Vista Antivirus: Bogus Software... Malware/virus Removal?


This topic is locked
28 replies to this topic

#1 writeroxie

Posted 03 August 2008 - 06:40 PM

I have many pop-up ads while browsing the internet these past 2 days. When I click my Windows Security Alerts icon, it states that I am "at risk" because my automatic updates have been shut off. Even when I turn them back on, they remain shut off (I'm pretty sure this is the malware running defense for itself). The pop-up ads are for fubar.com, bigpoint.com, ovguide.com, and for vista antivirus 2008 & 2009 software. Basically they're trying to get me to buy bogus software to "fix" or "clean" the problem that they gave me.

I'm running IE7 on Windows XP Home w/sp3. I'd really appreciate any guidance/help from the professionals on this forum with helping me remove these problems. Thanks in advance!
-Jim


Deckard's System Scanner v20071014.68
Run by JIM on 2008-08-03 19:30:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...failed; access is denied.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as JIM.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:55 PM, on 8/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Digidesign\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\JIM\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JIM.exe

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A596175D-BBC7-476A-A152-FBA652B64505} - C:\WINDOWS\system32\fcccAPge.dll
O2 - BHO: (no name) - {CFA0A5B1-0FB0-4F68-8632-5E95D9C76B34} - (no file)
O2 - BHO: (no name) - {F0DC7712-B9CE-4343-9402-5C19D80F498A} - C:\WINDOWS\system32\urqQklJY.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] F:\Program Files\Digidesign\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O20 - Winlogon Notify: fcccAPge - C:\WINDOWS\SYSTEM32\fcccAPge.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - F:\Program Files\Digidesign\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - F:\Program Files\Digidesign\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5260 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080617-183631-670 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
backup-20080802-220947-159 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
backup-20080802-220947-169 O4 - HKCU\..\Run: [mpx] c:\WINDOWS\system32\mpx.exe
backup-20080802-220947-324 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080802-220947-347 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080802-220947-436 O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe" /autorun
backup-20080802-220947-545 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080802-220947-635 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
backup-20080802-220947-720 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080802-220947-865 O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
backup-20080802-220948-732 O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
backup-20080802-220948-754 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080802-220948-809 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
backup-20080802-220949-163 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080802-220949-963 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080802-220950-342 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080802-233642-107 O20 - AppInit_DLLs: wgebrh.dll
backup-20080802-233642-463 O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
backup-20080802-233642-546 O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
backup-20080802-233642-711 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
backup-20080802-235145-852 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080803-093512-458 O20 - AppInit_DLLs: bnvmzm.dll

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.js - JSFile - DefaultIcon - C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 DigiFilter - c:\windows\system32\drivers\digifilt.sys <Not Verified; Digidesign, A Division of Avid Technology, Inc.; Pro Tools®>
R0 MDPMGRNT - c:\windows\system32\drivers\mdpmgrnt.sys <Not Verified; Mediafour Corporation; Mediafour Disk Partition Manager>
R0 TPkd - c:\windows\system32\drivers\tpkd.sys <Not Verified; PACE Anti-Piracy, Inc.; InterLok®>
R1 MDFSYSNT - c:\windows\system32\drivers\mdfsysnt.sys <Not Verified; Mediafour Corporation; MacDrive>
R1 oreans32 - c:\windows\system32\drivers\oreans32.sys
R2 aslm75 - c:\windows\system32\drivers\aslm75.sys
R2 DigiNet (Digidesign Ethernet Support) - c:\windows\system32\drivers\diginet.sys <Not Verified; Digidesign, A Division of Avid Technology, Inc.; Pro Tools®>
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 AnyDVD - c:\windows\system32\drivers\anydvd.sys <Not Verified; SlySoft, Inc.; AnyDVD>
R3 dalwdmservice (dal service) - c:\windows\system32\drivers\dalwdm.sys <Not Verified; Digidesign, A Division of Avid Technology, Inc.; Pro Tools®>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 DigiRefresh (Digidesign MME Refresh Service) - f:\program files\digidesign\digidesign\drivers\mmerefresh.exe -s <Not Verified; Digidesign, A Division of Avid Technology, Inc.; Digidesign MME Binder>

S3 digiSPTIService - "f:\program files\digidesign\digidesign\pro tools\digisptiservice.exe" <Not Verified; Digidesign, A Division of Avid Technology, Inc.; Pro Tools CD Ripping Service>
S4 ClusterCATS Service (ColdFusion Monitoring Service) - "c:\cfusion\cfam\program\ccmgr.exe"
S4 Cold Fusion Application Server - c:\cfusion\bin\cfserver.exe <Not Verified; Macromedia Inc.; ColdFusion>
S4 Cold Fusion Executive (ColdFusion Executive) - c:\cfusion\bin\cfexec.exe <Not Verified; Macromedia Inc.; ColdFusion>
S4 Cold Fusion RDS (ColdFusion RDS) - c:\cfusion\bin\cfrdsservice.exe <Not Verified; Macromedia Inc.; ColdFusion>
S4 ColdFusion Graphing Server - c:\cfusion\jrun\bin\jrun.exe -jrundir "c:\cfusion\jrun" -nt "jrun default" "default"
S4 ColdFusion Management Repository (ColdFusion Management Repository Server) - "c:\cfusion\jrun\bin\jrun.exe" -jrundir "c:\cfusion\jrun" -nt "coldfusion management repository" "cfam"
S4 ColdFusion Management Service - "c:\cfusion\cfam\bin\canamingadapter.exe"
S4 RAIDmSvr (Promise Array Message Server) - c:\program files\promise technology, inc.\promise array management\msgsvr.exe <Not Verified; ; Promise Message Server>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E967-E325-11CE-BFC1-08002BE10318}
Description: Disk drive
Device ID: SBP2\LACIE_GROUP_SA&LACIE_D2_EXTREME_LUN_0__&LUN0\00D04B750A04DB33
Manufacturer: (Standard disk drives)
Name: LaCie Group SA LaCie d2 Extreme LUN 0 IEEE 1394 SBP2 Device
PNP Device ID: SBP2\LACIE_GROUP_SA&LACIE_D2_EXTREME_LUN_0__&LUN0\00D04B750A04DB33
Service: disk

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_105A&DEV_3373&SUBSYS_80F51043&REV_02\3&267A616A&0&40
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_105A&DEV_3373&SUBSYS_80F51043&REV_02\3&267A616A&0&40
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_80ED1043&REV_80\3&267A616A&0&78
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_80ED1043&REV_80\3&267A616A&0&78
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-08-03 18:02:43 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-07-29 18:37:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-05-15 01:21:44 346 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-03-01 02:02:28 348 --a------ C:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2008-07-03 and 2008-08-03 -----------------------------

2008-08-03 09:11:38 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-03 02:34:56 130432 --a------ C:\WINDOWS\system32\bnvmzm.dll
2008-08-03 02:34:55 130432 --a------ C:\WINDOWS\system32\cbeybcsl.dll
2008-08-03 02:32:08 98688 --a------ C:\WINDOWS\system32\gtnhtakb.dll
2008-08-03 01:36:20 0 d-------- C:\Program Files\Windows Defender
2008-08-03 01:34:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-03 01:34:23 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-03 01:33:33 0 d-------- C:\Program Files\SpywareBlaster
2008-08-02 20:33:57 98688 --a------ C:\WINDOWS\system32\uwrigwmp.dll
2008-08-02 20:31:39 130432 --a------ C:\WINDOWS\system32\wgebrh.dll
2008-08-02 20:31:38 130432 --a------ C:\WINDOWS\system32\iffvbfut.dll
2008-08-02 20:30:56 804231 --ahs---- C:\WINDOWS\system32\YJlkQqru.ini2
2008-08-02 20:30:51 322816 --a------ C:\WINDOWS\system32\urqQklJY.dll
2008-08-02 20:26:08 34688 --a------ C:\WINDOWS\system32\awtqnKbB.dll
2008-08-02 20:26:07 34688 --a------ C:\WINDOWS\system32\yayxUnOI.dll
2008-08-02 20:25:47 34688 --a------ C:\WINDOWS\system32\xxyawxxV.dll
2008-08-02 20:25:47 34688 --a------ C:\WINDOWS\system32\fcccAPge.dll
2008-07-09 23:12:58 0 d-------- C:\WINDOWS\Prefetch
2008-07-09 23:08:19 0 d-------- C:\WINDOWS\system32\scripting
2008-07-09 23:08:19 0 d-------- C:\WINDOWS\l2schemas
2008-07-09 23:08:18 0 d-------- C:\WINDOWS\system32\en
2008-07-09 23:08:18 0 d-------- C:\WINDOWS\system32\bits
2008-07-09 23:06:34 0 d-------- C:\WINDOWS\ServicePackFiles
2008-07-09 23:04:55 0 d-------- C:\WINDOWS\network diagnostic
2008-07-09 22:59:15 0 d-------- C:\WINDOWS\EHome


-- Find3M Report ---------------------------------------------------------------

2008-08-03 01:35:13 0 d-------- C:\Program Files\Lavasoft
2008-08-03 01:35:11 0 d-------- C:\Documents and Settings\JIM\Application Data\Lavasoft
2008-08-03 01:34:23 0 d-------- C:\Program Files\Common Files
2008-08-02 22:02:10 0 d-------- C:\Program Files\MediaCoder
2008-08-02 12:19:15 0 d-------- C:\Documents and Settings\JIM\Application Data\Adobe
2008-07-29 23:27:35 0 d-------- C:\Documents and Settings\JIM\Application Data\Digidesign
2008-07-09 23:08:31 0 d-------- C:\Program Files\Messenger
2008-07-09 23:08:18 0 d-------- C:\Program Files\Movie Maker
2008-07-09 23:06:24 0 d-------- C:\Program Files\Windows NT
2008-06-28 10:50:51 0 d-------- C:\Documents and Settings\JIM\Application Data\SiteAdvisor
2008-06-17 18:34:18 0 d-------- C:\Program Files\Trend Micro
2008-05-12 17:23:47 144029 --a------ C:\WINDOWS\hpoins16.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A596175D-BBC7-476A-A152-FBA652B64505}]
08/02/2008 08:25 PM 34688 --a------ C:\WINDOWS\system32\fcccAPge.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CFA0A5B1-0FB0-4F68-8632-5E95D9C76B34}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0DC7712-B9CE-4343-9402-5C19D80F498A}]
08/02/2008 08:30 PM 322816 --a------ C:\WINDOWS\system32\urqQklJY.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [04/15/2005 04:54 PM]
"DigidesignMMERefresh"="F:\Program Files\Digidesign\Digidesign\Drivers\MMERefresh.exe" [11/14/2006 12:05 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"= C:\Program Files\Trend Micro\Tmas\sshook.dll [12/31/2005 12:31 PM 77824]
"{A596175D-BBC7-476A-A152-FBA652B64505}"= C:\WINDOWS\system32\fcccAPge.dll [08/02/2008 08:25 PM 34688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcccAPge]
fcccAPge.dll 08/02/2008 08:25 PM 34688 C:\WINDOWS\system32\fcccAPge.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\urqQklJY

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9ccb7413]
rundll32.exe "C:\WINDOWS\system32\uwrigwmp.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mediafour Mac Volume Notifications]
"C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p2pnetworking]
p2pnetworking.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
"C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RAIDmSvr"=2 (0x2)
"PCCPFW"=2 (0x2)
"InCDsrvR"=2 (0x2)
"InCDsrv"=2 (0x2)
"ColdFusion Management Repository"=2 (0x2)
"Cold Fusion RDS"=2 (0x2)
"Cold Fusion Executive"=2 (0x2)
"ClusterCATS Service"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-08-03 19:32:56 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3700+
Percentage of Memory in Use: 21%
Physical Memory (total/avail): 2558.73 MiB / 2010.66 MiB
Pagefile Memory (total/avail): 4040.75 MiB / 3451.09 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1927.35 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 19.52 GiB free.
D: is CDROM (No Media)
F: is Fixed (NTFS) - 74.52 GiB total, 38.33 GiB free.
G: is Fixed (NTFS) - 149.05 GiB total, 71.69 GiB free.
H: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD800JB-00JJC0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:

\\.\PHYSICALDRIVE1 - WDC WD800JB-00JJC0 - 74.53 GiB - 1 partition
\PARTITION0 - Extended w/Extended Int 13 - 74.52 GiB - F:

\\.\PHYSICALDRIVE4 - HP Photosmart D5300 USB Device

\\.\PHYSICALDRIVE3 - SEAGATE ST3160023A USB Device - 149.05 GiB - 1 partition
\PARTITION0 - Installable File System - 149.05 GiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\JIM\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JIM-1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\JIM
LOGONSERVER=\\JIM-1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\Common Files\iZotope\Runtimes;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 10, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=040a
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JIM\LOCALS~1\Temp
TMP=C:\DOCUME~1\JIM\LOCALS~1\Temp
USERDOMAIN=JIM-1
USERNAME=JIM
USERPROFILE=C:\Documents and Settings\JIM
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

JIM (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\NuNInst.exe /UNINSTALL
--> C:\WINDOWS\unmrw.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
--> C:\WINDOWS\UNNVEContent.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{53437F29-E703-11D4-A51F-0010B541CDAE}\setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94492602-F802-48FA-A5AB-AC13DC358475}\setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
32 Bit HP CIO Components Installer --> MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 4.0, 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Illustrator CS --> RunDll32 "C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll",LaunchSetup "C:\Program Files\InstallShield Installation Information\{91A4AD99-69CE-4745-97B7-0E0DFBECFDE5}\setup.exe"
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
AI - Series --> "C:\Program Files\AI - Series\AI - Series.scr" /S /Uninstall
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Mobile Device Support --> MsiExec.exe /I{3EBD3749-304E-4A4C-9575-C00E5F015217}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ASUS Probe V2.22.04 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\ASUS\Probe\DeIsL1.isu" -c"C:\Program Files\ASUS\Probe\probunis.dll"
AsusUpdate --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ASUS\AsusUpdate\Uninst.isu"
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HydraVision --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
AVS DVDMenu Editor 1.2.1.19 --> "C:\Program Files\Common Files\AVSMedia\AVS DVDMenu Editor\unins000.exe"
AVS Video Tools 5.6 --> "C:\Program Files\AVSMedia\VideoTools\unins000.exe"
Beta Bugs Chorrosive VST --> "C:\Program Files\Chorrosive\Chorrosive Uninstall.exe"
Beta Bugs FloFi VST --> "C:\Program Files\FloFi\FloFi Uninstall.exe"
Beta Bugs WideBug VST --> "C:\Program Files\WideBug\WideBug Uninstall.exe"
BitTorrent 5.0.7 --> "C:\Program Files\BitTorrent\uninstall.exe"
BitZipper 4.1 SR-1 --> "C:\Program Files\BitZipper\unins000.exe"
Canon CanoScan Toolbox 4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BCE46757-7674-4416-BEDB-68205A60409E}\setup.exe" -l0x9
CaptureWizPro 3.60 --> C:\Program Files\CaptureWiz\Pro\CaptureWiz.exe uninstal
CDex extraction audio --> "C:\Program Files\CDex_150\uninstall.exe"
ColdFusion 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A4D64993-5175-4534-8583-355F925644D4}\Setup.exe"
Cool & Quiet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1ADE1AA0-7F82-4BB1-B1BD-727DE438057B}\Setup.exe" -l0x9
Cool Edit Pro v1.2a --> C:\PROGRA~1\Cooledit\UNWISE.EXE C:\PROGRA~1\Cooledit\INSTALL.LOG
Digidesign HFS+ Disk Support --> MsiExec.exe /I {158D7308-FE8B-41F5-91FA-4513692F0CD6}
Digidesign Pro Tools LE 7.3.1 --> C:\Program Files\InstallShield Installation Information\{EF2F3EF2-A1CC-4ACD-BCAE-92CAC8D5613A}\setup.exe -runfromtemp -l0x0009 -removeonly
Digidesign Shared Plug-Ins 7.3 --> C:\Program Files\InstallShield Installation Information\{AFE354A5-640F-4A23-94C8-0B441E8967CA}\Setup.exe -runfromtemp -l0x0009 FromUninstall -removeonly
Drumsite 1.2 --> "C:\Program Files\Drumsite\Uninstall.exe" "C:\Program Files\Drumsite\install.log"
Free Bomb Factory Plug-Ins 7.3 --> C:\Program Files\InstallShield Installation Information\{82D48AB1-8E7F-4AA5-A5FA-47FA58A48110}\Setup.exe -runfromtemp -l0x0009 FromUninstall -removeonly
FTP Explorer --> C:\Program Files\FTP Explorer\ftpx.exe /uninstall
FTP Explorer --> MsiExec.exe /I{CF690C1A-8C14-40FA-877E-77372A579E61}
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Imaging Device Functions 9.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Essential 2.01 --> C:\Program Files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat
HP Photosmart Printer Software 9.0 --> C:\Program Files\HP\Digital Imaging\{4FC583C2-45DB-44ac-AD30-8837DB845588}\setup\hpzscr01.exe -datfile hposcr16.dat
HP Solution Center 9.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update --> MsiExec.exe /X{AB40272D-92AB-4F30-B36B-22EDE16F8FE5}
InterLok Driver Kit --> MsiExec.exe /X{A15B3CF2-7FB7-4102-BBC9-9680B7F0825F}
iTunes --> MsiExec.exe /I{B045B608-4A47-4C77-9EAD-06C394503306}
iZotope Vinyl --> "C:\Program Files\iZotope\Vinyl\unins000.exe"
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Macromedia Dreamweaver MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" -l0x9 mmUninstall
Macromedia Fireworks MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{930B2432-43D4-11D5-9871-00C04F8EEB39}\Setup.exe" -l0x9 UNINSTALL
Macromedia Flash MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}\Setup.exe" -l0x9 UNINSTALL
Macromedia FreeHand 10 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4D826618-59C6-11D4-976E-00C04F8EEB39}\Setup.exe" UNINSTALL
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Massey Demo PlugIns (Remove only) --> "C:\Program Files\Massey\Massey Demo PlugIns Uninstall.exe"
Massey TD5 (Remove only) --> "C:\Program Files\Massey\TD5 Uninstall.exe"
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
MediaShow 3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5A9B7C0-8751-11D8-9D75-000129760D75}\setup.exe" -uninstall
Melodyne 3.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1F143D1-1F0D-44FB-A44B-71D4367D16DE}\setup.exe" -l0x9 -removeonly
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
Nero Suite --> C:\Program Files\Common Files\Ahead\Uninstall\setup.exe /uninstall
Ogg Converter --> C:\PROGRA~1\OGGCON~1\UNWISE.EXE C:\PROGRA~1\OGGCON~1\INSTALL.LOG
PACE System Files --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28F58CDE-6241-4B11-8232-6A5D4FB06E8B}\Setup.exe" -l0x9 FromUninstall
Power2Go 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerBackup 1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ADD5DB49-72CF-11D8-9D75-000129760D75}\setup.exe" -uninstall
PowerDirector Express --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EDE721EC-870A-11D8-9D75-000129760D75}\setup.exe" -uninstall
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerDVD Copy 1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3D04529-6EDB-11D8-A372-0050BAE317E1}\setup.exe" -uninstall
PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
PowerStarter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Promise Array Management (PAM) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC9D4665-8553-4EBB-9456-31FD98D8C62D}\Setup.exe" -l0x9
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Trend Micro Anti-Spyware --> C:\Program Files\Trend Micro\Tmas\tmas.exe -uninstall
USB2 Storage Adapter V3 (LaCie) --> C:\WINDOWS\Drivers\LaCie\SilverUninst.exe UnDriver
Video Edit Magic 4.2 --> "C:\Program Files\Deskshare\Video Edit Magic 4.2\unins000.exe"
Videora iPod Converter 0.91 --> C:\Program Files\VideoraiPodConverter\uninst.exe
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Virtual Cable Tester --> MsiExec.exe /X{3D654496-9C3D-4565-858C-3E551ECDA4E2}
Voice Editor --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Winbond\Voice Editor\DeIsL1.isu" -c"C:\Program Files\Winbond\Voice Editor\_ISREG32.DLL"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinXMedia CD MP3/WAV/WMA Converter 1.0.91c --> C:\Program Files\WinXMedia\WinXMedia CD MP3 Converter\uninst.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type13730 / Error
Event Submitted/Written: 08/03/2008 09:02:45 AM
Event ID/Source: 5000 / MPSampleSubmission
Event Description:
EventType mptelemetry, P1 80070422, P2 updateservicemanager-_get_services, P3 fallbackcheck, P4 1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Event Record #/Type13728 / Error
Event Submitted/Written: 08/03/2008 09:00:55 AM
Event ID/Source: 5000 / MPSampleSubmission
Event Description:
EventType mptelemetry, P1 80070422, P2 updateservicemanager-_get_services, P3 fallbackcheck, P4 1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Event Record #/Type13726 / Error
Event Submitted/Written: 08/03/2008 09:00:43 AM
Event ID/Source: 5000 / MPSampleSubmission
Event Description:
EventType mptelemetry, P1 80070422, P2 updateservicemanager-_get_services, P3 fallbackcheck, P4 1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Event Record #/Type13724 / Error
Event Submitted/Written: 08/03/2008 01:50:03 AM
Event ID/Source: 5000 / MPSampleSubmission
Event Description:
EventType mptelemetry, P1 80070422, P2 updateservicemanager-_get_services, P3 fallbackcheck, P4 1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Event Record #/Type13723 / Error
Event Submitted/Written: 08/03/2008 01:48:39 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SpybotSD.exe, version 1.6.0.30, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type73848 / Error
Event Submitted/Written: 08/03/2008 07:32:45 PM
Event ID/Source: 2 / Disk
Event Description:
\Device\Harddisk4\DP(1)0-0+9

Event Record #/Type73847 / Error
Event Submitted/Written: 08/03/2008 07:32:45 PM
Event ID/Source: 2 / Disk
Event Description:
\Device\Harddisk4\DP(1)0-0+9

Event Record #/Type73846 / Error
Event Submitted/Written: 08/03/2008 07:32:45 PM
Event ID/Source: 2 / Flpydisk
Event Description:
\Device\Floppy0

Event Record #/Type73845 / Error
Event Submitted/Written: 08/03/2008 07:32:44 PM
Event ID/Source: 2 / Flpydisk
Event Description:
\Device\Floppy0

Event Record #/Type73844 / Warning
Event Submitted/Written: 08/03/2008 07:32:12 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%JIM-127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JIM-127 can't undo changes that you allow.

For more information please see the following:
%JIM-1275

Scan ID: {F215FB78-CE06-42CB-A12E-C2F9A2856962}

User: JIM-1\JIM

Name: %JIM-1271

ID: %JIM-1272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %JIM-1276

Alert Type: %JIM-1278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-08-03 19:32:56 ------------


#2 writeroxie
  • Topic Starter

Posted 07 August 2008 - 03:43 PM

update: Spybot - Search & Destroy says it's Virtumonde. I think it could be more too.
:thumbsup: Day 4...

#3 SifuMike
  • malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 August 2008 - 02:22 PM

Hello writeroxie,

It is not a good idea to "Bump" your post, as it will only delay help for your log. :)

When selecting logs we generally use two criteria to look for unanswered logs.

1. We start from the oldest to the most recent. That means if you keep bumping, your log is at the top of the list, and since we do not work from the top, it will be looked at last!!

2. We look first for posts with no replies. A bump is a reply, so you get pushed further down the response ladder.




I see you have been attempting to "fix" items using HijackThis yourself and removed many wrong entries. :thumbsup:

If you delete items that it shows without knowing what they are, it can lead to other problems such as your Internet no longer working or problems with running Windows itself.
If you do not have advanced knowledge about computers, you should NOT fix entries using HijackThis without consulting an expert on using this program.




Restore everything you've removed and we'll take it from there.

Open HijackThis
Click Open Misc Tool Section> Config section > Backups button>
Place a check in all backed up entries and click Restore.
Reboot the computer.

************************


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

If you encounter this message: "c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5", click on Ignore for mbamext.dll.

Edited by SifuMike, 09 August 2008 - 02:27 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 writeroxie
  • Topic Starter

Posted 10 August 2008 - 12:54 AM

SifuMike!
I can't tell you how happy I am to hear from you! Thanks for helping me!
After I restored the changes I made in HijackThis, I now get a pop-up error message upon start-up.
-------------------------------------------------------------
RUNDLL
Error loading c:\WINDOWS\system32\qvtetfuj.dll

The specified module could not be found.

[OK]
-------------------------------------------------------------


Here are the logs:

Malwarebytes' Anti-Malware 1.24
Database version: 1036
Windows 5.1.2600 Service Pack 3

1:41:24 AM 8/10/2008
mbam-log-8-10-2008 (01-41-24).txt

Scan type: Quick Scan
Objects scanned: 45344
Time elapsed: 5 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 14
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\urqQklJY.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fcccAPge.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qsoeso.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ddab4e9-4d3c-41f8-ac39-2aa8b56989e4} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{3ddab4e9-4d3c-41f8-ac39-2aa8b56989e4} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{639d8d8a-b5e6-4bcc-af73-35adcd6ad4e1} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{639d8d8a-b5e6-4bcc-af73-35adcd6ad4e1} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a596175d-bbc7-476a-a152-fba652b64505} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a596175d-bbc7-476a-a152-fba652b64505} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fcccapge (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a596175d-bbc7-476a-a152-fba652b64505} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\urqqkljy -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\urqqkljy -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\urqQklJY.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\YJlkQqru.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YJlkQqru.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qsoeso.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\eugoqmkl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lkmqogue.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fcccAPge.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wgdvdsms.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtqnKbB.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pevtbahl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rsfijwgd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ilrvza.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyawxxV.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayxUnOI.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zskldk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.





+++++++++++++++++++++++++++++++++++++++++++





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:46:48 AM, on 8/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Digidesign\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {0450A06F-0226-4001-AB66-F7A355AC72AE} - (no file)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CFA0A5B1-0FB0-4F68-8632-5E95D9C76B34} - (no file)
O2 - BHO: (no name) - {F0B6B168-C064-4868-B728-E40805628888} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] F:\Program Files\Digidesign\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [9ccb7413] rundll32.exe "C:\WINDOWS\system32\qvtetfuj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe" /autorun
O4 - HKCU\..\Run: [mpx] c:\WINDOWS\system32\mpx.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O20 - AppInit_DLLs: wgebrh.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - F:\Program Files\Digidesign\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - F:\Program Files\Digidesign\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5633 bytes
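A defender-side way to triage a HijackThis log like the one above, as an added Python example that is not part of this thread and not HijackThis code. It scores the kinds of entries that stand out in the posted log: an O4 Run value named like a hex string that loads a random-named DLL from system32 through rundll32, a populated O20 AppInit_DLLs line, per-user Run entries that launch something from system32, and BHOs registered with no backing file. The sample lines are copied from the log posted above; the severity levels, the name heuristics and the `KNOWN_USER_AUTORUNS` allowlist are my own assumptions, not HijackThis behaviour, and the script reads only the HijackThis format (the MBAM report, with its LSA Notification/Authentication Packages items, is a different layout).

```python
"""Triage heuristics for HijackThis-style log lines.

Added example for this thread; not part of the forum post and not HijackThis
code. The scoring rules are assumptions about what tends to mark a
Vundo/Virtumonde-style autorun, not anything HijackThis itself emits.
"""
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log posted in the thread,
# embedded here so the example runs offline.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0450A06F-0226-4001-AB66-F7A355AC72AE} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [9ccb7413] rundll32.exe "C:\WINDOWS\system32\qvtetfuj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mpx] c:\WINDOWS\system32\mpx.exe
O20 - AppInit_DLLs: wgebrh.dll
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    severity: str
    line: str
    reason: str


# Assumed heuristics (not HijackThis rules).
HEX_VALUE_NAME = re.compile(r"^[0-9a-f]{8}$")      # Run value named like "9ccb7413"
RANDOM_BASENAME = re.compile(r"^[a-z]{6,8}$")      # DLL named like "qvtetfuj"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\S*?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SYSTEM32_DLL = re.compile(r'system32\\(?P<base>[^\\"]+)\.dll', re.IGNORECASE)
SYSTEM32_EXE = re.compile(r'system32\\(?P<base>[^\\"]+\.exe)', re.IGNORECASE)
# Per-user autoruns that legitimately point into system32 on XP (assumed allowlist).
KNOWN_USER_AUTORUNS = {"ctfmon.exe"}


def assess_line(line: str):
    """Return a Finding for one log line, or None if nothing stands out."""
    line = line.strip()
    if line.startswith("O2 - BHO:") and line.endswith("- (no file)"):
        return Finding("low", line, "BHO CLSID still registered but its DLL is gone (orphaned entry)")
    if line.startswith("O20 - AppInit_DLLs:"):
        value = line.split(":", 1)[1].strip()
        if value:
            return Finding("high", line,
                           f"AppInit_DLLs set to {value}: loaded into every process that maps user32.dll")
        return None
    m = O4_RE.match(line)
    if not m:
        return None
    hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
    dll = SYSTEM32_DLL.search(cmd)
    if "rundll32" in cmd.lower() and dll:
        base = dll.group("base")
        if HEX_VALUE_NAME.match(name) or RANDOM_BASENAME.match(base):
            return Finding("high", line,
                           f"rundll32 autorun of system32\\{base}.dll under a random-looking name")
        return Finding("medium", line, f"rundll32 autorun of system32\\{base}.dll")
    exe = SYSTEM32_EXE.search(cmd)
    if hive == "HKCU" and exe and exe.group("base").lower() not in KNOWN_USER_AUTORUNS:
        return Finding("medium", line,
                       f"per-user Run entry launching {exe.group('base')} from system32")
    return None


def triage(log_text: str):
    """Assess every line; return findings with highest severity first (stable order)."""
    findings = [f for f in map(assess_line, log_text.splitlines()) if f is not None]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the sample, the two high findings are the hex-named Run value loading qvtetfuj.dll and the AppInit_DLLs entry, which is exactly where the thread's "Error loading c:\WINDOWS\system32\qvtetfuj.dll" RUNDLL message comes from once the DLL is gone but the Run value stays. The allowlist is the part to extend on a real system; the random-name test is deliberately crude and only meant to rank what a human should look at first.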

#5 SifuMike
  • malware expert

Posted 10 August 2008 - 10:47 AM

Hi writeroxie,

Looks like you have a very bad infection, so we will run ComboFix.

You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You must disable your McAfee Antivirus before running ComboFix, as it will prevent it from running. <=== IMPORTANT


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
It is a simple procedure that will only take a few moments of your time. It is our safety net.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

#6 writeroxie
  • Topic Starter

Posted 10 August 2008 - 02:11 PM

When I follow the instructions to install the Recovery Console, (and I drag the WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe icon onto the Combofix icon) it doesn't give me the prompt that the instructions mention (stating the RC was installed and asking me if I'd like to proceed with the scanning). Instead, the blue window pops open saying Combofix is preparing to run. So I'm not sure what I'm doing wrong with Recovery Console.

Also, McAfee pops a bottom-right corner window open asking if I should "trust" this program. I'm guessing this means McAfee isn't completely disabled? I can't find a way to completely disable McAfee. Any ideas?

thanks!

#7 SifuMike
  • malware expert

Posted 10 August 2008 - 02:17 PM

When I follow the instructions to install the Recovery Console, (and I drag the WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe icon onto the Combofix icon) it doesn't give me the prompt that the instructions mention (stating the RC was installed and asking me if I'd like to proceed with the scanning). Instead, the blue window pops open saying Combofix is preparing to run. So I'm not sure what I'm doing wrong with Recovery Console.


That is OK. Let it run (after you disable McAfee Antivirus). McAfee will prevent ComboFix from working, so it must be disabled.

Also, McAfee pops a bottom-right corner window open asking if I should "trust" this program. I'm guessing this means McAfee isn't completely disabled? I can't find a way to completely disable McAfee. Any ideas?


See if this works.

To disable McAfee Virusscan:
Please navigate to the system tray on the bottom right hand corner and look for the McAfee icon.

  • right-click it -> choose "Exit."
  • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You successfully disabled the McAfee Guard.



#8 writeroxie
  • Topic Starter

Posted 10 August 2008 - 03:03 PM

"Exit" is not an option when I right-click the McAfee icon. There's no obvious action like that in the drop-down, that's why I'm a little confused about how to turn it off. :thumbsup:

#9 SifuMike
  • malware expert

Posted 10 August 2008 - 03:09 PM

Hi,


What version of McAfee are you running?
Is it part of a McAfee package?
Please tell me what options you see on the drop down.

Edited by SifuMike, 10 August 2008 - 03:11 PM.


#10 writeroxie
  • Topic Starter

Posted 10 August 2008 - 03:21 PM

"McAfee Security Center v8.1"
(has Security Center, VirusScan, Personal Firewall, SiteAdvisor)

drop down menu (upon right mouse click):

- Open Security Center
- Updates
- Scan
- Quick Links (> Home, View Recent Events, McAfee Virtual Technician, My Account, Manage Network, Maintain Computer, Lockdown Firewall, Restore Firewall Defaults)
- Change Settings
- Verify Subscription
- Upgrade Center
- Customer Support

#11 SifuMike
  • malware expert

Posted 10 August 2008 - 03:27 PM

Hi writeroxie

OK here goes.... Security Center itself cannot be turned off, but it is only the vessel housing all the different pieces of software.

Double-click the taskbar icon to open Security Center
Click Advanced Menu (bottom left)
Click Configure (left)
Click Computer & Files (top left)
You can disable VirusScan in the right-hand module**


**Choose "Never" from the menu presented for when you wish them to resume if the installation you are doing will involve a reboot to complete, but don't forget to re-enable them afterwards. You'll see a warning taskbar icon in any case.

Let me know if that works.

Edited by SifuMike, 10 August 2008 - 03:27 PM.


#12 writeroxie (Topic Starter)

Posted 10 August 2008 - 03:36 PM

Ok that worked!

I am going to attempt to run Combofix now.

#13 SifuMike (malware expert, Staff Emeritus)

Posted 10 August 2008 - 03:37 PM

Great! :thumbsup:

#14 writeroxie (Topic Starter)

Posted 10 August 2008 - 04:10 PM

I ran ComboFix. It got to the end, where the log.txt opens. At that time, a few other things popped open, such as a registry change notice for Spybot S&D:

value: deleted
Entry: spybotSD teatimer

I closed that (by clicking allow)
then another opened

value: deleted
Entry: 9ccb7413

I closed that (by clicking allow)

Also a McAfee "registry change" window popped open (even though I thought we had disabled it).

When I closed the log.txt file, my desktop remained bare (just the background image; all the icons and the toolbar were gone). It just sort of sat there, so I hit Ctrl-Alt-Delete, used the "Run" function, typed in "desktop", and all my desktop items reappeared. The log.txt file was not saved to the desktop like I thought it would be. Luckily, as a safety precaution, I copied and pasted it when it popped open a few minutes earlier. So here it is:

ComboFix 08-08-10.01 - JIM 2008-08-10 16:48:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2288 [GMT -4:00]
Running from: C:\Documents and Settings\JIM\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\JIM\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\JIM\Application Data\macromedia\Flash Player\#SharedObjects\P8R6AAV2\interclick.com
C:\Documents and Settings\JIM\Application Data\macromedia\Flash Player\#SharedObjects\P8R6AAV2\interclick.com\ud.sol
C:\Documents and Settings\JIM\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\JIM\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Program Files\winupdate
C:\Program Files\winupdates
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\bkathntg.ini
C:\WINDOWS\system32\juftetvq.ini
C:\WINDOWS\system32\mtdrkdde.ini
C:\WINDOWS\system32\ocujotht.ini
C:\WINDOWS\system32\pesonoje.ini
C:\WINDOWS\system32\pmwgirwu.ini
C:\WINDOWS\system32\qtutlvyp.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-10 01:26 . 2008-08-10 01:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-10 01:26 . 2008-08-10 01:26 <DIR> d-------- C:\Documents and Settings\JIM\Application Data\Malwarebytes
2008-08-10 01:26 . 2008-08-10 01:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-10 01:26 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-10 01:26 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-03 19:30 . 2008-08-03 19:30 <DIR> d-------- C:\Deckard
2008-08-03 09:11 . 2008-08-03 09:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-03 01:36 . 2008-08-03 01:36 <DIR> d-------- C:\Program Files\Windows Defender
2008-08-03 01:34 . 2008-08-03 01:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-03 01:34 . 2008-08-03 01:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-03 01:33 . 2008-08-03 09:33 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-10 12:29 . 2008-04-23 00:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-10 12:29 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-10 12:29 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-10 12:29 . 2008-04-23 00:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-10 12:29 . 2008-04-23 00:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-10 12:29 . 2008-04-23 00:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-10 12:29 . 2008-04-23 00:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-10 12:29 . 2008-04-23 00:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-10 12:29 . 2008-04-22 03:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 00:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-08-05 21:54 --------- d-----w C:\Documents and Settings\JIM\Application Data\SiteAdvisor
2008-08-04 01:09 --------- d-----w C:\Program Files\FTP Explorer
2008-08-03 13:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-03 05:43 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-03 05:35 --------- d-----w C:\Program Files\Lavasoft
2008-08-03 05:35 --------- d-----w C:\Documents and Settings\JIM\Application Data\Lavasoft
2008-08-03 02:02 --------- d-----w C:\Program Files\MediaCoder
2008-07-30 03:27 --------- d-----w C:\Documents and Settings\JIM\Application Data\Digidesign
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-17 22:34 --------- d-----w C:\Program Files\Trend Micro
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 16:54 106496]
"DigidesignMMERefresh"="F:\Program Files\Digidesign\Digidesign\Drivers\MMERefresh.exe" [2006-11-14 00:05 61440]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 20:12 53760 C:\WINDOWS\system32\narrator.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"= "C:\Program Files\Trend Micro\Tmas\sshook.dll" [2005-12-31 12:31 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wgebrh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"wave1"= Digi32.dll
"MIDI2"= diomidi.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-03-11 21:34 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-08-04 02:33 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mediafour Mac Volume Notifications]
-ra------ 2002-12-17 16:43 61440 C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2004-09-22 17:10 1871872 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
--a------ 2006-11-18 08:46 35928 C:\Program Files\SiteAdvisor\6261\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-07-07 09:42 2156368 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RAIDmSvr"=2 (0x2)
"PCCPFW"=2 (0x2)
"InCDsrvR"=2 (0x2)
"InCDsrv"=2 (0x2)
"ColdFusion Management Repository"=2 (0x2)
"Cold Fusion RDS"=2 (0x2)
"Cold Fusion Executive"=2 (0x2)
"ClusterCATS Service"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\FTP Explorer\\ftpx.exe"=

R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2006-11-13 21:38]
R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2006-04-30 10:57]
R1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2006-06-16 12:53]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-10-20 23:01]
R2 DigiNet;Digidesign Ethernet Support;C:\WINDOWS\system32\DRIVERS\diginet.sys [2006-11-13 21:38]
S3 brgwunic;NETGEAR CM212 Cable Modem (WDM);C:\WINDOWS\system32\DRIVERS\brgwunic.sys [2003-12-09 05:02]
S3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys [2006-11-13 21:36]
S4 Cold Fusion Application Server;Cold Fusion Application Server;C:\CFusion\Bin\cfserver.exe [2001-05-23 23:13]
S4 Cold Fusion Executive;ColdFusion Executive;C:\CFusion\Bin\cfexec.exe [2001-05-23 23:27]
S4 Cold Fusion RDS;ColdFusion RDS;C:\CFusion\Bin\cfrdsservice.exe [2001-05-23 23:33]
S4 ColdFusion Management Repository;ColdFusion Management Repository Server;C:\CFusion\jrun\bin\jrun.exe [2001-05-11 00:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-05-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-03-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-10 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0450A06F-0226-4001-AB66-F7A355AC72AE} - (no file)
BHO-{CFA0A5B1-0FB0-4F68-8632-5E95D9C76B34} - (no file)
BHO-{F0B6B168-C064-4868-B728-E40805628888} - (no file)
ShellIconOverlayIdentifiers-Mediafour Mac Volume Icons - (no file)
HKCU-Run-mpx - c:\WINDOWS\system32\mpx.exe
HKLM-Run-9ccb7413 - C:\WINDOWS\system32\qvtetfuj.dll
Notify-WgaLogon - (no file)
MSConfigStartUp-9ccb7413 - C:\WINDOWS\system32\uwrigwmp.dll
MSConfigStartUp-p2pnetworking - p2pnetworking.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\JIM\Application Data\Mozilla\Firefox\Profiles\6ymwhfcp.default\


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 16:51:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-08-10 16:52:31
ComboFix-quarantined-files.txt 2008-08-10 20:52:24

Pre-Run: 20,765,487,104 bytes free
Post-Run: 20,913,614,848 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

204 --- E O F --- 2008-07-10 16:29:33

#15 SifuMike (malware expert, Staff Emeritus)

Posted 10 August 2008 - 04:35 PM

Hi writeroxie,


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.
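The two things the helper acted on in this exchange are the `AppInit_DLLs` value pointing at a bare, random-named DLL in the "Reg Loading Points" section of the ComboFix log (post #14) and the `Registry::` CFScript stanza that deletes it (post #15). The script below is an added example, not part of the original thread and not ComboFix's or BleepingComputer's own code: it parses the REGEDIT4-style loading-points block, applies the kind of checks a helper applies by eye (non-empty `AppInit_DLLs`, Security Center monitoring switched off, Run values with random-looking names or DLL images), and renders the delete stanza in the syntax shown in post #15. The sample log is constructed from lines in the thread; the `9ccb7413` Run value is rebuilt from the orphan ComboFix reported as already removed, and its timestamp/size annotation is invented. The heuristics are the author's, not ComboFix's.

```python
import re
from collections import namedtuple

# Constructed sample input: a cut-down "Reg Loading Points" block in the
# REGEDIT4-style layout ComboFix prints. AppInit_DLLs and the Security Center
# lines are taken from the log above; the "9ccb7413" Run value is rebuilt from
# the orphan entry (timestamp/size illustrative) so the Run check has a hit.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"9ccb7413"="C:\WINDOWS\system32\qvtetfuj.dll" [2008-08-01 12:00 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wgebrh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
"""

Finding = namedtuple("Finding", "key name value reason")

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"=value, optionally followed by the "[date time size]" note ComboFix appends.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*?)\s*(?:\[[^\]]*\])?$')
RUN_KEY_RE = re.compile(r'\\currentversion\\run(once)?$')
RANDOM_NAME_RE = re.compile(r'^[0-9a-f]{8}$')   # e.g. 9ccb7413


def parse_loading_points(text):
    """Return (key, name, value) triples from a REGEDIT4-style log block."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            value = m.group("value").strip()
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]          # quoted REG_SZ path
            entries.append((key, m.group("name"), value))
    return entries


def triage(entries):
    """Heuristic checks (author's, not ComboFix's) over the parsed entries."""
    findings = []
    for key, name, value in entries:
        k, n, v = key.lower(), name.lower(), value.lower()
        if k.endswith(r"windows nt\currentversion\windows") and n == "appinit_dlls":
            if v:   # loaded into every process that maps user32.dll; normally empty on a home box
                findings.append(Finding(key, name, value,
                    "AppInit_DLLs set to a bare DLL name: classic persistence point"))
        elif r"security center\monitoring" in k and n == "disablemonitoring" and v.endswith("00000001"):
            findings.append(Finding(key, name, value,
                "Security Center monitoring disabled for " + key.rsplit("\\", 1)[-1]
                + " (informational: third-party suites may set this themselves)"))
        elif RUN_KEY_RE.search(k) and (RANDOM_NAME_RE.match(n) or v.endswith(".dll")):
            findings.append(Finding(key, name, value,
                "Run value with random-looking name or DLL image; Run normally launches an .exe"))
    return findings


def cfscript_registry_delete(key, name):
    """Render the CFScript stanza from post #15: Registry:: directive, REGEDIT4
    key line, and "name"=- which tells ComboFix to delete that value."""
    return 'Registry::\n[%s]\n"%s"=-\n' % (key, name)


if __name__ == "__main__":
    for f in triage(parse_loading_points(SAMPLE_LOG)):
        print("%s\\%s = %s\n    %s" % (f.key, f.name, f.value, f.reason))
```

The `DisableMonitoring` hit is deliberately reported as informational rather than malicious: commercial suites that register with Security Center can set it to suppress duplicate warnings, so it needs the context of the rest of the log (here, the rogue "Vista Antivirus" pop-ups and the disabled Automatic Updates) before it means anything. The same caution the helper gives applies to the rendered stanza: a CFScript deletes exactly what it names, so it is written per machine from that machine's log, never reused.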
