Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Firefox Antispywaresuite Popups


  • This topic is locked This topic is locked
2 replies to this topic

#1 hector13

hector13

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:06:14 PM

Posted 26 May 2008 - 08:50 PM

I get the AntiSpywareSuite popup in firefox every hour or so (I don't use any other browsers).

Here is my main.txt log:
Deckard's System Scanner v20071014.68
Run by hector on 2008-05-26 21:02:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
7: 2008-05-26 21:43:01 UTC - RP84 - Windows Update
6: 2008-05-26 21:30:06 UTC - RP83 - Windows Update
5: 2008-05-26 20:58:21 UTC - RP82 - Windows Update
4: 2008-05-26 20:30:53 UTC - RP81 - ComboFix created restore point
3: 2008-05-26 16:59:13 UTC - RP80 - Installed Adobe Reader 8.1.2


-- First Restore Point --
1: 2008-05-25 19:41:39 UTC - RP78 - Removed Adobe Acrobat 8 Professional - English, Français, Deutsch


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as hector.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:42 PM, on 5/26/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Garmin\gStart.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Citrix\ICA Client\Wfcrun32.exe
C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cscript.exe
C:\Users\hector\Downloads\dss.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\McAfee\MSC\mcshell.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\hector.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: McAfee Application Installer Cleanup (0212561211836177) (0212561211836177mcinstcleanup) - Unknown owner - C:\Users\hector\AppData\Local\Temp\021256~1.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 6073 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.ini - UltraEdit.ini - DefaultIcon - unable to read value
.ini - UltraEdit.ini - shell\open\command - "C:\Program Files\UltraEdit\uedit32.exe" "%1"
.js - UltraEdit.js - DefaultIcon - unable to read value
.js - UltraEdit.js - shell\open\command - "C:\Program Files\UltraEdit\uedit32.exe" "%1"
.txt - UltraEdit.txt - DefaultIcon - unable to read value
.txt - UltraEdit.txt - shell\open\command - "C:\Program Files\UltraEdit\uedit32.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S2 0212561211836177mcinstcleanup (McAfee Application Installer Cleanup (0212561211836177)) - c:\users\hector\appdata\local\temp\021256~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: Photosmart C7100 series
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: Photosmart C7100 series
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam

Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Photosmart C7100 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C7100 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-05-26 17:19:43 334 --a------ C:\Windows\Tasks\McQcTask.job
2008-05-26 17:19:43 342 --a------ C:\Windows\Tasks\McDefragTask.job


-- Files created between 2008-04-26 and 2008-05-26 -----------------------------

2008-05-26 21:04:32 0 d-------- C:\Program Files\Trend Micro
2008-05-26 17:09:15 0 d-------- C:\Program Files\McAfee.com
2008-05-26 17:09:12 0 d-------- C:\Program Files\Common Files\McAfee
2008-05-26 17:09:09 0 d-------- C:\Program Files\McAfee
2008-05-26 17:08:04 0 d-------- C:\Users\All Users\McAfee
2008-05-26 16:34:37 53248 --a------ C:\Windows\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-05-26 16:30:30 68096 --a------ C:\Windows\zip.exe
2008-05-26 16:30:30 49152 --a------ C:\Windows\VFind.exe
2008-05-26 16:30:30 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-26 16:30:30 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-26 16:30:30 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-26 16:30:30 98816 --a------ C:\Windows\sed.exe
2008-05-26 16:30:30 80412 --a------ C:\Windows\grep.exe
2008-05-26 16:30:30 89504 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-25 19:21:33 0 d-------- C:\Users\All Users\ZoneFiveSoftware
2008-05-25 18:57:51 0 d-------- C:\Program Files\Zone Five Software
2008-05-25 15:38:53 58368 --a------ C:\Windows\system32\xxyabxYr.dll
2008-05-25 08:55:56 0 d-------- C:\Program Files\Garmin GPS Plugin
2008-05-04 20:59:23 0 d-------- C:\Users\All Users\Google Updater
2008-05-04 20:59:21 0 d-------- C:\Program Files\Google
2008-05-04 16:22:58 0 d-------- C:\Users\All Users\GARMIN


