Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Antivirus 2008 Pro


  • This topic is locked This topic is locked
7 replies to this topic

#1 kinry

kinry

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:15 PM

Posted 02 July 2008 - 02:38 PM

Greetings,

So I've met one of those times when our feeble knowledge fails, and we lesser mortals implore you Wizards of Light to save our frail computers from the forces of evil that lurk in the dark corners of the internet.

In short, I believe my computer may be infected with something.

Symptoms that i've noticed include:

-pop-ups (often in danish, although i'm in the UK?!)

-desktop icons linking to insalubrious websites

-unsolicited changing of IE settings

-computer slower (than usual)

-fake security alerts including imitation "windows security alert" red shield with white cross, warning of viral infection, and coercing one to download software. This latter symptom causes me the most worry, as i believe my dad has fallen for this ploy and downloaded the program, which appears in program files as "Antivirus 2008 PRO".

Am i too late?!

Here is my Hijackthis Log:

Deckard's System Scanner v20071014.68
Run by Jamie on 2008-07-02 19:50:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
5: 2008-07-02 02:08:21 UTC - RP1002 - Deckard's System Scanner Restore Point
4: 2008-07-02 01:35:21 UTC - RP1001 - Windows Defender Checkpoint
3: 2008-07-01 22:42:14 UTC - RP1000 - Restore Operation
2: 2008-07-01 22:25:00 UTC - RP999 - Restore Operation
1: 2008-07-01 13:13:31 UTC - RP998 - Windows Defender Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 77% (more than 75%).
Total Physical Memory: 480 MiB (512 MiB recommended).
System Drive C: has 10.89 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-02 19:54:24
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Jamie\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.im/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: (no name) - {1FC48820-7D60-4FB8-966D-1F8C8CA90BC3} - C:\WINDOWS\system32\qoMfddEv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: (no name) - {37F0C601-C555-491B-BDEE-EAAD0BB7A31A} - C:\WINDOWS\system32\opnlMgeE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [DelayLoad] C:\DOCUME~1\Roy\LOCALS~1\Temp\atmadm2.exe
O4 - HKLM\..\Run: [6cff5d3e] rundll32.exe "C:\WINDOWS\system32\glvmanug.dll",b
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O20 - Winlogon Notify: opnlMgeE - C:\WINDOWS\system32\opnlMgeE.dll
O23 - Service: McAfee Application Installer Cleanup (0110551215023980) (0110551215023980mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\011055~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HMVDownloadService - HMV Group plc - C:\Program Files\HMV\DigitalDownloads\HMVDownloadService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\msksrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\system32\slserv.exe


--
End of file - 11029 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil©>
R3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows ® 2000 DDK driver>
R3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 SjyPkt - c:\windows\system32\drivers\sjypkt.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>

S3 AC2003 - c:\windows\system32\drivers\ac2003.sys <Not Verified; ABIT Computer Corp.; AC2003 Device Driver>
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 BTNetFilter (Bluetooth Network Filter) - c:\windows\system32\drivers\btnetfilter.sys
S3 RD1009 (EDIROL UM-1 USB Driver) - c:\windows\system32\drivers\rdwm1009.sys <Not Verified; Roland Corporation; >


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S2 0110551215023980mcinstcleanup (McAfee Application Installer Cleanup (0110551215023980)) - c:\windows\temp\011055~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service (file missing)
S4 BlueSoleil Hid Service - c:\program files\ivt corporation\bluesoleil\btntservice.exe
S4 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_1806147B&REV_10\3&61AAA01&0&70
Manufacturer: Realtek
Name: Realtek RTL8139 Family PCI Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_1806147B&REV_10\3&61AAA01&0&70
Service: rtl8139


-- Scheduled Tasks -------------------------------------------------------------

2008-07-02 19:31:18 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-06-30 15:42:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-03-15 02:00:00 260 --ah----- C:\WINDOWS\Tasks\McDefragTask.job
2008-02-01 02:00:00 348 --ah----- C:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2008-06-02 and 2008-07-02 -----------------------------

