Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News:    Hackers Don't Give Site Owners Time to Patch, Start Exploiting New Drupal Flaw Within Hours

Featured Deal: Pay What You Want Complete Cyber Security Certification Bundle Deal

Photo

My web searches and links are being randomly redirected

Started by patchmcg , Jun 30 2009 09:26 AM

  • This topic is locked This topic is locked
21 replies to this topic

#1 patchmcg

patchmcg

  • Members
  • 16 posts
  • OFFLINE
    •  
  • Local time:09:41 PM

Posted 30 June 2009 - 09:26 AM

Thank you kindly in advance for any help you can offer. For the last several weeks, my web links and searches have been randomly re-directed. it doesn't matter what type of link I click, hard link from a web site (any web site), Google search button, or bookmark, they have all been redirected at some point. The only interesting thing is that the re-direct is often related to the content of the link. For example, I did a Google search for "used tacoma guitars"; I then clicked a link identified as a familiar retail music store's website with a specific model of a Tacoma instrument listed. I was re-directed to another search list (instead of the retail site) with other links for "used tacoma pickup trucks". I then clicked back in my browser and discovered I had to click the back-history to skip past several re-directed links to get to the original Google search. I then clicked the retail link again and it worked fine.

Also, the most common re-directs take me to sites that say different versions of "Your computer is infected with (fill in the blank). Download our removal software." I never do of course. I usually ctrl-alt-dlt and end the browser process.

I've run updated versions of Spyware S&D and Malware Bytes. They find things, clean'em off, and then find them again a day later.

This is just an example of many similar experiences. I asked some friends at my office tech support to help, but they were eventually stumped and suggested I send the computer to them (I work remotely.) to reformat the hard drive. However, I need my computer to keep up with my job, so I'm hoping you can find what they couldn't.

I'm using Windows XP professional and Firefox browser. At home I'm on a wireless router and at work I'm wired to the server and can VPN to our home server as well.

Here is the dds logs. I've also attached the "Attach.txt" file to this thread. I look forward to hearing from you and thank you again.
------------------------------------------------------------------------------------------------------------------

DDS (Ver_09-06-26.01) - NTFSx86
Run by pmcguire at 10:00:40.18 on Tue 06/30/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.589 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Documents and Settings\pmcguire\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Professional&Br=GTW&Loc=ENG_US&Sys=PTB&M=M255-E
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Professional&Br=GTW&Loc=ENG_US&Sys=PTB&M=M255-E
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AutorunsDisabled - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [Power2GoExpress] NA
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
uExplorerRun: [1] startup.bat
mExplorerRun: [1] startup.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159218601187
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {B81919AB-CA2D-4F03-B789-215817958AF9} = 208.67.222.222,208.67.220.220
Filter: AutorunsDisabled\x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pmcguire\applic~1\mozilla\firefox\profiles\pv5sbj43.default\
FF - prefs.js: browser.startup.homepage - hxxp://abcnews.go.com/|http://www.cnn.com/|http://www.msnbc.msn.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-1-24 144704]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-1-24 31816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-10-20 103744]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-1-24 54608]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-9-11 87936]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-10-20 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-10-20 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-10-20 171400]
S3 ANVC;ANVC;c:\docume~1\pmcguire\locals~1\temp\ANVC.exe [2009-6-25 449408]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2009-6-25 11904]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2003-9-29 83008]

=============== Created Last 30 ================

2009-06-25 12:32 <DIR> --d----- c:\program files\Hitman Pro 3.5
2009-06-25 12:32 <DIR> --d----- c:\program files\mozilla.org
2009-06-25 10:28 11,904 a------- c:\windows\system32\drivers\hitmanpro35.sys
2009-06-25 10:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Hitman Pro
2009-06-23 15:28 <DIR> --ds---- C:\ComboFix
2009-06-23 15:28 388,608 a------- c:\windows\system32\CF30411.exe
2009-06-23 15:25 155,136 a------- c:\windows\PEV.exe
2009-06-23 15:25 161,792 a------- c:\windows\SWREG.exe
2009-06-23 15:25 98,816 a------- c:\windows\sed.exe
2009-06-23 15:25 388,608 a------- c:\windows\system32\CF29909.exe
2009-06-22 12:34 118,784 a------- c:\windows\GREUninstall.exe
2009-06-22 12:34 10,368 a------- c:\windows\mozver.dat
2009-06-10 22:41 205 a------- c:\windows\wininit.ini
2009-06-10 22:03 82,944 ac------ c:\windows\system32\dllcache\ws2_32.dll

