
Runtime Error 372 and Contraviro infection


BucNut


I'm trying to get my grandson's computer running, and it's a mess. I can't get online, can't use system restore, can't use the registry editor and now it seems I can't get Malwarebytes to load due to Vbalgrid from vbalgrid6.ocx and can't look for that file because search doesn't seem to be working either. Any help getting this machine clean will be greatly appreciated.

His machine is a Dell and he's running XP SP3. I was able to download Hijackthis onto my flash drive and get this copy.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:44:23 PM, on 9/16/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Turbine\Turbine Download Manager - Lamannia\TurbineMessageService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Turbine\Turbine Download Manager - Lamannia\TurbineDownloadManagerIcon.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Windows\security\Database\mconfig.exe

C:\Program Files\Electronic Arts\EADM\Core.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\SightSpeed\SightSpeed.exe

C:\Program Files\Innovative Solutions\DriverMax\devices.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061130

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061130

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Gary McClellan\yttwas.exe \s

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: C:\WINDOWS\system32\ygsuhdf83id.dll - {BA603215-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\ygsuhdf83id.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent

O4 - HKCU\..\Run: [RGSC] C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

O4 - HKCU\..\Run: [sightSpeed] "C:\Program Files\SightSpeed\SightSpeed.exe" -bootmode

O4 - HKCU\..\Run: [DriverMax] "C:\Program Files\Innovative Solutions\DriverMax\devices.exe" -agent

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-21-4280196803-2235853438-1908108701-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-4280196803-2235853438-1908108701-1007\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent (User '?')

O4 - HKUS\S-1-5-21-4280196803-2235853438-1908108701-1007\..\Run: [steam] "c:\program files\steam\steam.exe" -silent (User '?')

O4 - HKUS\S-1-5-21-4280196803-2235853438-1908108701-1007\..\Run: [RGSC] C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent (User '?')

O4 - HKUS\S-1-5-21-4280196803-2235853438-1908108701-1007\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 (User '?')

O4 - HKUS\S-1-5-21-4280196803-2235853438-1908108701-1007\..\Run: [sightSpeed] "C:\Program Files\SightSpeed\SightSpeed.exe" -bootmode (User '?')

O4 - HKUS\S-1-5-21-4280196803-2235853438-1908108701-1007\..\Run: [DriverMax] "C:\Program Files\Innovative Solutions\DriverMax\devices.exe" -agent (User '?')

O4 - HKUS\S-1-5-21-4280196803-2235853438-1908108701-1007\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe" (User '?')

O4 - HKUS\S-1-5-21-4280196803-2235853438-1908108701-1007\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User '?')

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

O4 - S-1-5-21-4280196803-2235853438-1908108701-1007 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Broken Internet access because of LSP provider 'c:\program files\contraviro\siglsp.dll' missing

O15 - Trusted Zone: *.antimalwareguard.com

O15 - Trusted Zone: *.gomyhit.com

O15 - Trusted Zone: *.antimalwareguard.com (HKLM)

O15 - Trusted Zone: *.gomyhit.com (HKLM)

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab

O16 - DPF: {E85362EF-40D4-4E5D-BE07-D6B036CCA277} (GoPets Control) - https://secure.gopetslive.com/dev/gopets.cab

O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\WINDOWS\System32\dmband32.dll

O20 - Winlogon Notify: 6caa2c24609 - C:\WINDOWS\System32\dmband32.dll (file missing)

O21 - SSODL: uVGIyNAHCcYYn - {6CAA2C25-C600-868F-E29E-805A7FEB18E4} - C:\WINDOWS\system32\shocxw.dll

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)

O22 - SharedTaskScheduler: ksfe98wjkodsngiwiojndg873hundggdd - {BA603215-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\ygsuhdf83id.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: Computer Browser (Browser) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: Cryptographic Services (CryptSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: Wired AutoConfig (Dot3svc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O23 - Service: Extensible Authentication Protocol Service (EapHost) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O23 - Service: COM+ Event System (EventSystem) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O23 - Service: Health Key and Certificate Management Service (hkmsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Server (lanmanserver) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: Workstation (LanmanWorkstation) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: Network Access Protection Agent (napagent) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O23 - Service: Network Connections (Netman) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Turbine Message Service - PublicPreview (PublicPreviewTurbineMessageService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager - Lamannia\TurbineMessageService.exe

O23 - Service: Turbine Network Service - PublicPreview (PublicPreviewTurbineNetworkService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe

O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O23 - Service: System Event Notification (SENS) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O23 - Service: System Restore Service (srservice) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: SSDP Discovery Service (SSDPSRV) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O23 - Service: Terminal Services (TermService) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O23 - Service: Themes - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: Universal Plug and Play Device Host (upnphost) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: User Privilege Service (usprserv) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: Windows Time (w32time) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: WebClient - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

O23 - Service: Wireless Zero Configuration (WZCSVC) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O23 - Service: Network Provisioning Service (xmlprov) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

O24 - Desktop Component 0: (no name) - http://img.gamespot.com/gamespot/shared/gs...p_gameguide.gif

--

End of file - 16947 bytes


Hi, BucNut :P

Welcome.

Seems that svchost.exe is missing.

Download the enclosed folder. Save and extract its contents to the desktop. Once extracted, click on the RunMe.bat file and post back the resulting report.

Thanks again for your help. This one has me stumped. Here are the results:

-c----w 14,336 2004-08-04 10:00:00 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

-c----w 14,336 2008-04-14 00:12:36 C:\WINDOWS\ServicePackFiles\i386\svchost.exe

Entries: 2 (2)

Directories: 0 Files: 2

Bytes: 28,672 Blocks: 56

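The HijackThis logs in this thread mix dozens of benign entries with the handful that matter: the second executable chained onto the UserInit value (F2), the Winsock LSP that points at a missing DLL (O10), the added Trusted Zone sites (O15), the AppInit_DLLs and Winlogon Notify entries (O20), the SSODL entry (O21), and the long run of svchost-hosted services reported as "(file missing)", which is the same thing the svchost.exe check above was chasing. As an added example (not part of this thread, and not a feature of HijackThis), here is a small Python triage script that parses lines in the HJT format and flags exactly those entry types. The sample log inside it is constructed to mirror the format with placeholder names, and the rule set is my own reading of which entry types deserve a second look.

```python
"""Triage a HijackThis (HJT) v2-style log for the entry types that matter in
the thread above. Added example; the rule set is the editor's own, not an
HJT feature, and the sample log below is constructed with placeholder names."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Constructed sample in the HJT line format (not from a real machine).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\SomeUser\example-dropper.exe \s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\example-rogue\siglsp.dll' missing
O15 - Trusted Zone: *.example-rogue-av.test
O20 - AppInit_DLLs: C:\PROGRA~1\Vendor\helper.dll,C:\WINDOWS\System32\example32.dll
O20 - Winlogon Notify: 6caa2c24609 - C:\WINDOWS\System32\example32.dll (file missing)
O21 - SSODL: uVGIyNAHCcYYn - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\example-sso.dll
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Cryptographic Services (CryptSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HJT entry line is "<section> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
MISSING = "(file missing)"


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code (F2, O10, ...)
    reason: str    # why a reviewer should look at it
    detail: str    # the specific path, host or service involved


def parse_entries(log: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for each HJT entry line; skip header/footer lines."""
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    missing_svchost: List[str] = []   # services whose host binary is reported missing
    for section, body in parse_entries(log):
        if section == "F2" and "UserInit=" in body:
            # Anything after the first comma runs at every interactive logon.
            parts = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
            for extra in parts[1:]:
                findings.append(Finding(section, "extra executable chained after userinit.exe", extra))
        elif section == "O10" and "missing" in body.lower():
            findings.append(Finding(section, "Winsock LSP chain references a missing DLL; networking stays broken until the chain is repaired", body))
        elif section == "O15":
            findings.append(Finding(section, "site added to the IE Trusted Zone (relaxed security settings)", body.split(":", 1)[1].strip()))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            for dll in body.split(":", 1)[1].split(","):
                if dll.strip():
                    findings.append(Finding(section, "AppInit_DLLs entry loaded into every user32-linked process", dll.strip()))
        elif section == "O20" and MISSING in body:
            findings.append(Finding(section, "Winlogon Notify package points at a missing file", body))
        elif section == "O21":
            findings.append(Finding(section, "ShellServiceObjectDelayLoad entry loaded by Explorer at logon", body))
        elif section == "O23" and body.endswith(MISSING):
            parts = body.rsplit(" - ", 2)   # "Service: Name (Short)", owner, path
            if len(parts) != 3:
                continue
            head, _owner, target = parts
            short = re.search(r"\(([^()]+)\)\s*$", head)
            name = short.group(1) if short else head
            path = target[: -len(MISSING)].strip()
            if path.lower().endswith("svchost.exe"):
                missing_svchost.append(name)
            else:
                findings.append(Finding(section, "service binary missing on disk", f"{name}: {path}"))
    if missing_svchost:
        # Many "missing" services usually mean one missing host binary, not many infections.
        findings.append(Finding("O23",
                                f"{len(missing_svchost)} svchost-hosted services report their host binary missing; "
                                "verify that C:\\WINDOWS\\system32\\svchost.exe exists",
                                ", ".join(missing_svchost)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per HJT section."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n      {f.detail}")
```

Run it against a saved hijackthis.log by reading the file into `triage()` instead of `SAMPLE_LOG`; the R0/O4 lines in the sample are there to show that ordinary entries are left alone, and the two svchost lines collapse into a single finding rather than two separate alarms.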

I apologize for this taking so long. I thought I had subscribed to the thread, but had not. This is my Hijackthis file after running the command.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:17:18 PM, on 9/18/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Documents and Settings\Gary McClellan\yttwas.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Turbine\Turbine Download Manager - Lamannia\TurbineMessageService.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Electronic Arts\EADM\Core.exe

C:\program files\steam\steam.exe

C:\Program Files\SightSpeed\SightSpeed.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\Innovative Solutions\DriverMax\devices.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\Rockstar Games\Rockstar Games Social Club\1_1_3_0\RGSC.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061130

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061130

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Gary McClellan\yttwas.exe \s

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: C:\WINDOWS\system32\ygsuhdf83id.dll - {BA603215-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\ygsuhdf83id.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent

O4 - HKCU\..\Run: [RGSC] C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

O4 - HKCU\..\Run: [sightSpeed] "C:\Program Files\SightSpeed\SightSpeed.exe" -bootmode

O4 - HKCU\..\Run: [DriverMax] "C:\Program Files\Innovative Solutions\DriverMax\devices.exe" -agent

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Broken Internet access because of LSP provider 'c:\program files\contraviro\siglsp.dll' missing

O15 - Trusted Zone: *.antimalwareguard.com

O15 - Trusted Zone: *.gomyhit.com

O15 - Trusted Zone: *.antimalwareguard.com (HKLM)

O15 - Trusted Zone: *.gomyhit.com (HKLM)

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab

O16 - DPF: {E85362EF-40D4-4E5D-BE07-D6B036CCA277} (GoPets Control) - https://secure.gopetslive.com/dev/gopets.cab

O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\WINDOWS\System32\dmband32.dll

O20 - Winlogon Notify: 6caa2c24609 - C:\WINDOWS\System32\dmband32.dll (file missing)

O21 - SSODL: uVGIyNAHCcYYn - {6CAA2C25-C600-868F-E29E-805A7FEB18E4} - C:\WINDOWS\system32\shocxw.dll

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)

O22 - SharedTaskScheduler: ksfe98wjkodsngiwiojndg873hundggdd - {BA603215-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\ygsuhdf83id.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Turbine Message Service - PublicPreview (PublicPreviewTurbineMessageService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager - Lamannia\TurbineMessageService.exe

O23 - Service: Turbine Network Service - PublicPreview (PublicPreviewTurbineNetworkService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O24 - Desktop Component 0: (no name) - http://img.gamespot.com/gamespot/shared/gs...p_gameguide.gif

--

End of file - 10093 bytes


Hi, BucNut :)

That looks much better.

Please read and follow all these instructions very carefully.

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  4. Double click on combofix.exe & follow the prompts.
  5. If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  6. Install the Recovery Console upon request.
  7. When finished, it will produce a report for you.
  8. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.


I did have to restart. Was Malware Removal supposed to come back on?

Also, I can't get online yet, so I'm having to save everything to a CD...his computer won't recognize my flash drive. Will it be a problem for me to get ComboFix on his computer that way?

These are the results of the scan:

Malwarebytes' Anti-Malware 1.41

Database version: 2775

Windows 5.1.2600 Service Pack 3

9/18/2009 1:48:50 PM

mbam-log-2009-09-18 (13-48-50).txt

Scan type: Quick Scan

Objects scanned: 104857

Time elapsed: 3 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 57

Registry Values Infected: 5

Registry Data Items Infected: 6

Folders Infected: 7

Files Infected: 42

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\Program Files\Contraviro\shellext.dll (Rogue.ContraVirus) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ba603215-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{08eec6ad-7486-487f-89b7-5a3716ddae14} (Rogue.ContraVirus) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\happyquickpop.happyquickpop (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{978ce5fe-bdaa-c777-3ec5-184fc4b6b5f0} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{4c8dfb56-4c9c-1183-10d7-ea4b99844dae} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{8d644bbd-0ff3-b0ee-b876-72fb72c7ae6e} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8d644bbd-0ff3-b0ee-b876-72fb72c7ae6e} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\happyquickpop.happyquickpop.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\ieaddon.statusbarpane (Rogue.UnVirex) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\ieaddon.statusbarpane.1 (Rogue.UnVirex) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{5b184b9d-b7bd-4fea-8d1f-5e27182206a5} (Rogue.UnVirex) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{c0e56ac2-9f72-436e-b6e7-aec28af9e4eb} (Rogue.UnVirex) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{418d86be-7386-4f1a-83e0-53604adbda74} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ccb5551d-8594-4999-85f9-1e3eabcb95ac} (Rogue.UnVirex) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{3ed0e410-5c8e-47b6-a75d-d10b886e903c} (Rogue.UnVirex) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ccb5551d-8594-4999-85f9-1e3eabcb95ac} (Rogue.UnVirex) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{6caa2c25-c600-868f-e29e-805a7feb18e4} (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\tdisp.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\HappyQuickPop.dll (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\IEAddon.dll (Rogue.UnVirex) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\antiVirus_contextscan (Rogue.ContraVirus) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Drives\shellex\ContextMenuHandlers\antiVirus_contextscan (Rogue.ContraVirus) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\antiVirus_contextscan (Rogue.ContraVirus) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\HappyQuickPop (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\fias4051 (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\tm (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Contraviro (Rogue.ContraVirus) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\fbrowsingadvisor_is1 (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\xpreaxs (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ba603215-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\uvgiynahccyyn (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\Program Files\Contraviro\Contraviro.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Gary McClellan\yttwas.exe \s) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

C:\Program Files\Contraviro (Rogue.ContraVirus) -> Delete on reboot.

C:\Program Files\FBrowserAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.

C:\Program Files\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.

C:\Program Files\HappyQuickPop (Adware.PLayMP3z) -> Quarantined and deleted successfully.

C:\Documents and Settings\Gary McClellan\Start Menu\Programs\PlayMP3z (Adware.PLayMP3z) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\GroupPolicyManifest (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SystemService32 (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\ygsuhdf83id.dll (Trojan.Zlob.H) -> Delete on reboot.

C:\Program Files\Contraviro\shellext.dll (Rogue.ContraVirus) -> Delete on reboot.

C:\Program Files\AVG\AVG8\avgtray.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Program Files\HappyQuickPop\HappyQuickPop.dll (Trojan.BHO) -> Quarantined and deleted successfully.

C:\Program Files\Uninstall Fun Web Products.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-4280196803-2235853438-1908108701-1007\Dc1.exe (Rogue.ContraVirus) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-4280196803-2235853438-1908108701-1007\Dc4.dll (Rogue.ContraVirus) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-4280196803-2235853438-1908108701-1007\Dc9.dll (Rogue.ContraVirus) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lphca3nj0elan .exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lphca3nj0elan.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\MSINET.oca (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\qgc91nj0elan.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\shocxw.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\system32\wbem\grpconv.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Gary McClellan\stsystra .exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Gary McClellan\stsystra.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Program Files\Contraviro\AF.dll (Rogue.ContraVirus) -> Quarantined and deleted successfully.

C:\Program Files\Contraviro\guide.chm (Rogue.ContraVirus) -> Quarantined and deleted successfully.

C:\Program Files\Contraviro\tdifw_drv_WLH.sys (Rogue.ContraVirus) -> Quarantined and deleted successfully.

C:\Program Files\Contraviro\tdifw_drv_WXP.sys (Rogue.ContraVirus) -> Quarantined and deleted successfully.

C:\Program Files\FBrowsingAdvisor\IXPCOMEvents.xpt (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.

C:\Program Files\FBrowsingAdvisor\Logo.png (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.

C:\Program Files\FBrowsingAdvisor\main.db (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.

C:\Program Files\FBrowsingAdvisor\unins000.dat (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.

C:\Program Files\FBrowsingAdvisor\unins000.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.

C:\Program Files\HappyQuickPop\uninstall.exe (Adware.PLayMP3z) -> Quarantined and deleted successfully.

C:\Documents and Settings\Gary McClellan\Start Menu\Programs\PlayMP3z\Run PlayMP3z.pif (Adware.PLayMP3z) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\GroupPolicyManifest\1.music.mp3.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\GroupPolicyManifest\2.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\GroupPolicyManifest\3.video.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\GroupPolicyManifest\4.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\GroupPolicyManifest\5.unpack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\GroupPolicyManifest\6.limepro.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\GroupPolicyManifest\7.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\GroupPolicyManifest\8.mpgvideo.mpg.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SystemService32\2D.tmp (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tdisp.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Gary McClellan\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\Gary McClellan\Application Data\Microsoft\Internet Explorer\Quick Launch\Contraviro.lnk (Rogue.ContraVirus) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\GnuHashes.ini (Malware.Trace) -> Quarantined and deleted successfully.

I also might mention that I had tried to manually remove contraviro, and I haven't emptied the trash yet. I'll wait for further instructions from you.


Hi, BucNut :)

Let's try to get you back online:

  1. Enter your Control Panel and double-click on Network Connections
  2. Then right-click on your Default Connection
    • Usually Local Area Connection for Cable and DSL, or AOL Connection.
  3. Left-click on Properties
  4. Double-click on the Internet Protocol (TCP/IP) item
  5. Select the radio dial that says Obtain DNS Servers Automatically
  6. Press OK twice to get out of the properties screen

Go to Start->Run->Type CMD and click Ok. The MS-DOS window will be displayed. At the command prompt, type the following and press Enter after each line:

netsh int ip reset C:\Resetlog.txt

netsh winsock reset catalog

ipconfig /flushdns (The space between g and / is needed)

Exit

Restart the computer.

Attempt to get online.

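The reason for the "Obtain DNS Servers Automatically" step is that DNS-changing malware (the MBAM log above lists a Trojan.DNSChanger entry) writes its own servers into the adapter's static DNS setting, and the same log shows the Winlogon Shell and Userinit values and the Security Center notification flags were hijacked. The PowerShell audit below is an added example, not code from this thread or from Malwarebytes; it reads those registry locations and reports anything that differs from the defaults it assumes for an English Windows install, and it changes nothing.

```powershell
# Added example, not from the thread: read-only audit of the settings this
# infection tampered with. Reports static DNS servers on any adapter,
# non-default Winlogon Shell/Userinit values and suppressed Security Center
# notifications. Expected defaults (Explorer.exe, %SystemRoot%\system32\userinit.exe)
# are assumptions for an English install. Run from an elevated PowerShell prompt.

function Invoke-HijackAudit {
    $findings = @()

    # 1. Static DNS servers. "Obtain DNS Servers Automatically" means the
    #    NameServer value under each interface key is empty; DNS-changing
    #    malware writes its own servers there and the DHCP-offered ones are ignored.
    $ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($if in Get-ChildItem $ifRoot) {
        $p = Get-ItemProperty $if.PSPath
        if ($p.NameServer -and $p.NameServer.Trim() -ne '') {
            $findings += ("Static DNS on interface {0}: {1} (DHCP offered: {2})" -f
                $if.PSChildName, $p.NameServer, $p.DhcpNameServer)
        }
    }

    # 2. Winlogon Shell and Userinit. The MBAM log showed Shell replaced by
    #    Contraviro.exe and Userinit extended with ",<profile>\yttwas.exe \s".
    $wl = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expectedUserinit = "$env:SystemRoot\system32\userinit.exe"
    $hklm = Get-ItemProperty "HKLM:\$wl"
    if ($hklm.Shell -ne 'Explorer.exe') {
        $findings += "HKLM Winlogon Shell = '$($hklm.Shell)' (expected Explorer.exe)"
    }
    # Userinit is a comma-separated list; any entry beyond userinit.exe is suspect.
    $entries = @($hklm.Userinit -split ',' | Where-Object { $_.Trim() -ne '' })
    if ($entries.Count -ne 1 -or $entries[0].Trim() -ne $expectedUserinit) {
        $findings += "HKLM Winlogon Userinit = '$($hklm.Userinit)' (expected $expectedUserinit,)"
    }
    # A per-user Shell value does not exist on a clean system; its presence
    # alone is a finding (the log showed HKCU Shell pointing at Contraviro.exe).
    $hkcu = Get-ItemProperty "HKCU:\$wl" -ErrorAction SilentlyContinue
    if ($hkcu -and $hkcu.PSObject.Properties['Shell']) {
        $findings += "HKCU Winlogon Shell = '$($hkcu.Shell)' (no such value expected)"
    }

    # 3. Security Center notifications. A value of 1 silences the warning that
    #    antivirus, firewall or updates are off (Disabled.SecurityCenter in the log).
    $sc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        if ($sc -and $sc.$name -eq 1) {
            $findings += "Security Center $name = 1 (notifications suppressed)"
        }
    }

    return $findings
}

$result = @(Invoke-HijackAudit)
if ($result.Count -eq 0) {
    "No hijacked DNS, Winlogon or Security Center settings found."
} else {
    $result | ForEach-Object { "FINDING: $_" }
}
```

Because the script only reads, it is safe to run before and after the netsh/ipconfig steps to confirm the static DNS entries are gone; the Winlogon and Security Center lines should already be clean after the MBAM fixes shown in the log.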

Okay, ran Combofix...here are results:

ComboFix 09-09-18.01 - Gary McClellan 09/18/2009 16:49.1.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.497 [GMT -4:00]

Running from: c:\documents and settings\Gary McClellan\Desktop\ComboFix.exe

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Gary McClellan\Application Data\0200000063dea9c9509C.manifest

c:\documents and settings\Gary McClellan\Application Data\0200000063dea9c9509O.manifest

c:\documents and settings\Gary McClellan\Application Data\0200000063dea9c9509P.manifest

c:\documents and settings\Gary McClellan\Application Data\0200000063dea9c9509S.manifest

c:\documents and settings\Gary McClellan\Application Data\0200000063dea9c9609C.manifest

c:\documents and settings\Gary McClellan\Application Data\0200000063dea9c9609O.manifest

c:\documents and settings\Gary McClellan\Application Data\0200000063dea9c9609P.manifest

c:\documents and settings\Gary McClellan\Application Data\0200000063dea9c9609S.manifest

c:\documents and settings\Gary McClellan\Application Data\Microsoft\~DFK1b522.tmp

c:\documents and settings\Gary McClellan\Application Data\Microsoft\~DFK578092.tmp

c:\documents and settings\Gary McClellan\Application Data\Microsoft\1eaadjc.dll

c:\documents and settings\Gary McClellan\Application Data\Microsoft\bass.dll

c:\documents and settings\Gary McClellan\Application Data\Microsoft\kfgresk.dll

c:\documents and settings\Gary McClellan\Application Data\Microsoft\mjcriu.dll

c:\documents and settings\Gary McClellan\Application Data\Microsoft\peaadje.dll

c:\documents and settings\Gary McClellan\Application Data\Microsoft\qwadjb.dll

c:\documents and settings\Gary McClellan\Application Data\Microsoft\rsaadjd.dll

c:\documents and settings\Gary McClellan\Favorites\Download programs.url

c:\documents and settings\Gary McClellan\Favorites\Games.url

c:\documents and settings\Gary McClellan\Favorites\Translator.url

c:\documents and settings\Gary McClellan\Favorites\Videos.url

c:\documents and settings\Gary McClellan\Start Menu\Programs\Download programs.url

c:\documents and settings\Gary McClellan\Start Menu\Programs\Games.url

c:\documents and settings\Gary McClellan\Start Menu\Programs\Translator.url

c:\documents and settings\Gary McClellan\Start Menu\Programs\Videos.url

c:\documents and settings\Gary McClellan\yttwas.exe

c:\program files\INSTALL.LOG

c:\program files\VisualTool

c:\program files\VisualTool\pcre3.dll

c:\program files\VisualTool\uninstall.exe

c:\temp\DIV55

c:\temp\DIV55\xDb.log

c:\temp\tn3

c:\windows\Config\mconfig.exe

c:\windows\Installer\2ea8f33.msi

c:\windows\Installer\2ea8f34.msp

c:\windows\Installer\2ea8f35.msp

c:\windows\Installer\2ea8f36.msp

c:\windows\Installer\2ea8f37.msp

c:\windows\Installer\2ea8f38.msp

c:\windows\Installer\2ea8f39.msp

c:\windows\Installer\2ea8f3a.msp

c:\windows\Installer\2ea8f3b.msp

c:\windows\Installer\2ea8f3c.msp

c:\windows\system32\0Gruf.vbs

c:\windows\system32\1310232.dll

c:\windows\system32\2phiIAD.vbs

c:\windows\system32\C

c:\windows\system32\CM2n9.vbs

c:\windows\system32\ctfmon .exe

c:\windows\system32\dxkgm.exe

c:\windows\system32\GSAM0gl.vbs

c:\windows\system32\HsqToTN.vbs

c:\windows\system32\hxogqidv.ini

c:\windows\system32\IN

c:\windows\system32\ki3

c:\windows\system32\msCFW.vbs

c:\windows\system32\uXPi02

c:\windows\TEMP\logishrd\LVPrcInj01.dll

Infected copy of c:\windows\system32\lsass.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\lsass.exe

Infected copy of c:\windows\system32\services.exe was found and disinfected

Restored copy from - c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe

c:\windows\system32\spoolsv.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot

Infected copy of c:\windows\explorer.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

c:\windows\system32\grpconv.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

Infected copy of c:\windows\system32\spoolsv.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\spoolsv.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FAD

((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))

.

2009-09-18 20:54 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe

2009-09-18 19:34 . 2009-09-18 19:34 -------- d-----w- c:\windows\{D9FAE986-A4C1-4A2D-8B20-60F92F4222AD}

2009-09-18 17:30 . 2009-09-18 17:30 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\Malwarebytes

2009-09-18 17:30 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-18 17:30 . 2009-09-18 17:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-18 17:30 . 2009-09-18 17:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-18 17:30 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-18 16:11 . 2008-04-14 00:12 14336 ----a-w- c:\windows\system32\svchost.exe

2009-09-18 16:11 . 2008-04-14 00:12 14336 ----a-w- c:\windows\system32\dllcache\svchost.exe

2009-09-16 19:44 . 2009-09-16 19:44 -------- d-----w- c:\program files\Trend Micro

2009-09-12 23:03 . 2009-09-12 23:03 -------- d-----w- c:\documents and settings\Administrator.GARY\Application Data\Simply Super Software

2009-09-12 23:01 . 2009-09-12 23:01 -------- d-----w- c:\documents and settings\Administrator.GARY\Local Settings\Application Data\Mozilla

2009-09-12 22:34 . 2009-09-12 23:04 100536 ----a-w- c:\documents and settings\Administrator.GARY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-12 22:34 . 2006-11-30 21:31 -------- d--h--w- c:\documents and settings\Administrator.GARY\Application Data\Gtek

2009-09-12 22:34 . 2006-11-30 21:29 -------- d-----w- c:\documents and settings\Administrator.GARY\Application Data\InstallShield

2009-09-12 21:28 . 2009-07-28 20:09 55552 ----a-w- c:\windows\system32\drivers\tdifw_drv.sys

2009-09-12 18:30 . 2009-09-12 18:30 -------- d-----w- c:\program files\Screaming Bee LLC

2009-09-12 17:17 . 2009-09-12 17:17 -------- d-----w- c:\documents and settings\Gary McClellan\Local Settings\Application Data\IsolatedStorage

2009-09-12 17:09 . 2009-09-12 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Screaming Bee

2009-09-11 00:00 . 2009-09-11 00:00 41872 ----a-w- c:\windows\system32\xfcodec.dll

2009-09-07 05:28 . 2009-09-07 06:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

2009-09-07 03:00 . 2009-09-12 17:10 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\Screaming Bee

2009-09-07 02:57 . 2009-09-12 17:25 -------- d-----w- c:\program files\Screaming Bee

2009-08-31 15:10 . 2009-08-31 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-08-31 15:10 . 2009-08-31 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-08-30 23:57 . 2009-09-07 17:21 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\uTorrent

2009-08-30 23:24 . 2009-07-03 16:24 -------- d-----w- c:\documents and settings\Gary McClellan\Dolphin

2009-08-30 15:28 . 2009-08-30 15:29 -------- dc----w- C:\PacSteamT

2009-08-30 15:28 . 2009-08-30 15:28 -------- d-----w- c:\program files\Common Files\Thraex Software

2009-08-30 04:04 . 2009-08-30 14:30 -------- d-----w- c:\program files\FreeMind

2009-08-27 11:47 . 2009-08-27 11:47 5679 ----a-w- c:\windows\unins000.dat

2009-08-27 11:47 . 2009-08-27 11:47 685849 ----a-w- c:\windows\unins000.exe

2009-08-25 02:57 . 2009-08-25 02:57 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\Artweaver

2009-08-25 02:56 . 2009-08-27 11:47 -------- d-----w- c:\program files\Artweaver 0.5

2009-08-22 02:38 . 2009-08-22 02:38 -------- dc----w- C:\nDoors

2009-08-22 00:39 . 2009-08-22 00:39 -------- d-----w- c:\documents and settings\Gary McClellan\Local Settings\Application Data\Pinnacle

2009-08-21 13:28 . 2009-09-18 20:22 772224 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-18 20:56 . 2008-09-03 20:31 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2009-09-18 20:56 . 2008-09-03 20:31 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2009-09-18 20:54 . 2009-02-15 16:27 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\DNA

2009-09-18 20:33 . 2008-12-20 14:47 -------- d-----w- c:\program files\VSTplugins

2009-09-18 20:33 . 2009-06-09 17:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony

2009-09-18 20:29 . 2009-06-02 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts

2009-09-18 20:29 . 2009-06-02 23:10 -------- d-----w- c:\program files\Electronic Arts

2009-09-18 20:24 . 2009-05-24 12:48 -------- d-----w- c:\program files\Steam

2009-09-18 20:24 . 2009-02-15 16:27 -------- d-----w- c:\program files\DNA

2009-09-18 19:48 . 2007-01-07 22:59 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-18 19:47 . 2006-12-27 19:42 -------- d-----w- c:\program files\Belkin

2009-09-18 16:12 . 2009-02-06 23:36 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\Hamachi

2009-09-16 20:13 . 2007-08-26 16:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-16 20:12 . 2006-11-30 21:27 -------- d-----w- c:\program files\Google

2009-09-16 19:43 . 2008-03-08 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-16 19:14 . 2008-04-21 16:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-09-16 14:34 . 2008-05-06 01:29 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-12 18:28 . 2007-07-15 00:18 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\Xfire

2009-09-10 07:10 . 2008-05-14 11:15 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-07 17:22 . 2009-07-26 06:25 -------- d-----w- c:\program files\PCPitstop

2009-09-07 17:21 . 2008-03-08 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop

2009-09-07 13:47 . 2008-06-17 01:30 -------- d-----w- c:\program files\World of Warcraft

2009-09-07 04:10 . 2007-01-03 13:38 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2009-08-31 20:21 . 2009-03-06 21:15 -------- d-----w- c:\program files\Norton Security Scan

2009-08-31 15:10 . 2006-11-30 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-08-30 14:42 . 2008-10-03 19:14 -------- d-----w- c:\program files\ZD Soft

2009-08-30 14:31 . 2007-06-19 19:43 -------- d-----w- c:\program files\Pivot Stickfigure Animator

2009-08-30 14:29 . 2009-07-30 09:36 -------- d-----w- c:\program files\Autodesk

2009-08-30 04:59 . 2006-12-25 16:11 100536 ----a-w- c:\documents and settings\Gary McClellan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-22 02:20 . 2009-01-31 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files

2009-08-21 22:46 . 2009-02-22 20:23 -------- d-----w- c:\program files\Microsoft Games

2009-08-19 20:46 . 2009-08-19 20:19 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\TeamViewer

2009-08-19 20:19 . 2009-08-19 20:19 -------- d-----w- c:\program files\TeamViewer

2009-08-19 03:09 . 2007-06-15 01:18 2984 --sha-w- c:\windows\system32\KGyGaAvL.sys

2009-08-19 03:08 . 2007-06-15 01:18 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\Corel

2009-08-19 03:08 . 2007-06-15 01:18 88 --sh--r- c:\windows\system32\5E231424C1.sys

2009-08-18 15:21 . 2008-12-26 06:20 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\WeGame

2009-08-18 12:11 . 2008-12-26 06:19 -------- d-----w- c:\program files\WeGame

2009-08-16 03:04 . 2007-10-05 21:24 -------- d-----w- c:\program files\7-Zip

2009-08-15 03:13 . 2009-08-15 03:13 -------- d-----w- c:\program files\Magic Bullet Editors 2.0 Vegas

2009-08-15 03:09 . 2009-08-15 03:09 -------- d-----w- c:\program files\Pixelan

2009-08-13 01:08 . 2009-08-13 01:07 -------- d-----w- c:\program files\Hamachi

2009-08-13 01:07 . 2009-02-06 23:35 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys

2009-08-12 04:08 . 2009-08-11 23:25 -------- d-----w- c:\program files\Postal2STP

2009-08-11 08:14 . 2007-10-05 21:47 -------- d-----w- c:\program files\Paint.NET

2009-08-09 10:23 . 2008-12-20 14:46 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\Sony

2009-08-09 09:57 . 2007-11-27 23:36 -------- d-----w- c:\program files\Sony

2009-08-06 08:49 . 2008-08-28 00:24 34 -c--a-w- c:\documents and settings\Gary McClellan\jagex_runescape_preferences.dat

2009-08-06 00:16 . 2009-08-04 03:16 -------- d-----w- c:\program files\Jnes

2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-05 02:15 . 2009-08-05 02:15 98304 ----a-w- c:\windows\system32\CmdLineExt.dll

2009-08-04 21:05 . 2007-05-10 19:36 -------- d-----w- c:\program files\Rockstar Games

2009-08-04 06:10 . 2009-08-04 06:08 -------- d-----w- c:\program files\GTA BioHazard Alert REMAKE

2009-08-02 09:17 . 2009-07-30 09:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk

2009-07-30 10:10 . 2009-07-30 10:10 -------- d-----w- c:\program files\OSA Kit Pro Player v4.0

2009-07-30 09:47 . 2009-07-30 09:47 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\Autodesk

2009-07-30 09:47 . 2009-07-30 09:47 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-07-30 09:19 . 2008-12-16 22:14 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\Download Manager

2009-07-30 08:58 . 2009-07-22 09:29 -------- d-----w- c:\program files\Turbine

2009-07-30 08:57 . 2006-11-30 21:22 -------- d-----w- c:\program files\Common Files\AOL

2009-07-30 08:38 . 2009-07-30 08:38 -------- d-----w- c:\program files\Blockland

2009-07-26 06:00 . 2009-07-25 07:55 -------- d-----w- c:\program files\Twisted Pixel

2009-07-22 09:29 . 2009-07-22 09:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Turbine

2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-29 16:12 . 2004-08-10 17:51 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-25 08:25 . 2004-08-10 17:51 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2004-08-10 17:51 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2004-08-10 17:51 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:25 . 2004-08-10 17:51 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-24 11:18 . 2004-08-10 17:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-21 12:46 . 2008-12-13 15:56 485920 ----a-w- c:\windows\system32\NVUNINST.EXE

2008-09-07 16:57 . 2008-09-07 16:57 0 -c--a-w- c:\program files\temp01

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files\steam\steam.exe" [2008-12-22 1410296]

"RGSC"="c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [2009-04-18 306088]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"SightSpeed"="c:\program files\SightSpeed\SightSpeed.exe" [2008-10-09 4789048]

"DriverMax"="c:\program files\Innovative Solutions\DriverMax\devices.exe" [2009-03-19 5395288]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-15 342848]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-22 185896]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-05-17 213936]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-05-17 213936]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"Turbine Download Manager Tray Icon"="c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineDownloadManagerIcon.exe" [2009-07-02 472568]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-08-15 282624]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]

c:\documents and settings\Gary McClellan\Start Menu\Programs\Startup\

SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2006-11-3 1585152]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk /r \??\c:\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=

"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=

"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=

"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Turbine\\Turbine Download Manager - Lamannia\\TurbineMessageService.exe"=

"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=

"c:\\Program Files\\Turbine\\Turbine Download Manager - Lamannia\\TurbineNetworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9420:TCP"= 9420:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

"2192:TCP"= 2192:TCP:Akamai NetSession Interface

"2920:TCP"= 2920:TCP:Akamai NetSession Interface

"2166:TCP"= 2166:TCP:Akamai NetSession Interface

"2228:TCP"= 2228:TCP:Akamai NetSession Interface

"1055:TCP"= 1055:TCP:Akamai NetSession Interface

"1195:TCP"= 1195:TCP:Akamai NetSession Interface

"4305:TCP"= 4305:TCP:Akamai NetSession Interface

"2685:TCP"= 2685:TCP:Akamai NetSession Interface

"2712:TCP"= 2712:TCP:Akamai NetSession Interface

"1066:TCP"= 1066:TCP:Akamai NetSession Interface

"1050:TCP"= 1050:TCP:Akamai NetSession Interface

"1250:TCP"= 1250:TCP:Akamai NetSession Interface

"1059:TCP"= 1059:TCP:Akamai NetSession Interface

"1072:TCP"= 1072:TCP:Akamai NetSession Interface

"4237:TCP"= 4237:TCP:Akamai NetSession Interface

"1041:TCP"= 1041:TCP:Akamai NetSession Interface

"2119:TCP"= 2119:TCP:Akamai NetSession Interface

"2178:TCP"= 2178:TCP:Akamai NetSession Interface

"1039:TCP"= 1039:TCP:Akamai NetSession Interface

"1054:TCP"= 1054:TCP:Akamai NetSession Interface

"1058:TCP"= 1058:TCP:Akamai NetSession Interface

"58204:TCP"= 58204:TCP:Pando Media Booster

"58204:UDP"= 58204:UDP:Pando Media Booster

"56425:TCP"= 56425:TCP:Pando Media Booster

"56425:UDP"= 56425:UDP:Pando Media Booster

"56139:TCP"= 56139:TCP:Pando Media Booster

"56139:UDP"= 56139:UDP:Pando Media Booster

R1 i2ompp;i2ompp; [x]

R3 NUVision;Pinnacle DVC 80 Video;c:\windows\system32\DRIVERS\nuvvid2.sys [2001-12-03 155264]

R3 PublicPreviewTurbineNetworkService;Turbine Network Service - PublicPreview;c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe [2009-07-02 218608]

R3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys [x]

R3 XDva224;XDva224;c:\windows\system32\XDva224.sys [x]

R3 XDva259;XDva259;c:\windows\system32\XDva259.sys [x]

S1 tdifw_drv;tdifw_drv;c:\windows\system32\drivers\tdifw_drv.sys [2009-07-28 55552]

S2 PublicPreviewTurbineMessageService;Turbine Message Service - PublicPreview;c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineMessageService.exe [2009-07-02 267760]

S2 smp_lpt;smp_lpt; [x]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-04-06 23064]

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZCYYYYYYYYUS&fl=0&ptb=_ySSowJDMR907PyRuL7Nww&url=http://www.ask.com/web&q={searchTerms}&l=zc&o=sb

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061130

uSearch Bar = hxxp://www.google.com/ie

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab

DPF: {E85362EF-40D4-4E5D-BE07-D6B036CCA277} - hxxps://secure.gopetslive.com/dev/gopets.cab

DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab

FF - ProfilePath - c:\documents and settings\Gary McClellan\Application Data\Mozilla\Firefox\Profiles\ut1xz86i.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUfox000&fl=0&ptb=8s.kdY1CCugk0kyNmOrypg&st=kwd&o=kwd&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&searchfor=

FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll

FF - plugin: c:\documents and settings\Gary McClellan\Application Data\Mozilla\Firefox\Profiles\ut1xz86i.default\extensions\yyginstantplay@yoyogames.com\plugins\NPYYGInstantPlay.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmeadax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\OSA Kit Pro Player v4.0\npmeadax.dll

FF - plugin: c:\program files\Picasa2\npPicasa2.dll

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe

HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe

HKLM-Run-CamMonitor - c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

Notify-6caa2c24609 - c:\windows\System32\dmband32.dll

AddRemove-eooiqcc - c:\documents and settings\gary mcclellan\local settings\application data\eooiqcc.exe

AddRemove-HappyQuickPop - c:\program files\HappyQuickPop\uninstall.exe

AddRemove-MTA:SA DM - c:\documents and settings\Gary McClellan\Desktop\Uninstall.exe

AddRemove-Sanny Builder 3_is1 - c:\program files\Rockstar Games\GTA San Andreas\Sanny Builder 3\unins000.exe

AddRemove-VisualTool - c:\program files\VisualTool\uninstall.exe

AddRemove-Xfire - c:\program files\Xfire\uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-18 16:56

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4280196803-2235853438-1908108701-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{557F4F3E-E86E-5A68-2E41-30E77409F851}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iakeggkcejpblidibh"=hex:63,62,62,6a,64,63,67,6b,64,6f,70,68,6c,65,64,61,64,69,

66,6a,6d,69,69,64,6e,70,61,6f,62,6e,6f,65,63,70,61,62,6e,68,00,00

"haeemglhepmkfejk"=hex:63,62,62,6a,64,63,67,6b,64,6f,70,68,6c,65,6d,61,62,6d,

69,6b,67,67,69,6a,66,66,62,61,70,63,66,6d,62,62,67,6d,6b,70,00,00

[HKEY_USERS\S-1-5-21-4280196803-2235853438-1908108701-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C95276F5-BAD5-8CB9-128C-68B6DBC94772}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"oannpgooelpmfoddlehdbakhdeleci"=hex:63,61,6b,70,69,63,00,7c

[HKEY_USERS\S-1-5-21-4280196803-2235853438-1908108701-1007\Software\SecuROM\License information*]

"datasecu"=hex:eb,e9,56,5d,ce,a6,42,43,98,50,39,87,b6,bd,20,84,0d,7e,10,76,e2,

e3,b3,45,88,f8,d5,4a,42,0f,8f,73,48,e9,b5,aa,2a,02,c0,9f,97,98,e8,56,75,36,\

"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,5d,3a,41,d1,37,

a0,28,c6,c8,28,51,af,b0,29,a3,98,64,8c,f2,e5,fb,75,4f,44,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,72,16,dd,61,ca,

0c,62,cb,71,3b,04,66,8b,46,0d,96,cf,2a,28,c1,b7,ee,9a,2d,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,3c,aa,fc,49,45,

f7,34,e7,25,da,ec,7e,55,20,c9,26,c5,38,62,b5,75,9e,38,37,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,a0,bb,22,99,4d,

ed,8b,20,3e,1e,9e,e0,57,5a,93,61,c5,0d,15,3d,cf,fe,39,a4,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,fe,ce,74,a6,fc,

e5,21,1a,cd,44,cd,b9,a6,33,6c,cd,c0,de,3a,37,77,89,0e,b1,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,f1,c8,71,db,18,

9b,0f,48,b0,18,ed,a7,3f,8d,37,a4,83,4a,05,17,5e,fc,04,eb,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,12,30,f4,06,ca,

a0,11,28,31,77,e1,ba,b1,f8,68,02,83,b3,2d,7d,e1,e3,04,30,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,a2,e5,4d,1f,dd,

44,a8,d3,83,6c,56,8b,a0,85,96,ab,da,10,39,54,6e,e9,1c,37,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,df,02,85,15,4d,

18,28,d7,51,fa,6e,91,28,9e,14,cc,78,c2,a8,cd,9e,d1,85,62,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,d7,5c,5f,d5,50,

45,9c,3e,b1,cd,45,5a,a8,c4,f8,b9,84,32,1c,58,5d,3e,0f,d3,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,72,91,d0,cf,e5,

99,85,66,e3,0e,66,d5,eb,bc,2f,6b,27,64,89,ed,5a,b4,e0,b5,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,3c,50,ad,41,cc,

6e,bc,81,fa,ea,66,7f,d4,3b,6b,70,2b,60,6a,39,b5,0a,8f,b5,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\System\ControlSet006\Enum\HID\Vid_045e&Pid_0040\6&25ef4129&0&0000\LogConf]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\System\ControlSet006\Enum\HID\Vid_045e&Pid_0040\6&38a8f1ce&0&0000\LogConf]

@DACL=(02 0000)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3208)

c:\windows\system32\WININET.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe

c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\PnkBstrA.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe

c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

c:\program files\Logitech\QuickCam\LU\LULnchr.exe

c:\windows\system32\cscript.exe

.

**************************************************************************

.

Completion time: 2009-09-18 17:05 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-18 21:05

Pre-Run: 9,580,085,248 bytes free

Post-Run: 9,485,389,824 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=6 Default=6 Failed=1 LastKnownGood=7 Sets=1,2,3,4,5,6,7

473 --- E O F --- 2009-09-10 07:04

Here are the results of the Hijackthis scan:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:24:15 PM, on 9/18/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

C:\Program Files\Turbine\Turbine Download Manager - Lamannia\TurbineDownloadManagerIcon.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Turbine\Turbine Download Manager - Lamannia\TurbineMessageService.exe

C:\Program Files\SightSpeed\SightSpeed.exe

C:\Program Files\Innovative Solutions\DriverMax\devices.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061130

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061130

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [Turbine Download Manager Tray Icon] "C:\Program Files\Turbine\Turbine Download Manager - Lamannia\TurbineDownloadManagerIcon.exe"

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent

O4 - HKCU\..\Run: [RGSC] C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

O4 - HKCU\..\Run: [sightSpeed] "C:\Program Files\SightSpeed\SightSpeed.exe" -bootmode

O4 - HKCU\..\Run: [DriverMax] "C:\Program Files\Innovative Solutions\DriverMax\devices.exe" -agent

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab

O16 - DPF: {E85362EF-40D4-4E5D-BE07-D6B036CCA277} (GoPets Control) - https://secure.gopetslive.com/dev/gopets.cab

O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Turbine Message Service - PublicPreview (PublicPreviewTurbineMessageService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager - Lamannia\TurbineMessageService.exe

O23 - Service: Turbine Network Service - PublicPreview (PublicPreviewTurbineNetworkService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O24 - Desktop Component 0: (no name) - http://img.gamespot.com/gamespot/shared/gs...p_gameguide.gif

--

End of file - 9137 bytes


Let's check for remnants:

Please run the F-Secure Online Scanner

Note: You must use Internet Explorer for this scan!

  • Accept the License Agreement.
  • Once the ActiveX installs click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.


Scanning Report

Friday, September 18, 2009 18:15:35 - 19:40:45

Computer name: GARY

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

--------------------------------------------------------------------------------

12 malware found

TrackingCookie.2o7 (spyware)

System (Disinfected)

TrackingCookie.Atdmt (spyware)

System (Disinfected)

Trojan.Generic.1465703 (spyware)

System (Disinfected)

Trojan.Patched.U (spyware)

System (Disinfected)

Trojan.Patched.U (virus)

C:\WINDOWS\SYSTEM32\WINLOGON.EXE (Not cleaned & Submitted)

Trojan.Generic.2375996 (virus)

C:\WINDOWS\SECURITY\DATABASE\MCONFIG.EXE (Renamed & Submitted)

Trojan.Generic.2375996 (virus)

C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\ISUSPM .EXE (Renamed & Submitted)

Trojan.Generic.2375996 (virus)

C:\PROGRAM FILES\AVG\AVG8\AVGTRAY .EXE (Renamed & Submitted)

Trojan.Generic.2375996 (virus)

C:\PROGRAM FILES\ADOBE\ACROTRAY .EXE (Renamed & Submitted)

Trojan.Generic.1469331 (virus)

C:\DOCUMENTS AND SETTINGS\GARY MCCLELLAN\MY DOCUMENTS\DOWNLOADS\PACSTEAMT-271207.EXE (Renamed & Submitted)

Trojan.Generic.1625648 (virus)

C:\DOCUMENTS AND SETTINGS\GARY MCCLELLAN\MY DOCUMENTS\DOWNLOADS\YOU BRUTE 2.0.EXE (Renamed & Submitted)

Trojan.Generic.1465703 (virus)

C:\DOCUMENTS AND SETTINGS\GARY MCCLELLAN\DESKTOP\MARIO64 MOVIE MAKER.EXE (Not cleaned)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 87195

System: 4404

Not scanned: 7

Actions:

Disinfected: 4

Renamed: 6

Deleted: 0

Not cleaned: 2

Submitted: 7

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\DESKTOP.INI

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

--------------------------------------------------------------------------------


-c----w 502,272 2004-08-04 10:00:00 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe

-c----w 507,904 2008-04-14 00:12:39 C:\WINDOWS\ServicePackFiles\i386\winlogon.exe

----a-w 512,000 2008-04-14 00:12:39 C:\WINDOWS\system32\winlogon.exe

Entries: 3 (3)

Directories: 0 Files: 3

Bytes: 1,522,176 Blocks: 2,973

Again, I can't thank you enough!


Hi, BucNut :)

Please follow these steps:

Step 1

Open a command prompt (Start -> Run, type CMD and click OK). At the prompt, copy and paste the following commands and press Enter after each line:

Copy C:\WINDOWS\ServicePackFiles\i386\winlogon.exe C:\

Exit

Step 2

1. Please download The Avenger by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Files to move:

C:\winlogon.exe | C:\WINDOWS\system32\winlogon.exe

Drivers to delete:

XDva224

XDva259

smp_lpt

i2ompp

Files to delete:

c:\windows\system32\XDva259.sys

c:\windows\system32\XDva224.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right-click on the window under "Input script here:" and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger.


Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "C:\WINDOWS\system32\winlogon.exe" is whitelisted

File move operation "C:\winlogon.exe|C:\WINDOWS\system32\winlogon.exe" failed!

Status: 0xc0000022 (STATUS_ACCESS_DENIED)

Driver "XDva224" deleted successfully.

Driver "XDva259" deleted successfully.

Driver "smp_lpt" deleted successfully.

Driver "i2ompp" deleted successfully.

Error: file "c:\windows\system32\XDva259.sys" not found!

Deletion of file "c:\windows\system32\XDva259.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\XDva224.sys" not found!

Deletion of file "c:\windows\system32\XDva224.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.


Ahhh!

Remove Combofix from your desktop and download a fresh copy from Here or Here to your Desktop.

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

FCopy::

C:\WINDOWS\ServicePackFiles\i386\winlogon.exe | C:\WINDOWS\system32\winlogon.exe

[picture: CFScriptB-4.gif]

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.


ComboFix 09-09-18.01 - Gary McClellan 09/18/2009 23:57.2.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.453 [GMT -4:00]

Running from: c:\documents and settings\Gary McClellan\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Gary McClellan\Desktop\CFScript.txt

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

C:\winlogon.exe

.

--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\winlogon.exe --> c:\windows\system32\winlogon.exe

.

((((((((((((((((((((((((( Files Created from 2009-08-19 to 2009-09-19 )))))))))))))))))))))))))))))))

.

2009-09-18 22:15 . 2009-09-18 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

2009-09-18 20:54 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe

2009-09-18 19:34 . 2009-09-18 19:34 -------- d-----w- c:\windows\{D9FAE986-A4C1-4A2D-8B20-60F92F4222AD}

2009-09-18 17:30 . 2009-09-18 17:30 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\Malwarebytes

2009-09-18 17:30 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-18 17:30 . 2009-09-18 17:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-18 17:30 . 2009-09-18 17:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-18 17:30 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-18 16:11 . 2008-04-14 00:12 14336 ----a-w- c:\windows\system32\svchost.exe

2009-09-18 16:11 . 2008-04-14 00:12 14336 ----a-w- c:\windows\system32\dllcache\svchost.exe

2009-09-16 19:44 . 2009-09-16 19:44 -------- d-----w- c:\program files\Trend Micro

2009-09-12 23:03 . 2009-09-12 23:03 -------- d-----w- c:\documents and settings\Administrator.GARY\Application Data\Simply Super Software

2009-09-12 23:01 . 2009-09-12 23:01 -------- d-----w- c:\documents and settings\Administrator.GARY\Local Settings\Application Data\Mozilla

2009-09-12 22:34 . 2009-09-12 23:04 100536 ----a-w- c:\documents and settings\Administrator.GARY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-12 22:34 . 2006-11-30 21:31 -------- d--h--w- c:\documents and settings\Administrator.GARY\Application Data\Gtek

2009-09-12 22:34 . 2006-11-30 21:29 -------- d-----w- c:\documents and settings\Administrator.GARY\Application Data\InstallShield

2009-09-12 21:28 . 2009-07-28 20:09 55552 ----a-w- c:\windows\system32\drivers\tdifw_drv.sys

2009-09-12 18:30 . 2009-09-12 18:30 -------- d-----w- c:\program files\Screaming Bee LLC

2009-09-12 17:17 . 2009-09-12 17:17 -------- d-----w- c:\documents and settings\Gary McClellan\Local Settings\Application Data\IsolatedStorage

2009-09-12 17:09 . 2009-09-12 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Screaming Bee

2009-09-11 00:00 . 2009-09-11 00:00 41872 ----a-w- c:\windows\system32\xfcodec.dll

2009-09-07 05:28 . 2009-09-07 06:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

2009-09-07 03:00 . 2009-09-12 17:10 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\Screaming Bee

2009-09-07 02:57 . 2009-09-12 17:25 -------- d-----w- c:\program files\Screaming Bee

2009-08-31 15:10 . 2009-08-31 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-08-31 15:10 . 2009-08-31 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-08-30 23:57 . 2009-09-07 17:21 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\uTorrent

2009-08-30 23:24 . 2009-07-03 16:24 -------- d-----w- c:\documents and settings\Gary McClellan\Dolphin

2009-08-30 15:28 . 2009-08-30 15:29 -------- dc----w- C:\PacSteamT

2009-08-30 15:28 . 2009-08-30 15:28 -------- d-----w- c:\program files\Common Files\Thraex Software

2009-08-30 04:04 . 2009-08-30 14:30 -------- d-----w- c:\program files\FreeMind

2009-08-27 11:47 . 2009-08-27 11:47 5679 ----a-w- c:\windows\unins000.dat

2009-08-27 11:47 . 2009-08-27 11:47 685849 ----a-w- c:\windows\unins000.exe

2009-08-25 02:57 . 2009-08-25 02:57 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\Artweaver

2009-08-25 02:56 . 2009-08-27 11:47 -------- d-----w- c:\program files\Artweaver 0.5

2009-08-22 02:38 . 2009-08-22 02:38 -------- dc----w- C:\nDoors

2009-08-22 00:39 . 2009-08-22 00:39 -------- d-----w- c:\documents and settings\Gary McClellan\Local Settings\Application Data\Pinnacle

2009-08-21 13:28 . 2009-09-19 02:06 772224 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-19 04:07 . 2008-09-03 20:31 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2009-09-19 04:07 . 2008-09-03 20:31 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2009-09-19 04:05 . 2009-02-15 16:27 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\DNA

2009-09-19 02:09 . 2009-05-24 12:48 -------- d-----w- c:\program files\Steam

2009-09-19 02:09 . 2009-02-15 16:27 -------- d-----w- c:\program files\DNA

2009-09-18 20:33 . 2008-12-20 14:47 -------- d-----w- c:\program files\VSTplugins

2009-09-18 20:33 . 2009-06-09 17:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony

2009-09-18 20:29 . 2009-06-02 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts

2009-09-18 20:29 . 2009-06-02 23:10 -------- d-----w- c:\program files\Electronic Arts

2009-09-18 19:48 . 2007-01-07 22:59 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-18 19:47 . 2006-12-27 19:42 -------- d-----w- c:\program files\Belkin

2009-09-18 16:12 . 2009-02-06 23:36 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\Hamachi

2009-09-16 20:13 . 2007-08-26 16:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-16 20:12 . 2006-11-30 21:27 -------- d-----w- c:\program files\Google

2009-09-16 19:43 . 2008-03-08 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-16 19:14 . 2008-04-21 16:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-09-16 14:34 . 2008-05-06 01:29 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-12 18:28 . 2007-07-15 00:18 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\Xfire

2009-09-10 07:10 . 2008-05-14 11:15 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-07 17:22 . 2009-07-26 06:25 -------- d-----w- c:\program files\PCPitstop

2009-09-07 17:21 . 2008-03-08 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop

2009-09-07 13:47 . 2008-06-17 01:30 -------- d-----w- c:\program files\World of Warcraft

2009-09-07 04:10 . 2007-01-03 13:38 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2009-08-31 20:21 . 2009-03-06 21:15 -------- d-----w- c:\program files\Norton Security Scan

2009-08-31 15:10 . 2006-11-30 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-08-30 14:42 . 2008-10-03 19:14 -------- d-----w- c:\program files\ZD Soft

2009-08-30 14:31 . 2007-06-19 19:43 -------- d-----w- c:\program files\Pivot Stickfigure Animator

2009-08-30 14:29 . 2009-07-30 09:36 -------- d-----w- c:\program files\Autodesk

2009-08-30 04:59 . 2006-12-25 16:11 100536 ----a-w- c:\documents and settings\Gary McClellan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-22 02:20 . 2009-01-31 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files

2009-08-21 22:46 . 2009-02-22 20:23 -------- d-----w- c:\program files\Microsoft Games

2009-08-19 20:46 . 2009-08-19 20:19 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\TeamViewer

2009-08-19 20:19 . 2009-08-19 20:19 -------- d-----w- c:\program files\TeamViewer

2009-08-19 03:09 . 2007-06-15 01:18 2984 --sha-w- c:\windows\system32\KGyGaAvL.sys

2009-08-19 03:08 . 2007-06-15 01:18 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\Corel

2009-08-19 03:08 . 2007-06-15 01:18 88 --sh--r- c:\windows\system32\5E231424C1.sys

2009-08-18 15:21 . 2008-12-26 06:20 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\WeGame

2009-08-18 12:11 . 2008-12-26 06:19 -------- d-----w- c:\program files\WeGame

2009-08-16 03:04 . 2007-10-05 21:24 -------- d-----w- c:\program files\7-Zip

2009-08-15 03:13 . 2009-08-15 03:13 -------- d-----w- c:\program files\Magic Bullet Editors 2.0 Vegas

2009-08-15 03:09 . 2009-08-15 03:09 -------- d-----w- c:\program files\Pixelan

2009-08-13 01:08 . 2009-08-13 01:07 -------- d-----w- c:\program files\Hamachi

2009-08-13 01:07 . 2009-02-06 23:35 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys

2009-08-12 04:08 . 2009-08-11 23:25 -------- d-----w- c:\program files\Postal2STP

2009-08-11 08:14 . 2007-10-05 21:47 -------- d-----w- c:\program files\Paint.NET

2009-08-09 10:23 . 2008-12-20 14:46 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\Sony

2009-08-09 09:57 . 2007-11-27 23:36 -------- d-----w- c:\program files\Sony

2009-08-06 08:49 . 2008-08-28 00:24 34 -c--a-w- c:\documents and settings\Gary McClellan\jagex_runescape_preferences.dat

2009-08-06 00:16 . 2009-08-04 03:16 -------- d-----w- c:\program files\Jnes

2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-05 02:15 . 2009-08-05 02:15 98304 ----a-w- c:\windows\system32\CmdLineExt.dll

2009-08-04 21:05 . 2007-05-10 19:36 -------- d-----w- c:\program files\Rockstar Games

2009-08-04 06:10 . 2009-08-04 06:08 -------- d-----w- c:\program files\GTA BioHazard Alert REMAKE

2009-08-02 09:17 . 2009-07-30 09:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk

2009-07-30 10:10 . 2009-07-30 10:10 -------- d-----w- c:\program files\OSA Kit Pro Player v4.0

2009-07-30 09:47 . 2009-07-30 09:47 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\Autodesk

2009-07-30 09:47 . 2009-07-30 09:47 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-07-30 09:19 . 2008-12-16 22:14 -------- d-----w- c:\documents and settings\Gary McClellan\Application Data\Download Manager

2009-07-30 08:58 . 2009-07-22 09:29 -------- d-----w- c:\program files\Turbine

2009-07-30 08:57 . 2006-11-30 21:22 -------- d-----w- c:\program files\Common Files\AOL

2009-07-30 08:38 . 2009-07-30 08:38 -------- d-----w- c:\program files\Blockland

2009-07-26 06:00 . 2009-07-25 07:55 -------- d-----w- c:\program files\Twisted Pixel

2009-07-22 09:29 . 2009-07-22 09:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Turbine

2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-29 16:12 . 2004-08-10 17:51 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-25 08:25 . 2004-08-10 17:51 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2004-08-10 17:51 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2004-08-10 17:51 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:25 . 2004-08-10 17:51 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-24 11:18 . 2004-08-10 17:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-21 12:46 . 2008-12-13 15:56 485920 ----a-w- c:\windows\system32\NVUNINST.EXE

2008-09-07 16:57 . 2008-09-07 16:57 0 -c--a-w- c:\program files\temp01

.

((((((((((((((((((((((((((((( SnapShot@2009-09-18_20.56.58 )))))))))))))))))))))))))))))))))))))))))

.

+ 2004-08-10 17:51 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\winlogon.exe

+ 2009-07-10 14:39 . 2009-07-10 14:39 406640 c:\windows\Downloaded Program Files\fslauncher.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files\steam\steam.exe" [2008-12-22 1410296]

"RGSC"="c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [2009-04-18 306088]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"SightSpeed"="c:\program files\SightSpeed\SightSpeed.exe" [2008-10-09 4789048]

"DriverMax"="c:\program files\Innovative Solutions\DriverMax\devices.exe" [2009-03-19 5395288]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-15 342848]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-22 185896]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-05-17 213936]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-05-17 213936]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"Turbine Download Manager Tray Icon"="c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineDownloadManagerIcon.exe" [2009-07-02 472568]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-08-15 282624]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]

c:\documents and settings\Gary McClellan\Start Menu\Programs\Startup\

SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2006-11-3 1585152]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk /r \??\c:\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=

"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=

"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=

"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Turbine\\Turbine Download Manager - Lamannia\\TurbineMessageService.exe"=

"c:\\Program Files\\Turbine\\Turbine Download Manager - Lamannia\\TurbineNetworkService.exe"=

"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9420:TCP"= 9420:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

"2192:TCP"= 2192:TCP:Akamai NetSession Interface

"2920:TCP"= 2920:TCP:Akamai NetSession Interface

"2166:TCP"= 2166:TCP:Akamai NetSession Interface

"2228:TCP"= 2228:TCP:Akamai NetSession Interface

"1055:TCP"= 1055:TCP:Akamai NetSession Interface

"1195:TCP"= 1195:TCP:Akamai NetSession Interface

"4305:TCP"= 4305:TCP:Akamai NetSession Interface

"2685:TCP"= 2685:TCP:Akamai NetSession Interface

"2712:TCP"= 2712:TCP:Akamai NetSession Interface

"1066:TCP"= 1066:TCP:Akamai NetSession Interface

"1050:TCP"= 1050:TCP:Akamai NetSession Interface

"1250:TCP"= 1250:TCP:Akamai NetSession Interface

"1059:TCP"= 1059:TCP:Akamai NetSession Interface

"1072:TCP"= 1072:TCP:Akamai NetSession Interface

"4237:TCP"= 4237:TCP:Akamai NetSession Interface

"1041:TCP"= 1041:TCP:Akamai NetSession Interface

"2119:TCP"= 2119:TCP:Akamai NetSession Interface

"2178:TCP"= 2178:TCP:Akamai NetSession Interface

"1039:TCP"= 1039:TCP:Akamai NetSession Interface

"1054:TCP"= 1054:TCP:Akamai NetSession Interface

"1058:TCP"= 1058:TCP:Akamai NetSession Interface

"58204:TCP"= 58204:TCP:Pando Media Booster

"58204:UDP"= 58204:UDP:Pando Media Booster

"56425:TCP"= 56425:TCP:Pando Media Booster

"56425:UDP"= 56425:UDP:Pando Media Booster

"56139:TCP"= 56139:TCP:Pando Media Booster

"56139:UDP"= 56139:UDP:Pando Media Booster

R1 tdifw_drv;tdifw_drv;c:\windows\system32\drivers\tdifw_drv.sys [9/12/2009 5:28 PM 55552]

R2 PublicPreviewTurbineMessageService;Turbine Message Service - PublicPreview;c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineMessageService.exe [7/22/2009 5:29 AM 267760]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/21/2008 6:53 AM 24652]

R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 1:19 PM 23064]

S3 NUVision;Pinnacle DVC 80 Video;c:\windows\system32\drivers\nuvvid2.sys [3/30/2009 3:37 PM 155264]

S3 PublicPreviewTurbineNetworkService;Turbine Network Service - PublicPreview;c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe [7/22/2009 5:29 AM 218608]

S3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys --> c:\windows\system32\DRIVERS\scrcap.sys [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZCYYYYYYYYUS&fl=0&ptb=_ySSowJDMR907PyRuL7Nww&url=http://www.ask.com/web&q={searchTerms}&l=zc&o=sb

uSearch Page = hxxp://www.google.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab

DPF: {E85362EF-40D4-4E5D-BE07-D6B036CCA277} - hxxps://secure.gopetslive.com/dev/gopets.cab

DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab

FF - ProfilePath - c:\documents and settings\Gary McClellan\Application Data\Mozilla\Firefox\Profiles\ut1xz86i.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUfox000&fl=0&ptb=8s.kdY1CCugk0kyNmOrypg&st=kwd&o=kwd&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&searchfor=

FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll

FF - plugin: c:\documents and settings\Gary McClellan\Application Data\Mozilla\Firefox\Profiles\ut1xz86i.default\extensions\yyginstantplay@yoyogames.com\plugins\NPYYGInstantPlay.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmeadax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\OSA Kit Pro Player v4.0\npmeadax.dll

FF - plugin: c:\program files\Picasa2\npPicasa2.dll

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-19 00:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4280196803-2235853438-1908108701-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{557F4F3E-E86E-5A68-2E41-30E77409F851}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iakeggkcejpblidibh"=hex:63,62,62,6a,64,63,67,6b,64,6f,70,68,6c,65,64,61,64,69,

66,6a,6d,69,69,64,6e,70,61,6f,62,6e,6f,65,63,70,61,62,6e,68,00,00

"haeemglhepmkfejk"=hex:63,62,62,6a,64,63,67,6b,64,6f,70,68,6c,65,6d,61,62,6d,

69,6b,67,67,69,6a,66,66,62,61,70,63,66,6d,62,62,67,6d,6b,70,00,00

[HKEY_USERS\S-1-5-21-4280196803-2235853438-1908108701-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C95276F5-BAD5-8CB9-128C-68B6DBC94772}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"oannpgooelpmfoddlehdbakhdeleci"=hex:63,61,6b,70,69,63,00,7c

[HKEY_USERS\S-1-5-21-4280196803-2235853438-1908108701-1007\Software\SecuROM\License information*]

"datasecu"=hex:eb,e9,56,5d,ce,a6,42,43,98,50,39,87,b6,bd,20,84,0d,7e,10,76,e2,

e3,b3,45,88,f8,d5,4a,42,0f,8f,73,48,e9,b5,aa,2a,02,c0,9f,97,98,e8,56,75,36,\

"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,5d,3a,41,d1,37,

a0,28,c6,c8,28,51,af,b0,29,a3,98,64,8c,f2,e5,fb,75,4f,44,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,72,16,dd,61,ca,

0c,62,cb,71,3b,04,66,8b,46,0d,96,cf,2a,28,c1,b7,ee,9a,2d,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,3c,aa,fc,49,45,

f7,34,e7,25,da,ec,7e,55,20,c9,26,c5,38,62,b5,75,9e,38,37,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,a0,bb,22,99,4d,

ed,8b,20,3e,1e,9e,e0,57,5a,93,61,c5,0d,15,3d,cf,fe,39,a4,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,fe,ce,74,a6,fc,

e5,21,1a,cd,44,cd,b9,a6,33,6c,cd,c0,de,3a,37,77,89,0e,b1,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,f1,c8,71,db,18,

9b,0f,48,b0,18,ed,a7,3f,8d,37,a4,83,4a,05,17,5e,fc,04,eb,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,12,30,f4,06,ca,

a0,11,28,31,77,e1,ba,b1,f8,68,02,83,b3,2d,7d,e1,e3,04,30,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,a2,e5,4d,1f,dd,

44,a8,d3,83,6c,56,8b,a0,85,96,ab,da,10,39,54,6e,e9,1c,37,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,df,02,85,15,4d,

18,28,d7,51,fa,6e,91,28,9e,14,cc,78,c2,a8,cd,9e,d1,85,62,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,d7,5c,5f,d5,50,

45,9c,3e,b1,cd,45,5a,a8,c4,f8,b9,84,32,1c,58,5d,3e,0f,d3,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,72,91,d0,cf,e5,

99,85,66,e3,0e,66,d5,eb,bc,2f,6b,27,64,89,ed,5a,b4,e0,b5,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,3c,50,ad,41,cc,

6e,bc,81,fa,ea,66,7f,d4,3b,6b,70,2b,60,6a,39,b5,0a,8f,b5,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\System\ControlSet006\Enum\HID\Vid_045e&Pid_0040\6&25ef4129&0&0000\LogConf]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\System\ControlSet006\Enum\HID\Vid_045e&Pid_0040\6&38a8f1ce&0&0000\LogConf]

@DACL=(02 0000)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3384)

c:\windows\system32\WININET.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe

c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\PnkBstrA.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe

c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe

.

**************************************************************************

.

Completion time: 2009-09-19 0:16 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-19 04:16

ComboFix2.txt 2009-09-18 21:05

Pre-Run: 9,144,868,864 bytes free

Post-Run: 9,413,738,496 bytes free

Current=6 Default=6 Failed=1 LastKnownGood=7 Sets=1,2,3,4,5,6,7

391 --- E O F --- 2009-09-10 07:04


Good morning! The computer is running very well, and you've impressed a 12 year old grandson and his MaMae with your incredible knowledge! Again, you have gone above and beyond and I can't begin to tell you how much your hard work is appreciated. :)

RunMe.bat file report:

-c----w 502,272 2004-08-04 10:00:00 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe

----a-w 507,904 2008-04-14 00:12:39 C:\WINDOWS\ERDNT\cache\winlogon.exe

-c----w 507,904 2008-04-14 00:12:39 C:\WINDOWS\ServicePackFiles\i386\winlogon.exe

------w 507,904 2008-04-14 00:12:39 C:\WINDOWS\system32\winlogon.exe

----a-w 507,904 2008-04-14 00:12:39 C:\WINDOWS\system32\dllcache\winlogon.exe

Entries: 5 (5)

Directories: 0 Files: 5

Bytes: 2,533,888 Blocks: 4,949


Hi, BucNut :)

Congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix:

  • Click START then RUN
  • Now copy and paste "c:\documents and settings\Gary McClellan\Desktop\ComboFix.exe" /u in the runbox (including the quotation marks) and click OK. Note the space between the " and the /u, it needs to be there.
    Once the process is completed, remove any other tool downloaded such as, Avenger and tools I requested. Make sure the following folders are removed:
    C:\Combofix
    C:\Combo-fix
    C:\Qoobox

Create a Restore point:

  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of free tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

  1. Spybot Search & Destroy - A useful tool which can search and annihilate bad files that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills bad files that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  3. SpywareBlaster - Great prevention tool to keep bad files from installing on your system.
  4. ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  5. ATF! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those bad files that like to reside in the temp folders.
  6. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  7. Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  8. Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  9. ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  10. Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!

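The System Restore reset and the "After Cleanup" restore point from the post above, as an added example that is not part of the helper's instructions: it assumes PowerShell 2.0 has been installed on the XP SP3 machine and is run from a full administrator account, with the reboot between the Disable and Enable steps done by hand as the post describes.

```powershell
# Added example, not from the forum post. Uses the PowerShell 2.0 System
# Restore cmdlets; the $Step and $Drive parameters are this script's own.
param(
    [ValidateSet("Disable", "Enable", "Verify")]
    [string]$Step = "Verify",
    [string]$Drive = "C:\"
)

switch ($Step) {
    "Disable" {
        # Step 1 of the post: turning System Restore off discards every
        # existing (possibly infected) restore point on the drive.
        Disable-ComputerRestore -Drive $Drive
        Write-Host "System Restore is off on $Drive. Reboot, then run with -Step Enable."
    }
    "Enable" {
        # Step 3 of the post: turn it back on, then create the clean point
        # the post asks for ("After Cleanup").
        Enable-ComputerRestore -Drive $Drive
        Checkpoint-Computer -Description "After Cleanup" -RestorePointType "MODIFY_SETTINGS"
        Write-Host "System Restore is on and the After Cleanup point was created."
    }
    "Verify" {
        # Check that only the post-cleanup point survives; any older point
        # means the reset did not take and the old, suspect points are back.
        $points = @(Get-ComputerRestorePoint)
        $old = @($points | Where-Object { $_.Description -ne "After Cleanup" })
        if ($old.Count -gt 0) {
            Write-Warning "Pre-cleanup restore points are still present:"
            $old | Format-Table SequenceNumber, Description, CreationTime -AutoSize
        } else {
            Write-Host "Only the After Cleanup restore point exists ($($points.Count) point(s))."
        }
    }
}
```

Run it once with `-Step Disable`, reboot, then `-Step Enable`, and finish with `-Step Verify` to confirm the old restore points are gone.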