-- Find3M Report ---------------------------------------------------------------

2008-05-26 17:32:44 0 d-------- C:\Program Files\Windows Mail
2008-05-26 17:09:12 0 d-------- C:\Program Files\Common Files
2008-05-26 13:00:10 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-26 11:58:36 0 d-------- C:\Users\hector\AppData\Roaming\Apple Computer
2008-05-25 12:00:23 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 4
2008-05-04 21:00:57 0 d-------- C:\Users\hector\AppData\Roaming\Google
2008-05-04 16:22:58 0 d-------- C:\Users\hector\AppData\Roaming\GARMIN
2008-04-22 22:45:21 0 d-------- C:\Program Files\Safari
2008-04-22 22:44:40 0 d-------- C:\Program Files\Apple Software Update
2008-04-22 07:29:28 174 --ahs---- C:\Program Files\desktop.ini
2008-04-22 07:26:28 0 d-------- C:\Program Files\Windows Calendar
2008-04-22 07:26:27 0 d-------- C:\Program Files\Windows Defender
2008-04-14 16:22:30 0 d-------- C:\Program Files\PuTTY
2008-04-13 18:00:29 130873 --a------ C:\Windows\hpoins18.dat
2008-04-13 17:57:18 0 d-------- C:\Program Files\HP
2008-04-13 17:57:11 0 d-------- C:\Program Files\Common Files\HP
2008-04-13 09:48:02 0 d-------- C:\Program Files\Windows Sidebar
2008-04-12 23:58:14 0 d-------- C:\Program Files\MSXML 4.0
2008-04-09 07:19:38 0 d-------- C:\Program Files\iTunes
2008-04-09 07:19:33 0 d-------- C:\Program Files\iPod
2008-04-09 07:18:25 0 d-------- C:\Program Files\QuickTime
2008-04-06 14:56:31 0 d-------- C:\Program Files\Java
2008-04-06 14:55:15 0 d-------- C:\Program Files\Common Files\Java
2008-04-06 13:17:34 0 d-------- C:\Users\hector\AppData\Roaming\Adobe
2008-04-06 13:11:55 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-04-06 12:52:33 0 d-------- C:\Users\hector\AppData\Roaming\IDMComp
2008-04-06 12:51:34 0 d-------- C:\Program Files\UltraEdit
2008-04-06 12:51:26 0 d-------- C:\Program Files\IDM Computer Solutions
2008-04-05 21:51:06 0 d-------- C:\Program Files\iArtwork
2008-04-05 19:33:53 0 d-------- C:\Users\hector\AppData\Roaming\Macromedia
2008-04-04 11:08:28 0 d-------- C:\Users\hector\AppData\Roaming\Media Player Classic
2008-04-01 07:40:15 0 d-------- C:\Program Files\ffdshow
2008-03-31 22:23:31 0 d-------- C:\Program Files\Lenogo iPhone to PC Transfer
2008-03-31 21:40:46 0 d-------- C:\Program Files\Bonjour
2008-03-31 21:38:35 0 d-------- C:\Program Files\Common Files\Apple
2008-03-29 11:21:51 0 d-------- C:\Users\hector\AppData\Roaming\HP
2008-03-29 11:18:43 0 d-------- C:\Program Files\Hewlett-Packard
2008-03-29 11:18:43 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-03-26 23:35:52 0 d-------- C:\Program Files\EphPod
2008-03-26 07:13:08 0 d-------- C:\Program Files\QuickPar
2008-03-26 01:12:19 0 d-------- C:\Users\hector\AppData\Roaming\ICAClient
2008-03-15 13:07:02 7680 --a------ C:\Windows\system32\ff_vfw.dll
2008-03-15 12:12:32 60273 --a------ C:\Windows\system32\pthreadGC2.dll <Not Verified; Open Source Software community project; >


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\Windows\System32\msconfig.exe" [11/02/2006 05:45 AM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [09/12/2007 05:28 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [09/12/2007 05:28 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [09/12/2007 05:28 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [12/10/2006 09:52 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 10:33 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gStart"="C:\Garmin\gStart.exe" [03/04/2007 11:08 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 08:33 AM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [5/4/2008 8:59:23 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [1/2/2007 9:40:10 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\Windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\Windows\pss\Adobe Acrobat Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
HPService HPSLPSVC
hpdevmgmt hpqcxs08 hpqddsvc