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-20 10:57 19,725 a------- c:\program files\common files\wakizywi.scr
2008-10-20 10:57 17,978 a------- c:\docume~1\alluse~1\applic~1\quric.com
2008-10-20 10:57 16,641 a------- c:\docume~1\pmcguire\applic~1\ykoveza.exe
2008-10-20 10:57 16,507 a------- c:\docume~1\alluse~1\applic~1\ugoler.com
2008-10-20 10:57 15,249 a------- c:\docume~1\alluse~1\applic~1\ecix.scr
2008-10-20 10:57 15,192 a------- c:\docume~1\alluse~1\applic~1\xisira.reg
2008-10-20 10:57 14,007 a------- c:\docume~1\pmcguire\applic~1\mavawoke.vbs
2008-10-20 10:57 10,294 a------- c:\docume~1\alluse~1\applic~1\qemoxe.bin
2008-10-20 10:30 60,744 a------- c:\documents and settings\pmcguire\g2mdlhlpx.exe
2008-10-18 10:11 336 a------- c:\program files\temp995.bat

============= FINISH: 10:01:14.26 ===============

Attached Files


BC AdBot (Login to Remove)

 

#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:41 AM

Posted 04 July 2009 - 01:16 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.
Member of UNITE (Unified Network of Instructors and Trained Eliminators) 

#3 patchmcg

patchmcg
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
    •  
  • Local time:09:41 PM

Posted 06 July 2009 - 03:32 PM

Thank you for the response. Any help is appreciated regardless of delays. I've been using a borrowed laptop since I posted this thread, so I'm afraid I can offer no further details other than what I originally posted description-wise, but I re-ran the utility as suggested. I've attached the Zipped Attach.txt and pasted the DDS log below. Hope to hear from you soon.

Thanks again.


DDS (Ver_09-06-26.01) - NTFSx86
Run by pmcguire at 16:24:49.21 on Mon 07/06/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.609 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Documents and Settings\pmcguire\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Professional&Br=GTW&Loc=ENG_US&Sys=PTB&M=M255-E
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Professional&Br=GTW&Loc=ENG_US&Sys=PTB&M=M255-E
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AutorunsDisabled - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [Power2GoExpress] NA
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
uExplorerRun: [1] startup.bat
mExplorerRun: [1] startup.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159218601187
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {B81919AB-CA2D-4F03-B789-215817958AF9} = 208.67.222.222,208.67.220.220
Filter: AutorunsDisabled\x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pmcguire\applic~1\mozilla\firefox\profiles\pv5sbj43.default\
FF - prefs.js: browser.startup.homepage - hxxp://abcnews.go.com/|http://www.cnn.com/|http://www.msnbc.msn.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-1-24 144704]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-1-24 31816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-10-20 103744]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-1-24 54608]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-9-11 87936]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-10-20 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-10-20 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-10-20 171400]
S3 ANVC;ANVC;c:\docume~1\pmcguire\locals~1\temp\ANVC.exe [2009-6-25 449408]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2009-6-25 11904]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2003-9-29 83008]

=============== Created Last 30 ================

2009-06-25 12:32 <DIR> --d----- c:\program files\Hitman Pro 3.5
2009-06-25 12:32 <DIR> --d----- c:\program files\mozilla.org
2009-06-25 10:28 11,904 a------- c:\windows\system32\drivers\hitmanpro35.sys
2009-06-25 10:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Hitman Pro
2009-06-23 15:28 <DIR> --ds---- C:\ComboFix
2009-06-23 15:28 388,608 a------- c:\windows\system32\CF30411.exe
2009-06-23 15:25 155,136 a------- c:\windows\PEV.exe
2009-06-23 15:25 161,792 a------- c:\windows\SWREG.exe
2009-06-23 15:25 98,816 a------- c:\windows\sed.exe
2009-06-23 15:25 388,608 a------- c:\windows\system32\CF29909.exe
2009-06-22 12:34 118,784 a------- c:\windows\GREUninstall.exe
2009-06-22 12:34 10,368 a------- c:\windows\mozver.dat
2009-06-10 22:41 205 a------- c:\windows\wininit.ini
2009-06-10 22:03 82,944 ac------ c:\windows\system32\dllcache\ws2_32.dll

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-20 10:57 19,725 a------- c:\program files\common files\wakizywi.scr
2008-10-20 10:57 17,978 a------- c:\docume~1\alluse~1\applic~1\quric.com
2008-10-20 10:57 16,641 a------- c:\docume~1\pmcguire\applic~1\ykoveza.exe
2008-10-20 10:57 16,507 a------- c:\docume~1\alluse~1\applic~1\ugoler.com
2008-10-20 10:57 15,249 a------- c:\docume~1\alluse~1\applic~1\ecix.scr
2008-10-20 10:57 15,192 a------- c:\docume~1\alluse~1\applic~1\xisira.reg
2008-10-20 10:57 14,007 a------- c:\docume~1\pmcguire\applic~1\mavawoke.vbs
2008-10-20 10:57 10,294 a------- c:\docume~1\alluse~1\applic~1\qemoxe.bin
2008-10-20 10:30 60,744 a------- c:\documents and settings\pmcguire\g2mdlhlpx.exe
2008-10-18 10:11 336 a------- c:\program files\temp995.bat

============= FINISH: 16:25:24.45 ===============

Attached Files


#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:41 AM

Posted 07 July 2009 - 05:14 PM

Hello patchmcg my name is Sempai and welcome to Bleeping Computer.

*We apologize for the delay. Forum have been busy.