2008-07-02 19:39:17 0 d-------- C:\WINDOWS\LastGood
2008-07-02 00:08:48 354 ---hs---- C:\WINDOWS\system32\gunamvlg.ini2
2008-07-01 14:13:20 6352896 --a------ C:\Documents and Settings\Roy\ntuser.dat
2008-07-01 13:47:36 30720 --a------ C:\WINDOWS\Sys9.exe
2008-07-01 12:56:01 91520 --a------ C:\WINDOWS\system32\gkcuqvut.dll
2008-07-01 12:54:03 192883 --ahs---- C:\WINDOWS\system32\vEddfMoq.ini2
2008-07-01 12:53:59 318720 --a------ C:\WINDOWS\system32\qoMfddEv.dll
2008-07-01 12:48:53 27776 -----n--- C:\WINDOWS\system32\opnlMgeE.dll
2008-07-01 12:45:20 0 d-------- C:\Program Files\Antivirus 2008 PRO
2008-07-01 12:45:03 0 d-------- C:\Program Files\VAV
2008-07-01 12:44:59 32256 --a------ C:\WINDOWS\Sys4C.exe
2008-07-01 12:44:57 0 d-------- C:\Program Files\PCHealthCenter
2008-06-27 23:11:58 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-06-27 23:11:32 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-06-27 23:11:30 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-06-08 01:12:18 0 d-------- C:\Program Files\HMV


-- Find3M Report ---------------------------------------------------------------

2008-07-02 19:39:14 0 d-------- C:\Program Files\McAfee
2008-06-22 01:14:40 0 d-------- C:\Documents and Settings\Jamie\Application Data\LimeWire
2008-06-22 00:29:25 0 d-------- C:\Program Files\LimeWire
2008-06-14 22:37:02 0 d-------- C:\Program Files\Soulseek
2008-05-21 18:54:10 0 d-------- C:\Program Files\SiteAdvisor
2008-05-18 11:15:47 0 d-------- C:\Program Files\Kontiki
2008-05-18 11:15:35 0 d-------- C:\Program Files\Sky


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1FC48820-7D60-4FB8-966D-1F8C8CA90BC3}]
01/07/2008 12:54 318720 --a------ C:\WINDOWS\system32\qoMfddEv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
26/11/2007 11:46 324936 --a------ c:\PROGRA~1\mcafee\msk\mcapbho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37F0C601-C555-491B-BDEE-EAAD0BB7A31A}]
01/07/2008 12:48 27776 --------- C:\WINDOWS\system32\opnlMgeE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [01/07/2004 11:23 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 05:25]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [01/07/2002 10:50]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [02/10/2006 20:09]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [03/08/2007 23:33]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28/03/2008 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [30/11/2007 05:42]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 10:23]
"DelayLoad"="C:\DOCUME~1\Roy\LOCALS~1\Temp\atmadm2.exe" []
"6cff5d3e"="C:\WINDOWS\system32\glvmanug.dll" []
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [08/01/2007 11:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 13:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 17:24]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 10:23]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [07/12/2005 17:35:45]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 02:01:04]
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [24/01/2007 21:08:27]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{37F0C601-C555-491B-BDEE-EAAD0BB7A31A}"= C:\WINDOWS\system32\opnlMgeE.dll [01/07/2008 12:48 27776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnlMgeE]
opnlMgeE.dll 01/07/2008 12:48 27776 C:\WINDOWS\system32\opnlMgeE.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\qoMfddEv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPSExe]
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"CCALib8"=2 (0x2)
"BlueSoleil Hid Service"=2 (0x2)

*Newly Created Service* - SJYPKT



-- End of Deckard's System Scanner: finished at 2008-07-02 19:58:11 ------------

BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:15 PM

Posted 02 July 2008 - 03:58 PM

Hi kinry,

Welcome to Bleeping Computer HijackThis forum. I am farbar. I am going to assist you with your problem. Please give me some time to look it over and I will get back to you as soon as possible.

#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:15 PM

Posted 03 July 2008 - 06:03 AM

Hi again,


Your log(s) show that you are using so called Lime Wire, Soulseek and Kontiki or file-sharing programs (in your case Emule). These programs allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


Removal Instructions
  • Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.
    • Click Exit on the Main menu to close the program.

  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  • Please download ComboFix.exe. Visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    • When the tool is finished, it will produce a report for you.
    • Please copy and paste the content of C:\ComboFix.txt to your reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall


  • Deckard System Scanner has produced another log besides the one you have posted. Using Windows explorer please navigate to this folder C:\Deckard\System Scanner\xxxxxxxxxxxxxx (x stands for date and time). Copy and paste the content of extra.txt to your reply.