*Newly Created Service* - MFERKDK

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-05-26 21:05:55 ------------


Here is extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Ultimate (build 6000)
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 4300 @ 1.80GHz
Percentage of Memory in Use: 51%
Physical Memory (total/avail): 2046.94 MiB / 1000.88 MiB
Pagefile Memory (total/avail): 4329.18 MiB / 3249.71 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1910.62 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 465.76 GiB total, 85.4 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)
F: is Removable (No Media)
H: is Removable (FAT32)

\\.\PHYSICALDRIVE0 - ST3500630AS ATA Device - 465.76 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 465.76 GiB - C:

\\.\PHYSICALDRIVE1 - Apple Computer_ Inc. iPod IEEE 1394 SBP2 Device - 13.96 GiB - 1 partition
\PARTITION0 - Unknown - 13.93 GiB - H:

\\.\PHYSICALDRIVE2 - Generic Flash HS-CF USB Device

\\.\PHYSICALDRIVE3 - Generic Flash HS-COMBO USB Device



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is disabled.

FW: McAfee Personal Firewall v (McAfee) Disabled
AV: McAfee VirusScan v (McAfee)
AS: McAfee VirusScan v (McAfee)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\hector\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BLACKBOX
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\hector
KMP_DUPLICATE_LIB_OK=TRUE
LOCALAPPDATA=C:\Users\hector\AppData\Local
LOGONSERVER=\\BLACKBOX
MKL_SERIAL=YES
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program Files\UltraEdit\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f02
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\hector\AppData\Local\Temp
TMP=C:\Users\hector\AppData\Local\Temp
USERDOMAIN=BlackBox
USERNAME=hector
USERPROFILE=C:\Users\hector
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

hector


-- Add/Remove Programs ---------------------------------------------------------

--> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {926CC8AE-8414-43DF-8EB4-CF26D9C3C663}
32 Bit HP CIO Components Installer --> MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Citrix Presentation Server Client --> MsiExec.exe /I{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}
EphPod --> C:\PROGRA~1\EphPod\UNWISE.EXE C:\PROGRA~1\EphPod\INSTALL.LOG
ffdshow [rev 1900] [2008-03-15] --> "C:\Program Files\ffdshow\unins000.exe"
Garmin Communicator Plugin --> MsiExec.exe /X{3A7BF905-F37D-4DFB-8308-EC3AA4617B36}
Garmin Training Center 3.4.1 --> MsiExec.exe /X{33BABF46-8430-47A8-A98C-88B1E9DA5DE6}
Google Earth --> MsiExec.exe /I{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HP Customer Participation Program 8.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Imaging Device Functions 8.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP OCR Software 8.0 --> C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
HP Photosmart Essential --> MsiExec.exe /X{EB21A812-671B-4D08-B974-2A347F0D8F70}
HP Photosmart.All-In-One Driver Software 8.0 .A --> C:\Program Files\HP\Digital Imaging\{282E5AB2-8E47-4571-B6FA-6B512555B557}\setup\hpzscr01.exe -datfile hposcr18.dat -onestop -showdisconnect -forcereboot
HP Solution Center 8.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update --> MsiExec.exe /X{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}
HPSSupply --> MsiExec.exe /X{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}
iArtwork --> MsiExec.exe /I{BEC519C9-0FCC-4756-9C62-8A097B67FF0E}
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Lightroom --> MsiExec.exe /I{6297F8EC-D821-4B33-B845-8A8D1A0DF472}
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office Live Meeting 2005 --> MsiExec.exe /I{AB6972B2-CF5D-4CC8-AF4F-B5D6888AB120}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox 3 Beta 4\uninstall\helper.exe
Mp3tag v2.40b --> C:\Program Files\Mp3tag\Mp3tagUninstall.EXE
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
PuTTY version 0.60 --> "C:\Program Files\PuTTY\unins000.exe"
QuickPar 0.9 --> C:\Program Files\QuickPar\uninst.exe
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
SABRE --> MsiExec.exe /X{A1ED7333-E45A-4A57-82D0-A0B7D10BF6A7}
Safari --> MsiExec.exe /I{40589552-3892-409E-B92C-9F5032A4B2F0}
SportTracks 2.0 --> MsiExec.exe /I{2BDD5425-0CD0-4989-A119-FAEEB7963E32}
UltraEdit v14.00+4 --> MsiExec.exe /I{632C29B7-99FC-4257-A88B-40C48A93F104}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1697 / Success
Event Submitted/Written: 05/26/2008 05:19:57 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type1696 / Success
Event Submitted/Written: 05/26/2008 05:19:53 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type1692 / Success
Event Submitted/Written: 05/26/2008 05:19:48 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type1680 / Warning
Event Submitted/Written: 05/26/2008 05:17:43 PM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
3 user registry handles leaked from \Registry\User\S-1-5-21-1184206579-41152997-601951518-1000_Classes:
Process 1692 (\Device\HarddiskVolume1\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-1184206579-41152997-601951518-1000_CLASSES
Process 3072 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1184206579-41152997-601951518-1000_CLASSES
Process 1692 (\Device\HarddiskVolume1\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-1184206579-41152997-601951518-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