*I want you to understand that I'm still a trainee here. I will be working with my Coach who will approve all my instructions before posting them to you, so there's a possibility to have some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*You must reply within 5 days otherwise this topic will be closed.


Your log will be analyzed and you will be instructed on what to do next as soon as possible.


Regards,
~ Semp :thumbup2:

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.
Member of UNITE (Unified Network of Instructors and Trained Eliminators) 

#5 patchmcg

patchmcg
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
    •  
  • Local time:09:41 PM

Posted 08 July 2009 - 01:03 PM

Good to meet you Semp. I await further instructions. :thumbup2:

#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:41 AM

Posted 08 July 2009 - 05:14 PM

Hello patchmcg,

Sorry for the delay, forum have been really busy.

1. I see you have Viewpoint installed...

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
If viewpoint is not listed in your program list:
Start firefox > click tools > click add-ons from there look for viewpoint or viewpoint media player then uninstall it.

Then, go to c: > program files and delete viewpoint folder.


2. Let's run MBAM.

Please download Malwarebytes Anti-Malware (v1.38) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


3. Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


4. Lastly, create a new DDS log. Post it together with MBAM and Kaspersky scan log.

Regards,
~ Semp :thumbup2:

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.
Member of UNITE (Unified Network of Instructors and Trained Eliminators) 

#7 patchmcg

patchmcg
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
    •  
  • Local time:09:41 PM

Posted 09 July 2009 - 08:44 AM

I've got mbam running now, but regarding the Viewpoint software: It does not show in either the ADD/REMOVE window or the Firefox add-ons list, so I cannot uninstall it the normal way. However, there is a viewpoint folder in the programs file. Should I just delete it? :thumbup2:

#8 patchmcg

patchmcg
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
    •  
  • Local time:09:41 PM

Posted 09 July 2009 - 04:22 PM

OK, here are all the text logs.

Thanks again for the help.

Malwarebytes' Anti-Malware 1.38
Database version: 2398
Windows 5.1.2600 Service Pack 2

7/9/2009 1:37:33 PM
mbam-log-2009-07-09 (13-37-33).txt

Scan type: Quick Scan
Objects scanned: 121743
Time elapsed: 13 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TDSSserv (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-------------------------------------------------------------------------------------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, July 9, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, July 09, 2009 17:31:01
Records in database: 2450155
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
H:\
S:\
Y:\

Scan statistics:
Files scanned: 117395
Threat name: 2
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 02:37:34


File name / Threat name / Threats count
C:\Documents and Settings\pmcguire\Desktop\helpdesk.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Documents and Settings\pmcguire\Local Settings\Temp\7zS37E.tmp\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\RECYCLER\S-1-5-21-1145796173-183921221-1660491571-5492\Dc12.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\WINDOWS\system32\fhl.dll Infected: not-a-virus:FraudTool.Win32.TotalSecure2009.s 1

The selected area was scanned.


----------------------------------------------------------------------------------------------------------------------


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/21/2006 11:19:40 AM
System Uptime: 7/9/2009 1:39:44 PM (4 hours ago)

Motherboard: Gateway | |
Processor: Intel® Core™2 CPU T5500 @ 1.66GHz | uFCPGA2 | 981/667mhz
Processor: Intel® Core™2 CPU T5500 @ 1.66GHz | uFCPGA2 | 981/667mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 30 GiB total, 7.512 GiB free.
D: is FIXED (FAT32) - 7 GiB total, 3.241 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== Installed Programs ======================

5500
5500_Help
5500Tour
5500Trb
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0.1 Standard
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Acrobat and Reader 6.0.6 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Photoshop CS
Adobe Reader 7.0.9
Adobe Shockwave Player
AiO_Scan
AIOMinimal
AiOSoftware
Amazon MP3 Downloader 1.0.3
AX88772A & AX88772 Vista 64-Bit Driver
Bonjour
Click'N Design 3D (V5)
Copy
CraigsPalFree version 3.04
CreativeProjects
Director
DocProc
DVD Solution
ExamView Assessment Suite
Fax
Google Toolbar for Internet Explorer
GoToMeeting 4.0.0.320
gtw_logo
High Definition Audio Driver Package - KB888111
Hitman Pro 3.5
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB895953)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB910728)
Hotfix for Windows XP (KB914906)
HP Image Zone 3.5
hp LaserJet 1010 Series
HP PSC & OfficeJet 3.5
HP Software Update
HP Unload DLL Patch
hpmdtab
HPSystemDiagnostics
InstantShare
Intel Matrix Storage Manager
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software
Java 2 Runtime Environment, SE v1.4.2
Java™ 6 Update 14
Java™ 6 Update 7
Lexmark X1100 Series
Malwarebytes' Anti-Malware
Maxtor Backup
Maxtor Encryption
Maxtor OneTouch III
McAfee VirusScan Enterprise
mCore
mDriver
mDrWiFi
Memories Disc Creator 2.0
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft IntelliPoint 6.1
Microsoft IntelliType Pro 6.1
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Professional
Microsoft Silverlight
Microsoft Streets and Trips
mIWA
mLogView
mMHouse
Motorola SM56 Data Fax Modem
Mozilla Firefox (3.0.11)
Mozilla Thunderbird (2.0.0.21)
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 Parser and SDK
mWlsSafe
mXML
mZConfig
OrderReminder hp LaserJet 101x
Overland
PhotoGallery
Power2Go 4.0
PowerDVD
PrintScreen
QFolder
QuickProjects
QuickTime
Readme
Recovery Software Suite Gateway
Scan
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Sibelius Scorch Plugin
SigmaTel Audio
SkinsHP1
SkinsHP2
Spybot - Search & Destroy
Synaptics Pointing Device Driver
TaxCut New York 2008
TaxCut Oklahoma 2008
TaxCut Premium + State + Efile 2008
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
TrayApp
Unload
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB931836)
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinPhlash

==== End Of File ===========================

#9 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:41 AM

Posted 10 July 2009 - 04:08 PM

Hello patchmcg,

I've got mbam running now, but regarding the Viewpoint software: It does not show in either the ADD/REMOVE window or the Firefox add-ons list, so I cannot uninstall it the normal way. However, there is a viewpoint folder in the programs file. Should I just delete it?

Yes you can safely delete that folder. :thumbup2:


1. We need to download and run ComboFix (by sUBs)

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

  • Temporary disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note**:

*If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.


Warning!

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper, *** If your are not the topic starter DO NOT run this tool as it could cause irreversible damage to your computer.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


2. Please create a fresh DDS log. Post it together with the combofix log.

Note: Please post the other part of the DDS log and not the one that you've posted in your last reply.


Regards,
~ Semp :)

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.
Member of UNITE (Unified Network of Instructors and Trained Eliminators) 

#10 patchmcg

patchmcg
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
    •  
  • Local time:09:41 PM

Posted 13 July 2009 - 09:35 AM

Morning Semp,

I've encountered a problem.

The combofix detects that my McAfeeVirus Scan is still active even though I disabled it. Did I miss something? Here is a copy of my screen showing the Virus Scan Console with the Combofix warning over it. Ideas?

Also, the Virus Scan icon is not in my system tray. So I had to open the console to disable each scan manually. Again, did I miss something?

To repeat, I thought Virus Scan had been disabled before I opened Combofix. Considering this warning, what should I do next?

Posted Image

#11 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:41 AM

Posted 14 July 2009 - 08:09 AM

Hi patchmcg,


How to disable McAfee:
  • Please open McAfee Security Centre
  • Under Common Tasks click on Home
  • Click Computer Files
  • Click Configure
  • Make sure the following are disabled by ticking the "Off" button.

    Virus protection
    Spyware protection
    System Guards Protection
    Script Scanning Protection (you may have to scroll down to see it)

  • Next, select never for "When to re-enable real time scanning"
  • and click OK.
Further info on disabling and re-enabling McAfee: http://help.aol.com/help/microsites/micros...ternalID=222820


Then, try running combofix again by following the instruction on my previous post.


~Semp :thumbup2:

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.
Member of UNITE (Unified Network of Instructors and Trained Eliminators) 

#12 patchmcg

patchmcg
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
    •  
  • Local time:09:41 PM

Posted 14 July 2009 - 03:54 PM

As luck would have it, I have an earlier version of McAfee, and as I said before, it did not have an icon in the system tray. Hence, the instructions from the link you provided couldn't help. But, after LOTS of web searching and trial and error, I found the culprit: in the on access scanner properties, even though I had already disabled the scanner itself, I had to "uncheck" the box next to "enable On Access scan at start up". So I finally have the Combo fix log below, along with a new DDS log. (The right one, not the attach one. Please delet that part of this thread if you can.) Thanks again. I look forward to hearing from you.

ComboFix 09-07-12.03 - pmcguire 07/14/2009 16:26.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.587 [GMT -4:00]
Running from: c:\documents and settings\pmcguire\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\pmcguire\Local Settings\Temporary Internet Files\alebylolu._sy
c:\documents and settings\pmcguire\Local Settings\Temporary Internet Files\zylebejib._dl
c:\windows\Installer\2e3669e4.msp
c:\windows\system32\fhl.dll
.
---- Previous Run -------
.
c:\windows\system32\mdm.exe
D:\Autorun.inf
F:\Autorun.inf

c:\windows\system32\ws2_32.dll . . . is infected!!

c:\windows\system32\ws2_32.dll . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV


((((((((((((((((((((((((( Files Created from 2009-06-14 to 2009-07-14 )))))))))))))))))))))))))))))))
.