  • Please copy and paste to your reply:
    • The scan log of MBAM.
    • The ComboFix log.
    • The Deckard System Scanner extra.txt.
    • A fresh Hijackthis log.


#4 kinry

kinry
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:15 PM

Posted 03 July 2008 - 07:42 PM

Thanks for your help!

Malwarebytes' Anti-Malware 1.19
Database version: 918
Windows 5.1.2600 Service Pack 2

23:18:54 03/07/2008
mbam-log-7-3-2008 (23-18-54).txt

Scan type: Quick Scan
Objects scanned: 47971
Time elapsed: 31 minute(s), 7 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 3
Registry Keys Infected: 28
Registry Values Infected: 5
Registry Data Items Infected: 4
Folders Infected: 6
Files Infected: 37

Memory Processes Infected:
C:\WINDOWS\Sys7.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\qoMfddEv.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\xcgucmpn.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\opnlMgeE.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68b22330-34c0-4418-bfac-bd4dc086f145} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{68b22330-34c0-4418-bfac-bd4dc086f145} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{37f0c601-c555-491b-bdee-eaad0bb7a31a} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37f0c601-c555-491b-bdee-eaad0bb7a31a} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnlmgee (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\optimizer.adssite2 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\optimizer.adssite2.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{8d71eeb8-a1a7-4733-8fa2-1cac015c967d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c1a6d8b8-93c3-4186-9dd1-13983f9f1d9b} (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3160f356-e8c3-4de2-a698-92eeeb3d3400} (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\adssite (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\Sidebar.DLL (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\HID_Layer (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6cff5d3e (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{37f0c601-c555-491b-bdee-eaad0bb7a31a} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysB.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysB.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DelayLoad (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomfddev -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomfddev -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\Infected (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\Suspicious (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\VAV (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Roy\Start Menu\Programs\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\qoMfddEv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vEddfMoq.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vEddfMoq.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xcgucmpn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\npmcugcx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnlMgeE.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\Sys7.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SysB.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WhoisCL.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\Sys9.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\0.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sex1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sex2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\vscan.tsi (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\zlib.dll (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav.cpl (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav.ooo (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav0.dat (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav1.dat (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Roy\Start Menu\Programs\Antivirus 2008 PRO\antivirus-2008pro.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sex1.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sex2.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Sys4C.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Roy\Desktop\antivirus-2008pro.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Roy\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus-2008pro.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Roy\Application Data\urlredir.cfg (Adware.RightOnAds) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie\Application Data\urlredir.cfg (Adware.RightOnAds) -> Quarantined and deleted successfully.




-------------------------------------------------------------------------------------------------------------------------




ComboFix 08-07-02.5 - Jamie 2008-07-04 1:08:39.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.100 [GMT 1:00]
Running from: C:\Documents and Settings\Jamie\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 )))))))))))))))))))))))))))))))
.

2008-07-03 23:33 . 2008-07-03 23:33 25,312 --a------ C:\Documents and Settings\Jamie\Application Data\GDIPFONTCACHEV1.DAT
2008-07-03 22:39 . 2008-07-03 22:39 <DIR> d-------- C:\Documents and Settings\Jamie\Application Data\Malwarebytes
2008-07-03 22:38 . 2008-07-03 22:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-03 22:38 . 2008-07-03 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-03 22:38 . 2008-06-28 14:21 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-03 22:38 . 2008-06-28 14:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-02 03:07 . 2008-07-02 03:07 <DIR> d-------- C:\Deckard
2008-07-01 12:48 . 2008-07-03 23:18 27,776 --------- C:\WINDOWS\system32\opnlMgeE.dll
2008-06-11 13:24 . 2008-06-13 14:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 13:24 . 2008-06-13 14:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 01:12 . 2008-06-08 01:12 <DIR> d-------- C:\Program Files\HMV
2008-06-06 20:27 . 2008-07-04 01:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-06 20:27 . 2008-06-06 20:27 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-04 00:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-07-03 20:43 --------- d-----w C:\Program Files\McAfee
2008-07-03 15:43 --------- d-----w C:\Documents and Settings\Roy\Application Data\LimeWire
2008-06-30 10:57 25,312 -c--a-w C:\Documents and Settings\Roy\Application Data\GDIPFONTCACHEV1.DAT
2008-06-24 15:51 --------- d-----w C:\Documents and Settings\Roy\Application Data\SiteAdvisor
2008-06-22 00:14 --------- d-----w C:\Documents and Settings\Jamie\Application Data\LimeWire
2008-06-21 23:29 --------- d-----w C:\Program Files\LimeWire
2008-06-14 21:37 --------- d-----w C:\Program Files\Soulseek
2008-05-21 19:32 --------- d-----w C:\Documents and Settings\Roy\Application Data\AdobeUM
2008-05-21 17:54 --------- d-----w C:\Program Files\SiteAdvisor
2008-05-18 10:15 --------- d-----w C:\Program Files\Sky
2008-05-18 10:15 --------- d-----w C:\Program Files\Kontiki
2008-05-18 10:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sky
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2007-01-31 20:13 2,796,160 -c--a-w C:\Documents and Settings\Roy\TvantsSetup.exe
2006-10-20 21:18 19,666,504 -c--a-w C:\Documents and Settings\Liam\QuickTimeInstaller.exe
2006-04-01 19:32 20,920 -c--a-w C:\Documents and Settings\Julia\Application Data\GDIPFONTCACHEV1.DAT
2006-03-25 10:57 5,141,441 -c--a-w C:\Documents and Settings\Liam\PSP_Video_converting.zip
.

((((((((((((((((((((((((((((( snapshot@2008-07-04_ 0.49.54.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-03 23:32:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-03 23:59:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-03 23:59:29 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_710.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 10:23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-01 10:50 28672]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2006-10-02 20:09 35928]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 10:23 1032640]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 11:23 67584 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-07 17:35:45 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2007-01-24 21:08:27 745472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"= rddv1009.dll
"midi2"= rddv1009.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2007-08-03 23:33 582992 c:\PROGRA~1\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2007-12-06 16:10 419152 C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a--c--- 2005-08-12 16:16 1121792 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-02-03 15:40 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-10-05 23:11 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"CCALib8"=2 (0x2)
"BlueSoleil Hid Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"C:\\Program Files\\Soulseek\\Soulseek.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\PPStream\\PPSAP.exe"=
"C:\\Program Files\\PPStream\\PPStream.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=

R1 SiSEsc;SISLIB_ESC;C:\WINDOWS\system32\sisesc.sys [2003-08-18 06:21]
R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2005-04-01 12:43]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-16 12:39]
R3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 09:57]
S3 AC2003;AC2003;C:\WINDOWS\system32\Drivers\AC2003.sys [2003-12-10 08:21]
S3 HMVDownloadService;HMVDownloadService;"C:\Program Files\HMV\DigitalDownloads\HMVDownloadService.exe" [2008-05-07 11:17]
S3 phil2vid;Philips USB VGA Camera;C:\WINDOWS\system32\DRIVERS\philcam2.sys [2001-08-17 15:04]
S3 RD1009;EDIROL UM-1 USB Driver;C:\WINDOWS\system32\Drivers\rdwm1009.sys [2003-05-14 12:59]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-30 14:42:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-15 01:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-02-01 01:00:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-07-04 00:03:03 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 01:14:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6261\saHook.dll
.
Completion time: 2008-07-04 1:17:53
ComboFix-quarantined-files.txt 2008-07-04 00:17:41
ComboFix2.txt 2008-07-03 23:50:55

Pre-Run: 12,110,397,440 bytes free
Post-Run: 12,098,211,840 bytes free

166 --- E O F --- 2008-07-04 00:07:18





-----------------------------------------------------------------------------------------------------------------------







Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.40GHz
Percentage of Memory in Use: 80%
Physical Memory (total/avail): 479.48 MiB / 93.63 MiB
Pagefile Memory (total/avail): 738.32 MiB / 330.67 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1927.82 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 76.32 GiB total, 10.89 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6Y080P0 - 76.33 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 76.32 GiB - C:

\\.\PHYSICALDRIVE2 - GENERIC USB Storage-CFC USB Device

\\.\PHYSICALDRIVE4 - GENERIC USB Storage-MSC USB Device

\\.\PHYSICALDRIVE3 - GENERIC USB Storage-SDC USB Device

\\.\PHYSICALDRIVE1 - GENERIC USB Storage-SMC USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE:*:Disabled:SAgent4"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"="C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe:*:Enabled:McAfee Data Backup"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Disabled:mIRC"
"C:\\Program Files\\Soulseek\\Soulseek.exe"="C:\\Program Files\\Soulseek\\Soulseek.exe:*:Enabled:SoulSeek"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows« NetMeeting«"
"C:\\Program Files\\Empire Earth.exe"="C:\\Program Files\\Empire Earth.exe:*:Disabled:Empire Earth"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\PPMate\\ppmate.exe"="C:\\Program Files\\PPMate\\ppmate.exe:*:Disabled:PPMate"
"C:\\Program Files\\PPMate\\ppamnet.exe"="C:\\Program Files\\PPMate\\ppamnet.exe:*:Disabled:PPMate"
"C:\\Program Files\\PPStream\\PPSAP.exe"="C:\\Program Files\\PPStream\\PPSAP.exe:*:Disabled:PPS ═°┬š╝Ë╦┘ø"
"C:\\Program Files\\PPStream\\PPStream.exe"="C:\\Program Files\\PPStream\\PPStream.exe:*:Disabled:PPS═°┬šÁš╩Ë"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Disabled:Delivery Manager Service"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Jamie\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HARRISON-BF8227
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Jamie
LOGONSERVER=\\HARRISON-BF8227
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Jamie\LOCALS~1\Temp
TMP=C:\DOCUME~1\Jamie\LOCALS~1\Temp
USERDOMAIN=HARRISON-BF8227
USERNAME=Jamie
USERPROFILE=C:\Documents and Settings\Jamie
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Jamie (admin)
Julia
Roy (admin)
Liam (admin)
Sue (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7646-000000000001}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Audacity 1.2.4 --> "C:\Program Files\Audacity\unins000.exe"
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
BlueSoleil --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B9F499B8-D1F0-42FC-84BE-CC552123CCCB}\setup.exe" -l0x9
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon G.726 WMP-Decoder --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
CANON iMAGE GATEWAY Task --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\CRWUnInstall.ini"
Canon Internet Library for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\CIGUnInstall.ini"
Canon MovieEdit Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
Cool Edit Pro 2.0 --> C:\Program Files\coolpro2\cep2unin.exe
Driver Theory Test Training 2004 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{A3811FFB-CC3A-4F16-A5F6-2D4E77E7EEAC}
EPSON PhotoQuicker3.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{65F5B7AF-3363-11D7-BB6B-00018021113F}\SETUP.EXE" -l0x9 uninst
EPSON PRINT Image Framer Tool2.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23B59ED4-C360-11D7-875B-0090CC005647}\SETUP.EXE" -l0x9 anything
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
ESC46 Reference Guide --> C:\Program Files\EPSON\TPMANUAL\ESC46\REF_G\DOCUNINS.EXE
ESC46 Software Guide --> C:\Program Files\EPSON\TPMANUAL\ESC46\PQU_G\DOCUNINS.EXE
Game Maker 6.1 --> C:\Program Files\Game_Maker6\Uninstal.exe
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Guitar Pro 5.0 --> "C:\Program Files\Guitar Pro 5\unins000.exe"
HMV Digital Downloads --> C:\Program Files\HMV\DigitalDownloads\uninst.exe
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iPod for Windows 2005-06-26 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{654F0312-CB3D-4FE2-962C-6BB9752E9146} /l1033
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java 2 Runtime Environment, SE v1.4.2_01 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142010}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
KXploit Tool --> C:\Documents and Settings\psp programme\KXploit Tool\uninstall.exe
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Line 6 Edit (remove only) --> "C:\Program Files\Line6\Line 6 Edit\uninstall.exe"
Logitech MouseWare 9.70 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\setup.exe" -l0x9 -l0009 UNINSTALL
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
McAfee Uninstall Wizard --> C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /uninstall=1 /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\comrem.dll::uninstall.htm
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft SAPI 5.1 --> MsiExec.exe /I{8F194222-199F-11D6-B163-AA8310157D2E}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MP3 Player Utilities 3.57 --> MsiExec.exe /I{7784A172-61F1-445E-8368-601607E0DD22}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
Nero Suite --> C:\Program Files\Common Files\Ahead\Uninstall\Setup.exe /uninstall
NokiaFREE Unlock Codes Calculator --> "C:\Program Files\NokiaFREE Unlock Codes Calculator\uninst.exe"
OLYMPUS CAMEDIA Master 4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{30BB4D60-81DB-11D5-BB77-00400536ABAC}\setup.exe" CAMEDIA Master 4.1
Personal Ancestral File 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D94A8E22-DF2B-4107-9E51-608A60A7671D}\Setup.exe"
PIF DESIGNER2.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0A7124DF-F8A4-405B-904F-CFD3D3DFB5AE}\SETUP.EXE" -l0x9 anything
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PPStream --> C:\Program Files\PPStream\uninst.exe
Professor Franklin --> C:\Program Files\Professor Franklin\Uninstal.exe
PSP Movie Creator(remove only) --> "C:\Program Files\PQDVD\PSPMovieCreator\bt-uninst.exe"
PSP Video 9 1.72 --> C:\Program Files\pspvideo9\uninst.exe
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
ScanToWeb --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\SETUP.EXE" ADDREMOVEDLG
SiS 661FX_760_741_M661FX_M760_M741 --> Rundll32 SiSInst.dll,Uninstall VGA,R,0
Sky Anytime --> MsiExec.exe /X{DD30C2FD-F485-46A8-8153-88EC2650BC79}
SoulSeek Client 156c --> "C:\Program Files\Soulseek\uninstall.exe"
TVAnts 1.0 --> C:\PROGRA~1\TVAnts\UNWISE.EXE C:\PROGRA~1\TVAnts\INSTALL.LOG
WD Diagnostics --> MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
WG111v2 Configuration Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E0F252A6-DE85-4E93-A93B-DFC3537B3965}\setup.exe" -l0x9 REMOVE -removeonly
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type50061 / Warning
Event Submitted/Written: 07/02/2008 03:13:09 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type50054 / Warning
Event Submitted/Written: 07/02/2008 02:48:56 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type50053 / Error
Event Submitted/Written: 07/02/2008 02:45:14 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type50050 / Error
Event Submitted/Written: 07/02/2008 02:02:18 AM
Event ID/Source: 5000 / MPSampleSubmission
Event Description:
mptelemetry80070422updateservicemanager-_get_servicesfallbackcheck1.1.1592.0mpsigdwn.dll1.1.1592.0windows defenderNILNILNIL

Event Record #/Type50047 / Warning
Event Submitted/Written: 07/02/2008 00:23:54 AM
Event ID/Source: 0 / COM+ SOAP Services
Event Description:
Removal of an assembly from the global assembly cache failed: C:\Program Files\McAfee\MBK\Arbus.Interfacing.Library.dll Arbus.Interfacing.Library,Version=1.0.0.27362



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type77804 / Error
Event Submitted/Written: 07/02/2008 07:55:26 PM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The SmartLinkService service has reported an invalid current state 0.

Event Record #/Type77775 / Warning
Event Submitted/Written: 07/02/2008 02:54:13 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%HARRISON-BF822727 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %HARRISON-BF822727 can't undo changes that you allow.

For more information please see the following:
%HARRISON-BF8227275

Scan ID: {D61D5995-59EC-4DE3-92DB-AE4FA4806241}

User: HARRISON-BF8227\Jamie

Name: %HARRISON-BF8227271

ID: %HARRISON-BF8227272

Severity: 1.1.1592.05

Category: 1.1.1592.06

Path Found: %HARRISON-BF8227276

Alert Type: %HARRISON-BF8227278

Detection Type: 1.1.1592.02

Event Record #/Type77771 / Warning
Event Submitted/Written: 07/02/2008 02:53:58 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%HARRISON-BF822727 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %HARRISON-BF822727 can't undo changes that you allow.

For more information please see the following:
%HARRISON-BF8227275

Scan ID: {2AD3E90D-EB4C-4DA6-9B17-2E7492F26194}

User: HARRISON-BF8227\Jamie

Name: %HARRISON-BF8227271

ID: %HARRISON-BF8227272

Severity: 1.1.1592.05

Category: 1.1.1592.06

Path Found: %HARRISON-BF8227276

Alert Type: %HARRISON-BF8227278

Detection Type: 1.1.1592.02

Event Record #/Type77752 / Error
Event Submitted/Written: 07/02/2008 02:53:10 AM
Event ID/Source: 7022 / Service Control Manager
Event Description:
The KService service hung on starting.

Event Record #/Type77745 / Error
Event Submitted/Written: 07/02/2008 02:35:34 AM
Event ID/Source: 1008 / WinDefend
Event Description:
%NT AUTHORITY27 has encountered an error when taking action on spyware or other potentially unwanted software.

For more information please see the following:
%NT AUTHORITY275

Scan ID: {DC301C82-7E05-4008-B40F-E10DA8D2A232}

Scan Type: %NT AUTHORITY02

User: NT AUTHORITY\NETWORK SERVICE

Name: %NT AUTHORITY271

ID: %NT AUTHORITY272

Severity: 1.1.1592.05

Category: 1.1.1592.06

Path: %NT AUTHORITY276

Action: 1.1.1592.00

Error Code: 1.1.1592.01

Error description: 1.1.1592.02



-- End of Deckard's System Scanner: finished at 2008-07-02 19:58:11 ------------





----------------------------------------------------------------------------------------------------------------------------






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:39:03, on 04/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.im/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HMVDownloadService - HMV Group plc - C:\Program Files\HMV\DigitalDownloads\HMVDownloadService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 8489 bytes








It seems to have worked. Thanks again!

#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:15 PM

Posted 04 July 2008 - 03:24 AM

Hi kinry,


Goodjob! It looks good. Just a few things to do:
  • Go to Microsoft's website => http://support.microsoft.com/kb/310994

    Select the download that's appropriate for your Operating System


    Posted Image


    Download the file & save it as it's originally named, next to ComboFix.exe.



    Posted Image


    Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Drag the setup package onto ComboFix.exe and drop it.
    • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
    • At the next prompt, click 'Yes' to run the full ComboFix scan.

      Posted Image
    • When the tool is finished, it will produce a report for you.
    Please paste and copy the log for further review.

  • Using windows explorer remove the following file: C:\WINDOWS\system32\opnlMgeE.dll


  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 6...allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "English".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Click on the link to download Windows Offline Installation and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.



#6 kinry

kinry
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:15 PM

Posted 04 July 2008 - 08:02 PM

Farbar, I could kiss your bald alien head!

Thank you very much for your help.

Is there no way of making a donation? I feel as though I owe you a drink, at least.








ComboFix 08-07-02.5 - Jamie 2008-07-05 1:43:38.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.123 [GMT 1:00]
Running from: C:\Documents and Settings\Jamie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jamie\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.

2008-07-05 01:41 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-05 01:40 . 2008-07-05 01:40 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-05 01:16 . 2008-07-05 01:16 5,120 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-07-04 01:35 . 2008-07-04 01:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-03 23:33 . 2008-07-03 23:33 25,312 --a------ C:\Documents and Settings\Jamie\Application Data\GDIPFONTCACHEV1.DAT
2008-07-03 22:39 . 2008-07-03 22:39 <DIR> d-------- C:\Documents and Settings\Jamie\Application Data\Malwarebytes
2008-07-03 22:38 . 2008-07-03 22:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-03 22:38 . 2008-07-03 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-03 22:38 . 2008-06-28 14:21 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-03 22:38 . 2008-06-28 14:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-02 03:07 . 2008-07-02 03:07 <DIR> d-------- C:\Deckard
2008-06-11 13:24 . 2008-06-13 14:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 13:24 . 2008-06-13 14:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 01:12 . 2008-06-08 01:12 <DIR> d-------- C:\Program Files\HMV
2008-06-06 20:27 . 2008-07-05 01:37 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-06 20:27 . 2008-06-06 20:27 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 00:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-07-05 00:41 --------- d-----w C:\Program Files\Java
2008-07-03 20:43 --------- d-----w C:\Program Files\McAfee
2008-07-03 15:43 --------- d-----w C:\Documents and Settings\Roy\Application Data\LimeWire
2008-06-30 10:57 25,312 -c--a-w C:\Documents and Settings\Roy\Application Data\GDIPFONTCACHEV1.DAT
2008-06-24 15:51 --------- d-----w C:\Documents and Settings\Roy\Application Data\SiteAdvisor
2008-06-22 00:14 --------- d-----w C:\Documents and Settings\Jamie\Application Data\LimeWire
2008-06-21 23:29 --------- d-----w C:\Program Files\LimeWire
2008-06-14 21:37 --------- d-----w C:\Program Files\Soulseek
2008-05-21 19:32 --------- d-----w C:\Documents and Settings\Roy\Application Data\AdobeUM
2008-05-21 17:54 --------- d-----w C:\Program Files\SiteAdvisor
2008-05-18 10:15 --------- d-----w C:\Program Files\Sky
2008-05-18 10:15 --------- d-----w C:\Program Files\Kontiki
2008-05-18 10:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sky
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-01-31 20:13 2,796,160 -c--a-w C:\Documents and Settings\Roy\TvantsSetup.exe
2006-10-20 21:18 19,666,504 -c--a-w C:\Documents and Settings\Liam\QuickTimeInstaller.exe
2006-04-01 19:32 20,920 -c--a-w C:\Documents and Settings\Julia\Application Data\GDIPFONTCACHEV1.DAT
2006-03-25 10:57 5,141,441 -c--a-w C:\Documents and Settings\Liam\PSP_Video_converting.zip
.

((((((((((((((((((((((((((((( snapshot@2008-07-04_ 0.49.54.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-03 23:32:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-05 00:35:59 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-07-03 20:55:23 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-04 21:21:30 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-03 20:55:23 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-04 21:21:30 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-03 20:55:23 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-04 21:21:30 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-02-22 01:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 00:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-02-22 01:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 00:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-02-22 02:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-03-25 01:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-07-05 00:36:22 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_760.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 10:23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-01 10:50 28672]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2006-10-02 20:09 35928]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 10:23 1032640]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 11:23 67584 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-07 17:35:45 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2007-01-24 21:08:27 745472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"= rddv1009.dll
"midi2"= rddv1009.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2007-08-03 23:33 582992 c:\PROGRA~1\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2007-12-06 16:10 419152 C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a--c--- 2005-08-12 16:16 1121792 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-02-03 15:40 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-10-05 23:11 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"CCALib8"=2 (0x2)
"BlueSoleil Hid Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"C:\\Program Files\\Soulseek\\Soulseek.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\PPStream\\PPSAP.exe"=
"C:\\Program Files\\PPStream\\PPStream.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=

R1 SiSEsc;SISLIB_ESC;C:\WINDOWS\system32\sisesc.sys [2003-08-18 06:21]
R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2005-04-01 12:43]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-16 12:39]
R3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 09:57]
S3 AC2003;AC2003;C:\WINDOWS\system32\Drivers\AC2003.sys [2003-12-10 08:21]
S3 HMVDownloadService;HMVDownloadService;"C:\Program Files\HMV\DigitalDownloads\HMVDownloadService.exe" [2008-05-07 11:17]
S3 phil2vid;Philips USB VGA Camera;C:\WINDOWS\system32\DRIVERS\philcam2.sys [2001-08-17 15:04]
S3 RD1009;EDIROL UM-1 USB Driver;C:\WINDOWS\system32\Drivers\rdwm1009.sys [2003-05-14 12:59]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-30 14:42:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-15 01:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-02-01 01:00:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-07-05 00:39:36 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-05 01:48:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6261\saHook.dll
.
Completion time: 2008-07-05 1:51:30
ComboFix-quarantined-files.txt 2008-07-05 00:51:18
ComboFix2.txt 2008-07-04 00:17:56
ComboFix3.txt 2008-07-03 23:50:55

Pre-Run: 12,635,897,856 bytes free
Post-Run: 12,612,685,824 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

192 --- E O F --- 2008-07-04 00:07:18

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:15 PM

Posted 05 July 2008 - 02:06 AM

Farbar, I could kiss your bald alien head!

Thank you very much for your help.

Is there no way of making a donation? I feel as though I owe you a drink, at least.


Consider it done with that kiss.


Your log shows no infection any more.


In order to reduce the possible infection in the future, you may follow the following steps:
  • First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
  • Sometimes the Privacy, Security and Web settings are altered by the malware. Check and if needed reset them to default:
    • Open Internet explorer > Tools menu > Internet options.
    • Under privacy tab press default.
    • Under security tab press default.
    • Under Programs tab press Reset Web Settings and click OK.
  • Update your Anti Virus and Antispyware Software definitions and run the programs on a regular basis.

  • Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office.
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it to that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
    Windows XP Service Pack 2 is now outdated. Microsoft has recently released Service Pack 3 which has more features and is more secure than Service Pack 2. You may update your Windows via Windows update.

    Go here to check for & install updates to Microsoft applications.

  • Install Javacoolsę SpywareBlaster -
    SpywareBlaster will added a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs. You can find more information and a download link here.


#8 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:15 PM

Posted 10 July 2008 - 02:13 AM

As this seems to resolved... topic is closed. Glad we could help.

If you need to re-open this topic, please send a private message to your helper or moderator.

This applies to original thread starter only.

Everyone else begin a new topic.
Microsoft MVP Consumer Security
Posted Image

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users