Event Record #/Type1679 / Warning
Event Submitted/Written: 05/26/2008 05:17:42 PM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
3 user registry handles leaked from \Registry\User\S-1-5-21-1184206579-41152997-601951518-1000:
Process 3072 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1184206579-41152997-601951518-1000
Process 1692 (\Device\HarddiskVolume1\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-1184206579-41152997-601951518-1000\Software\Policies
Process 1692 (\Device\HarddiskVolume1\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-1184206579-41152997-601951518-1000\Software



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type12709 / Warning
Event Submitted/Written: 05/26/2008 05:32:34 PM
Event ID/Source: 4374 / Microsoft-Windows-Servicing
Event Description:
Windows Servicing identified that package KB905866(Update) is not applicable for this system

Event Record #/Type12688 / Error
Event Submitted/Written: 05/26/2008 05:26:51 PM
Event ID/Source: 4375 / Microsoft-Windows-Servicing
Event Description:
Windows Servicing failed to complete the process of setting package KB905866 (Update) into Staging(Staging) state

Event Record #/Type12687 / Error
Event Submitted/Written: 05/26/2008 05:26:51 PM
Event ID/Source: 4375 / Microsoft-Windows-Servicing
Event Description:
Windows Servicing failed to complete the process of setting package KB905866 (Update) into Staging(Staging) state

Event Record #/Type12686 / Error
Event Submitted/Written: 05/26/2008 05:26:51 PM
Event ID/Source: 4375 / Microsoft-Windows-Servicing
Event Description:
Windows Servicing failed to complete the process of setting package KB905866 (Update) into Staging(Staging) state

Event Record #/Type12685 / Error
Event Submitted/Written: 05/26/2008 05:26:51 PM
Event ID/Source: 4375 / Microsoft-Windows-Servicing
Event Description:
Windows Servicing failed to complete the process of setting package KB905866 (Update) into Staging(Staging) state



-- End of Deckard's System Scanner: finished at 2008-05-26 21:05:55 ------------



thanks for any help

BC AdBot (Login to Remove)

 


m

#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:03:14 PM

Posted 26 June 2008 - 01:46 PM

Hello hector13. :thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine)

We apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having would appreciate you letting us know If not please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

If you still would like help, please follow the following instructions:

Please run Deckard's System Scanner again, this time using these instructions:
(In the event you lost your copy, you can download a new one from here: Deckard's System Scanner)
  • Click on Start, click on Run
  • Copy and paste the following in the open window and then click OK:
    "%userprofile%\desktop\dss.exe" /config
  • This will open up DSS configuration
  • Click on Check All.
  • Click Scan.
    DSS will now run again.
  • Please post back both logs that open in notepad.
    Main.txt and Extra.txt
Next
Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please make sure the following reports are present:
  • The Kaspersky scan report
  • DSS's Main.txt
  • DSS's Extra.txt

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#3 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:06:14 PM

Posted 02 July 2008 - 02:32 AM

Hi,

Topic is now closed due to inactivity.
If you still need assistance please send a PM (private message) to a member of the Moderating Team with a link to your thread.
All other users please start your own topic.

Thank You

Blender
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users