2009-07-09 13:45 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 13:45 . 2009-07-09 13:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-09 13:45 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-25 16:32 . 2009-06-25 16:32 -------- d-----w- c:\program files\Hitman Pro 3.5
2009-06-25 16:32 . 2009-06-25 16:32 -------- d-----w- c:\program files\mozilla.org
2009-06-25 14:28 . 2009-06-25 14:28 11904 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2009-06-25 14:28 . 2009-06-25 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2009-06-22 16:55 . 2009-06-22 16:55 167376 ----a-w- c:\documents and settings\pmcguire\Application Data\Mozilla\Profiles\default\2r8o1tr9.slt\FlashGot.exe
2009-06-22 16:34 . 2009-06-22 16:34 118784 ----a-w- c:\windows\GREUninstall.exe
2009-06-22 16:34 . 2009-06-22 16:53 10368 ----a-w- c:\windows\mozver.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-26 22:42 . 2007-04-25 15:42 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-26 17:17 . 2007-04-23 14:37 -------- d-----w- c:\documents and settings\pmcguire\Application Data\AdobeUM
2009-06-25 16:31 . 2006-09-22 13:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-25 16:31 . 2006-09-22 13:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-22 16:35 . 2007-04-23 14:30 335 ----a-w- c:\windows\nsreg.dat
2009-06-11 23:54 . 2006-09-11 14:40 -------- d-----w- c:\program files\Java
2009-06-11 23:53 . 2009-06-11 23:53 152576 ----a-w- c:\documents and settings\pmcguire\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-02 18:28 . 2007-04-26 17:58 105512 ----a-w- c:\documents and settings\pmcguire\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-02 15:14 . 2006-09-11 14:41 -------- d-----w- c:\program files\Google
2009-05-21 15:33 . 2009-01-21 14:08 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-14 12:27 . 2009-05-14 12:27 152576 ----a-w- c:\documents and settings\pmcguire\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-16 02:23 . 2009-04-16 02:23 4386576 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2008\Downloads\TaxCutOK.exe
2008-10-20 14:57 . 2008-10-20 14:57 19725 ----a-w- c:\program files\Common Files\wakizywi.scr
2008-10-18 14:11 . 2008-10-18 14:11 336 ----a-w- c:\program files\temp995.bat
2006-02-23 12:16 . 2009-06-25 15:19 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 12:16 . 2009-06-25 15:19 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll
.

------- Sigcheck -------

[-] 2004-08-05 02:00 82944 E4DABF6F4E97FCD76A96A245D004D4F6 c:\windows\system32\ws2_32.dll
[-] 2004-08-05 02:00 82944 E4DABF6F4E97FCD76A96A245D004D4F6 c:\windows\system32\dllcache\ws2_32.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 155648]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-05 143360]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 81920]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-01 712704]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-22 842584]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2006-01-20 544768]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-02-13 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [9/11/2006 10:51 AM 87936]
S3 ANVC;ANVC;c:\docume~1\pmcguire\LOCALS~1\Temp\ANVC.exe --> c:\docume~1\pmcguire\LOCALS~1\Temp\ANVC.exe [?]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [6/25/2009 10:28 AM 11904]
S4 Lanvdmx;Lanvdmx; [x]
.
Contents of the 'Scheduled Tasks' folder

2006-09-21 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-01 02:00]

2006-09-21 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-01 02:00]

2006-09-21 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-01 02:00]

2007-07-17 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2006-11-22 01:08]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Explorer_Run-1 - startup.bat
Notify-NavLogon - (no file)
SafeBoot-TDSScffs.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Professional&Br=GTW&Loc=ENG_US&Sys=PTB&M=M255-E
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
TCP: {B81919AB-CA2D-4F03-B789-215817958AF9} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\pmcguire\Application Data\Mozilla\Firefox\Profiles\pv5sbj43.default\
FF - prefs.js: browser.startup.homepage - hxxp://abcnews.go.com/|http://www.cnn.com/|http://www.msnbc.msn.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-14 16:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Maxtor\OneTouch\Utils\SyncServices.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
c:\program files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
.
**************************************************************************
.
Completion time: 2009-07-14 16:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-14 20:41

Pre-Run: 10,070,065,152 bytes free
Post-Run: 10,420,445,184 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

186


---------------------------------------------------------------------------------------------------------------------------------------------


DDS (Ver_09-06-26.01) - NTFSx86
Run by pmcguire at 16:44:05.89 on Tue 07/14/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.599 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\pmcguire\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Professional&Br=GTW&Loc=ENG_US&Sys=PTB&M=M255-E
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AutorunsDisabled - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [Power2GoExpress] NA
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159218601187
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {B81919AB-CA2D-4F03-B789-215817958AF9} = 208.67.222.222,208.67.220.220
Filter: AutorunsDisabled\x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pmcguire\applic~1\mozilla\firefox\profiles\pv5sbj43.default\
FF - prefs.js: browser.startup.homepage - hxxp://abcnews.go.com/|http://www.cnn.com/|http://www.msnbc.msn.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-1-24 144704]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-1-24 31816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-10-20 103744]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-1-24 54608]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-9-11 87936]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-10-20 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-10-20 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-10-20 171400]
S3 ANVC;ANVC;c:\docume~1\pmcguire\locals~1\temp\anvc.exe --> c:\docume~1\pmcguire\locals~1\temp\ANVC.exe [?]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2009-6-25 11904]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2003-9-29 83008]
S4 Lanvdmx;Lanvdmx; [x]

=============== Created Last 30 ================

2009-07-14 16:40 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-14 16:25 <DIR> a-dshr-- C:\cmdcons
2009-07-09 09:45 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 09:45 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-09 09:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-25 12:32 <DIR> --d----- c:\program files\Hitman Pro 3.5
2009-06-25 12:32 <DIR> --d----- c:\program files\mozilla.org
2009-06-25 10:28 11,904 a------- c:\windows\system32\drivers\hitmanpro35.sys
2009-06-25 10:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Hitman Pro
2009-06-23 15:25 155,136 a------- c:\windows\PEV.exe
2009-06-23 15:25 161,792 a------- c:\windows\SWREG.exe
2009-06-23 15:25 98,816 a------- c:\windows\sed.exe
2009-06-22 12:34 118,784 a------- c:\windows\GREUninstall.exe
2009-06-22 12:34 10,368 a------- c:\windows\mozver.dat

==================== Find3M ====================

2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-20 10:57 19,725 a------- c:\program files\common files\wakizywi.scr
2008-10-20 10:57 17,978 a------- c:\docume~1\alluse~1\applic~1\quric.com
2008-10-20 10:57 16,641 a------- c:\docume~1\pmcguire\applic~1\ykoveza.exe
2008-10-20 10:57 16,507 a------- c:\docume~1\alluse~1\applic~1\ugoler.com
2008-10-20 10:57 15,249 a------- c:\docume~1\alluse~1\applic~1\ecix.scr
2008-10-20 10:57 15,192 a------- c:\docume~1\alluse~1\applic~1\xisira.reg
2008-10-20 10:57 14,007 a------- c:\docume~1\pmcguire\applic~1\mavawoke.vbs
2008-10-20 10:57 10,294 a------- c:\docume~1\alluse~1\applic~1\qemoxe.bin
2008-10-20 10:30 60,744 a------- c:\documents and settings\pmcguire\g2mdlhlpx.exe
2008-10-18 10:11 336 a------- c:\program files\temp995.bat

============= FINISH: 16:44:26.10 ===============

#13 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:41 AM

Posted 16 July 2009 - 07:08 AM

Hello patchmcg,

1. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found

HERE.)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

SRPeek::
C:\WINDOWS\system32\ws2_32.dll

File::
c:\docume~1\pmcguire\LOCALS~1\Temp\ANVC.exe
c:\program files\common files\wakizywi.scr
c:\docume~1\alluse~1\applic~1\quric.com
c:\docume~1\pmcguire\applic~1\ykoveza.exe
c:\docume~1\alluse~1\applic~1\ugoler.com
c:\docume~1\alluse~1\applic~1\ecix.scr
c:\docume~1\alluse~1\applic~1\xisira.reg
c:\docume~1\pmcguire\applic~1\mavawoke.vbs
c:\docume~1\alluse~1\applic~1\qemoxe.bin
c:\program files\temp995.bat

Folder::
c:\program files\Viewpoint\Viewpoint Media Player

Driver::
ANVC
Lanvdmx


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


2. Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.

3. Create a new DDS log. Post it together with Combofix and Bitdefender scan logs.


Regards,
~Semp :thumbup2:

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.
Member of UNITE (Unified Network of Instructors and Trained Eliminators) 

#14 patchmcg

patchmcg
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
    •  
  • Local time:09:41 PM

Posted 16 July 2009 - 10:55 AM

OK Semp, I think I got all that. Results below:

ComboFix 09-07-12.03 - pmcguire 07/16/2009 9:35.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.577 [GMT -4:00]
Running from: c:\documents and settings\pmcguire\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\pmcguire\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Created a new restore point

FILE ::
"c:\docume~1\alluse~1\applic~1\ecix.scr"
"c:\docume~1\alluse~1\applic~1\qemoxe.bin"
"c:\docume~1\alluse~1\applic~1\quric.com"
"c:\docume~1\alluse~1\applic~1\ugoler.com"
"c:\docume~1\alluse~1\applic~1\xisira.reg"
"c:\docume~1\pmcguire\applic~1\mavawoke.vbs"
"c:\docume~1\pmcguire\applic~1\ykoveza.exe"
"c:\docume~1\pmcguire\LOCALS~1\Temp\ANVC.exe"
"c:\program files\common files\wakizywi.scr"
"c:\program files\temp995.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\alluse~1\applic~1\ecix.scr
c:\docume~1\alluse~1\applic~1\qemoxe.bin
c:\docume~1\alluse~1\applic~1\quric.com
c:\docume~1\alluse~1\applic~1\ugoler.com
c:\docume~1\alluse~1\applic~1\xisira.reg
c:\docume~1\pmcguire\applic~1\mavawoke.vbs
c:\docume~1\pmcguire\applic~1\ykoveza.exe
c:\program files\common files\wakizywi.scr
c:\program files\temp995.bat
c:\program files\Viewpoint\Viewpoint Media Player
c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
c:\program files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
c:\program files\Viewpoint\Viewpoint Media Player\ComponentMgr.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\AtmoHWConfig.txt
c:\program files\Viewpoint\Viewpoint Media Player\Components\AvatarsDefault.prf
c:\program files\Viewpoint\Viewpoint Media Player\Components\BookmarksDefault.prf
c:\program files\Viewpoint\Viewpoint Media Player\Components\DefaultAvatarIcon.jpg
c:\program files\Viewpoint\Viewpoint Media Player\Components\DefaultWorldIcon.jpg
c:\program files\Viewpoint\Viewpoint Media Player\Components\InternetChatHelp.url
c:\program files\Viewpoint\Viewpoint Media Player\Components\VETsdk.dll
c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
c:\program files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\AOLUserShell.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\AtmoHWConfig.txt
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\Atmosphere.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\AvatarsDefault.prf
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\BlueStreak.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\BookmarksDefault.prf
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\Cursors.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\DefaultAvatarIcon.jpg
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\DefaultWorldIcon.jpg
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\ExtremeShot.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\InternetChatHelp.url
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\JpegReader.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\LensFlares.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\Mts2Reader.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\Mts3Reader.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\ObjectMovie.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\SceneComponent.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\ServiceComponent.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\SreeDMMX.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\SWFView.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\VectorView.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\VETsdk.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\VMPSpeech.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\VMPVideo.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\WaveletReader.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\ZoomView.dll
c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt

c:\windows\system32\ws2_32.dll . . . is infected!!

c:\windows\system32\ws2_32.dll . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ANVC
-------\Service_ANVC
-------\Service_Lanvdmx


((((((((((((((((((((((((( Files Created from 2009-06-16 to 2009-07-16 )))))))))))))))))))))))))))))))
.

2009-07-09 13:45 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 13:45 . 2009-07-09 13:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-09 13:45 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-25 16:32 . 2009-06-25 16:32 -------- d-----w- c:\program files\Hitman Pro 3.5
2009-06-25 16:32 . 2009-06-25 16:32 -------- d-----w- c:\program files\mozilla.org
2009-06-25 14:28 . 2009-06-25 14:28 11904 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2009-06-25 14:28 . 2009-06-25 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2009-06-22 16:55 . 2009-06-22 16:55 167376 ----a-w- c:\documents and settings\pmcguire\Application Data\Mozilla\Profiles\default\2r8o1tr9.slt\FlashGot.exe
2009-06-22 16:34 . 2009-06-22 16:34 118784 ----a-w- c:\windows\GREUninstall.exe
2009-06-22 16:34 . 2009-06-22 16:53 10368 ----a-w- c:\windows\mozver.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-16 13:38 . 2007-07-17 15:02 -------- d-----w- c:\program files\Viewpoint
2009-06-26 22:42 . 2007-04-25 15:42 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-26 17:17 . 2007-04-23 14:37 -------- d-----w- c:\documents and settings\pmcguire\Application Data\AdobeUM
2009-06-25 16:31 . 2006-09-22 13:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-25 16:31 . 2006-09-22 13:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-22 16:35 . 2007-04-23 14:30 335 ----a-w- c:\windows\nsreg.dat
2009-06-11 23:54 . 2006-09-11 14:40 -------- d-----w- c:\program files\Java
2009-06-11 23:53 . 2009-06-11 23:53 152576 ----a-w- c:\documents and settings\pmcguire\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-02 18:28 . 2007-04-26 17:58 105512 ----a-w- c:\documents and settings\pmcguire\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-02 15:14 . 2006-09-11 14:41 -------- d-----w- c:\program files\Google
2009-05-21 15:33 . 2009-01-21 14:08 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-14 12:27 . 2009-05-14 12:27 152576 ----a-w- c:\documents and settings\pmcguire\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2006-02-23 12:16 . 2009-06-25 15:19 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 12:16 . 2009-06-25 15:19 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------

[-] 2004-08-05 02:00 82944 E4DABF6F4E97FCD76A96A245D004D4F6 c:\windows\system32\ws2_32.dll
[-] 2004-08-05 02:00 82944 E4DABF6F4E97FCD76A96A245D004D4F6 c:\windows\system32\dllcache\ws2_32.dll

.
((((((((((((((((((((((((((((( SnapShot@2009-07-14_20.38.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-16 13:40 . 2009-07-16 13:40 16384 c:\windows\Temp\Perflib_Perfdata_134.dat
- 2009-07-14 20:31 . 2009-07-14 20:31 16384 c:\windows\Temp\Perflib_Perfdata_134.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 155648]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-05 143360]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 81920]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-01 712704]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-22 842584]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2006-01-20 544768]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-02-13 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [9/11/2006 10:51 AM 87936]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [6/25/2009 10:28 AM 11904]
.
Contents of the 'Scheduled Tasks' folder

2006-09-21 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-01 02:00]

2006-09-21 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-01 02:00]

2006-09-21 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-01 02:00]

2007-07-17 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2006-11-22 01:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Professional&Br=GTW&Loc=ENG_US&Sys=PTB&M=M255-E
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
TCP: {B81919AB-CA2D-4F03-B789-215817958AF9} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\pmcguire\Application Data\Mozilla\Firefox\Profiles\pv5sbj43.default\
FF - prefs.js: browser.startup.homepage - hxxp://abcnews.go.com/|http://www.cnn.com/|http://www.msnbc.msn.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-16 09:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Maxtor\OneTouch\Utils\SyncServices.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
c:\program files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
.
**************************************************************************
.
Completion time: 2009-07-16 9:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-16 13:45
ComboFix2.txt 2009-07-14 20:41

Pre-Run: 10,397,528,064 bytes free
Post-Run: 10,346,188,800 bytes free

233


__________________________________________________________________________________________________




BitDefender Online Scanner







Scan report generated at: Thu, Jul 16, 2009 - 11:15:25









Scan path: C:\;D:\;E:\;















Statistics

Time


01:16:41

Files


532300

Folders


7879

Boot Sectors


0

Archives


52771

Packed Files


28611







Results

Identified Viruses


2

Infected Files


4

Suspect Files


0

Warnings


0

Disinfected


0

Deleted Files


3







Engines Info

Virus Definitions


3732203

Engine build


AVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008 17:19:14)

Scan plugins


17

Archive plugins


45

Unpack plugins


7

E-mail plugins


6

System plugins


4







Scan Settings

First Action


Disinfect

Second Action


Delete

Heuristics


Yes

Enable Warnings


Yes

Scanned Extensions


*;

Exclude Extensions




Scan Emails


Yes

Scan Archives


Yes

Scan Packed


Yes

Scan Files


Yes

Scan Boot


Yes








Scanned File


Status

C:\Qoobox\Quarantine\C\WINDOWS\system32\fhl.dll.vir


Infected with: Trojan.Downloader.JKZL

C:\Qoobox\Quarantine\C\WINDOWS\system32\fhl.dll.vir


Deleted

C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP379\A0114217.dll


Infected with: Trojan.Downloader.JKZL

C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP379\A0114217.dll


Deleted

C:\WINDOWS\system32\dllcache\ws2_32.dll


Infected with: Trojan.Patched.EM

C:\WINDOWS\system32\dllcache\ws2_32.dll


Disinfection failed

C:\WINDOWS\system32\dllcache\ws2_32.dll


Deleted

C:\WINDOWS\system32\ws2_32.dll


Infected with: Trojan.Patched.EM

C:\WINDOWS\system32\ws2_32.dll


Disinfection failed

C:\WINDOWS\system32\ws2_32.dll


Delete failed


___________________________________________________________________________________________________



DDS (Ver_09-06-26.01) - NTFSx86
Run by pmcguire at 11:48:15.51 on Thu 07/16/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.569 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\pmcguire\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Professional&Br=GTW&Loc=ENG_US&Sys=PTB&M=M255-E
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AutorunsDisabled - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [Power2GoExpress] NA
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159218601187
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {B81919AB-CA2D-4F03-B789-215817958AF9} = 208.67.222.222,208.67.220.220
Filter: AutorunsDisabled\x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pmcguire\applic~1\mozilla\firefox\profiles\pv5sbj43.default\
FF - prefs.js: browser.startup.homepage - hxxp://abcnews.go.com/|http://www.cnn.com/|http://www.msnbc.msn.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-1-24 144704]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-1-24 31816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-10-20 103744]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-1-24 54608]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-9-11 87936]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-10-20 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-10-20 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-10-20 171400]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2009-6-25 11904]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2003-9-29 83008]

=============== Created Last 30 ================

2009-07-14 16:40 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-14 16:25 <DIR> a-dshr-- C:\cmdcons
2009-07-09 09:45 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 09:45 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-09 09:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-25 12:32 <DIR> --d----- c:\program files\Hitman Pro 3.5
2009-06-25 12:32 <DIR> --d----- c:\program files\mozilla.org
2009-06-25 10:28 11,904 a------- c:\windows\system32\drivers\hitmanpro35.sys
2009-06-25 10:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Hitman Pro
2009-06-23 15:25 155,136 a------- c:\windows\PEV.exe
2009-06-23 15:25 161,792 a------- c:\windows\SWREG.exe
2009-06-23 15:25 98,816 a------- c:\windows\sed.exe
2009-06-22 12:34 118,784 a------- c:\windows\GREUninstall.exe
2009-06-22 12:34 10,368 a------- c:\windows\mozver.dat

==================== Find3M ====================

2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-20 10:30 60,744 a------- c:\documents and settings\pmcguire\g2mdlhlpx.exe

============= FINISH: 11:48:37.31 ===============

#15 patchmcg

patchmcg
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
    •  
  • Local time:09:41 PM

Posted 16 July 2009 - 10:58 AM

I just noticed that I forgot to go back and delete the Viewpoint folder, so it shows up all over the reports! I just deleted the the folder, should I just re-do the previous step?

Sorry! :thumbup2:
Back to Virus, Trojan, Spyware, and Malware Removal Logs


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Virus, Trojan, Spyware, and Malware Removal Logs
  4. Privacy Policy
  5. Rules ·