:\WINDOWS\System32\jview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:47:50 404752 --a------ C:\WINDOWS\System32\javart.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:47:47 63248 --a------ C:\WINDOWS\System32\javaprxy.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:47:45 187152 --a------ C:\WINDOWS\System32\javacypt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:47:40 49424 --a------ C:\WINDOWS\System32\clspack.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-26 16:38:16 0 d-------- C:\Program Files\RogueRemover FREE
2008-03-17 16:40:12 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-03-17 16:40:12 0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-03-17 16:39:35 0 d-------- C:\Program Files\SiteAdvisor
2008-03-17 16:39:34 0 d-------- C:\Documents and Settings\tdluhy\Application Data\SiteAdvisor
2008-03-17 16:39:34 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-03-17 16:37:29 143360 --a------ C:\WINDOWS\System32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-03-17 16:28:46 0 d-------- C:\Program Files\McAfee.com
2008-03-17 16:28:17 0 d-------- C:\Program Files\Common Files\McAfee
2008-03-17 16:27:51 0 d-------- C:\Program Files\McAfee
2008-03-17 16:19:04 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-14 17:14:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-03-14 13:09:39 86528 --a------ C:\WINDOWS\System32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-14 13:09:39 82432 --a------ C:\WINDOWS\System32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-14 13:09:38 25600 --a------ C:\WINDOWS\System32\WS2Fix.exe
2008-03-14 13:09:38 289144 --a------ C:\WINDOWS\System32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-14 13:09:38 288417 --a------ C:\WINDOWS\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-14 13:09:38 51200 --a------ C:\WINDOWS\System32\dumphive.exe
2008-03-13 13:54:07 2658 --a------ C:\WINDOWS\System32\tmp.reg
2008-03-13 13:15:47 1188375 --a------ C:\WINDOWS\System32\libeay32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2008-03-13 13:15:46 246545 --a------ C:\WINDOWS\System32\libssl32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2008-03-11 16:37:51 0 d-------- C:\Documents and Settings\tdluhy\Application Data\FileMaker


-- Find3M Report ---------------------------------------------------------------

2008-03-26 16:40:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-21 13:12:12 0 d-------- C:\Program Files\HiJack This
2008-03-20 12:35:13 0 d-------- C:\Program Files\Java
2008-03-18 17:39:48 36 --ah----- C:\WINDOWS\System32\f9t.dat
2008-03-17 16:28:17 0 d-a------ C:\Program Files\Common Files
2008-03-17 16:04:49 0 d-------- C:\Documents and Settings\tdluhy\Application Data\AdobeUM
2008-03-14 16:36:03 0 d-------- C:\Documents and Settings\tdluhy\Application Data\Adobe
2008-03-14 15:20:01 0 d-------- C:\Documents and Settings\tdluhy\Application Data\Uniblue
2008-02-20 14:12:24 0 d-------- C:\Program Files\Stamps.com Internet Postage


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
2007-09-19 06:15 329032 --a------ c:\PROGRA~1\mcafee\msk\mcapbho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 05:24]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 05:11]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2002-05-28 03:37]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 16:34]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2002-08-07 09:24]
"CPQEASYACC"="C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 16:01]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 13:20]
"WinVNC"="C:\Program Files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 13:49]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 16:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spamihilator"="C:\Program Files\Spamihilator\Spamihilator.exe" [2007-01-24 08:49]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 09:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [2007-07-17 14:56:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-04-02 15:08:32 ------------


EXTRA

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.40GHz
Percentage of Memory in Use: 69%
Physical Memory (total/avail): 247.48 MiB / 76.07 MiB
Pagefile Memory (total/avail): 606.7 MiB / 344.81 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1948.55 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.26 GiB total, 28.72 GiB free.
D: is CDROM (No Media)
U: is Network (NTFS)

\\.\PHYSICALDRIVE0 - WDC WD400EB-11CPF0 - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\tdluhy\Application Data
CLASSPATH=.;C:\PVSW\bin\pvjdbc2x.jar;C:\PVSW\bin\pvjdbc.jar;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CLOSER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\tdluhy
LOGONSERVER=\\SERVER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\PVSW\bin;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\tdluhy\LOCALS~1\Temp
TMP=C:\DOCUME~1\tdluhy\LOCALS~1\Temp
USERDNSDOMAIN=BBALAWFIRM.COM
USERDOMAIN=BBALAWFIRM
USERNAME=tdluhy
USERPROFILE=C:\Documents and Settings\tdluhy
VSL=C:\PVSW\bin
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator (admin)
lboard
dborden
clerk
lklingler
tdluhy (admin)
Administrator.BBALAWFIRM (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Download Manager 1.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Broadcom Management Programs --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{750DFF5E-C559-11D4-A441-00B0D0436EE7}\Setup.exe"
Easy Access Button Support --> C:\Program Files\COMPAQ\Easy Access Button Support\Uninst.exe
eLynx Ltd. Web Post Printer --> C:\PROGRA~1\elynx\WebPost\UNWISE.EXE C:\PROGRA~1\elynx\WebPost\INSTALL.LOG
Form Viewer --> MsiExec.exe /X{873D68B3-EDE5-4DFD-85AC-FFC430FB7EE2}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
hp LaserJet 1000 --> zuninst.exe
HP LaserJet 4100 Uninstaller --> C:\Program Files\Hewlett-Packard\LJ4100\Uninstall\setup.exe ciuninst.ini
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java 2 Runtime Environment, SE v1.4.2_04 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142040}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Malwarebytes' RogueRemover --> "C:\Program Files\RogueRemover FREE\unins000.exe"
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Office 2000 SR-1 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Publisher 2002 --> MsiExec.exe /I{90190409-6000-11D3-8CFE-0050048383C9}
Nikon View 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AAB84E83-C8DF-4752-9DFC-2E2A48EE5E9F}\setup.exe" UNINSTALL
Pervasive System Analyzer --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Common Files\Pervasive Software Shared\PSA\psa.isu"
Pervasive.SQL V8 Client (v8.6) --> MsiExec.exe /I{39A3DC93-4EE4-40A8-A85E-6188BDABD651}
PixZip --> MsiExec.exe /I{B390FED9-D3E5-4B3D-B5A3-D908B8FD2F13}
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Real Estate Transaction Viewer --> C:\PROGRA~1\TRANSA~1\UNWISE.EXE C:\PROGRA~1\TRANSA~1\INSTALL.LOG
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Software Setup --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\COMPAQ\Software Setup\Uninst.isu" -c"C:\Program Files\COMPAQ\Software Setup\CPQUNST.DLL"
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.EXE"
Spamihilator --> "C:\Program Files\Spamihilator\uninstall.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Stamps.com --> "C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}\stamps.exe" REMOVE=TRUE MODIFY=FALSE
Stamps.com support for Microsoft Word 2000-2007 --> "C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}\MSW2KPIMstmp.exe" REMOVE=TRUE MODIFY=FALSE
SwiftView Viewer --> C:\Program Files\SwiftView\svinst.exe -Uninstall
Timeslips Express v10.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C47C88C6-9F9E-11D1-9FDF-00403330A134}\setup.exe" -uninst
TSS DPS --> MsiExec.exe /X{982C418C-9BC3-48B5-8451-BEAE7B315BEE}
TSS TitleExpress --> MsiExec.exe /I{570CF8D0-71FC-4BEB-A325-7DA3107CBBA8}
VNC 3.3.7 --> "C:\Program Files\RealVNC\unins000.exe"
Web Savings from Ebates --> wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates" ls: deletefeature ld: feature=ebateswebsavingsdr1.xml
WebEx --> C:\PROGRA~1\WebEx\atcliun.exe
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Install Manager --> C:\WINDOWS\System32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type80542 / Error
Event Submitted/Written: 04/02/2008 03:05:00 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type80541 / Error
Event Submitted/Written: 04/02/2008 03:04:25 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type80539 / Error
Event Submitted/Written: 04/02/2008 03:03:59 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type80536 / Error
Event Submitted/Written: 04/02/2008 01:06:57 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 485564694.

Event Record #/Type80535 / Error
Event Submitted/Written: 04/02/2008 01:06:50 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application te1.exe, version 5.9.4.718, faulting module kernel32.dll, version 5.1.2600.1869, fault address 0x0001aafc.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type7099 / Error
Event Submitted/Written: 04/02/2008 03:04:49 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The SSDP Discovery Service service depends on the HTTP service which failed to start because of the following error:
%%127

Event Record #/Type7098 / Error
Event Submitted/Written: 04/02/2008 03:04:49 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The HTTP service failed to start due to the following error:
%%127

Event Record #/Type7094 / Error
Event Submitted/Written: 04/02/2008 03:04:21 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The SSDP Discovery Service service depends on the HTTP service which failed to start because of the following error:
%%127

Event Record #/Type7093 / Error
Event Submitted/Written: 04/02/2008 03:04:21 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The HTTP service failed to start due to the following error:
%%127

Event Record #/Type7091 / Error
Event Submitted/Written: 04/02/2008 03:04:20 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
FltMgr



-- End of Deckard's System Scanner: finished at 2008-04-02 15:08:32 ------------

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:09:53 PM

Posted 02 April 2008 - 02:34 PM

Okay. First note. Let's free you up some memory from useless apps.. :blink:

Click Start -> Control Panel -> Add/Remove Programs and uninstall each of the following:

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
Java 2 Runtime Environment, SE v1.4.2_04
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1


Leave the Update 5. It's the latest.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files - option.

Then navigate to, and delete the following file:

C:\WINDOWS\System32\f9t.dat

Empty recycle bin.

Rerun a scan with HijackThis and check the following object for removal:

O23 - Service: McAfee Application Installer Cleanup (0015831206863144) (0015831206863144mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\001583~1.EXE (file missing)


Now close ALL other open windows but HijackThis and hit FIX CHECKED. Exit HijackThis.

Please post a fresh DSS log. :thumbsup:
Hi there, stranger!
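As an added example (my own code, not part of this thread and not a HijackThis feature), a small triage script that applies the two indicators behind the O23 fix above to HijackThis O4 and O23 lines: a service whose binary is missing and whose owner is unknown, and an autostart image living under a temp directory. The sample lines are copied from the log posted in this thread; the function names and the rule set are assumptions of mine.

```python
import re

# Lines taken from the HijackThis log posted in this thread: two O4 Run entries
# and three O23 service entries. Only the McAfee cleanup service should be flagged.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [WinVNC] "C:\\Program Files\\RealVNC\\WinVNC\\WinVNC.exe" -servicehelper
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
O23 - Service: McAfee Application Installer Cleanup (0015831206863144) (0015831206863144mcinstcleanup) - Unknown owner - C:\\WINDOWS\\TEMP\\001583~1.EXE (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\guard.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\\Program Files\\SiteAdvisor\\6253\\SAService.exe
"""

# A path component of TEMP (or the 8.3 form of the per-user Local Settings\Temp).
TEMP_DIR_RE = re.compile(r"\\(TEMP|LOCALS~1\\Temp)\\", re.IGNORECASE)
# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Used to cut an unquoted command line at the end of the image path.
EXE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|scr|com|bat|cmd|vbs))", re.IGNORECASE)


def parse_o4(line):
    """Return (value name, image path) for an O4 autostart line, or None."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):
        # Quoted image path: everything up to the closing quote.
        path = cmd[1:cmd.index('"', 1)]
    else:
        # HijackThis prints paths with spaces unquoted, so cut at the extension.
        em = EXE_RE.match(cmd)
        path = em.group("path") if em else cmd.split(" ")[0]
    return m.group("name"), path


def parse_o23(line):
    """Return (display name, owner, image path, file_missing) for an O23 line, or None."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    rest = line[len(prefix):]
    # Display name, owner, image path; maxsplit keeps a path containing ' - ' intact.
    parts = rest.split(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = parts
    file_missing = path.endswith("(file missing)")
    if file_missing:
        path = path[: -len("(file missing)")].strip()
    return name, owner, path, file_missing


def triage(log_text):
    """Flag autostart entries matching the indicators used in this thread:
    an orphaned service with an unknown owner, or an image under a temp directory.
    Returns one dict per flagged line with the reasons it was flagged."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        o23 = parse_o23(line)
        o4 = parse_o4(line)
        if o23:
            name, owner, path, file_missing = o23
            if file_missing and owner == "Unknown owner":
                reasons.append("orphaned service: binary missing and owner unknown")
        elif o4:
            name, path = o4
        else:
            continue  # not an autostart line we understand
        if TEMP_DIR_RE.search(path):
            reasons.append("autostart image lives in a temp directory")
        if reasons:
            findings.append({"name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["name"], "->", f["path"])
        for r in f["reasons"]:
            print("   ", r)
```

A flagged entry is a lead for a closer look at the file and its registration, not a verdict; a legitimate installer can leave a dead service behind, as the McAfee entry here shows.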

#9 surdidymus

surdidymus
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:02:53 PM

Posted 02 April 2008 - 03:08 PM

Had no problems this time with anything...DSS only made a main.txt file and not an extra.txt...so here's the main. THANK YOU!!




Deckard's System Scanner v20071014.68
Run by tdluhy on 2008-04-02 16:08:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 248 MiB (512 MiB recommended).


-- HijackThis (run as tdluhy.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:08, on 2008-04-02
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Documents and Settings\tdluhy\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\tdluhy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\Spamihilator.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/04b1ad1235bd69...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205955522000
O16 - DPF: {9BDA8A29-24F7-4F95-8C38-2DC79DD99C5F} - http://157.238.134.97/events/bin/media/3.0...7203/MILive.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bbalawfirm.com
O17 - HKLM\Software\..\Telephony: DomainName = bbalawfirm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bbalawfirm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bbalawfirm.com
O23 - Service: McAfee Application Installer Cleanup (0015831206863144) (0015831206863144mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\001583~1.EXE (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

--
End of file - 8991 bytes

-- Files created between 2008-03-02 and 2008-04-02 -----------------------------

2008-04-02 14:57:59 0 d-------- C:\!KillBox
2008-04-01 14:33:21 0 d-------- C:\Program Files\Trend Micro
2008-03-28 15:49:06 46352 --a------ C:\WINDOWS\setdebug.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:49:04 171280 --a------ C:\WINDOWS\System32\jit.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:49:01 139536 --a------ C:\WINDOWS\System32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:49:00 6550 --a------ C:\WINDOWS\jautoexp.dat
2008-03-28 15:48:58 313856 --a------ C:\WINDOWS\System32\dx3j.dll <Not Verified; Microsoft Corporation; Microsoft® DirectX for Java>
2008-03-28 15:48:13 113 --a------ C:\WINDOWS\System32\zonedon.reg
2008-03-28 15:48:09 113 --a------ C:\WINDOWS\System32\zonedoff.reg
2008-03-28 15:48:06 171792 --a------ C:\WINDOWS\System32\wjview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:48:04 286992 --a------ C:\WINDOWS\System32\vmhelper.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:48:03 21264 --a------ C:\WINDOWS\System32\msjdbc10.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:47:59 947472 --a------ C:\WINDOWS\System32\msjava.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:47:57 154384 --a------ C:\WINDOWS\System32\msawt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:47:54 172304 --a------ C:\WINDOWS\System32\jview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:47:50 404752 --a------ C:\WINDOWS\System32\javart.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:47:47 63248 --a------ C:\WINDOWS\System32\javaprxy.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:47:45 187152 --a------ C:\WINDOWS\System32\javacypt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-28 15:47:40 49424 --a------ C:\WINDOWS\System32\clspack.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-03-26 16:38:16 0 d-------- C:\Program Files\RogueRemover FREE
2008-03-17 16:40:12 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-03-17 16:40:12 0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-03-17 16:39:35 0 d-------- C:\Program Files\SiteAdvisor
2008-03-17 16:39:34 0 d-------- C:\Documents and Settings\tdluhy\Application Data\SiteAdvisor
2008-03-17 16:39:34 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-03-17 16:37:29 143360 --a------ C:\WINDOWS\System32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-03-17 16:28:46 0 d-------- C:\Program Files\McAfee.com
2008-03-17 16:28:17 0 d-------- C:\Program Files\Common Files\McAfee
2008-03-17 16:27:51 0 d-------- C:\Program Files\McAfee
2008-03-17 16:19:04 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-14 17:14:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-03-14 13:09:39 86528 --a------ C:\WINDOWS\System32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-14 13:09:39 82432 --a------ C:\WINDOWS\System32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-14 13:09:38 25600 --a------ C:\WINDOWS\System32\WS2Fix.exe
2008-03-14 13:09:38 289144 --a------ C:\WINDOWS\System32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-14 13:09:38 288417 --a------ C:\WINDOWS\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-14 13:09:38 51200 --a------ C:\WINDOWS\System32\dumphive.exe
2008-03-13 13:54:07 2658 --a------ C:\WINDOWS\System32\tmp.reg
2008-03-13 13:15:47 1188375 --a------ C:\WINDOWS\System32\libeay32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2008-03-13 13:15:46 246545 --a------ C:\WINDOWS\System32\libssl32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2008-03-11 16:37:51 0 d-------- C:\Documents and Settings\tdluhy\Application Data\FileMaker


-- Find3M Report ---------------------------------------------------------------

2008-04-02 15:57:17 0 d-------- C:\Program Files\Java
2008-03-26 16:40:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-21 13:12:12 0 d-------- C:\Program Files\HiJack This
2008-03-17 16:28:17 0 d-a------ C:\Program Files\Common Files
2008-03-17 16:04:49 0 d-------- C:\Documents and Settings\tdluhy\Application Data\AdobeUM
2008-03-14 16:36:03 0 d-------- C:\Documents and Settings\tdluhy\Application Data\Adobe
2008-03-14 15:20:01 0 d-------- C:\Documents and Settings\tdluhy\Application Data\Uniblue
2008-02-20 14:12:24 0 d-------- C:\Program Files\Stamps.com Internet Postage


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
2007-09-19 06:15 329032 --a------ c:\PROGRA~1\mcafee\msk\mcapbho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 05:24]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 05:11]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2002-05-28 03:37]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 16:34]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2002-08-07 09:24]
"CPQEASYACC"="C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 16:01]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 13:20]
"WinVNC"="C:\Program Files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 13:49]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 16:57]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spamihilator"="C:\Program Files\Spamihilator\Spamihilator.exe" [2007-01-24 08:49]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 09:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [2007-07-17 14:56:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-04-02 16:09:02 ------------

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:09:53 PM

Posted 02 April 2008 - 03:13 PM

Please download Malwarebytes' Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (see extra note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Please copy and paste the entire report in your next reply. :thumbsup:
Extra note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Hi there, stranger!

#11 surdidymus

surdidymus
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:02:53 PM

Posted 02 April 2008 - 03:31 PM

No issues removing - computer has NOT been restarted.


Malwarebytes' Anti-Malware 1.10
Database version: 583

Scan type: Quick Scan
Objects scanned: 37938
Time elapsed: 7 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{50ccd00a-66b6-4d95-aaef-8ee959498f92} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stfngdvw.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:53 PM

Posted 02 April 2008 - 03:37 PM

How does the system appear to be running at this point? :thumbsup:

Please navigate to, and right-click on the following file:

C:\Program Files\rviewxp.exe

Choose Properties and give me all the info there is available.

#13 surdidymus

surdidymus
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:02:53 PM

Posted 02 April 2008 - 03:44 PM

RViewXP -

Type of file: Application
Description: 32-bit Self Extractor Module

Location: C:\Program Files
Size: 5.73 MB
Size on disk: 5.74 MB

Created: June 27, 2005
Modified: February 22, 2007
Accessed: April 2, 2008

Version: 1.2.1.1
Copyright 1996-1998 Xceed Software Inc.
1-450-442-2626
sfx@xceedsoft.com
www.xceedsoft.com

I believe this is an application that opens loan documents from lenders when they email them. Sort of like Adobe, but their own secure version. Loan documents meaning...when you buy a house and get a loan...all of the papers you have to sign in order to get that loan.

The system is running a lot better! The internet is no longer delayed and I haven't gotten any of the popups I was getting when I tried to open a website. So far so good! THANK YOU!

Edited by surdidymus, 02 April 2008 - 03:48 PM.


#14 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:53 PM

Posted 03 April 2008 - 03:16 AM

You're welcome. :thumbsup:

Rehide hidden files. Go ahead and uninstall Malwarebytes' Anti-Malware if you wish.

Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to reboot during the cleanup, select YES.
  • The tool will delete itself once it finishes; if it does not, delete it yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
Prevention Programs:
  • Comodo BOClean <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • SpywareBlaster <= SpywareBlaster will prevent spyware from being installed. Detailed installation guide provided.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known adsites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Other necessary Programs:
  • Antivirus Program <= An antivirus program is a must! Whether it is a free version like Avast! or Anti-Vir, or a shareware version like NOD32, this is a must-have. (Note: only use one at a time.)
  • Firewall <= A firewall is definitely a must-have. Two good free versions are Comodo and Online Armor. (Note: only use one at a time.)
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place?

Setup guide for Comodo Firewall
Setup guide for Avast! 4 Free
Setup guide for AVG Free Antivirus
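The HOSTS-file mechanism Rawe describes above (listed names are sent to 127.0.0.1, so the machine never reaches them), as an added example that is not part of this thread or of the MVPS file itself. The file content is constructed, and the `classify` check goes one step beyond the post by also listing entries that point a name at a routable address instead of a sinkhole.

```python
# Added example (not from the thread): parse a blocklist-style HOSTS file the way the
# resolver reads it, and show which names end up sinkholed at 127.0.0.1 / 0.0.0.0.
import ipaddress

# Constructed sample; the real MVPS file has many thousands of entries.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   ads.example-adserver.test        # blocked: resolves to this machine
0.0.0.0     tracker.example-tracker.test     # alternate sinkhole address some lists use
127.0.0.1   www.rogue-antispyware.test       # constructed fake-alert vendor domain
198.51.100.7  update.example-vendor.test     # constructed: NOT a sinkhole, overrides DNS
"""

def parse_hosts(text):
    """Map each hostname (lowercased) to its address.

    Lines are '<address> <name> [<name> ...]'; '#' starts a comment.
    The first entry for a name wins, as it does for the system resolver.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), address)
    return mapping

def is_sinkholed(mapping, hostname):
    """True if the HOSTS file sends this name to a loopback or unspecified address."""
    addr = mapping.get(hostname.lower())
    if addr is None:
        return False  # not listed: normal DNS resolution applies
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified

def classify(text):
    """Split entries into blocked names and names redirected to a real address.

    In a blocklist-only HOSTS file every entry except localhost should be sinkholed;
    an entry that sends a name to a routable address silently overrides DNS for it,
    so the second list is the one worth reviewing.
    """
    mapping = parse_hosts(text)
    blocked = sorted(n for n in mapping if n != "localhost" and is_sinkholed(mapping, n))
    redirected = sorted(n for n in mapping if not is_sinkholed(mapping, n))
    return blocked, redirected
```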

#15 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:53 PM

Posted 05 April 2008 - 06:46 AM

Since this issue appears to be resolved, this topic has been closed. Should you need this topic reopened, please PM a Staff member. :thumbsup: